Encrypt an empty partition with LUKS

LUKS encrypts block devices. It can be used either to encrypt individual partitions within a disk or to encrypt entire LVM volumes, in which case you can have multiple partitions under one encrypted container.

The encryption header and other metadata are stored at the start of the device. The header has slots for multiple passphrases, so on a shared drive each user can have their own passphrase without needing to share it. Be careful when manipulating partition tables on encrypted drives: erasing this header leads to total and unrecoverable data loss.

You can get a list of your devices using lsblk:

sda        /dev/sda           WDC W ATA    465.8G               disk  
├─sda1     /dev/sda1                         512M  75.7M    15% part  /boot
└─sda2     /dev/sda2                       465.3G               part  
sdb        /dev/sdb                          3.7T               disk  
└─sdb1     /dev/sdb1                         3.7T               part  

As you can see, I already have a “luksdev” device, which is my laptop’s encrypted SSD.

If the device is mounted, you will need to back up all data from it then unmount it.

Then, if you want to create a new partition:

fdisk /dev/sdX

The above will open the drive with fdisk. Typing m will pop up the help menu.

If it’s a new disk, you’ll most likely need to set up a new GPT partition table with g, then create a new partition with n.

If you just want a new partition on an already configured disk, you’ll only need to use n, then specify the sectors.

Once you have the partition set up, you will need to install cryptsetup.

# Debian/ubuntu based systems
sudo apt install cryptsetup

# Arch based systems
sudo pacman -S cryptsetup

# Fedora based systems
sudo dnf install cryptsetup-luks

# RHEL/CentOS/Oracle
sudo yum install cryptsetup-luks

This will install the tool used to encrypt and decrypt your partitions.

The next step is the encryption itself:

# Whole drive encryption
cryptsetup luksFormat --verbose /dev/sdX
# Partition encryption
cryptsetup luksFormat --verbose /dev/sdX#

The process will walk you through encrypting the drive/partition, and will ask you for a passphrase. It then formats the device with LUKS, writes the header and metadata, and closes it.
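A preflight check for the luksFormat step, added here as an example and not taken from the original post: it refuses to continue when the target is mounted or already carries a LUKS header (the magic bytes "LUKS" 0xBA 0xBE at the start of the device), which is exactly the situation in which luksFormat would wipe existing data. The function names, and the use of od and /proc/mounts for the checks, are my own choices; cryptsetup isLuks performs the same header check with the real tool.

```shell
#!/bin/sh
# Preflight checks to run before `cryptsetup luksFormat <target>`.
# Added example, not part of the original post. Assumes POSIX sh, od, grep.

# Return 0 if the first 6 bytes of $1 are the LUKS magic ("LUKS" 0xBA 0xBE),
# i.e. a LUKS1 or LUKS2 header already sits at the start of the device.
has_luks_header() {
    magic=$(od -An -N6 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Return 0 if the device path $1 is currently listed in /proc/mounts.
is_mounted() {
    grep -qs "^$1 " /proc/mounts
}

# Decide whether running luksFormat on $1 is safe.
# Prints the reason and returns 1 when formatting would destroy data that
# is still mounted or an existing LUKS container; returns 0 otherwise.
luks_format_preflight() {
    target=$1
    if [ ! -e "$target" ]; then
        echo "refuse: $target does not exist"
        return 1
    fi
    if is_mounted "$target"; then
        echo "refuse: $target is mounted; back it up and unmount it first"
        return 1
    fi
    if has_luks_header "$target"; then
        echo "refuse: $target already has a LUKS header; luksFormat would erase it"
        return 1
    fi
    echo "ok: $target is unmounted and carries no LUKS header"
    return 0
}

# Typical use (hypothetical device name, as in the post):
#   luks_format_preflight /dev/sdX && sudo cryptsetup luksFormat --verbose /dev/sdX
```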

The device should now be encrypted and ready to be used. You can unlock it with:

cryptsetup luksOpen /dev/sdX# dev_name

You should replace dev_name with a name of your choosing. By default, the unlocked device appears as /dev/mapper/dev_name (it is mapped, not yet mounted).

If you encrypted the whole device, you will need to create partitions on it with a disk manager such as fdisk. Open /dev/mapper/dev_name in the tool and set up the partitions as you want. The partitions will then be ready to be used, as they are at this point individually unencrypted partitions under an encrypted container.

It’s important that you don’t rewrite the label (partition table) of the underlying drive itself, as that would overwrite the LUKS header.

If you’ve only encrypted a partition, it is not yet usable. You will first need to create a filesystem on it, as it currently has none. To create an ext4 fs:

mkfs.ext4 /dev/mapper/dev_name

This will create an ext4 file system on your decrypted partition. You can mount it with:

mount /dev/mapper/dev_name /mnt

Your encrypted partition is now ready to be used!
