Install a new Drive with LUKS Disk Encryption


*[LUKS]: Linux Unified Key Setup
This article describes the process of setting up a physical drive with LUKS encrypted filesystem. The process is tested on Ubuntu 10.10.


First, one necessary package needs to be installed:

aptitude install cryptsetup

Setup of the partition

Initialisation of the encrypted partition is done like this:

cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/{physical_partition}

Now, the newly encrypted partition needs to be introduced to the system i.e. to the device mapper. Do this as follow with cryptfs being the device's mapping name, i.e. name it as you like:

cryptsetup luksOpen /dev/{physical_partition} cryptfs

The next step is to set up a filesystem on the partition. I prefer xfs, but you are free to choose what suits you best:

mkfs.xfs /dev/mapper/cryptfs

Now, mount your new partition:

mount /dev/mapper/cryptfs /{mount_point}

If that worked, you may want to add your encrypted partition to /etc/fstab by adding the following line. Replace {mount_point} with the location where you wish to mount your device:

/dev/mapper/cryptfs /{mount_point} xfs defaults 0 2

Set up mount at boot time

In order to let the device get mounted at boot time, you may want to add these lines to /etc/rc.local. Bear in mind that now you'll have to enter the cryptfs passphrase at boot:

cryptsetup luksOpen /dev/{crypt_partition} cryptfs
mount /dev/mapper/cryptfs

If you wish to easily mount the device from shell after boot, save the following lines as /usr/local/bin/crypt-start:

cryptsetup luksOpen /dev/{crypt_partition} cryptfs
mount /dev/mapper/cryptfs

Make the file executable:

chmod +x /usr/local/bin/crypt-start

... and run the command crypt-start after boot.

Change LUKS passphrase

Changing an existing LUKS passphrase seems a bit odd on first sight. That is, because you first need to add a new passphrase before you can remove the old one. Yet, this helps to only change your passphrase at a point where you can be absolutely certain that you do know the new passphrase. The relevant commands look like this:

cryptsetup luksAddKey /dev/{physical_partition}
cryptsetup luksRemoveKey /dev/{physical_partition}

Leave a Comment