Disk Encryption (LUKS)
On Linux systems, a relatively common practice on high-security hosts is to use disk-level or filesystem-level encryption so that data at rest cannot be read without the key.
LUKS (Linux Unified Key Setup)
LUKS is the standard Linux disk encryption format. It protects data by encrypting the contents of a whole disk or partition so that it cannot be read without the correct key (passphrase or key file).
LUKS should only be applied to an empty disk or partition: formatting a device for LUKS overwrites it, so any existing data on that device is destroyed during the configuration process.
LUKS is configured with the cryptsetup command. It is already installed on most Linux distributions, but can be installed from the distribution's package repository if needed.
LUKS Setup
Wipe the partition/disk for security
Replace /dev/sdX with your actual disk or partition (e.g., /dev/sdb1).
sudo dd if=/dev/zero of=/dev/sdX bs=1M status=progress
Format the partition for LUKS
During this step you'll be prompted to enter a passphrase. This is the passphrase needed to unlock the volume, so record it somewhere safe; without it the data cannot be recovered.
sudo cryptsetup -v luksFormat /dev/sdX
Open the LUKS container
You'll be prompted for the passphrase set above. This creates a virtual decrypted device at /dev/mapper/my_secure_volume:
sudo cryptsetup luksOpen /dev/sdX my_secure_volume
Create a filesystem inside the unlocked container
Replace ext4 with the filesystem type you want to use.
sudo mkfs -t ext4 /dev/mapper/my_secure_volume
Mount the encrypted volume
sudo mkdir /mnt/secure
sudo mount /dev/mapper/my_secure_volume /mnt/secure
At this point you can use the mounted volume as you would any normal drive.
Lock the encrypted volume once it's no longer in use
sudo umount /mnt/secure
sudo cryptsetup luksClose my_secure_volume
If the server reboots without the volume being manually locked, the volume is locked automatically: the decryption key only exists in kernel memory while the container is open, so after a reboot it must be unlocked again before the data can be read.
crypttab
/etc/crypttab is the equivalent of /etc/fstab for encrypted volumes: crypttab tells the system which LUKS containers to unlock at boot (and how), and fstab then mounts the resulting /dev/mapper devices.
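The whole procedure above (wipe, luksFormat, luksOpen, mkfs, mount, and the umount/luksClose teardown), together with the matching crypttab and fstab lines, as one added shell helper. This is example code written for this page, not part of the original page or of cryptsetup. It is a dry-run planner: by default it only prints the commands it would run and refuses targets that are not block devices, that are currently mounted, or whose mapper name is invalid or already in use, which is the check you want before a command that destroys a disk. The mapper name, mount point, filesystem type and the EXECUTE variable are assumptions chosen here.

```shell
#!/bin/sh
# Added example helper for the LUKS steps on this page (not the page's own commands).
# Default is dry run: commands are printed, not executed. Set EXECUTE=1 to run them
# (as root, via sudo) on a real device.

# Refuse anything that is not a block device or that is currently mounted.
check_target() {
    dev="$1"
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    if [ -r /proc/mounts ] && grep -q "^$dev " /proc/mounts; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    return 0
}

# Mapper names must be simple identifiers and must not clash with an open container.
check_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*)
            echo "refusing: invalid mapper name '$1'" >&2
            return 1 ;;
    esac
    if [ -e "/dev/mapper/$1" ]; then
        echo "refusing: /dev/mapper/$1 already exists" >&2
        return 1
    fi
    return 0
}

# One command per line, in the same order as the steps on this page.
# --type luks2 selects the current LUKS header format explicitly.
luks_setup_plan() {
    dev="$1"; name="$2"; mnt="$3"; fstype="${4:-ext4}"
    printf '%s\n' \
        "dd if=/dev/zero of=$dev bs=1M status=progress" \
        "cryptsetup -v --type luks2 luksFormat $dev" \
        "cryptsetup luksOpen $dev $name" \
        "mkfs -t $fstype /dev/mapper/$name" \
        "mkdir -p $mnt" \
        "mount /dev/mapper/$name $mnt"
}

# Teardown: unmount first, then close the container.
luks_close_plan() {
    name="$1"; mnt="$2"
    printf '%s\n' "umount $mnt" "cryptsetup luksClose $name"
}

# crypttab: <mapper name> <source device> <key file or 'none' = prompt> <options>
# The UUID is the one 'blkid -s UUID -o value /dev/sdX' reports for the LUKS header.
crypttab_line() {
    name="$1"; uuid="$2"; keyfile="${3:-none}"
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$keyfile"
}

# fstab: mount the unlocked mapper device, not the raw partition.
fstab_line() {
    name="$1"; mnt="$2"; fstype="${3:-ext4}"
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$name" "$mnt" "$fstype"
}

# Print each planned command; only execute it when EXECUTE=1.
run_plan() {
    while IFS= read -r cmd; do
        echo "+ $cmd"
        if [ "${EXECUTE:-0}" = 1 ]; then
            eval "sudo $cmd"
        fi
    done
}

# Usage: sh luks_plan.sh /dev/sdX my_secure_volume /mnt/secure [ext4]
main() {
    dev="$1"; name="$2"; mnt="$3"; fstype="${4:-ext4}"
    check_target "$dev" || return 1
    check_name "$name" || return 1
    luks_setup_plan "$dev" "$name" "$mnt" "$fstype" | run_plan
    echo "# later, to lock the volume:"
    luks_close_plan "$name" "$mnt" | run_plan
}

if [ $# -ge 3 ]; then
    main "$@"
fi
```

The boot-time pieces go in separately: the crypttab_line output belongs in /etc/crypttab (with none in the key-file field, the system prompts for the passphrase at boot), and the fstab_line output in /etc/fstab, so that unlocking happens before mounting.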