Encrypt your Hard Drive in Linux

Do you need to encrypt a hard drive in Linux? This post will show you how to encrypt a separate partition, a whole hard drive, or just a USB stick. It will work in any Linux distribution.

There are many methods to perform encryption in Linux. In this post, I will show you the encryption method I use the most. It is probably the simplest method to encrypt your data in Linux. It is a command line tool, but there is nothing extraordinary.

Encrypt your hard drive in Linux with LUKS

I usually use LUKS encryption and dm-crypt.

Install the necessary programs

First, you need to install cryptsetup package:

sudo apt install cryptsetup

Identify the partition name

Next, make sure the partition you are going to encrypt doesn’t have any important data on it because it will be overwritten during the encryption process.

If your hard drive is brand new, you may need to create a new partition table. If you want to encrypt only part of your hard drive, you also need to re-partition your hard drive into two partitions: one will be encrypted and another one won’t. You can use Gparted for that.

Gparted
Gparted

You can also find out the name of your partition with the command lsblk and find the partition you need based on its size.

Running lsblk command to show all partition on your hard drive
Running lsblk command to show all partition on your hard drive

Encrypt this partition

When the partition you want to encrypt is ready and all the data is backed up into another hard drive, run this command:

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1

Where /dev/sdb1 is the partition you want to encrypt. Next, confirm that you agree to overwrite all the data in this partition.

Encrypting the partition
Encrypting the partition

Next, you will be prompted to type your passphrase. When you type it, you will see nothing. This is normal and due to security reasons. You will need this password to unencrypt the partition. Make sure you memorize it.

Next, open the encrypted partition. This is where you will need to type your passphrase.

sudo cryptsetup luksOpen /dev/sdb1 sdb1

Once the partition is opened, the encrypted partition is mapped to /dev/mapper/sdb1.

sudo fdisk -l
Mapped partition
Mapped partition

Then, create a new filesystem on it:

sudo mkfs.ext4 /dev/mapper/sdb1
Making a new filesystem to the partition
Making a new filesystem to the partition

I also suggest to get rid of reserved space. EXT4 file system reserves some space by default, but you won’t need it if you don’t run your system on this partition. This way you also get more space on the drive:

sudo tune2fs -m 0 /dev/mapper/sdb1
Getting more space on the partition
Getting more space on the partition

Now, your partition is encrypted and ready to use.

Test the encrypted partition

Mount it somewhere on your system. /mnt is the most common place to mount partitions.

Let’s create a folder encrypted in it.

sudo mkdir /mnt/encrypted

And perform the mounting:

sudo mount /dev/mapper/sdb1 /mnt/encrypted

Now, you can start placing your files into it. However, you will be able to do that only with sudo because regular users do not have access to this folder.

Let’s change the ownership of this encrypted folder, to give access to regular users:

sudo chown -R `whoami`:users /mnt/encrypted

Now test it by create a file as a regular user without sudo.

touch /mnt/encrypted/test.txt

You can also create and view encrypted files, from your file manager:

Using the file manager to show the encrypted partition
Using the file manager to show the encrypted partition

When you finish working with the encrypted partition, unmount it.

sudo umount /dev/mapper/sdb1

Let me remind you that my encrypted partition name is sdb1, in your case it may be different.

Then, close the mapped device.

sudo cryptsetup luksClose sdb1

Finally, it is safe to disconnect the hard drive from your system.

How to use the encrypted hard

Next time, when you want to use your encrypted drive. You have to connect your hard drive to the system and check its name.

lsblk
Checking the partitions
Checking the partitions

It is sdb1 in my case.

Next, open the encrypted partition with your decryption password:

sudo cryptsetup luksOpen /dev/sdb1 sdb1

Then, mount it.

sudo mount /dev/mapper/sdb1 /mnt

Now, it is available at /mnt/encrypted. As you can see, the test files we created earlier are there.

Mounting the encrypted partition
Mounting the encrypted partition

When you finished working with this encrypted files, unmount the partition:

sudo umount /dev/mapper/sdb1

And close it.

sudo cryptsetup luksClose sdb1

In some Linux systems, such Linux Mint in my case, you can also mount the encrypted partition by double-clicking on it in the file manager and entering your passphrase. So, you can avoid the command line hassle.

Some Linux distribution can open a encrypted partition easily
Some Linux distribution can open an encrypted partition easily

Conclusion

This way you can encrypt any hard drive, including flash drives. If you encrypt a hard drive that is permanently connected to your system, you can also make it mount automatically on the boot of your system.

For the next read, I recommend you my post about Linux Root Folders.

So, do you use an encrypted partition? What method do you use to encrypt it? Let me know below.

Average Linux User
Average Linux User I am the founder of the Average Linux User project, which is a hobby I work on at night. During the day I am a scientist who uses computers to analyze genetic data.

Comments



mbrandizi

Great tutorial, thanks.

Just one addition: this can be used to open the LUKS volume in a non-interactive way:

echo "" | cryptsetup luksOpen /dev/sdb1 sdb1 -

As you can see, the '-' tells cryptsetup to get the password from the standard input. This is useful for unattended scripts (eg, crontab). Of course, it isn't secure, if that password is on the same host where the volume is, but it might be reasonable if, for instance, it is (ssh) sent from a remote client that has to backup its local data. Indeed, I'm thinking of using this approach to auto-backup my laptop (where the password can be saved on a secure place like keepass, which is also accessible from scripts).



Blaise

Thanks for the tutorial! Could you elaborate on the purpose of the “test1.txt” and “test2.txt” files? It's not clear what difference using “sudo” has in this case, nor is it clear what this has to do with the drive being encrypted or not.

Average Linux User

Average Linux User

You would not be able to create/place files without sudo because you had no permission for a regular user. After you change the ownership with chown, you can place files into encrypted folder without sudo


Learn how to write in Markdown with this Quick Reference.
Notify me of new comments on this post.
* E-mail is used to display Gravatar.