LUKS Full Disk Encryption Setup

TL;DR

This guide shows you how to securely encrypt your entire disk using LUKS (Linux Unified Key Setup). It covers partitioning, formatting, unlocking, and basic maintenance. This is a robust method for protecting your data.

Partitioning the Disk

  1. Identify the Disk: Use lsblk to find the disk you want to encrypt (e.g., /dev/sda). Be absolutely sure you select the correct disk, as this process will erase all data on it!
  2. Partition with fdisk or parted: We’ll create a single partition for simplicity.
    sudo fdisk /dev/sda
    • Type g to create a new GPT partition table.
    • Type n to add a new partition. Accept the defaults for partition number, first sector, and last sector (using the entire disk).
    • Type t to change the partition type. Use code 8300 for Linux filesystem.
    • Type w to write the changes to disk.

Formatting with LUKS

  1. Encrypt the Partition: This step creates the LUKS container.
    sudo cryptsetup luksFormat /dev/sda1

    You will be prompted for a passphrase. Choose a strong, memorable one!

  2. Open the LUKS Container: This maps the encrypted partition to a device you can use.
    sudo cryptsetup luksOpen /dev/sda1 myencryptedvolume

    You will be prompted for your passphrase again. ‘myencryptedvolume’ is an arbitrary name; choose something descriptive.

  3. Create a Filesystem: Format the mapped device with ext4 (or another filesystem of your choice).
    sudo mkfs.ext4 /dev/mapper/myencryptedvolume

Mounting and Unlocking

  1. Create a Mount Point: This is where the filesystem will be accessible.
    sudo mkdir /mnt/encrypted
  2. Mount the Filesystem: Make the encrypted volume available.
    sudo mount /dev/mapper/myencryptedvolume /mnt/encrypted
  3. Unlock at Boot (fstab): To automatically unlock during boot, add an entry to /etc/fstab. This requires careful configuration and understanding of security implications! First get the UUID:
    sudo blkid /dev/mapper/myencryptedvolume

    Then edit /etc/fstab (using sudo) and add a line similar to this, replacing <UUID> with the actual UUID you obtained:

    UUID=<UUID>  /mnt/encrypted ext4 defaults 0 2

    Important: Consider using systemd-cryptsetup for more secure automatic unlocking.

  4. Unlock Manually: To unlock after boot (if not configured in fstab):
    sudo cryptsetup luksOpen /dev/sda1 myencryptedvolume

    Then mount as described above.
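
An added example, not part of the original guide: a small shell lint for the boot-time setup in step 3. It checks that /etc/crypttab (the file systemd-cryptsetup reads) has an entry that opens the container, and that /etc/fstab mounts the filesystem inside it rather than the container itself. The function names, the file copies and the UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide: lint copies of /etc/crypttab and /etc/fstab.
# crypttab: <mapping name> <source device> <key file> <options>
# fstab:    <device> <mount point> <type> <options> <dump> <pass>

# field FILE COL VALUE WANT: print column WANT of the first non-comment
# line in FILE whose column COL equals VALUE.
field() {
    awk -v c="$2" -v v="$3" -v w="$4" '$1 !~ /^#/ && $c == v { print $w; exit }' "$1"
}

# check_boot_unlock NAME CRYPTTAB FSTAB MOUNTPOINT -> 0 consistent, 1 broken
check_boot_unlock() {
    name=$1; mnt=$4; rc=0
    src=$(field "$2" 1 "$name" 2)   # LUKS container, e.g. the UUID of /dev/sda1
    key=$(field "$2" 1 "$name" 3)   # "none" means prompt for the passphrase
    dev=$(field "$3" 2 "$mnt" 1)    # what fstab mounts on MOUNTPOINT
    [ -n "$src" ] || { echo "FAIL: no crypttab entry for $name, nothing opens it at boot"; rc=1; }
    case $src in
        ''|UUID=?*|/dev/disk/by-*) ;;
        *) echo "WARN: $src can be renumbered between boots, use UUID=" ;;
    esac
    case $key in
        ''|none|-) ;;
        *) echo "WARN: key file $key opens the volume without a passphrase" ;;
    esac
    if [ -z "$dev" ]; then
        echo "FAIL: no fstab entry for $mnt"; rc=1
    elif [ "$dev" = "$src" ]; then
        echo "FAIL: fstab mounts the LUKS container, not the filesystem in it"; rc=1
    elif [ "$dev" != "/dev/mapper/$name" ] && [ "${dev#UUID=}" = "$dev" ]; then
        echo "FAIL: $dev is neither /dev/mapper/$name nor a filesystem UUID"; rc=1
    fi
    return $rc
}

# Constructed sample files (both UUIDs are made up).
make_samples() {
    luks=UUID=11111111-2222-3333-4444-555555555555   # from: blkid /dev/sda1
    fs=UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee     # from: blkid /dev/mapper/myencryptedvolume
    echo "myencryptedvolume $luks none luks"      > "$1/crypttab"
    echo "$fs /mnt/encrypted ext4 defaults 0 2"   > "$1/fstab.ok"
    echo "$luks /mnt/encrypted ext4 defaults 0 2" > "$1/fstab.bad"
}

d=$(mktemp -d) && make_samples "$d"
check_boot_unlock myencryptedvolume "$d/crypttab" "$d/fstab.ok" /mnt/encrypted && echo "ok"
check_boot_unlock myencryptedvolume "$d/crypttab" "$d/fstab.bad" /mnt/encrypted || echo "rejected"
rm -rf "$d"
```

Run it against copies of your own files by passing their paths in place of the sample ones; warnings are printed but only a FAIL changes the exit status.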

Maintenance

  • Backups: Regularly back up your data, even with encryption.
  • Passphrase Security: Keep your passphrase safe and secure. Consider using a password manager.
  • Update cryptsetup: Ensure you have the latest version of the cryptsetup package for security fixes.
    sudo apt update && sudo apt upgrade cryptsetup