Simple Security

The easiest time to encrypt a partition is when installing your operating system. Usually, you don't have to juggle existing partitions or even think about the process: Just click an option, and many modern installers take care of the rest. By contrast, encryption after installation is more complex, although it's still possible, as long as you work systematically.

Because modern installers routinely give the option of encryption, you might think it an unalloyed good. What could possibly go wrong with concealing your data from intruders? The simple answer is: a lot.

For one reason, all forms of encryption reduce performance, which means that encryption might not be suitable for older or less powerful machines. For another, if an encrypted filesystem becomes corrupted, recovery becomes more complicated – especially if you have encrypted the entire drive. The man page for cryptsetup [1] can give all sorts of other worries to test your nerves, ranging from corrupted headers, to problems when character encoding changes, to lingering problems caused by insufficiently wiped data.

Instead, you might want to create a partition for storing only private files, so that encryption cannot affect the ordinary functionality of the system. Such a partition, which is technically known as a container, offers less protection but is a reasonable compromise between security and convenience.

You should also consider what method of encryption to use. You might want to consider using an encrypted filesystem, such eCryptfs [2] or EncFS [3]. The alternative is to use block-level encryption, such as that offered by Loop-AES [4] or the now discontinued TrueCrypt [5].

Currently, the most popular method is block-level encryption using dm-crypt [6] combined with Linux Unified Key Setup-on-disk-format (LUKS) [7], which is configured in the kernel in all major distributions of which I am aware.

Preparing to Encrypt

Before adding any form of encryption, make a complete external backup. A backup is especially important if you want to encrypt an existing directory – particularly /home. Even if you have no intention of touching an existing directory with data in it, accidents can still happen.

Additionally, you need to install the package cryptsetup [8] if you are running Debian, Ubuntu, Linux Mint, or any other Debian derivative. If you are running Fedora, Red Hat, or CentOS, you need to install the package cryptsetup-luks.

As a final preparation, use parted -l or gparted to see what free space is available on your system. If you reformat an existing partition, install and run wipefs to help eliminate potential problems. If you need to shrink existing partitions to provide space for a new partition, boot from a Live CD to perform the operation to minimize any problems.

If you are setting up an encrypted /home directory, you will need a new partition at least the size of the existing /home directory. By contrast, if you only plan an encrypted vault for essential files, make sure any partition you create is large enough to hold all its intended contents.

Once new partitions are ready, use the command mkdir to create a mountpoint for each one under /mnt, the traditional location for new mountpoints created during daily operations. Then, mount the partitions; for example:

mount /dev/sda4 /mnt/vault

Unless you are using an unusual filesystem format, the mount command should not require any options.

Finally, copy the contents of any existing directory for which you intend an encrypted version to one of the new partitions. Yes, you should have made a backup, but assuming all goes well, copying from partition to partition will be faster than restoring from an external device.

Encrypting a Partition

To initialize an encrypted partition, run cryptsetup as root with the partition unmounted. This command supports Loop-AES and TrueCrypt encryption, but unless you know the pros and cons of these choices, experts consistently recommend that you use LUKS as the encryption method that provides the greatest security with the least knowledge.

Add a device to encrypt and add the -v option for verboseness and the -y option so that you must enter passphrases twice. For most purposes, these requirements make the basic command structure:

cryptsetup -y -v luksFormat /dev/[DEVICE]

When you enter this command, you are warned that all data on the device will be overwritten, and you must confirm the action by typing YES (notice the uppercase). You are then asked to enter the passphrase (essentially, a longer version of a password, also known as a key) twice (Figure 1).

Figure 1: The first step in encryption is to create a passphrase. Cryptsetup allows up to eight passphrases per encrypted device.

If the passphrase is inadequate for any reason, then the command fails and returns you to the prompt, giving you the explanation for the failure (Figure 2). However, if the passphrase is acceptable (and the normal rules apply, such as length, and a combination of characters, letters, and symbols and upper- and lowercase), then the command simply returns the message Command successful.

Figure 2: Cryptsetup requires passphrases to have certain content and a certain length and to avoid common weaknesses.

Partitions encrypted with LUKS can have up to eight passphrases or keys. The keys are stored in a key file. To add a key, use the command structure:

cryptsetup -y -v luksAddKey /dev/[DEVICE]

To remove a key, use

cryptsetup -y -v luksRemoveKey /dev/[DEVICE]

Similarly, luksChangeKey replaces the specific passphrase entered with a new one.

The command can, of course, grow vastly more complicated, accommodating more sophisticated knowledge of encryption than I am assuming here. Options to consider include

• --test-passphrase, which tests the setup as a trial run without setting up the partition
• --timeout [SECONDS], which sets the interval for retrying a failed passphrase
• --tries [NUMBER], which alters the default of three attempts to enter the passphrase successfully.

Mapping Encrypted Partitions for Use

The next step is to map and open the newly encrypted partition for everyday use with LUKS. Enter the command

cryptsetup luksOpen /dev/DEVICE

and enter the passphrase for the device. The device is now listed as a subdirectory of /dev/mapper, ready for use.

From this point on, refer to the device mapping name, rather than the device's partition, when entering commands (Figure 3). For example, to view information about an encrypted partition (Figure 4), run:

Figure 3: Once an encrypted partition is mapped, its mapped name can be used with any command.

Figure 4: For convenience, you can use cryptsetup to view how encrypted partitions are configured.

cryptsetup -v status /dev/DEVICE [MAPPED NAME]

Sometimes, a useful option can be --readonly, which gives a passphrase limited access to the mapped partition.

You will still need to mount the device to copy files to and from it, to create additional filesystems on the encrypted device, or to unmount it when you are finished working with it – just remember to use the mapped name. When you finish using the encrypted partition, run the command:

cryptsetup luksClose [MAPPED NAME]

This command also removes the mapped name from kernel memory, so that information about your system cannot be obtained even when the partition is unavailable. Whether you are in the mounted partition does not affect the command, so be sure you remain aware of what you are doing.