Encrypting partitions with cryptsetup
Simple Security

Modern installers offer the option of encryption with just a few clicks, but you might want to take control of the process. We show how to encrypt your partitions safely without sacrificing convenience.
The easiest time to encrypt a partition is when installing your operating system. Usually, you don't have to juggle existing partitions or even think about the process: Just click an option, and many modern installers take care of the rest. By contrast, encryption after installation is more complex, although it's still possible, as long as you work systematically.
Because modern installers routinely give the option of encryption, you might think it an unalloyed good. What could possibly go wrong with concealing your data from intruders? The simple answer is: a lot.
For one thing, all forms of encryption reduce performance, which means that encryption might not be suitable for older or less powerful machines. For another, if an encrypted filesystem becomes corrupted, recovery becomes more complicated – especially if you have encrypted the entire drive. The man page for cryptsetup [1] can give you all sorts of other worries to test your nerves, ranging from corrupted headers, to problems when character encoding changes, to lingering problems caused by insufficiently wiped data.
Instead, you might want to create a partition for storing only private files, so that encryption cannot affect the ordinary functionality of the system. Such a partition, which is technically known as a container, offers less protection but is a reasonable compromise between security and convenience.
You should also consider what method of encryption to use. You might want to consider using an encrypted filesystem, such as eCryptfs [2] or EncFS [3]. The alternative is to use block-level encryption, such as that offered by Loop-AES [4] or the now discontinued TrueCrypt [5].
Currently, the most popular method is block-level encryption using dm-crypt [6] combined with Linux Unified Key Setup-on-disk-format (LUKS) [7], which is configured in the kernel in all major distributions of which I am aware.
Preparing to Encrypt
Before adding any form of encryption, make a complete external backup. A backup is especially important if you want to encrypt an existing directory – particularly /home. Even if you have no intention of touching an existing directory with data in it, accidents can still happen.
Additionally, you need to install the package cryptsetup [8] if you are running Debian, Ubuntu, Linux Mint, or any other Debian derivative. If you are running Fedora, Red Hat, or CentOS, you need to install the package cryptsetup-luks.
As a final preparation, use parted -l or gparted to see what free space is available on your system. If you reformat an existing partition, install and run wipefs to help eliminate potential problems. If you need to shrink existing partitions to provide space for a new partition, boot from a Live CD to perform the operation to minimize any problems.
If you are setting up an encrypted /home directory, you will need a new partition at least the size of the existing /home directory. By contrast, if you only plan an encrypted vault for essential files, make sure any partition you create is large enough to hold all its intended contents.
Once new partitions are ready, use the command mkdir to create a mountpoint for each one under /mnt, the traditional location for new mountpoints created during daily operations. Then, mount the partitions; for example:
mount /dev/sda4 /mnt/vault
Unless you are using an unusual filesystem format, the mount command should not require any options.
Finally, copy the contents of any existing directory for which you intend an encrypted version to one of the new partitions. Yes, you should have made a backup, but assuming all goes well, copying from partition to partition will be faster than restoring from an external device.
Encrypting a Partition
To initialize an encrypted partition, run cryptsetup
as root with the partition unmounted. This command supports Loop-AES and TrueCrypt encryption, but unless you know the pros and cons of these choices, experts consistently recommend that you use LUKS as the encryption method that provides the greatest security with the least knowledge.
Add a device to encrypt and add the -v option for verboseness and the -y option so that you must enter passphrases twice. For most purposes, these requirements make the basic command structure:
cryptsetup -y -v luksFormat /dev/[DEVICE]
When you enter this command, you are warned that all data on the device will be overwritten, and you must confirm the action by typing YES (notice the uppercase). You are then asked to enter the passphrase (essentially, a longer version of a password, also known as a key) twice (Figure 1).

If the passphrase is inadequate for any reason, then the command fails and returns you to the prompt, giving you the explanation for the failure (Figure 2). However, if the passphrase is acceptable (and the normal rules apply, such as length, and a combination of characters, letters, and symbols and upper- and lowercase), then the command simply returns the message Command successful.

Partitions encrypted with LUKS can have up to eight passphrases or keys. The keys are stored in a key file. To add a key, use the command structure:
cryptsetup -y -v luksAddKey /dev/[DEVICE]
To remove a key, use
cryptsetup -y -v luksRemoveKey /dev/[DEVICE]
Similarly, luksChangeKey
replaces the specific passphrase entered with a new one.
The command can, of course, grow vastly more complicated, accommodating more sophisticated knowledge of encryption than I am assuming here. Options to consider include:
--test-passphrase, which tests the setup as a trial run without setting up the partition
--timeout [SECONDS], which sets the interval for retrying a failed passphrase
--tries [NUMBER], which alters the default of three attempts to enter the passphrase successfully
Mapping Encrypted Partitions for Use
The next step is to map and open the newly encrypted partition for everyday use with LUKS. Enter the command
cryptsetup luksOpen /dev/[DEVICE] [MAPPED NAME]
and enter the passphrase for the device. The device now appears under /dev/mapper as the mapped name you chose, ready for use.
From this point on, refer to the device mapping name, rather than the device's partition, when entering commands (Figure 3). For example, to view information about an encrypted partition (Figure 4), run:
cryptsetup -v status [MAPPED NAME]
Sometimes, a useful option can be --readonly, which gives a passphrase limited access to the mapped partition.
You will still need to mount the device to copy files to and from it, to create additional filesystems on the encrypted device, or to unmount it when you are finished working with it – just remember to use the mapped name. When you finish using the encrypted partition, run the command:
cryptsetup luksClose [MAPPED NAME]
This command also removes the mapped name from kernel memory, so that information about your system cannot be obtained even when the partition is unavailable. Whether you are in the mounted partition does not affect the command, so be sure you remain aware of what you are doing.
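As an added example that is not part of the article, the following POSIX shell wrapper ties together the luksFormat, luksAddKey, luksOpen, mount and luksClose steps described in the two sections above. The function names (vault_setup, vault_add_key, vault_open, vault_close), the run helper and the DRY_RUN variable are this example's own choices; the device /dev/sdX4 in the usage comment is a placeholder. With DRY_RUN=1 it prints the command sequence for review instead of executing it; a real run needs root and an unmounted device, and cryptsetup itself prompts for the passphrase.

```shell
#!/bin/sh
# Added example, not code from the Linux Magazine article: a thin wrapper
# around the cryptsetup/LUKS workflow. Set DRY_RUN=1 to echo the commands
# instead of running them. Names below (run, vault_*, DRY_RUN) are this
# example's own.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1 so the sequence can be reviewed.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# luksFormat overwrites the device, so refuse to touch one that is mounted.
assert_unmounted() {
    if [ "$DRY_RUN" != "1" ] && findmnt -rn -S "$1" >/dev/null 2>&1; then
        echo "refusing to format $1: it is currently mounted" >&2
        return 1
    fi
}

# One-time setup: format with LUKS, open the mapping, put a filesystem on the
# mapped device (never on the raw partition), and mount it.
# $1 = block device (placeholder: /dev/sdX4), $2 = mapped name, $3 = mountpoint
vault_setup() {
    dev="$1"; name="$2"; mnt="$3"
    assert_unmounted "$dev"
    # -y asks for the passphrase twice, -v reports what happened
    run cryptsetup -y -v luksFormat "$dev"
    run cryptsetup luksOpen "$dev" "$name"
    run mkfs.ext4 "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
}

# Add another passphrase (LUKS allows up to eight). Prompts for an existing
# passphrase first, then the new one twice because of -y.
vault_add_key() {
    run cryptsetup -y -v luksAddKey "$1"
}

# Daily use: open the mapping, then mount the mapped name, not the partition.
vault_open() {
    dev="$1"; name="$2"; mnt="$3"
    run cryptsetup luksOpen "$dev" "$name"
    run mount "/dev/mapper/$name" "$mnt"
}

# Finish: unmount first, then drop the mapping so the key leaves kernel memory.
vault_close() {
    name="$1"; mnt="$2"
    run umount "$mnt"
    run cryptsetup luksClose "$name"
}

# Usage (placeholder device):
#   DRY_RUN=1 ./vault.sh   # then call, e.g.: vault_setup /dev/sdX4 vault /mnt/vault
```

vault_close unmounts before luksClose because the kernel refuses to remove a mapping that still has a mounted filesystem on it; running the two steps in that order every time avoids a "device is still in use" failure.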