LUKS: Linux Hard Disk Data Encryption with NTFS Support in Linux

LUKS stands for Linux Unified Key Setup, a widely used disk-encryption method on Linux that is handled by the kernel's dm-crypt layer and managed with the cryptsetup package.

The cryptsetup command encrypts a block device on the fly with a symmetric key derived from a passphrase; the passphrase must be supplied every time the device (a partition, a whole disk, or even a USB stick) is opened and mounted in the filesystem hierarchy. This tutorial uses the aes-cbc-essiv:sha256 cipher.

Linux Hard Disk Encryption Using LUKS

Because LUKS encrypts entire block devices (hard-disks, USB sticks, flash disks, partitions, volume groups, etc.), it is strongly recommended for protecting removable storage media, laptop hard-disks or Linux swap, and it is not the right tool for file-level encryption.

NTFS (New Technology File System) is a proprietary file system developed by Microsoft.

Ubuntu 14.04 provides full support for LUKS encryption and, with the help of the ntfs-3g package, native support for the Windows NTFS filesystem.

To demonstrate this, for this tutorial I added a fourth hard-disk to an Ubuntu 14.04 box (the system sees the new HDD as /dev/sdd), which will be divided into two partitions.

  1. One partition (/dev/sdd1, primary) used for LUKS encryption.
  2. A second partition (/dev/sdd5, a logical partition inside an extended one) formatted NTFS for accessing data on both Linux and Windows based systems.

Also the partitions will be automatically mounted on Ubuntu 14.04 after reboot.

Step 1: Create Disk Partitions

1. After the hard-disk is physically added to your machine, use the ls command to list all /dev/sd* devices (the fourth disk is /dev/sdd).

# ls /dev/sd*
List Partitions in Linux

2. Next check your newly added HDD with fdisk command.

$ sudo fdisk -l /dev/sdd
Check Linux Hard Disk

Because nothing has been written to the disk yet, it does not contain a valid partition table.

3. The next steps slice the hard-disk into two partitions using the cfdisk utility.

$ sudo cfdisk /dev/sdd

4. The next screen opens cfdisk in interactive mode. Select your hard-disk's Free space and navigate to the New option using the left/right arrow keys.

cfdisk Interactive Mode

5. Choose your partition type as Primary and hit Enter.

Select Your Partition Type

6. Enter your desired partition size in MB.

Write Down Partition Size

7. Create this partition at the Beginning of the hard-disk's free space.

Create a Partition

8. Next, navigate to the partition Type option and hit Enter.

Partition Type

9. The next prompt presents a list of all partition types and their hex codes. This partition will hold a Linux LUKS encrypted filesystem, so choose code 83 and hit Enter again to create the partition.

Enter File System Type

10. The first partition is created and cfdisk returns to its main screen. To create the second partition, which will be used for NTFS, select the remaining Free space, navigate to the New option and press Enter.

Create New Partition

11. This time the partition will be a Logical one inside an Extended partition, so navigate to the Logical option and press Enter again.

Select Logical Partition Type

12. Enter the partition size again. To use all the remaining free space for the new partition, leave the default size value and just press Enter.

Enter Size of Partition

13. Again, choose your partition type code. For the NTFS filesystem choose volume code 86.

Select Partition Type

14. After reviewing and verifying the partitions, select Write, answer yes at the next interactive prompt, then select Quit to leave the cfdisk utility.

Write Partition Table to Disk
Confirm Changes
Quit to leave cfdisk utility

Congratulations! Your partitions have been successfully created and are now ready to be formatted and used.

15. To verify the disk partition table again, issue the fdisk command, which will show detailed partition table information.

$ sudo fdisk -l /dev/sdd
Confirm Partition Table

Step 2: Create Partition Filesystem

NTFS Filesystem

16. To create an NTFS filesystem on the second partition, run the mkfs.ntfs command.

$ sudo mkfs.ntfs /dev/sdd5
Create NTFS Filesystem

17. To make the partition available it must be mounted on the filesystem at a mount point. Mount the second partition of the fourth hard-disk on the /opt mount point using the mount command.

$ sudo mount /dev/sdd5 /opt

18. Next, check that the partition is available and listed in the /etc/mtab file using the cat command.

$ cat /etc/mtab
Check Partition Availability

19. To unmount the partition use the following command.

$ sudo umount /opt

EXT4 LUKS

20. Make sure the cryptsetup package is installed on your system.

$ sudo apt-get install cryptsetup		[On Debian Based Systems]

# yum install cryptsetup				[On RedHat Based Systems]

21. Now it is time to set up LUKS on the first partition of the fourth hard-disk and format it with the ext4 filesystem by issuing the following command.

$ sudo luksformat  -t ext4  /dev/sdd1

Answer the “Are you sure?” question with an uppercase YES and enter your desired passphrase three times.

Format Partition

Note: Depending on your partition size and HDD speed, filesystem creation can take a while.

22. You can also inspect the LUKS header of the partition (cipher, key slots and UUID).

$ sudo cryptsetup luksDump  /dev/sdd1
Verify Partition Status

23. LUKS supports a maximum of 8 passphrases (key slots). To add a passphrase use the following command.

$ sudo cryptsetup luksAddKey /dev/sdd1
Add a Password

To remove a passphrase use:

$ sudo cryptsetup luksRemoveKey /dev/sdd1
Remove a Password
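Before adding or removing a passphrase it helps to know how many of the 8 key slots are already in use. The following POSIX shell script is an added example, not part of the original tutorial: it parses the output of cryptsetup luksDump and reports the enabled slots; the luksDump text embedded below is constructed sample output, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): summarise LUKS key slot usage from
# `cryptsetup luksDump` output. LUKS1 headers list each slot as
# "Key Slot N: ENABLED" or "Key Slot N: DISABLED".

# Print the numbers of the ENABLED key slots in the given dump file, one per line.
enabled_slots() {
    awk '/^Key Slot [0-7]: ENABLED/ { print $3 + 0 }' "$1"
}

# Print how many of the 8 slots are still free for luksAddKey.
free_slots() {
    used=$(enabled_slots "$1" | wc -l)
    echo $((8 - used))
}

# Exit 0 when it is safe to remove a passphrase without losing the volume,
# i.e. more than one slot is enabled; exit 1 when only one slot is left.
can_remove_key() {
    [ "$(enabled_slots "$1" | wc -l)" -gt 1 ]
}

# Constructed sample of a luksDump header with slots 0 and 2 enabled
# (assumption: abbreviated to the lines the functions look at).
sample_dump=$(mktemp)
cat > "$sample_dump" <<'EOF'
LUKS header information for /dev/sdd1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF

# On a live system you would feed real output instead, e.g.:
#   sudo cryptsetup luksDump /dev/sdd1 > "$sample_dump"
echo "enabled slots: $(enabled_slots "$sample_dump" | tr '\n' ' ')"
echo "free slots: $(free_slots "$sample_dump")"
rm -f "$sample_dump"
```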

24. For this encrypted partition to be usable it must be opened (initialized) under a name in the /dev/mapper directory with the help of the cryptsetup package.

This requires the following command line syntax:

$ sudo cryptsetup luksOpen  /dev/LUKS_partition  device_name

Where “device_name” can be any descriptive name you like (I named mine crypted_volume). The actual command will look as shown below.

$ sudo cryptsetup luksOpen  /dev/sdd1 crypted_volume
Active Encrypted Partition

25. Then verify that your device is listed in the /dev/mapper directory, check its symbolic link, and query the device status.

$ ls /dev/mapper
$ ls -l /dev/mapper/crypted_volume
Verify Encrypted Partition
$ sudo cryptsetup -v status crypted_volume
Encrypted Partition Status

26. Now, to make the partition device available to the system, mount it under a mount point using the mount command.

$ sudo mount  /dev/mapper/crypted_volume  /mnt
Mount Encrypted Partition

As can be seen, the partition is mounted and accessible for writing data.

27. To make it unavailable, unmount it from your system and then close the device.

$ sudo umount  /mnt
$ sudo cryptsetup luksClose crypted_volume
Umount Encrypted Partition

Step 3: Mount Partition Automatically

If you use a fixed hard-disk and need both partitions to be mounted automatically by the system after reboot, you must follow these two steps.

28. First edit the /etc/crypttab file and add an entry with the following fields.

$ sudo nano /etc/crypttab

  1. Target name: A descriptive name for your device, i.e. the /dev/mapper name used when opening the volume (see the EXT4 LUKS section above).
  2. Source drive: The hard-disk partition formatted for LUKS (see the luksformat step in the EXT4 LUKS section above).
  3. Key file: Choose none
  4. Options: Specify luks

The final line should look as shown below.

encrypt_volume               /dev/sdd1          none       luks
Mount Partition Automatically

29. Then edit /etc/fstab and specify your device name, mount point, filesystem type and other options.

$ sudo nano /etc/fstab

On the last line use the following syntax.

/dev/mapper/device_name (or UUID)	/mount_point     filesystem_type     options    dump   pass

And add your specific content, for example:

/dev/mapper/encrypt_volume      /mnt    ext4    defaults,errors=remount-ro     0     0
Add Partition Entry in Fstab

30. To get the device UUID use the following command.

$ sudo blkid
Get Device UUID

31. To also add the NTFS partition created earlier, use the same syntax as above on a new line in fstab (here the shell's append redirection is used).

$ sudo su -
# echo "/dev/sdd5	/opt	ntfs		defaults		0              0"  >> /etc/fstab
Add NTFS Partition in fstab
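The two entries above must agree: the name after /dev/mapper/ in fstab has to be exactly the target name in crypttab, otherwise the volume is opened under one name and the mount of the other fails at boot. As an added example (not part of the original tutorial), the POSIX shell script below builds both entries by UUID rather than by /dev/sdd1, which can change when disks are added or reordered, and checks an existing crypttab/fstab pair for that mismatch; the function names, the mapper name and the sample UUID are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate /etc/crypttab and /etc/fstab
# entries for a LUKS volume by UUID, and verify the two files agree.

# crypttab entry: <target> UUID=<luks-header-uuid> none luks
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab entry for the opened mapper device, using the tutorial's mount options.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults,errors=remount-ro 0 0\n' "$1" "$2"
}

# Exit 0 when every /dev/mapper/<name> mounted in fstab ($2) has a crypttab
# target ($1) of the same name; exit 1 on the first entry without one.
check_consistency() {
    awk 'FILENAME == ARGV[1] { if ($1 !~ /^#/ && NF >= 2) target[$1] = 1; next }
         $1 ~ /^\/dev\/mapper\// {
             n = $1; sub(/^\/dev\/mapper\//, "", n)
             if (!(n in target)) bad = 1
         }
         END { exit bad }' "$1" "$2"
}

# On a live system: refuse unless the partition carries a LUKS header, then
# look up its UUID with blkid and print both entries ready to append.
emit_entries() {
    dev="$1"; name="$2"; mnt="$3"
    sudo cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    uuid=$(sudo blkid -s UUID -o value "$dev")
    crypttab_line "$name" "$uuid"
    fstab_line "$name" "$mnt"
}

# Demonstration with constructed values only (no disk access): the fstab
# line below names a mapper device that no crypttab target provides.
ct=$(mktemp); ft=$(mktemp)
crypttab_line crypted_volume 0f1e2d3c-0000-4000-8000-constructed > "$ct"
fstab_line encrypt_volume /mnt > "$ft"
if check_consistency "$ct" "$ft"; then
    echo "crypttab and fstab agree"
else
    echo "fstab mounts a /dev/mapper name that crypttab never opens" >&2
fi
rm -f "$ct" "$ft"
```

To use it for real, append the output of emit_entries /dev/sdd1 crypted_volume /mnt to the two files and run check_consistency /etc/crypttab /etc/fstab before rebooting.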

32. To verify the changes, reboot your machine, press Enter after the “Starting configure network device” boot message and type your device passphrase.

Reboot Machine
Verify Partition is Mounted Automatically

As you can see, both disk partitions were automatically mounted in the Ubuntu filesystem hierarchy. As a word of advice, do not mount encrypted volumes automatically from fstab on physically remote servers unless you have access to the boot sequence to provide the encrypted volume's passphrase, otherwise the boot will stall waiting for it.

The same settings can be applied to all types of removable media, such as USB sticks, flash memory, external hard-disks, etc., for protecting important, secret or sensitive data against loss or theft.

Matei Cezar
I'm a computer addicted guy, a fan of open source and Linux based system software, with about 4 years of experience with Linux distributions on desktops and servers and with bash scripting.


4 thoughts on “LUKS: Linux Hard Disk Data Encryption with NTFS Support in Linux”

  1. LUKS is great, but it’s missing one thing. The setup should include something I call a Fricosu key. This is a separate key which, when entered under duress in Colorado, causes the system to silently and permanently forget the real decryption key.

    Could this be used for bad purposes? Sure it could. But if you value your privacy, it might be a life saver. The only way to get around it is if the bad guys (I mean the Government) makes a forensic copy before they force you to enter your (secret) Fricosu key.

