Disk encryption using cryptsetup

Disk encryption is used to encrypt the entire hard disk or a thumb drive in order to secure and protect the information contained within from prying eyes. For this exercise, we shall be using the program called cryptsetup to encrypt a thumb drive.


These instructions can also be extended to hard-disks for full-disk encryption.


Install cryptsetup

On Debian / Ubuntu, do:

$ sudo apt-get install cryptsetup

On RedHat / Fedora, do:

$ sudo yum install cryptsetup-luks

Linux Unified Key Setup (LUKS) is a platform independent standardised disk-encryption specification for Linux. We’ll be using programs that use LUKS for encryption. Read about it on Wikipedia!

Identify your device

Can’t stress this enough. If you don’t identify the device (your thumb drive) correctly, you’ll end up screwing a different storage device that you didn’t originally intend to wipe.

Plug in your device, and see if there are extra files under /dev. They usually start with sd. My thumb drive showed up as /dev/sdb, with partitions like /dev/sdb1, /dev/sdb2 and so on. My memory cards usually show up as /dev/mmcblk0, with partitions /dev/mmcblk0p1, /dev/mmcblk0p2 and so on.

Distinction: sdb, sdc, etc. represent devices; sdb1, sdb2, sdc1, sdc2 (those that end in numbers) are usually partitions on the corresponding device. Similarly, mmcblk0, mmcblk1 represent memory card devices and mmcblk0p1, mmcblk1p2 (those that end in p1, p2, etc.) are usually memory card partitions.

p1, p2 presumably stand for partition 1, partition 2, etc.

Note the device. This device needs to be formatted in preparation for encrypting. We will create an encrypted layer on the device and then format it to any desired filesystem to be able to use the thumb drive. For the purposes of this exercise, let’s assume that our device is /dev/sde. We will refer to the device as /dev/sde for the rest of the article.
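
One way to back the identification step with a check (an added example, not part of the original article): the function below reads lsblk's KEY="value" listing and accepts a name only if it is a whole, removable device with nothing mounted on it or on anything stacked on it. The function name check_target and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the article's code): vet a device name before luksFormat.
# Reads `lsblk -P -o NAME,TYPE,RM,PKNAME,MOUNTPOINT` output on stdin.

# Constructed listing, not from a real machine: sda is the system disk, sde an
# idle thumb drive, sdf a thumb drive with a mounted partition.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" RM="0" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" RM="0" PKNAME="sda" MOUNTPOINT="/"
NAME="sde" TYPE="disk" RM="1" PKNAME="" MOUNTPOINT=""
NAME="sde1" TYPE="part" RM="1" PKNAME="sde" MOUNTPOINT=""
NAME="sdf" TYPE="disk" RM="1" PKNAME="" MOUNTPOINT=""
NAME="sdf1" TYPE="part" RM="1" PKNAME="sdf" MOUNTPOINT="/media/usb"'

# check_target NAME: return 0 only if NAME is a whole, removable device and
# nothing on it (partitions, or mappings stacked on them) is mounted.
# Assumes lsblk's default ordering, where a parent is listed before its children.
check_target() {
    awk -v want="$1" '
    {
        split("", f); line = $0                     # reset the per-row fields
        while (match(line, /[A-Z]+="[^"]*"/)) {     # parse each KEY="value" pair
            pair = substr(line, RSTART, RLENGTH); eq = index(pair, "=")
            f[substr(pair, 1, eq - 1)] = substr(pair, eq + 2, length(pair) - eq - 2)
            line = substr(line, RSTART + RLENGTH)
        }
        if (f["NAME"] == want) { seen = 1; kind = f["TYPE"]; rem = f["RM"]; under[want] = 1 }
        else if (f["PKNAME"] in under) under[f["NAME"]] = 1   # descendant of target
        if ((f["NAME"] in under) && f["MOUNTPOINT"] != "")
            busy = busy " " f["NAME"] " on " f["MOUNTPOINT"] ";"
    }
    END {
        if (!seen)          { print want ": not in the listing";                exit 1 }
        if (kind != "disk") { print want ": is a " kind ", not a whole device"; exit 1 }
        if (rem != "1")     { print want ": not flagged removable";             exit 1 }
        if (busy != "")     { print want ": in use:" busy;                      exit 1 }
        print want ": removable whole device, nothing mounted"
    }'
}

# Demo over the constructed listing; on a live system pipe real lsblk output in.
for dev in sda sde1 sde sdf; do
    printf '%s\n' "$SAMPLE_LSBLK" | check_target "$dev" || true
done
```

On a live system, run lsblk -P -o NAME,TYPE,RM,PKNAME,MOUNTPOINT | check_target sde before luksFormat. Some USB disk enclosures report RM="0", so a refusal on that ground means "look again", not necessarily "wrong device".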

Format the device to LUKS


To encrypt the device, do:

$ sudo cryptsetup luksFormat /dev/sde 
This will overwrite data on /dev/sde irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

This will create an encrypted layer on top of the device. You will need the passphrase you chose whenever you want to use the device.

Do not forget the passphrase or you will lose access to your data.

And for the love of all things secure, use a really good passPHRASE (not a pass’WORD’) that’s at least 12 characters long and that has upper/lower case letters and numbers. And no dictionary words or personally identifiable names, please (duh).

Using the device

First, we need to open (unlock) the encrypted device like so:

$ sudo cryptsetup luksOpen /dev/sde mydevice
Enter passphrase for /dev/sde:

The above command creates a virtual mapping of the encrypted device at /dev/mapper/mydevice. mydevice is an arbitrary name and you can specify any name there. Consequently, the mapping should be accessed at /dev/mapper/<nameSpecified>.

Formatting the device (first time only)

Now this device can be formatted with the desired filesystem. This is a one-time step and only needs to be done the first time.

$ sudo mkfs.ext4 /dev/mapper/mydevice

or for NTFS (assuming you have NTFS drivers):

$ sudo mkfs.ntfs /dev/mapper/mydevice

Mounting the filesystem

Now the filesystem can be mounted like any other filesystem:

$ sudo mount /dev/mapper/mydevice /media

You can verify the mount using the mount command or the df command. From now on, you can use the device by doing cryptsetup luksOpen and then mounting the mapper device.

Unmounting the device securely

The device can be unmounted securely like so:

$ sudo umount /dev/mapper/mydevice
$ sudo cryptsetup luksClose mydevice

Adding additional pass-phrases

You can add up to 8 passphrases for each LUKS device; see the man page for more info. To add an extra key, use the following command. You first have to provide an existing passphrase, then the new one.

$ sudo cryptsetup luksAddKey /dev/sde
Enter any passphrase: 
Enter new passphrase for key slot:
Verify passphrase:

Removing a pass-phrase

To remove an existing passphrase, do:

$ sudo cryptsetup luksRemoveKey /dev/sde

Then enter the passphrase you want to remove from the device.

Getting LUKS status

If you are interested in the status of the LUKS mapping, use the following command:

$ sudo cryptsetup -v status mydevice
/dev/mapper/mydevice is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sde
  offset:  4096 sectors
  size:    419426304 sectors
  mode:    read/write
Command successful.
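
The status output can also be checked by a script before the one-time mkfs step, to confirm that the mapping really sits on the device you meant. The following is an added example, not part of the original article; the function names are constructed, and the "is active and is in use" wording for a mounted mapping is an assumption about cryptsetup's output that does not appear in the article's sample.

```shell
#!/bin/sh
# Added example (not the article's code): confirm what a mapping is backed by
# before formatting it. Reads `cryptsetup -v status NAME` output on stdin.

# Status text as shown in the article's sample output.
SAMPLE_STATUS='/dev/mapper/mydevice is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sde
  offset:  4096 sectors
  size:    419426304 sectors
  mode:    read/write
Command successful.'

# status_field KEY: print the value of the "KEY: value" line, if present.
status_field() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# confirm_mapping NAME DEVICE: return 0 only if the status text says NAME is an
# active, idle, read/write LUKS mapping backed by DEVICE.
confirm_mapping() {
    name=$1; want_dev=$2; status=$(cat)
    head=$(printf '%s\n' "$status" | sed -n 1p)
    kind=$(printf '%s\n' "$status" | status_field type)
    dev=$(printf '%s\n' "$status" | status_field device)
    mode=$(printf '%s\n' "$status" | status_field mode)
    case $head in
        # Assumed wording for a mapping that is currently mounted or held open.
        "/dev/mapper/$name is active and is in use"*)
            echo "$name: mapping is in use, unmount it first"; return 1 ;;
        "/dev/mapper/$name is active"*) ;;
        *)  echo "$name: mapping is not active"; return 1 ;;
    esac
    case $kind in
        LUKS*) ;;
        *) echo "$name: type is '$kind', not LUKS"; return 1 ;;
    esac
    [ "$dev" = "$want_dev" ] || { echo "$name: backed by $dev, expected $want_dev"; return 1; }
    [ "$mode" = "read/write" ] || { echo "$name: mode is $mode, mkfs needs read/write"; return 1; }
    echo "$name: active LUKS mapping backed by $want_dev"
}

printf '%s\n' "$SAMPLE_STATUS" | confirm_mapping mydevice /dev/sde
```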

Note that this article is about block-level disk encryption and not file-level (stacked) encryption like ecryptfs. This means the disk is encrypted completely and the filesystem layer sits on top of the encryption layer, whereas in a stacked encryption scheme the encryption is done on top of the filesystem layer, on specific trees in the Linux file hierarchy.

