How to Encrypt Disk Partition using Cryptsetup in Debian


Do you want to know how to encrypt disk partition using Cryptsetup in Debian for an added layer of security? Then rest assured that we have your back with this how-to guide. 

There are situations where you want to encrypt a disk partition. Doing so protects the data at rest against attacks that depend on physical access to the machine or its drives.

Government organizations, businesses, and security companies now widely observe this practice. They encrypt their disk partitions to protect all kinds of confidential data within their systems.

Once you encrypt your data, it will no longer be readable to anyone who doesn’t have access to the encryption key. 

So now we will discuss how to encrypt disk partitions using Cryptsetup in Debian. We will start with a brief introduction to Cryptsetup. Then, we will follow it up with all the necessary steps to encrypt data in your system.

Note: In Linux, you can also encrypt your whole file system. However, you may only want to protect specific essential files. In that case, you can keep them on a dedicated partition and encrypt that partition using Cryptsetup.

What is Cryptsetup?

Cryptsetup is a Linux utility that can encrypt internal hard disks and external drives. It is based on dm-crypt and encrypts data using Linux Unified Key Setup (LUKS). LUKS is a specification for the on-disk format of encrypted volumes, so a volume created on one distribution can be opened on others.

Encrypt Disk Partition using Cryptsetup

Now we will discuss the basic steps to encrypt disk partition using Cryptsetup. To perform the steps of this article, you should have administrative privileges or an account with sudo privileges.

Install Cryptsetup on Debian

The very first step is the installation of Cryptsetup on Debian. It’s very easy to install Cryptsetup since it’s already available on the Debian repository by default. What you need to do first is update your system by typing the following command on your Terminal:

$ sudo apt update

Now, install Cryptsetup using the following command:

$ sudo apt install cryptsetup

Format the disk partition

The next step is to format the disk partition. To see the disk partitions in your system, type the following command:

$ lsblk

After that, a list of the drives on your system will appear on your screen.

Suppose you have identified sda as the device to encrypt. Back up the data on the drive first, because formatting it as LUKS overwrites what is there. Then format it by typing the following command on your Terminal:

$ sudo cryptsetup luksFormat /dev/sda

The previous command starts formatting the disk. When prompted, type YES in capital letters. You will then have to type a passphrase, which protects the encryption key of the volume. It will take a while to complete. Once you’re done, you can view the disk again using the following command:

$ lsblk -f

Create a partition for encryption

So now, since the disk is already encrypted, we won’t be able to access it as it is. To open it, you have to type the following command:

$ sudo cryptsetup luksOpen /dev/sda cryptpart

Provide the passphrase when asked for it. Now, run the following command to identify the disk:

$ lsblk -f

You should see a new volume cryptpart under sda. The new volume has been created through the device mapper of Linux. Now, create an ext4 filesystem on it as follows:

$ sudo mkfs.ext4 /dev/mapper/cryptpart

To mount it temporarily (until the next reboot), you may use the following commands:

$ sudo mkdir -p /mnt/encrypted
$ sudo mount /dev/mapper/cryptpart /mnt/encrypted

You can verify that the disk has been mounted by inputting this specific command:

$ lsblk | grep cryptpart

Mounting the disk permanently

We will use the /etc/crypttab file to unlock the disk at every boot. The init process of Linux reads this file when the system boots and asks for the passphrase to unlock each listed volume. But first, you have to identify the UUID of the LUKS partition using the following command:

$ sudo blkid | grep -i luks

Hint: We use a fstab file in Linux to mount disks permanently. But for encrypted partitions, we need to use a crypttab file.

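Now, using your favorite editor, open the file and add an entry for the volume: the mapped name (cryptpart), UUID= followed by the UUID of the LUKS partition, none as the key file, and luks as the option: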

$ sudo vim /etc/crypttab

Save the file. Identify the UUID of the ext4 filesystem using the following command:

$ sudo blkid | grep -i ext4

Finally, open the /etc/fstab file using vim and add an entry that mounts the decrypted filesystem as follows:

UUID=289493ba-f87b-41c9-803a-c59baf112fff  /mnt/encrypted ext4 defaults 0 0
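
Before rebooting, it is worth checking that the two UUIDs were not swapped: /etc/crypttab must reference the LUKS container and /etc/fstab the ext4 filesystem inside it. The following check is an added example, not part of the original guide; the function names, the saved blkid output file and the LUKS UUID in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# uuids_of_type TYPE BLKID_FILE: print the UUID of every device of that TYPE
# found in saved `blkid` output.
uuids_of_type() {
    sed -n "/ TYPE=\"$1\"/s/.* UUID=\"\([^\"]*\)\".*/\1/p" "$2"
}

# check_uuid_refs BLKID_FILE CRYPTTAB FSTAB: return 0 only if every UUID= in
# crypttab is a LUKS container and every ext4 UUID= in fstab is an ext4
# filesystem. One line is printed per mismatch.
check_uuid_refs() {
    rc=0
    luks=$(uuids_of_type crypto_LUKS "$1")
    fs=$(uuids_of_type ext4 "$1")
    for u in $(awk '$1 !~ /^#/ && $2 ~ /^UUID=/ {sub(/^UUID=/, "", $2); print $2}' "$2"); do
        printf '%s\n' "$luks" | grep -qxF "$u" ||
            { echo "crypttab: $u is not a LUKS container UUID"; rc=1; }
    done
    for u in $(awk '$1 ~ /^UUID=/ && $3 == "ext4" {sub(/^UUID=/, "", $1); print $1}' "$3"); do
        printf '%s\n' "$fs" | grep -qxF "$u" ||
            { echo "fstab: $u is not an ext4 filesystem UUID"; rc=1; }
    done
    return $rc
}

# Constructed sample data: the LUKS UUID is made up, the ext4 UUID is the one
# used in the fstab entry above.
uuid_demo=$(mktemp -d)
printf '%s\n' \
    '/dev/sda: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS"' \
    '/dev/mapper/cryptpart: UUID="289493ba-f87b-41c9-803a-c59baf112fff" BLOCK_SIZE="4096" TYPE="ext4"' \
    > "$uuid_demo/blkid"
printf '%s\n' 'cryptpart UUID=11111111-2222-3333-4444-555555555555 none luks' \
    > "$uuid_demo/crypttab"
printf '%s\n' 'UUID=289493ba-f87b-41c9-803a-c59baf112fff  /mnt/encrypted ext4 defaults 0 0' \
    > "$uuid_demo/fstab"
check_uuid_refs "$uuid_demo/blkid" "$uuid_demo/crypttab" "$uuid_demo/fstab" &&
    echo "UUID references are consistent"
```

On a real system, the first argument would be a file produced with sudo blkid while the volume is open, and the other two would be /etc/crypttab and /etc/fstab.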

Verify automount

Reboot your system to verify that the automount works. To do this, type the following command:

$ sudo reboot

After that, you will have to provide a passphrase upon boot. Once rebooted, type the following command to verify if the disk is now mounted properly:

$ lsblk -f | grep sda -A 2

Creating an authentication key

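You can also create an authentication key (a key file) so that the volume can be unlocked without typing the passphrase. The commands below use a fixed string and store the key in /boot; in practice, use a long random value, and keep in mind that a key file on an unencrypted /boot can be read by anyone with access to the disk: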

$ echo "StrongPassw0rd" > volume-key
$ sudo mv volume-key /boot/

Next, set the desired permissions as follows:

$ sudo chown root:root /boot/volume-key
$ sudo chmod 0400 /boot/volume-key

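Then, add the key file to the LUKS volume with the following command, replacing the placeholders with your device and the path to the key: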

$ sudo cryptsetup luksAddKey <encrypted_device> <path_to_key>

Provide the passphrase when asked, and then verify if the key has been added using the following command:

$ sudo cryptsetup luksDump /dev/sda

You need to configure the crypttab file to accommodate the new authentication method. Replace none with the path to the key file as follows:

$ sudo vim /etc/crypttab
# Content of the crypttab file
cryptpart    UUID=<partition_uuid>    /boot/volume-key    luks

After that, reboot your system and verify if the disk has been mounted using this command:

$ lsblk -f
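
A key file only helps if it is harder to reach than the data it unlocks. The following audit of the key-file column of a crypttab-style file is an added example, not part of the original guide; audit_keyfiles and its ROOT argument are hypothetical, and it assumes /boot is an unencrypted partition, as in a typical install.

```shell
#!/bin/sh
# audit_keyfiles CRYPTTAB [ROOT]: print one finding per risky key-file setting
# and return 1 if there is any. ROOT is prepended to key paths so that a
# mounted image or a scratch tree can be audited instead of the live system.
audit_keyfiles() {
    root=${2:-} findings=0
    while read -r name device keyfile options || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac             # blank line or comment
        case "$keyfile" in ''|none|-|/dev/*) continue ;; esac  # passphrase prompt or device source
        case "$keyfile" in /boot/*)
            # Assumption: /boot is not encrypted, so the key sits next to the lock.
            echo "$name: $keyfile is on /boot (assumed unencrypted)"
            findings=$((findings + 1)) ;;
        esac
        if [ ! -f "$root$keyfile" ]; then
            echo "$name: $keyfile does not exist"
            findings=$((findings + 1))
            continue
        fi
        mode=$(stat -c '%a' "$root$keyfile")                   # GNU stat, as on Debian
        case "$mode" in
            *00) ;;                                             # no group/other access
            *) echo "$name: $keyfile has mode $mode, expected 400"
               findings=$((findings + 1)) ;;
        esac
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Constructed sample: the crypttab entry shown above, with the key file left
# world-readable (mode 0644) inside a scratch directory.
key_demo=$(mktemp -d)
mkdir -p "$key_demo/boot"
: > "$key_demo/boot/volume-key"
chmod 0644 "$key_demo/boot/volume-key"
printf '%s\n' '# Content of the crypttab file' \
    'cryptpart    UUID=<partition_uuid>    /boot/volume-key    luks' > "$key_demo/crypttab"
audit_keyfiles "$key_demo/crypttab" "$key_demo" || true
```

Run against the live system as sudo sh -c with /etc/crypttab as the only argument; an entry that still uses none produces no finding because no key file is involved.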

Restore the Backup

Once you’ve confirmed that the disk has been mounted successfully, you can now restore the backup made on the disk before formatting.

And that’s about it! In this article, we covered all the necessary steps to encrypt disk partition using Cryptsetup. The tool can encrypt the partition and secure your data from malicious attacks. If you have any questions about this topic, don’t hesitate to leave a comment down below.
