I encrypted my root filesystem with the Ubuntu default installer script. When the system boots I have to enter a password to decrypt my root partition. But I want my internal drives to be encrypted as well and avoid entering a password each time a partition is mounted. We will begin with the encryption of a pendrive to see how that works and what happens behind the scenes, and continue with auto-mounting encrypted internal drives in another blog post.

Encrypting, decrypting and mounting a pendrive

Encrypt

Open a terminal and type lsblk. This lists all your block devices. Find out which one is your pendrive; let's assume it is /dev/sdb. Open gparted, delete all partitions and create a new GPT partition table with a single partition (I use ext4 as the filesystem, but whatever you choose here is overwritten by luksFormat in the next step anyway).

After that lsblk should list the following (the RM column is 1 for removable devices, which helps to spot the pendrive):

$ lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
...
sdb           8:16   1  14,3G  0 disk 
└─sdb1        8:17   1  14,3G  0 part 
...

The next step is to turn the partition into a LUKS container. luksFormat irreversibly overwrites the start of /dev/sdb1, so double-check the device name. It asks you to confirm the change with an uppercase YES and, because of -y, to type the new passphrase twice.

sudo cryptsetup -y luksFormat /dev/sdb1

Decrypt and format

The device is not usable yet because the encrypted partition does not contain a filesystem. To create one we first open the LUKS container, which makes the decrypted view of the partition available as a device-mapper device. On any modern distribution the file manager automates opening and mounting, but we will quickly walk through it in the terminal.

sudo cryptsetup luksOpen /dev/sdb1 test-crypt

After you have entered your passphrase, lsblk should show:

$ lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sdb              8:16   1  14,3G  0 disk  
└─sdb1           8:17   1  14,3G  0 part  
  └─test-crypt 253:0    0  14,3G  0 crypt 

Before the partition is mountable we have to create a filesystem on the mapped device, which we find under /dev/mapper/test-crypt. I'm using ext4 again, but you can use any other filesystem.

sudo mkfs.ext4 /dev/mapper/test-crypt

Manually mount and unmount

We can finally mount our decrypted partition to a folder.

# create a folder in which the pendrive should be mounted
sudo mkdir /media/usb
# mount the decrypted (mapped) device there
sudo mount /dev/mapper/test-crypt /media/usb
# give your user access: do this after mounting, so it changes the owner of the
# filesystem's root directory on the pendrive (chowning the empty folder before
# mounting has no effect once something is mounted on top of it)
sudo chown "$USER:$USER" /media/usb

Now we can browse the decrypted pendrive with the filemanager and create files on it.

Automatic mount

Before you let the file manager (such as Nautilus or PCManFM) open and mount the encrypted pendrive it is worth giving the filesystem a proper label, otherwise the file manager shows the filesystem's UUID as its name. e2label writes the label into the ext4 filesystem inside the container, so it only becomes visible once the container is unlocked.

sudo e2label /dev/mapper/test-crypt encrypted-pendrive-16gb

Let's unmount the filesystem and close the LUKS container.

sudo umount /dev/mapper/test-crypt
sudo cryptsetup close test-crypt

Unplug the device and plug it in again. Your file manager should recognise the LUKS container and ask you for the passphrase. If you cannot create files on it, chown the mountpoint while the pendrive is mounted (the file manager typically mounts it under /media/$USER/<label>); that changes the owner of the filesystem's root directory.
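As an added example that is not part of the original post, here is the whole lifecycle above (luksFormat, open, mkfs, mount, chown, umount, close) rehearsed against a file-backed image instead of a real pendrive, so nothing on /dev/sdb is touched. Two byte-level helpers show what happens behind the scenes: after luksFormat the raw partition starts with the 6-byte LUKS magic, while the ext4 superblock magic only ever appears on the mapped device, never in the ciphertext. The image path, mapping name and mount point are made-up arguments; the rehearse step needs root, cryptsetup and mkfs.ext4 and prompts for YES and a passphrase exactly like the commands above.

```sh
#!/bin/sh
# Added example: rehearse the encrypt -> open -> mkfs -> mount -> close cycle on a
# file-backed image. Nothing here is from the original post or from cryptsetup itself.
set -eu

# read_hex FILE OFFSET LENGTH: print LENGTH bytes at OFFSET as one lowercase hex string.
# An unreadable or too-short file yields an empty string, so the checks below fail safely.
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 -v | tr -d ' \n'
}

# Every LUKS header (LUKS1 and the LUKS2 primary header) begins with the magic "LUKS\xba\xbe".
has_luks_magic() { [ "$(read_hex "$1" 0 6)" = "4c554b53babe" ]; }

# The ext2/3/4 superblock sits 1024 bytes into the device; its magic 0xEF53 is stored
# little-endian at superblock offset 56, i.e. device bytes 1080-1081 read as 53 ef.
has_ext_magic() { [ "$(read_hex "$1" 1080 2)" = "53ef" ]; }

# rehearse IMAGE NAME MOUNTPOINT: the manual procedure from the post, run on a sparse
# 64 MiB image file. cryptsetup attaches a loop device for a regular file by itself.
rehearse() {
    img=$1; name=$2; mnt=$3
    [ "$(id -u)" -eq 0 ] || { echo "rehearse needs root (sudo)" >&2; return 1; }
    truncate -s 64M "$img"
    if has_luks_magic "$img"; then
        echo "$img already carries a LUKS header, refusing to overwrite it" >&2
        return 1
    fi

    cryptsetup -y luksFormat "$img"          # asks for YES and the passphrase twice
    has_luks_magic "$img" || { echo "no LUKS header written?" >&2; return 1; }

    cryptsetup open "$img" "$name"           # asks for the passphrase once
    mkfs.ext4 -q -L rehearsal "/dev/mapper/$name"

    # The plaintext view carries an ext4 superblock, the ciphertext side does not.
    has_ext_magic "/dev/mapper/$name" || { echo "no ext4 superblock on mapped device" >&2; return 1; }
    if has_ext_magic "$img"; then echo "ext4 magic visible in ciphertext?" >&2; return 1; fi

    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    # chown after mounting: this sets the owner of the filesystem's root directory
    chown "${SUDO_USER:-root}" "$mnt"
    echo "hello" > "$mnt/hello.txt"

    umount "$mnt"
    cryptsetup close "$name"
    echo "rehearsal ok: $img holds a LUKS container, mapping $name closed again"
}

# Usage (hypothetical paths): sudo sh luks-rehearsal.sh rehearse /tmp/pendrive.img test-crypt /mnt/rehearsal
if [ "${1:-}" = rehearse ]; then
    rehearse "${2:?image path}" "${3:-test-crypt}" "${4:-/mnt/rehearsal}"
fi
```

The magic checks are also a quick way to tell, on a real pendrive, whether /dev/sdb1 still contains a plain filesystem or already a LUKS container before running luksFormat on it.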

Adding, removing and changing the password

The passphrase does not decrypt the data directly. At luksFormat time LUKS generates a random master key (the volume key) and that key encrypts the partition. The passphrase is run through a key derivation function (PBKDF2 for LUKS1, Argon2 for LUKS2) and the result only unwraps a copy of the master key stored in one of the key slots of the LUKS header. Changing or adding a passphrase therefore never re-encrypts the partition: the master key is unwrapped with the old passphrase and wrapped again with the new one into a slot. LUKS1 has 8 key slots; LUKS2, the default in current cryptsetup, has 32.

If you unlocked the pendrive through your file manager, use lsblk to find which partition sits under the crypt entry (its parent, here sdb1): the key-management commands work on the LUKS header stored on that partition, not on the mapped name. Use one of the following commands to add, change or remove a passphrase. Be careful: if you remove the last passphrase the master key can no longer be unwrapped and the data on the partition is lost for good.

sudo cryptsetup luksAddKey /dev/sdb1
sudo cryptsetup luksChangeKey /dev/sdb1
sudo cryptsetup luksRemoveKey /dev/sdb1
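As an added example (not from the original post or from cryptsetup) here is a small script around the key-slot commands. It reads lsblk to find the partition under a mapping, counts the key slots in use from cryptsetup luksDump output (both the LUKS1 "Key Slot N: ENABLED" lines and the LUKS2 "Keyslots:" section), and refuses to run luksRemoveKey when only one slot is left, which is exactly the situation the warning above is about. The two abridged luksDump texts are constructed samples for the demo subcommand, and the script and subcommand names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): guard rails around LUKS key-slot changes.
set -eu

# luks_parent_from_lsblk NAME: read `lsblk -rno NAME,TYPE,PKNAME` from stdin and print
# the /dev path of the partition holding the LUKS header for mapping NAME.
# Key management must target that partition, not /dev/mapper/NAME.
luks_parent_from_lsblk() {
    awk -v n="$1" '$1 == n && $2 == "crypt" && $3 != "" { print "/dev/" $3 }'
}

luks_parent_of() {
    lsblk -rno NAME,TYPE,PKNAME | luks_parent_from_lsblk "$1"
}

# luks_slots_in_use: count occupied key slots in `cryptsetup luksDump` output on stdin.
# LUKS1 prints one "Key Slot N: ENABLED/DISABLED" line per slot; LUKS2 lists only the
# occupied slots as "  N: luks2" under the "Keyslots:" heading.
luks_slots_in_use() {
    awk '
        /^Key Slot [0-9]+: ENABLED/     { n++ }                 # LUKS1
        /^Keyslots:/                    { in_slots = 1; next }
        /^[A-Za-z][A-Za-z ]*:$/         { in_slots = 0 }        # next section (Tokens:, Digests:)
        in_slots && /^ +[0-9]+: luks2/  { n++ }                 # LUKS2
        END { print n + 0 }'
}

# remove_key_safely DEVICE: like `cryptsetup luksRemoveKey`, but refuse when the slot
# being removed is the only one left; the master key would be unrecoverable afterwards.
remove_key_safely() {
    dev=$1
    n=$(cryptsetup luksDump "$dev" | luks_slots_in_use)
    if [ "$n" -le 1 ]; then
        echo "refusing: $dev has $n key slot in use; add a second passphrase first" >&2
        return 1
    fi
    cryptsetup luksRemoveKey "$dev"
}

# Constructed, abridged luksDump samples used by the demo subcommand.
LUKS2_DUMP_SAMPLE=$(cat <<'EOF'
LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
)

LUKS1_DUMP_SAMPLE=$(cat <<'EOF'
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512
Key Slot 0: ENABLED
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
)

case "${1:-}" in
    demo)   # sh luks-keys.sh demo -> prints 2 then 1
        printf '%s\n' "$LUKS2_DUMP_SAMPLE" | luks_slots_in_use
        printf '%s\n' "$LUKS1_DUMP_SAMPLE" | luks_slots_in_use
        ;;
    remove-key)   # sudo sh luks-keys.sh remove-key test-crypt
        dev=$(luks_parent_of "${2:?mapping name}")
        [ -n "$dev" ] || { echo "no crypt mapping named $2" >&2; exit 1; }
        remove_key_safely "$dev"
        ;;
esac
```

Running cryptsetup luksDump /dev/sdb1 yourself before any luksRemoveKey is the manual version of the same check; the script only automates reading its output.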