Encrypt your disks on Linux
Unreadable
![](/var/linux_magazin/storage/images/issues/2022/257/disk-encryption/257_123rf_17158169_lock_drizzd_resized.png/801482-1-eng-US/257_123RF_17158169_Lock_drizzd_resized.png_medium.png)
Encrypted volumes have long since ceased to be an exception or luxury. Corporate policies and compliance rules often demand encryption for critical data. This article looks at tools for disk encryption on Linux.
It's no coincidence that portable computers have pushed desktop PCs into the background over the past 10 years. Today, users only need desktop systems for computationally intensive work such as video rendering or games. For everything else, even mid-range laptops are now perfectly adequate. But laptops also have one disadvantage: They are far easier to steal than a standalone PC. An appropriate insurance policy can cushion the cost of replacing the device in case of theft. However, it is not so easy to compensate for the loss of data.
Corporations and users can only protect themselves effectively against this kind of horror scenario by completely encrypting the data carriers in the device, from USB sticks to external hard drives. How can a Linux user best secure disk data by means of encryption? This article describes some leading encryption methods and tools for Linux.
Cryptsetup with LUKS
Just about everyone who has ever dealt with encryption on Linux will have come across the abbreviation LUKS [1], which stands for Linux Unified Key Setup. The LUKS standard describes what disk encryption should look like on Linux (Figure 1). LUKS is based on the Cryptsetup tool, which in turn uses the Dmcrypt kernel module of the Linux kernel to manage encrypted volumes.
![](/var/linux_magazin/storage/images/issues/2022/257/disk-encryption/figure-1/801485-1-eng-US/Figure-1_large.png)
At first glance, this sounds considerably more chaotic than it actually is – at least if you keep in mind how the Linux kernel has handled block devices and their drivers for decades. The block device layer of the kernel resorts to a trick, allowing different drivers to be connected in series in order to combine their functions.
Dmcrypt forms part of the block device layer. If the administrator instructs the device mapper (which includes LVM, for example) to prepend the Dmcrypt driver to a block device before accessing it, all Dmcrypt functions are available for the block device. In fact, Dmcrypt also implements its own basic encryption. However, these measures are not nearly enough to meet today's requirements in the eyes of the kernel developers. Accordingly, they created the LUKS format, which standardizes all the functions needed for encryption and defines them as part of a header in the partition table. This also means that the definition of encrypted drives on Linux is independent of the distribution and vendor.
Integrated into the System
Today, Cryptsetup with LUKS support is included with all distributions. Most manufacturers have also integrated the tool directly into their setup routines. You can start encrypting when installing the individual directories, such as /home
, or you can encrypt the entire non-removable disk.
Once you encrypt the disk, the operating system can no longer boot without the password. If you remove the data medium from the device and try to read it, you will only see a mess of data. It is unanimously understood that this way of using encrypted drives under Linux is by far the most secure approach today. It also uses hardware acceleration. If you don't have an Atom or another low-cost processor in the device, the CPU will probably come with built-in hardware support for various encryption algorithms.
Devices connected to the system via USB can also be encrypted with Cryptsetup and LUKS – just like a built-in NVMe drive. However, there are differences in the setup between the individual distributions, and different desktop environments also offer their own tools to operate Cryptsetup and LUKS. If you want to avoid an excursion to the command line, you will need to familiarize yourself with your system's defaults.
Of course, a combination of Cryptsetup and LUKS has one major disadvantage: It offers virtually no interoperability with other operating systems. You'll need a way to deal with a kind of chicken-and-egg problem. When LUKS and Cryptsetup were just gathering speed, there were already solutions that worked equally well on all the major operating systems. These alternative solutions are not as deeply integrated into the system, but they work across operating system boundaries, and not just on Linux.
Remembering Truecrypt
An article about disk encryption under Linux would be incomplete without mentioning Veracrypt [2] and its famous predecessor. Veracrypt emerged from Truecrypt in 2013. At that time, Truecrypt was considered by many observers in the Linux world to be the only valid alternative to the combination of Cryptsetup and LUKS on Linux.
Truecrypt development came to an end as a result of an audit in 2014, and it was the Truecrypt developers themselves who warned people not to use their own software. Shortly thereafter, the developers provided a new and final version of Truecrypt, which was massively limited in terms of its functionality. According to the developers, this final release was only intended to convert existing setups into Bitlocker setups with Microsoft's standard encryption.
The end of Truecrypt caused wild speculation in the community, which even considered the involvement of intelligence agencies. This speculation did not subside when additional audits completed retrospectively found no significant problems in the way Truecrypt worked. The actual reason for Truecrypt's end will probably never be clarified.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
![Learn More](https://www.linux-magazine.com/var/linux_magazin/storage/images/media/linux-magazine-eng-us/images/misc/learn-more/834592-1-eng-US/Learn-More_medium.png)
News
-
NVIDIA Released Driver for Upcoming NVIDIA 560 GPU for Linux
Not only has NVIDIA released the driver for its upcoming CPU series, it's the first release that defaults to using open-source GPU kernel modules.
-
OpenMandriva Lx 24.07 Released
If you’re into rolling release Linux distributions, OpenMandriva ROME has a new snapshot with a new kernel.
-
Kernel 6.10 Available for General Usage
Linus Torvalds has released the 6.10 kernel and it includes significant performance increases for Intel Core hybrid systems and more.
-
TUXEDO Computers Releases InfinityBook Pro 14 Gen9 Laptop
Sporting either AMD or Intel CPUs, the TUXEDO InfinityBook Pro 14 is an extremely compact, lightweight, sturdy powerhouse.
-
Google Extends Support for Linux Kernels Used for Android
Because the LTS Linux kernel releases are so important to Android, Google has decided to extend the support period beyond that offered by the kernel development team.
-
Linux Mint 22 Stable Delayed
If you're anxious about getting your hands on the stable release of Linux Mint 22, it looks as if you're going to have to wait a bit longer.
-
Nitrux 3.5.1 Available for Install
The latest version of the immutable, systemd-free distribution includes an updated kernel and NVIDIA driver.
-
Debian 12.6 Released with Plenty of Bug Fixes and Updates
The sixth update to Debian "Bookworm" is all about security mitigations and making adjustments for some "serious problems."
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.