LUKS
Being able to encrypt individual files can be handy, but it can be quite unwieldy for a large number of files. For that, we need something better, and we have three different methods:
- Block encryption: We can use this for either whole-disk encryption, or to encrypt individual partitions.
- File-level encryption: We'd use this to encrypt individual directories, without having to encrypt the underlying partitions.
- Containerized encryption: Using third-party software that doesn't come with any Linux distribution, we can create encrypted, cross-platform containers that can be opened on either Linux, Mac, or Windows machines.
The Linux Unified Key Setup (LUKS) falls into the first category.
Partition Encryption
One needs to use the cryptsetup command to interact with LUKS partitions.
Configure a LUKS partition
# -v stands for verbose mode
# -y asks for password confirmation
sudo cryptsetup -y -v luksFormat /dev/<...>
If you need to get some metadata about the partition that just got encrypted, run:
sudo cryptsetup luksDump /dev/<...>
Next, you map the newly created partition to a device name:
# device name can be anything, like "crypt", "supasekrit", etc.
sudo cryptsetup luksOpen /dev/<...> <device-name>
Check the symlink created in the /dev/mapper directory:
ls -l /dev/mapper/<device-name>
# you can also fetch information via dmsetup
sudo dmsetup info <device-name>
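Another useful trick is to fill the new partition with zeros before formatting it with a filesystem. Because the zeros are written through the mapped device, they reach the disk as ciphertext, so unused space cannot be told apart from real data:
# dd stops with "No space left on device" once the mapping is full; that is expected
pv -tpreb /dev/zero | sudo dd of=/dev/mapper/<device-name> bs=128M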
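The metadata that cryptsetup luksDump prints in the step above comes from the header at the start of the partition. The following is an added example, not part of the original page or of cryptsetup: a small parser for that header, assuming the LUKS1 on-disk layout (for LUKS2 it reports only version and UUID). The function names and the sample header, including its UUID, are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD   # LUKS1 key slot states
# LUKS1 header: magic, version, cipher, mode, hash, payload offset (sectors),
# key bytes, MK digest, digest salt, digest iterations, UUID = 208 bytes.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")   # state, iterations, salt, offset, stripes

def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks_header(buf):
    """Return header fields as a dict; raise ValueError if buf is not LUKS."""
    if len(buf) < PHDR.size or buf[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0")
    version = struct.unpack_from(">H", buf, 6)[0]
    # The UUID sits at byte offset 168 in both LUKS1 and LUKS2 headers.
    info = {"version": version, "uuid": _text(buf[168:208])}
    if version != 1:
        return info   # LUKS2 keeps cipher and key slot details in a JSON area
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("truncated LUKS1 header")
    f = PHDR.unpack_from(buf)
    active = [i for i in range(8)
              if SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)[0] == SLOT_ACTIVE]
    info.update(cipher=_text(f[2]), mode=_text(f[3]), hash=_text(f[4]),
                payload_offset=f[5], key_bits=f[6] * 8, active_slots=active)
    return info

def build_sample_header():
    """Constructed header for the demo: made-up UUID, zeroed salts and digest."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                    4096, 64, bytes(20), bytes(32), 1000,
                    b"00000000-0000-4000-8000-000000000001")
    for i in range(8):
        state = SLOT_ACTIVE if i == 0 else SLOT_DISABLED
        hdr += SLOT.pack(state, 1000, bytes(32), 8 + i * 512, 4000)
    return hdr

if __name__ == "__main__":
    # To inspect a real volume, pass the first 592 bytes of the device or of
    # a header backup instead of the constructed sample.
    for key, value in parse_luks_header(build_sample_header()).items():
        print(f"{key:15} {value}")
```

A partition whose first bytes do not carry the LUKS magic raises ValueError, which is a quick way to confirm that luksFormat was applied to the device you intended.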