LUKS stands for Linux Unified Key Setup, a widely used disk-encryption standard for the Linux kernel, implemented by the cryptsetup package.
The cryptsetup command line encrypts a block device on the fly with a symmetric key derived from a passphrase; the passphrase must be supplied every time the encrypted volume, partition or whole disk (even a USB stick) is opened and mounted in the filesystem hierarchy. The cipher used is aes-cbc-essiv:sha256.
Because LUKS encrypts entire block devices (hard-disks, USB sticks, flash disks, partitions, volume groups, etc.) on Linux systems, it is largely recommended for protecting removable storage media, laptop hard-disks or Linux swap files, and is not recommended for file-level encryption.
NTFS (New Technology File System) is a proprietary file system developed by Microsoft.
Ubuntu 14.04 provides full support for LUKS encryption, and also native NTFS support for sharing data with Windows, with the help of the ntfs-3g package.
To demonstrate this, in this tutorial I have added a fourth hard-disk to an Ubuntu 14.04 box (the system refers to the newly added HDD as /dev/sdd), which will be divided into two partitions.
- One primary partition (/dev/sdd1) used for LUKS encryption.
- A second, logical partition inside an extended partition (/dev/sdd5) formatted as NTFS, for accessing data on both Linux and Windows based systems.
Both partitions will also be mounted automatically on Ubuntu 14.04 after reboot.
Step 1: Create Disk Partitions
1. After the hard-disk is physically added to your machine, use the ls command to list all /dev/sd* devices (the fourth disk is /dev/sdd).
# ls /dev/sd*
2. Next, inspect the newly added HDD with the fdisk command.
$ sudo fdisk -l /dev/sdd
Because nothing has been written to the disk yet, it does not contain a valid partition table.
3. The next steps slice the hard-disk into two partitions using the cfdisk utility.
$ sudo cfdisk /dev/sdd
4. The next screen opens cfdisk in interactive mode. Select the hard-disk's Free Space and navigate to the New option using the left/right arrow keys.
5. Choose your partition type as Primary and hit Enter.
6. Enter your desired partition size in MB.
7. Create this partition at the Beginning of hard-disk Free space.
8. Next, navigate to the partition Type option and hit Enter.
9. The next prompt presents a list of all filesystem types and their codes (hex numbers). This partition will be LUKS encrypted, so choose code 83 and hit Enter again to create the partition.
10. The first partition is created and cfdisk returns to its main screen. To create the second partition, the one used for NTFS, select the remaining Free Space, navigate to the New option and press Enter.
11. This time the partition will be a Logical one inside an Extended partition. So, navigate to the Logical option and again press Enter.
12. Enter the partition size again. To use all of the remaining free space for the new partition, leave the default size and just press Enter.
13. Again choose your partition type code. For an NTFS filesystem choose volume code 86.
14. After reviewing and verifying the partitions, select Write, answer yes to the next interactive prompt, then Quit to leave cfdisk.
Congratulations! Your partitions have been successfully created and are now ready to be formatted and used.
15. To verify the disk's partition table again, issue the fdisk command once more; it shows detailed partition table information.
$ sudo fdisk -l /dev/sdd
Step 2: Create Partition Filesystem
16. To create the NTFS filesystem on the second partition, run the mkfs command.
$ sudo mkfs.ntfs /dev/sdd5
17. To make the partition available it must be mounted at a mount point in the filesystem. Mount the second partition of the fourth hard-disk on /opt using the mount command.
$ sudo mount /dev/sdd5 /opt
18. Next, check that the partition is available and listed in the /etc/mtab file using the cat command.
$ cat /etc/mtab
19. To unmount the partition use the following command.
$ sudo umount /opt
20. Make sure the cryptsetup package is installed on your system.
$ sudo apt-get install cryptsetup [On Debian Based Systems]
# yum install cryptsetup [On RedHat Based Systems]
21. Now it is time to format the first partition of the fourth hard-disk with the ext4 filesystem by issuing the following command.
$ sudo luksformat -t ext4 /dev/sdd1
Answer with an uppercase YES to the “Are you sure?” question and enter your desired passphrase three times.
Note: Depending on your partition size and HDD speed the filesystem creation can take a while.
22. You can also verify the LUKS header and key slots of the partition.
$ sudo cryptsetup luksDump /dev/sdd1
23. LUKS supports a maximum of 8 key slots, so up to 8 passphrases can be added. To add a passphrase use the following command.
$ sudo cryptsetup luksAddKey /dev/sdd1
To remove a passphrase use:
$ sudo cryptsetup luksRemoveKey /dev/sdd1
24. For this encrypted partition to be used it must be opened (initialized) as a named entry in the /dev/mapper directory with the help of the cryptsetup package.
This requires the following command line syntax:
$ sudo cryptsetup luksOpen /dev/LUKS_partition device_name
Where device_name can be any descriptive name you like (I have named mine crypted_volume). The actual command looks like this:
$ sudo cryptsetup luksOpen /dev/sdd1 crypted_volume
25. Then verify that your device is listed in the /dev/mapper directory, and check the symbolic link and the device status.
$ ls /dev/mapper
$ ls -all /dev/mapper/crypted_volume
$ sudo cryptsetup -v status crypted_volume
26. Now, to make the partition widely available, mount the device under a mount point on your system using the mount command.
$ sudo mount /dev/mapper/crypted_volume /mnt
As can be seen, the partition is mounted and accessible for writing data.
27. To make it unavailable again, just unmount it from your system and close the device.
$ sudo umount /mnt
$ sudo cryptsetup luksClose crypted_volume
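The following script is an added example, not code from the original tutorial: it runs the workflow of steps 21 to 27 (format, dump the header, open, make a filesystem, mount, unmount, close) end to end against a disposable disk image on a loop device rather than a real partition, so it can be rehearsed without touching /dev/sdd1, and it adds a small summary of the key slots that cryptsetup luksDump reports (steps 22 and 23). It assumes Linux with root, cryptsetup and losetup; the image path, key file, mapper name and mount point are placeholders of my own choosing, and the luksDump sample is constructed.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: the workflow of steps
# 21-27 (luksformat, luksDump, luksOpen, mkfs, mount, umount, luksClose) run
# end to end against a disposable disk image on a loop device instead of a
# real partition, plus a small summary of the key slots reported by
# "cryptsetup luksDump" (steps 22-23). Assumptions: Linux with root,
# cryptsetup and losetup; the image, key file, mapper name and mount point
# below are placeholders I chose for the demo.

IMG=${IMG:-/tmp/luks-demo.img}          # disposable 64 MiB image standing in for /dev/sdd1
KEYFILE=${KEYFILE:-/tmp/luks-demo.key}  # random key file standing in for the typed passphrase
MAPPER=${MAPPER:-demo_volume}           # /dev/mapper name, like crypted_volume in the article
MNT=${MNT:-/mnt/luks-demo}              # mount point, like /mnt in the article

# Runs in a subshell so "set -e" and the umask do not leak into the caller.
luks_loop_demo() (
    set -e
    dd if=/dev/zero of="$IMG" bs=1M count=64 status=none
    # A key file lets luksFormat run without a terminal prompt. Keep it mode
    # 0600: anyone who can read it can open the volume.
    umask 077
    dd if=/dev/urandom of="$KEYFILE" bs=64 count=1 status=none
    LOOP=$(losetup --find --show "$IMG")
    # --batch-mode answers the "Are you sure? (Type uppercase yes)" check
    cryptsetup --batch-mode luksFormat "$LOOP" "$KEYFILE"
    cryptsetup luksDump "$LOOP"                                   # step 22: header and key slots
    cryptsetup luksOpen --key-file "$KEYFILE" "$LOOP" "$MAPPER"   # step 24
    cryptsetup -v status "$MAPPER"                                # step 25
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    mkdir -p "$MNT"
    mount "/dev/mapper/$MAPPER" "$MNT"                            # step 26
    echo "written inside the encrypted volume" > "$MNT/test.txt"
    # Back up the LUKS header: if it is damaged, the whole volume is lost.
    cryptsetup luksHeaderBackup "$LOOP" --header-backup-file "$IMG.header"
    umount "$MNT"                                                 # step 27
    cryptsetup luksClose "$MAPPER"
    losetup -d "$LOOP"
    echo "demo finished; header backup in $IMG.header"
)

# Key-slot summary from luksDump text (LUKS1 prints "Key Slot N: ENABLED|DISABLED").
count_enabled_slots() {
    printf '%s\n' "$1" | grep -c '^Key Slot [0-7]: ENABLED' || true
}

free_key_slots() {
    echo $((8 - $(count_enabled_slots "$1")))     # LUKS has 8 slots in total
}

# Constructed sample of luksDump output with two passphrases set (not real data).
SAMPLE_DUMP='LUKS header information for /dev/sdd1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

printf 'sample dump: %s key slots in use, %s free\n' \
    "$(count_enabled_slots "$SAMPLE_DUMP")" "$(free_key_slots "$SAMPLE_DUMP")"

# Run the loop-device demo only when explicitly asked for (needs root):
#   sudo LUKS_DEMO_RUN=1 sh luks-demo.sh
if [ "${LUKS_DEMO_RUN:-0}" = "1" ]; then
    luks_loop_demo
fi
```

Run it as shown in the final comment to exercise the full loop-device round trip; without LUKS_DEMO_RUN=1 it only prints the key-slot summary of the constructed sample. The header backup is worth keeping somewhere safe but separate from the disk, since it holds the encrypted master key and can unlock the volume together with any passphrase that was valid at backup time.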
Step 3: Mount Partition Automatically
If you use a fixed hard-disk and need both partitions to be mounted automatically by the system after reboot, you must follow these two steps.
28. First, edit the /etc/crypttab file and add the following data.
$ sudo nano /etc/crypttab
- Target name: A descriptive name for your device (the name chosen with luksOpen in point 24 above).
- Source drive: The hard-disk partition formatted for LUKS (see point 21 above).
- Key file: Choose none
- Options: Specify luks
The final line looks like this:
encrypt_volume /dev/sdd1 none luks
29. Then edit /etc/fstab and specify your device name, mount point, filesystem type and other options.
$ sudo nano /etc/fstab
On the last line use the following syntax.
/dev/mapper/device_name (or UUID) /mount_point filesystem_type options dump pass
Then add your specific content.
/dev/mapper/encrypt_volume /mnt ext4 defaults,errors=remount-ro 0 0
30. To get the device UUID use the following command.
$ sudo blkid
31. To also add the NTFS partition created earlier, use the same syntax as above on a new line in fstab (here the shell's append redirection is used).
$ sudo su -
# echo "/dev/sdd5 /opt ntfs defaults 0 0" >> /etc/fstab
32. To verify the changes, reboot your machine, press Enter after the “Starting configure network device” boot message and type your device passphrase.
As you can see, both disk partitions were automatically mounted in the Ubuntu filesystem hierarchy. As a word of advice, do not mount encrypted volumes automatically from the fstab file on physically remote servers if you cannot access the boot sequence to supply the encrypted volume's passphrase.
The same settings can be applied to all types of removable media, such as USB sticks, flash memory, external hard-disks, etc., to protect important, secret or sensitive data against eavesdropping or theft.
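The following script is an added example, not code from the original tutorial: it generates the /etc/crypttab and /etc/fstab lines of steps 28 to 31 from a filesystem UUID instead of a bare /dev/sdd1, and checks that the two files agree before rebooting, since a mapper name used in fstab without a matching crypttab target means the mount fails at boot. Device names like /dev/sdd change when disks are added or removed; the UUID from blkid (step 30) does not. The function names, the mapper name and the sample UUIDs are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: generate the
# /etc/crypttab and /etc/fstab lines of steps 28-31 from a filesystem UUID
# instead of a bare /dev/sdd1, and check that the two files agree before a
# reboot. Names like /dev/sdd change when disks are added or removed; the UUID
# reported by blkid (step 30) does not. The function names, the mapper name and
# the sample UUIDs below are my own constructions.

# Print the UUID of a block device, e.g. uuid_of /dev/sdd1 (needs root).
uuid_of() {
    blkid -s UUID -o value "$1"
}

# crypttab: <target> <source> <key file> <options>
crypttab_line() {
    # $1 = mapper name, $2 = UUID of the LUKS partition
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab: <device> <mount point> <type> <options> <dump> <pass>
fstab_line() {
    # $1 = device (/dev/mapper/<name> or UUID=<uuid>), $2 = mount point,
    # $3 = filesystem type, $4 = mount options
    printf '%s %s %s %s 0 0\n' "$1" "$2" "$3" "$4"
}

# Sanity-check crypttab text ($1) and fstab text ($2): 4 and 6 fields per
# entry, and every /dev/mapper/<name> in fstab has a crypttab target <name>,
# otherwise the mount fails at boot. Prints each problem; returns 1 if any.
check_tables() {
    crypt=$1; fs=$2; bad=0
    while read -r first rest; do
        [ -z "$first" ] && continue
        case $first in '#'*) continue ;; esac
        set -- $first $rest
        if [ $# -ne 4 ]; then
            echo "crypttab: expected 4 fields, got $#: $first $rest"; bad=1
        fi
    done <<EOF
$crypt
EOF
    while read -r first rest; do
        [ -z "$first" ] && continue
        case $first in '#'*) continue ;; esac
        set -- $first $rest
        if [ $# -ne 6 ]; then
            echo "fstab: expected 6 fields, got $#: $first $rest"; bad=1
        fi
        case $first in
        /dev/mapper/*)
            name=${first#/dev/mapper/}
            if ! printf '%s\n' "$crypt" | grep -q "^$name[[:space:]]"; then
                echo "fstab: $first has no crypttab entry named $name"; bad=1
            fi ;;
        esac
    done <<EOF
$fs
EOF
    return $bad
}

# Constructed sample values (not real devices).
LUKS_UUID=11111111-2222-4333-8444-555555555555
NTFS_UUID=0123456789ABCDEF
MAPPER=encrypt_volume

CRYPTTAB=$(crypttab_line "$MAPPER" "$LUKS_UUID")
FSTAB=$(fstab_line "/dev/mapper/$MAPPER" /mnt ext4 defaults,errors=remount-ro
        fstab_line "UUID=$NTFS_UUID" /opt ntfs defaults)

echo "--- /etc/crypttab"; printf '%s\n' "$CRYPTTAB"
echo "--- /etc/fstab";    printf '%s\n' "$FSTAB"
if check_tables "$CRYPTTAB" "$FSTAB"; then
    echo "crypttab and fstab are consistent"
fi
```

On a real system, replace the sample UUIDs with the output of uuid_of /dev/sdd1 and uuid_of /dev/sdd5, append the generated lines to the two files, and run check_tables on the full file contents (for example check_tables "$(cat /etc/crypttab)" "$(cat /etc/fstab)") before rebooting.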
4 thoughts on “LUKS: Linux Hard Disk Data Encryption with NTFS Support in Linux”
device LUKS /dev/sdb1 at /usr/sbin/luksformat line 91, line 59.
Added to favorites.
The LUKS setup should also include a process of backing up a LUKS header.
LUKS is great, but it’s missing one thing. The setup should include something I call a Fricosu key. This is a separate key which, when entered under duress in Colorado, causes the system to silently and permanently forget the real decryption key.
Could this be used for bad purposes? Sure it could. But if you value your privacy, it might be a life saver. The only way to get around it is if the bad guys (I mean the Government) make a forensic copy before they force you to enter your (secret) Fricosu key.