Linux: Creating and using an encrypted data partition

Encrypted disks and/or filesystems are nothing new on Linux; most distributions, these days, allow you to encrypt some or all your disk partitions, so that they can only be accessed with a password. In this tutorial, however, we’re going to add a new encrypted partition to an existing system, using only the command line. I’ve found that tutorials on the web seem to make this issue more complex than it actually is, so here’s mine — hopefully it’ll be easier than most.

In this guide, we’ll be making a few assumptions. First, as said above, it’ll be an existing system, to which we’ve just added a new disk, /dev/sdb. Adapt to your situation, of course. If you’re not using an entire disk, just create a new partition with fdisk (e.g. /dev/sdb1) and use it instead. Second, we’ll have the machine boot with the disk unmounted, then use a command to mount it (asking for a passphrase, of course), and another to dismount it when you don’t need it. The obvious usage of such a partition is for storing sensitive/private data, but theoretically, you could run software on it — as long as you don’t automatically attempt to start it on boot, and don’t mind keeping it mounted most or all of the time, which perhaps defeats its purpose: if it’s mounted, it’s accessible.

So, without further ado…

First, install cryptsetup (use only the appropriate command for your distribution, of course):

apt install cryptsetup # Debian-based, or
yum install cryptsetup # Red Hat-based

As said before, we’ll be using the entire /dev/sdb disk, so let’s encrypt it:

cryptsetup luksFormat /dev/sdb

Answer YES to the confirmation question, and enter a passphrase when prompted. Don’t forget it, or you won’t be able to later access anything you store on that partition! And pick something that can’t be guessed by someone who knows you, that you don’t use anywhere else, and that can’t easily be brute-forced.

Let’s make the encrypted partition available to the system:

cryptsetup luksOpen /dev/sdb encrypted

Enter the same passphrase as above, when prompted. This will create a new device, /dev/mapper/encrypted, which can now (after the “luksOpen”) be accessed as a normal disk partition. Right now there’s no actual filesystem on it, so we’ll create one:

mkfs.ext4 /dev/mapper/encrypted

You can now mount it…

mkdir /encrypted
mount /dev/mapper/encrypted /encrypted/

… add it to /etc/fstab:

/dev/mapper/encrypted /encrypted ext4 defaults,noauto,user 0 0

(note the “noauto” option to prevent it from being mounted automatically on boot. The “user” option is for mounting the filesystem as a non-root user, which you’ll see used a bit later.)

Finally, to unmount it and leave only the encrypted version (so that nobody can mount or access it without knowing your passphrase), you can do:

umount /encrypted
cryptsetup luksClose encrypted

The above, you’ll note, will remove the /dev/mapper/encrypted device from your system (it’ll come back when you enter the command that includes “luksOpen”). In that state (which will be the default on boot), no one [1] can access your data (including listing its contents), even if they gain root access, or physically steal the disk drive.

To make life easier, I first allowed my non-root user to run the following commands through sudo without prompting for a password (cryptsetup will already ask for the passphrase, anyway): “/sbin/cryptsetup luksOpen /dev/sdb encrypted, /sbin/cryptsetup luksClose encrypted”. I then created these two scripts in /usr/local/bin (which is in the default path):

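/usr/local/bin/encrypted_mount:

#!/bin/bash
# Open the LUKS container (this will ask for your passphrase), then mount it
# only if the open succeeded.
sudo cryptsetup luksOpen /dev/sdb encrypted && mount /encrypted

/usr/local/bin/encrypted_umount:

#!/bin/bash
# Unmount first; close the mapping only if the unmount succeeded.
umount /encrypted && sudo cryptsetup luksClose encrypted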

So I enter “encrypted_mount” when I need to access the encrypted drive, and “encrypted_umount” when I’m done with it.
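
One failure mode of the short scripts: if /encrypted was already unmounted by hand, umount fails, luksClose never runs, and /dev/mapper/encrypted stays open. The state-aware variant below is an added example, not the author's own scripts; it assumes the same device, mapping name, fstab and sudoers entries as above, and the function names are illustrative.

```bash
#!/bin/bash
# Added example, not the author's scripts. Names and paths follow the tutorial.
LUKS_DEV="/dev/sdb"        # adapt to your disk or partition
MAP_NAME="encrypted"       # mapping name given to luksOpen
MOUNT_POINT="/encrypted"   # must match the /etc/fstab entry

# True while the decrypted device /dev/mapper/$MAP_NAME exists.
is_open() { [ -e "/dev/mapper/$MAP_NAME" ]; }

# True while a filesystem is mounted on $MOUNT_POINT.
is_mounted() { mountpoint -q "$MOUNT_POINT"; }

encrypted_mount() {
    if ! is_open; then
        # Asks for the passphrase; stop here if it is wrong.
        sudo cryptsetup luksOpen "$LUKS_DEV" "$MAP_NAME" || return 3
    fi
    is_mounted || mount "$MOUNT_POINT"
}

encrypted_umount() {
    if is_mounted; then
        # A busy filesystem cannot be closed safely; report and stop.
        umount "$MOUNT_POINT" || return 4
    fi
    if is_open; then
        sudo cryptsetup luksClose "$MAP_NAME" || return 5
    fi
    # Succeed only if the decrypted device is really gone.
    if is_open; then
        echo "WARNING: /dev/mapper/$MAP_NAME is still open" >&2
        return 6
    fi
}

# Usage: <script> mount | <script> umount
case "${1:-}" in
    mount)  encrypted_mount ;;
    umount) encrypted_umount ;;
esac
```

A non-zero exit from the umount path means the data may still be readable, so check it before walking away from the machine.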

Easy stuff, right? 🙂 Any questions, feel free to comment.

  1. with the possible exception of a couple of government agencies, but let’s not open that can of worms…
