Do you want to know how to encrypt a disk partition using Cryptsetup in Debian for an added layer of security? Then rest assured that we have your back with this how-to guide.
There are situations where you want to encrypt your disk partition. This security measure protects against attacks that rely on physical access to the machine or its drive.
Government organizations, businesses, and security companies now widely observe this practice. They encrypt their disk partitions to protect all kinds of confidential data within their systems.
Once you encrypt your data, it will no longer be readable to anyone who doesn’t have access to the encryption key.
So now we will discuss how to encrypt disk partitions using Cryptsetup in Debian. We will start with a brief introduction to Cryptsetup. Then, we will follow it up with all the necessary steps to encrypt data in your system.
Note: In Linux, you can also encrypt your whole file system. However, you may want to encrypt only the partition that holds your essential files. For this purpose, you can encrypt a disk partition using Cryptsetup.
What is Cryptsetup?
Cryptsetup is a Linux utility that encrypts data on hard disks and external drives. It is built on dm-crypt and encrypts data using the Linux Unified Key Setup (LUKS) format. LUKS is a specification for Linux disk encryption, which keeps encrypted volumes compatible across distributions.
Encrypt Disk Partition using Cryptsetup
Now we will discuss the basic steps to encrypt a disk partition using Cryptsetup. To perform the steps of this article, you should have administrative privileges or an account with sudo privileges.
Install Cryptsetup on Debian
The very first step is the installation of Cryptsetup on Debian. It’s very easy to install Cryptsetup since it’s already available on the Debian repository by default. What you need to do first is update your system by typing the following command on your Terminal:
$ sudo apt update
Now, install the Cryptsetup using the following command:
$ sudo apt install cryptsetup
Format the disk partition
The next step is to format the disk partition. To see the disk partitions in your system, type the following command:
$ lsblk
After that, a list of the drives on your system will appear on your screen.
Suppose you have identified sda as the target device. Back up the data on the drive first, because formatting it as LUKS overwrites the existing contents. Then format it by typing the following command on your Terminal:
$ sudo cryptsetup luksFormat /dev/sda
In the previous command, we initiated the format of the disk. When prompted, type YES. And then, you will have to type a passphrase which will serve as the encryption key. It will take a while to complete. Once you’re done, you can view the disk again using the following command:
$ lsblk -f
Create a partition for encryption
So now, since the disk is already encrypted, we won’t be able to access it as it is. To open it, you have to type the following command:
$ sudo cryptsetup luksOpen /dev/sda cryptpart
Provide the passphrase when asked for it. Now, run the following command to identify the disk:
$ lsblk -f
You should see a new volume cryptpart under sda. The new volume has been created through the device mapper of Linux. Now, create an ext4 filesystem on it as follows:
$ sudo mkfs.ext4 /dev/mapper/cryptpart
To mount for a short period of time, you may use the following command:
$ sudo mkdir -p /mnt/encrypted
$ sudo mount /dev/mapper/cryptpart /mnt/encrypted
You can verify that the disk has been mounted by inputting this specific command:
$ lsblk | grep cryptpart
Mounting the disk permanently
We will use the /etc/crypttab file to mount the disk permanently. The init process of Linux reads this file when the system boots and asks for the unlock key. But first, you have to identify the UUID for the LUKS partition using the following command:
$ sudo blkid | grep -i luks
Hint: We use a fstab file in Linux to mount disks permanently. But for encrypted partitions, we need to use a crypttab file.
Now using your favorite editor, create a file as follows:
$ sudo vim /etc/crypttab
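Add one line with four fields: the mapping name (cryptpart), the UUID of the LUKS partition, none in the key field so that the passphrase is requested at boot, and the luks option. Save the file. Identify the UUID for the ext4 partition using the following command: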
$ sudo blkid | grep -i ext4
Finally, open the fstab file using vim and add the decrypted mount point as follows:
UUID=289493ba-f87b-41c9-803a-c59baf112fff /mnt/encrypted ext4 defaults 0 0
Verify automount
Reboot your system to verify that the automount works. To do this, type the following command:
$ sudo reboot
After that, you will have to provide a passphrase upon boot. Once rebooted, type the following command to verify if the disk is now mounted properly:
$ lsblk -f | grep sda -A 2
Creating an authentication key
You can also create an authentication key using the following command:
$ echo "StrongPassw0rd" > volume-key
$ sudo mv volume-key /boot/
Next, set the desired permissions as follows:
$ sudo chown root:root /boot/volume-key
$ sudo chmod 0400 /boot/volume-key
Then, type the following command:
$ sudo cryptsetup luksAddKey <encrypted_device> <path_to_key>
Provide the passphrase when asked, and then verify if the key has been added using the following command:
$ sudo cryptsetup luksDump /dev/sda
You need to configure the crypttab file to accommodate the new authentication method. Replace none with the path to the key file as follows:
$ sudo vim /etc/crypttab
# Content of the crypttab file
cryptpart UUID=<partition_uuid> /boot/volume-key luks
After that, reboot your system and verify if the disk has been mounted using this command:
$ lsblk -f
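The key-file steps above and the crypttab entry they feed, as an added example that is not part of the original article: make_keyfile writes a random key instead of a typed word, and audit_crypttab checks that every key file named in a crypttab exists and is closed to group and others. Both function names and all paths passed to them are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# make_keyfile PATH: write 64 random bytes to PATH, readable by the owner only.
make_keyfile() {
    (
        umask 077    # the file is never group/world readable, even briefly
        dd if=/dev/urandom of="$1" bs=64 count=1 2>/dev/null
    ) && chmod 0400 "$1"
}

# audit_crypttab FILE: inspect the third field (key file) of every entry.
# Prints one finding per entry and returns 1 if any key file is missing
# or accessible to group or others.
audit_crypttab() {
    rc=0
    while read -r name device key options; do
        case "$name" in ''|'#'*) continue ;; esac    # blank lines and comments
        case "$key" in
            ''|none|-) echo "$name: passphrase prompt at boot"; continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "$name: key file $key missing"
            rc=1
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld -- "$key" | cut -c5-10)
        if [ "$perms" = "------" ]; then
            echo "$name: key file $key ok"
        else
            echo "$name: key file $key accessible to group/others"
            rc=1
        fi
    done < "$1"
    return $rc
}
```

The audit covers file permissions only. If /boot itself is not encrypted, a key file stored there unlocks the volume for anyone who obtains the disk.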
Restore the Backup
Once you’ve confirmed that the disk has been mounted successfully, you can now restore the backup made on the disk before formatting.
And that’s about it! In this article, we covered all the necessary steps to encrypt a disk partition using Cryptsetup. The tool can encrypt the partition and secure your data from malicious attacks. If you have any questions about this topic, don’t hesitate to leave a comment down below.