LUKS: Encrypting Your Partitions
Introduction
LUKS is one of the best disk encryption tools for Linux. We’ll see here how to use it.
Usage
Creating an Encrypted Partition
Be aware that if you use an existing partition, all its data will be erased when initializing the encrypted partition. To initialize it (sdb1 for example):
Enter the password you want to use to decrypt the partition.
Unlocking
Next, we’ll unlock the encrypted partition to use it:
‘secret’ corresponds here to the device mapper name. We can then verify its existence:
Preparing the Partition
Now we just need to format this partition:
And mount it in a directory.
Unmounting the Encrypted Disk
Once you’ve finished, you need to properly close the disk by unmounting and locking it:
Mounting the Encrypted Partition Permanently
If you want to mount the partition permanently, you’ll need to use fstab and crypttab. In crypttab:
- secret: name of the device mapper
- /dev/sdb1: the physical device
- /root/password: the file containing your password (you can alternatively put the password directly in the crypttab file)
If you chose to use a file containing the key, create it like this:
Then add the following line to fstab:
Your encrypted partition will now mount automatically at startup. Because the key is read from a file on the machine, encryption brings less benefit in this setup, but it might interest some users.
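As an added example (not part of the original page), the shell functions below create a key file that is owner-only from the moment it exists and check that every key file named in a crypttab-format file is inaccessible to group and others. The function names make_keyfile and audit_crypttab, the sample entries and the temporary paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: safe key-file creation and a crypttab permission audit.

# make_keyfile PATH: refuse to reuse an existing file, then create it under
# umask 077 so it is mode 0600 before any key material is written to it.
make_keyfile() {
    [ ! -e "$1" ] || return 1
    ( umask 077 && head -c 64 /dev/urandom > "$1" )
}

# audit_crypttab FILE: print one finding per risky entry; return 1 if any.
# Fields on each line: <mapper name> <device> <key file> <options>
audit_crypttab() {
    found=0
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac       # blank line or comment
        case "$keyfile" in ''|none|-) continue ;; esac  # passphrase is prompted
        if [ ! -f "$keyfile" ]; then
            echo "$name: key file $keyfile does not exist"
            found=1
            continue
        fi
        mode=$(stat -c '%a' "$keyfile")   # octal mode (GNU stat)
        case "$mode" in
            0|*00) ;;                     # no group/other permission bits
            *) echo "$name: key file $keyfile has mode $mode, group/other can access it"
               found=1 ;;
        esac
    done < "$1"
    return "$found"
}

# Demo on constructed data in a temporary directory; no real device is touched.
demo() {
    tmp=$(mktemp -d)
    make_keyfile "$tmp/good.key"
    echo 'constructed-passphrase' > "$tmp/weak.key"
    chmod 644 "$tmp/weak.key"
    cat > "$tmp/crypttab" <<EOF
# constructed sample entries
secret  /dev/sdb1  $tmp/good.key  luks
backup  /dev/sdc1  $tmp/weak.key  luks
home    /dev/sdd1  none           luks
EOF
    audit_crypttab "$tmp/crypttab" || true
    rm -rf "$tmp"
}
demo
```

A key file created this way unlocks the partition only after it has been added to one of the partition's passphrase slots.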
Adding a Passphrase
To add a passphrase (maximum of 8 total), here’s how to proceed. First locate your encrypted partition:
Once you’re sure it’s the right one, add an additional passphrase:
If you want to change a passphrase, you’ll need to delete the old one using the method mentioned below.
Removing a Passphrase
If you want to remove one of your passphrases:
Last updated 23 Dec 2013, 21:16 +0200.