Encrypted disks and/or filesystems are nothing new on Linux; most distributions, these days, allow you to encrypt some or all your disk partitions, so that they can only be accessed with a password. In this tutorial, however, we’re going to add a new encrypted partition to an existing system, using only the command line. I’ve found that tutorials on the web seem to make this issue more complex than it actually is, so here’s mine — hopefully it’ll be easier than most.
In this guide, we’ll be making a few assumptions. First, as said above, it’ll be an existing system, to which we’ve just added a new disk, /dev/sdb. Adapt to your situation, of course. If you’re not using an entire disk, just create a new partition with fdisk (e.g. /dev/sdb1) and use it instead. Second, we’ll have the machine boot with the disk unmounted, then use a command to mount it (asking for a passphrase, of course), and another to dismount it when you don’t need it. The obvious usage of such a partition is for storing sensitive/private data, but theoretically, you could run software on it — as long as you don’t automatically attempt to start it on boot, and don’t mind keeping it mounted most or all of the time, which perhaps defeats its purpose: if it’s mounted, it’s accessible.
So, without further ado…
First, install cryptsetup (use only the appropriate command for your distribution, of course):
As said before, we’ll be using the entire /dev/sdb disk, so let’s encrypt it:
Answer YES to the confirmation question, and enter a passphrase when prompted. Don’t forget it, or you won’t be able to later access anything you store on that partition! And pick something that can’t be guessed by someone who knows you, that you don’t use anywhere else, and that can’t easily be brute-forced.
Let’s make the encrypted partition available to the system:
Enter the same passphrase as above, when prompted. This will create a new device, /dev/mapper/encrypted, which can now (after the “luksOpen”) be accessed as a normal disk partition. Right now there’s no actual filesystem on it, so we’ll create one:
You can now mount it…
… add it to /etc/fstab:
(note the “noauto” option to prevent it from being mounted automatically on boot. The “user” option is for mounting the filesystem as a non-root user, which you’ll see used a bit later.)
Finally, to unmount it and leave only the encrypted version (so that nobody can mount or access it without knowing your passphrase), you can do:
The above, you’ll note, will remove the /dev/mapper/encrypted device from your system (it’ll come back when you enter the command that includes “luksOpen”). In that state (which will be the default on boot), no one can access your data (including listing its contents), even if they gain root access, or physically steal the disk drive.
To make life easier, I first added the following commands to my non-root user’s sudoers configuration: “/sbin/cryptsetup luksOpen /dev/sdb encrypted, /sbin/cryptsetup luksClose encrypted” without prompting for a password (it’ll already ask for the passphrase, anyway), and then created these two scripts in /usr/local/bin (which is in the default path):
So I enter “encrypted_mount” when I need to access the encrypted drive, and “encrypted_umount” when I’m done with it.
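As an added example (not the post’s own scripts), here is one helper that does both the “encrypted_mount” and “encrypted_umount” jobs, with the checks you want in practice: it refuses to open a volume that is already open, and closes the mapping again if the mount step fails. It assumes the LUKS container is on /dev/sdb, the mapping is named “encrypted”, and fstab has a “noauto,user” entry for /mnt/encrypted (the mount point is an assumption).

```sh
#!/bin/sh
# Added example, not the author's scripts: one helper that does the
# "encrypted_mount" / "encrypted_umount" jobs from the post. Assumed layout:
# LUKS container on /dev/sdb, mapping name "encrypted", fstab entry for
# /mnt/encrypted with "noauto,user" (the mount point is an assumption).
DEVICE="${DEVICE:-/dev/sdb}"
MAPPING="${MAPPING:-encrypted}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/encrypted}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"   # overridable so the logic can be tested

# Succeeds when the plaintext mapping exists, i.e. the volume is unlocked.
is_open() {
    [ -e "$MAPPER_DIR/$MAPPING" ]
}

# Unlock (cryptsetup prompts for the passphrase; sudoers lets the user run it
# without a sudo password, as in the post), then mount via fstab. If the mount
# fails, close the mapping again so no unlocked device is left behind.
encrypted_mount() {
    if is_open; then
        echo "$MAPPING is already open" >&2
        return 1
    fi
    sudo cryptsetup luksOpen "$DEVICE" "$MAPPING" || return 1
    if ! mount "$MOUNTPOINT"; then
        echo "mount of $MOUNTPOINT failed, closing $MAPPING again" >&2
        sudo cryptsetup luksClose "$MAPPING"
        return 1
    fi
}

# Unmount first, then drop the mapping; luksClose refuses while the device is
# still in use, and refusing early gives a clearer error than a failed luksClose.
encrypted_umount() {
    if ! is_open; then
        echo "$MAPPING is not open" >&2
        return 1
    fi
    umount "$MOUNTPOINT" || return 1
    sudo cryptsetup luksClose "$MAPPING"
}

# Install as /usr/local/bin/encrypted_mount and symlink encrypted_umount to it,
# or pass "mount" / "umount" as the first argument.
case "${1:-$(basename "$0")}" in
    mount|encrypted_mount)   encrypted_mount ;;
    umount|encrypted_umount) encrypted_umount ;;
esac
```

One thing to keep in mind: the fstab “user” option implies noexec, nosuid and nodev unless you override them, so binaries on a volume mounted this way will not run, which matters if you do intend to run software from it.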
Easy stuff, right? 🙂 Any questions, feel free to comment.