Encrypt your disks on Linux
Unreadable
Encrypted volumes have long since ceased to be an exception or luxury. Corporate policies and compliance rules often demand encryption for critical data. This article looks at tools for disk encryption on Linux.
It's no coincidence that portable computers have pushed desktop PCs into the background over the past 10 years. Today, users only need desktop systems for computationally intensive work such as video rendering or games. For everything else, even mid-range laptops are now perfectly adequate. But laptops also have one disadvantage: They are far easier to steal than a standalone PC. An appropriate insurance policy can cushion the cost of replacing the device in case of theft. However, it is not so easy to compensate for the loss of data.
Corporations and users can only protect themselves effectively against this kind of horror scenario by completely encrypting the data carriers in the device, from USB sticks to external hard drives. How can a Linux user best secure disk data by means of encryption? This article describes some leading encryption methods and tools for Linux.
Cryptsetup with LUKS
Just about everyone who has ever dealt with encryption on Linux will have come across the abbreviation LUKS [1], which stands for Linux Unified Key Setup. The LUKS standard describes what disk encryption should look like on Linux (Figure 1). LUKS is handled by the Cryptsetup tool, which in turn uses the dm-crypt module of the Linux kernel to manage encrypted volumes.
At first glance, this sounds considerably more chaotic than it actually is – at least if you keep in mind how the Linux kernel has handled block devices and their drivers for decades. The block device layer of the kernel uses a trick: Different drivers can be stacked in series so that their functions combine.
dm-crypt forms part of the block device layer. If the administrator instructs the device mapper (which also underpins LVM, for example) to place the dm-crypt driver in front of a block device, all dm-crypt functions become available for that block device. In fact, dm-crypt also implements its own basic encryption. However, in the eyes of the kernel developers, these measures are not nearly enough to meet today's requirements. Accordingly, they created the LUKS format, which standardizes all the functions needed for encryption and defines them as part of a header in the partition table. This also means that the definition of encrypted drives on Linux is independent of the distribution and vendor.
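As an added example (not from the article or the Cryptsetup project), the following Python code parses the fixed part of the LUKS1 header found at the start of a LUKS device and reports the cipher, mode, hash, and enabled key slots, which is what an administrator inspects to confirm that a disk really is LUKS-encrypted. The header bytes are constructed inline rather than read from any real disk; LUKS2 uses a different, JSON-based layout that this parser deliberately rejects.

```python
import struct

# LUKS1 on-disk header (LUKS1 specification): a 208-byte fixed part followed by
# eight 48-byte key slots, 592 bytes in total; all integers are big-endian.
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # magic, version, cipher, mode, hash, ...
KEYSLOT_FMT = ">II32sII"                 # active, iterations, salt, offset, stripes
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_LEN = struct.calcsize(PHDR_FMT) + 8 * struct.calcsize(KEYSLOT_FMT)  # 592


def _cstr(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(blob):
    """Parse the first 592 bytes of a block device; raise ValueError if not LUKS1."""
    if len(blob) < HEADER_LEN:
        raise ValueError("need at least %d bytes of header" % HEADER_LEN)
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, mk_iter, uuid_raw) = struct.unpack_from(PHDR_FMT, blob)
    if magic != LUKS_MAGIC:
        raise ValueError("LUKS magic not found; device is not LUKS-formatted")
    if version != 1:
        raise ValueError("LUKS version %d: header layout differs" % version)
    slots = []
    for i in range(8):
        off = struct.calcsize(PHDR_FMT) + i * struct.calcsize(KEYSLOT_FMT)
        active, iters, _s, _km_off, _stripes = struct.unpack_from(KEYSLOT_FMT, blob, off)
        if active == KEY_ENABLED:          # only enabled slots hold a usable key
            slots.append((i, iters))
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hashspec),
            "payload_offset_sectors": payload_off, "key_bytes": key_bytes,
            "mk_digest_iterations": mk_iter, "uuid": _cstr(uuid_raw),
            "active_slots": slots}


def build_sample_header():
    """Constructed sample header (not read from a real disk): aes-xts-plain64,
    sha256, 64-byte master key, key slots 0 and 3 enabled."""
    fixed = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                        4096, 64, b"\x11" * 20, b"\x22" * 32, 5000,
                        b"12345678-1234-5678-1234-567812345678")
    slots = b""
    for i in range(8):
        enabled = i in (0, 3)
        slots += struct.pack(KEYSLOT_FMT, KEY_ENABLED if enabled else KEY_DISABLED,
                             250000 if enabled else 0, b"\x33" * 32, 8 + i * 504, 4000)
    return fixed + slots
```

On a real system the same parser would be fed the first 592 bytes of the device (read with root privileges); the `cryptsetup luksDump` command shows the same fields.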
Integrated into the System
Today, Cryptsetup with LUKS support is included with all distributions. Most manufacturers have also integrated the tool directly into their setup routines. During installation, you can choose to encrypt individual directories, such as /home, or you can encrypt the entire non-removable disk.
Once you encrypt the disk, the operating system can no longer boot without the password. If you remove the data medium from the device and try to read it, you will only see a mess of data. It is unanimously understood that this way of using encrypted drives under Linux is by far the most secure approach today. It also benefits from hardware acceleration: Unless the device has an Atom or another low-cost processor, the CPU will probably come with built-in hardware support for various encryption algorithms.
Devices connected to the system via USB can also be encrypted with Cryptsetup and LUKS – just like a built-in NVMe drive. However, there are differences in the setup between the individual distributions, and different desktop environments also offer their own tools to operate Cryptsetup and LUKS. If you want to avoid an excursion to the command line, you will need to familiarize yourself with your system's defaults.
Of course, the combination of Cryptsetup and LUKS has one major disadvantage: It offers virtually no interoperability with other operating systems. This is a kind of chicken-and-egg problem: When LUKS and Cryptsetup were just gathering speed, there were already solutions that worked equally well on all the major operating systems. These alternative solutions are not as deeply integrated into the system, but they work across operating system boundaries, and not just on Linux.
Remembering TrueCrypt
An article about disk encryption under Linux would be incomplete without mentioning VeraCrypt [2] and its famous predecessor. VeraCrypt emerged from TrueCrypt in 2013. At that time, many observers in the Linux world considered TrueCrypt to be the only valid alternative to the combination of Cryptsetup and LUKS on Linux.
TrueCrypt development came to an end as a result of an audit in 2014, and it was the TrueCrypt developers themselves who warned people not to use their own software. Shortly thereafter, the developers provided a new and final version of TrueCrypt with massively reduced functionality. According to the developers, this final release was only intended to convert existing setups to BitLocker, Microsoft's standard encryption.
The end of TrueCrypt caused wild speculation in the community, which even considered the involvement of intelligence agencies. This speculation did not subside when additional audits, completed retrospectively, found no significant problems in the way TrueCrypt worked. The actual reason for TrueCrypt's end will probably never be clarified.