LUKS: Linux Hard Disk Data Encryption with NTFS Support in Linux

LUKS stands for Linux Unified Key Setup, a widely used disk-encryption standard supported by the Linux kernel and implemented by the cryptsetup package.

The cryptsetup command-line tool encrypts a block device on the fly with a symmetric key derived from a passphrase, which must be supplied every time the volume, partition or whole disk (even a USB stick) is opened and mounted into the filesystem hierarchy; the cipher used here is aes-cbc-essiv:sha256.

Linux Hard Disk Encryption Using LUKS

Because LUKS encrypts entire block devices (hard disks, USB sticks, flash disks, partitions, volume groups, etc.) on Linux systems, it is widely recommended for protecting removable storage media, laptop hard disks or Linux swap, and not recommended for file-level encryption.

NTFS (New Technology File System) is a proprietary file system developed by Microsoft.

Ubuntu 14.04 provides full support for LUKS encryption and also native NTFS support (the Windows file system) with the help of the ntfs-3g package.

To demonstrate this, I have added a fourth hard disk to an Ubuntu 14.04 box (the system refers to the newly added HDD as /dev/sdd), which will be divided into two partitions.

  1. The first partition (/dev/sdd1, primary) is used for LUKS encryption.
  2. The second partition (/dev/sdd5, a logical partition inside an extended one) is formatted NTFS for accessing data on both Linux and Windows based systems.

Both partitions will also be mounted automatically on Ubuntu 14.04 after a reboot.

Step 1: Create Disk Partitions

1. After the hard disk is physically added to your machine, use the ls command to list all /dev/sd* devices (the fourth disk is /dev/sdd).

# ls /dev/sd*
List Partitions in Linux

2. Next, check your newly added HDD with the fdisk command.

$ sudo fdisk -l /dev/sdd
Check Linux Hard Disk

Because nothing has been written to the disk yet, it does not contain a valid partition table.

3. The next step slices the hard disk into two partitions using the cfdisk utility.

$ sudo cfdisk /dev/sdd

4. The next screen opens cfdisk in interactive mode. Select your hard disk's Free space and navigate to the New option using the left/right arrow keys.

cfdisk Interactive Mode

5. Choose your partition type as Primary and hit Enter.

Select Your Partition Type

6. Enter your desired partition size in MB.

Write Down Partition Size

7. Create this partition at the Beginning of the hard disk's Free space.

Create a Partition

8. Next, navigate to the partition Type option and hit Enter.

Partition Type

9. The next prompt presents a list of all filesystem types and their number codes (hex numbers). This partition will be a Linux LUKS encrypted one, so choose code 83 and hit Enter again to create the partition.

Enter File System Type

10. The first partition is created and the cfdisk utility returns to its main screen. To create the second partition, used for NTFS, select the remaining Free space, navigate to the New option and press Enter.

Create New Partition

11. This time the partition will be a logical one inside an extended partition. So, navigate to the Logical option and again press Enter.

Select Logical Partition Type

12. Enter your partition size again. To use all the remaining free space for the new partition, leave the default size value and just press Enter.

Enter Size of Partition

13. Again, choose your partition type code. For the NTFS filesystem choose volume code 86.

Select Partition Type

14. After reviewing and verifying the partitions, select Write, answer yes to the next interactive prompt, then Quit to leave the cfdisk utility.

Write Partition Table to Disk

Confirm Changes

Quit to leave cfdisk utility

Congratulations! Your partitions have been successfully created and are now ready to be formatted and used.

15. To verify the disk partition table again, issue the fdisk command once more; it will show detailed partition table information.

$ sudo fdisk -l /dev/sdd
Confirm Partition Table

Step 2: Create Partition Filesystem

NTFS Filesystem

16. To create an NTFS filesystem on the second partition, run the mkfs command.

$ sudo mkfs.ntfs /dev/sdd5
Create NTFS Filesystem

17. To make the partition available it must be mounted into the filesystem at a mount point. Mount the second partition of the fourth hard disk on the /opt mount point using the mount command.

$ sudo mount /dev/sdd5 /opt

18. Next, check that the partition is available and listed in the /etc/mtab file using the cat command.

$ cat /etc/mtab
Check Partition Availability

19. To unmount the partition, use the following command.

$ sudo umount /opt

EXT4 LUKS

20. Make sure cryptsetup package is installed on your system.

$ sudo apt-get install cryptsetup		[On Debian Based Systems]

# yum install cryptsetup				[On RedHat Based Systems]

21. Now it is time to format the first partition of the fourth hard disk with the ext4 filesystem by issuing the following command.

$ sudo luksformat  -t ext4  /dev/sdd1

Answer YES in uppercase to the "Are you sure?" question and enter your desired passphrase three times.

Format Partition

Note: Depending on your partition size and HDD speed the filesystem creation can take a while.

22. You can also verify the LUKS header and key slot status of the partition.

$ sudo cryptsetup luksDump  /dev/sdd1
Verify Partition Status

23. LUKS supports a maximum of 8 passphrases (one per key slot). To add a passphrase, use the following command.

$ sudo cryptsetup luksAddKey /dev/sdd1
Add a Password

To remove a passphrase, use:

$ sudo cryptsetup luksRemoveKey /dev/sdd1
Remove a Password
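As an added example (not part of the original tutorial), a small Python parser for the luksDump output from step 22 that reports the cipher and which of the 8 key slots from step 23 are in use; the dump text below is a constructed sample with made-up values.

```python
import re

LUKS1_KEY_SLOTS = 8  # a LUKS1 header has exactly eight key slots

# Constructed sample of `cryptsetup luksDump` output for a LUKS1 header,
# laid out like the real tool prints it; all values are made up.
SAMPLE_DUMP = """\
LUKS header information for /dev/sdd1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        256
UUID:           11111111-2222-3333-4444-555555555555

Key Slot 0: ENABLED
        Iterations:             123456
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

HEADER_FIELDS = ("Version", "Cipher name", "Cipher mode", "Hash spec", "MK bits", "UUID")

def parse_luks_dump(text):
    """Return the header fields of interest plus the list of enabled key slots."""
    info = {"enabled_slots": []}
    for line in text.splitlines():
        m = re.match(r"^(%s):\s*(\S+)" % "|".join(HEADER_FIELDS), line)
        if m:
            info[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^Key Slot (\d+):\s+(ENABLED|DISABLED)", line)
        if m and m.group(2) == "ENABLED":
            info["enabled_slots"].append(int(m.group(1)))
    return info

def slot_report(info):
    """Summarise slot usage; one enabled slot means losing that passphrase loses the data."""
    used = len(info["enabled_slots"])
    return {"used": used, "free": LUKS1_KEY_SLOTS - used, "single_passphrase": used == 1}
```

Run it on real output with `sudo cryptsetup luksDump /dev/sdd1 | python3 -c 'import sys, luks; print(luks.slot_report(luks.parse_luks_dump(sys.stdin.read())))'` if the block is saved as luks.py.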

24. For this encrypted partition to be usable it must be opened (initialized) as a named device under the /dev/mapper directory with the help of the cryptsetup tool.

This requires the following command syntax:

$ sudo cryptsetup luksOpen  /dev/LUKS_partition  device_name

Here "device_name" can be any descriptive name you like (I have named mine crypted_volume). The actual command looks like this:

$ sudo cryptsetup luksOpen  /dev/sdd1 crypted_volume
Active Encrypted Partition

25. Then verify that your device is listed in the /dev/mapper directory, that its symbolic link exists, and check the device status.

$ ls /dev/mapper
$ ls -al /dev/mapper/crypted_volume
Verify Encrypted Partition

$ sudo cryptsetup -v status crypted_volume
Encrypted Partition Status

26. Now, to make the partition available to the system, mount it under a mount point using the mount command.

$ sudo mount  /dev/mapper/crypted_volume  /mnt
Mount Encrypted Partition

As can be seen, the partition is mounted and accessible for writing data.

27. To make it unavailable, just unmount it from your system and close the device.

$ sudo umount  /mnt
$ sudo cryptsetup luksClose crypted_volume
Unmount Encrypted Partition

Step 3: Mount Partition Automatically

If you use a fixed hard disk and need both partitions to be mounted automatically after a reboot, follow these two steps.

28. First edit /etc/crypttab file and add the following data.

$ sudo nano /etc/crypttab

  1. Target name: a descriptive name for your device (see point 24 above, under EXT4 LUKS).
  2. Source drive: the hard disk partition formatted for LUKS (see point 21 above, under EXT4 LUKS).
  3. Key file: choose none.
  4. Options: specify luks.

The final line should look like this:

encrypt_volume               /dev/sdd1          none       luks
Mount Partition Automatically

29. Then edit /etc/fstab and specify your device name, mount point, filesystem type and other options.

$ sudo nano /etc/fstab

On the last line use the following syntax.

/dev/mapper/device_name (or UUID)	/mount_point     filesystem_type     options    dump   pass

Then add your specific entry.

/dev/mapper/encrypt_volume      /mnt    ext4    defaults,errors=remount-ro     0     0
Add Partition Entry in Fstab

30. To get the device UUID, use the following command.

$ sudo blkid
Get Device UUID

31. To also add the NTFS partition created earlier, use the same syntax as above on a new line in fstab (here the shell's append redirection is used).

$ sudo su -
# echo "/dev/sdd5	/opt	ntfs		defaults		0              0"  >> /etc/fstab
Add NTFS Partition in fstab
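As an added example (not from the original tutorial), a Python check that cross-references constructed /etc/crypttab and /etc/fstab contents like those in steps 28 to 31: every /dev/mapper name in fstab must have a crypttab target, and targets with key file none will stop the boot sequence to prompt for a passphrase. The sample files include a deliberate mismatch (crypted_volume versus encrypt_volume).

```python
import re

# Constructed sample files modelled on Step 3 of the tutorial; the second
# fstab mapper entry deliberately has no matching crypttab target.
CRYPTTAB = """\
# <target name>  <source device>  <key file>  <options>
encrypt_volume   /dev/sdd1        none        luks
"""

FSTAB = """\
# <file system>              <mount point>  <type>  <options>                   <dump> <pass>
/dev/mapper/encrypt_volume   /mnt           ext4    defaults,errors=remount-ro  0      0
/dev/mapper/crypted_volume   /srv           ext4    defaults                    0      0
/dev/sdd5                    /opt           ntfs    defaults                    0      0
"""

def parse_table(text, min_fields):
    """Split a crypttab/fstab-style file into field lists, skipping comments and blanks."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < min_fields:
            raise ValueError("line %d: expected at least %d fields, got %d"
                             % (lineno, min_fields, len(fields)))
        rows.append(fields)
    return rows

def check_mappings(crypttab_text, fstab_text):
    """Cross-check fstab against crypttab and return the findings."""
    # crypttab: target, source, key file (optional, default none), options (optional)
    targets = {}
    for fields in parse_table(crypttab_text, 2):
        fields += ["none", ""][len(fields) - 2:]
        targets[fields[0]] = {"source": fields[1], "keyfile": fields[2]}
    unmapped = []
    for fields in parse_table(fstab_text, 6):
        m = re.match(r"^/dev/mapper/([^/]+)$", fields[0])
        if m and m.group(1) not in targets:
            unmapped.append(m.group(1))
    # With key file 'none' the boot sequence stops and asks for the passphrase,
    # which is why the tutorial warns against this on unattended remote servers.
    prompt_at_boot = sorted(n for n, t in targets.items() if t["keyfile"] == "none")
    return {"unmapped": unmapped, "prompt_at_boot": prompt_at_boot}

if __name__ == "__main__":
    print(check_mappings(CRYPTTAB, FSTAB))
```

To check a live system, read the two files with `open("/etc/crypttab").read()` and `open("/etc/fstab").read()` in place of the constructed strings.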

32. To verify the changes, reboot your machine, press Enter after the "Starting configure network device" boot message and type your device passphrase.

Reboot Machine

Verify Partition is Mounted Automatically

As you can see, both disk partitions were mounted automatically into the Ubuntu filesystem hierarchy. As advice: do not mount encrypted volumes automatically from fstab on physically remote servers if you cannot access the boot sequence to supply the passphrase for the encrypted volume, because the boot will stop at the passphrase prompt.

The same settings can be applied to all kinds of removable media (USB sticks, flash memory, external hard disks, etc.) to protect important, secret or sensitive data against eavesdropping or theft.


Matei Cezar

I'm a computer-addicted guy, a fan of open source and Linux-based system software, with about 4 years of experience with Linux distributions on desktops and servers and with bash scripting.


4 Responses

  1. sdsd says:

    device LUKS /dev/sdb1 at /usr/sbin/luksformat line 91, line 59.

  2. vicdeveloper says:

    Added to favorites.

    Useful guide.

    Thanks dude.

  3. Tomas says:

    The LUKS setup should also include a process of backing up a LUKS header.

  4. David says:

    LUKS is great, but it’s missing one thing. The setup should include something I call a Fricosu key. This is a separate key which, when entered under duress in Colorado, causes the system to silently and permanently forget the real decryption key.

    Could this be used for bad purposes? Sure it could. But if you value your privacy, it might be a life saver. The only way to get around it is if the bad guys (I mean the Government) make a forensic copy before they force you to enter your (secret) Fricosu key.
