Recent Linux distributions include the cryptsetup-luks package by default. This package makes disk encryption fairly easy in Linux: you can either encrypt a whole disk partition or create an encrypted file system inside a regular file using a loop-back device. This article outlines the basic usage of the cryptsetup tool to set up encryption of a disk partition.

If you don’t have the cryptsetup-luks package installed in Fedora Linux, you can use “yum” to install it. For more details read this article and look for the xinetd package installation.

Initializing Disk Partition for Encryption

This procedure is required only once to initialize a disk partition for the first time. The next section explains how to mount and unmount a partition for daily usage.

First, choose a partition to encrypt. Make sure it holds no data you still need, and back up anything present on it before you use it for encryption, because the next step destroys its contents.

The chosen partition must first be formatted for LUKS encryption. Here I am using the “/dev/sda6” partition as an example. When prompted for a passphrase, use one that you will always remember. Choose it carefully: forgetting the passphrase means permanent loss of every file you later store in the encrypted partition.

[root@techpulp mark]# cryptsetup luksFormat /dev/sda6

WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: <-- input "yourpassword" here
Verify passphrase: <-- input "yourpassword" here
Command successful.
[root@techpulp mark]#

Once the partition is formatted, use the luksOpen option to open the device and map it to another device with a symbolic name through the device mapper. Here I am using “enc-disk” as the device mapper name. Whenever you open a LUKS encrypted partition, you will be asked for the passphrase you supplied while formatting it.

[root@techpulp mark]# cryptsetup luksOpen /dev/sda6 enc-disk
Enter LUKS passphrase for /dev/sda6: <-- input "yourpassword" here
key slot 0 unlocked.
Command successful.
[root@techpulp mark]#

If the above command succeeds, a new node appears in the “/dev/mapper” directory with the symbolic name you gave to the luksOpen operation. In this case I used “enc-disk”, so a block device is created as /dev/mapper/enc-disk.

[root@techpulp mark]# ls -l /dev/mapper
total 0
crw-rw---- 1 root root  10, 63 2009-01-07 16:02 control
brw-rw---- 1 root disk 253,  1 2009-01-07 16:39 enc-disk
[root@techpulp mark]#

Now create an EXT3 file system on the mapped device. EXT3 is not mandatory; you can choose any file system type.

[root@techpulp mark]# mkfs.ext3 /dev/mapper/enc-disk
mke2fs 1.41.3 (12-Oct-2008)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
2101232 inodes, 8389809 blocks
419490 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=0
257 block groups
32768 blocks per group, 32768 fragments per group
8176 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 36 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
[root@techpulp mark]#

Now you can mount the partition and start using it.

[root@techpulp mark]# mkdir /enc-disk
[root@techpulp mark]# mount /dev/mapper/enc-disk /enc-disk
[root@techpulp mark]#

You can see the encrypted disk mounted using the “df” command. Remember that “/dev/mapper/enc-disk” is a logical device that is mapped onto /dev/sda6, so whatever is written to this logical device is encrypted and then written to the physical partition /dev/sda6.

[root@techpulp mark]# df /enc-disk
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/enc-disk  33031680    180236  31173484   1% /enc-disk
[root@techpulp mark]#

This procedure of formatting the physical partition with LUKS and creating a file system on the logical device is needed only once, during setup. The following section covers daily usage.

Daily Usage

It is not advisable to mount the encrypted partition automatically at boot. Instead, mount it manually when you need it and unmount it once you are done.

How to open and mount:
Open the partition using password and map it to a logical device.

[root@techpulp mark]# cryptsetup luksOpen /dev/sda6 enc-disk
Enter LUKS passphrase for /dev/sda6: <-- input "yourpassword" here
key slot 0 unlocked.
Command successful.
[root@techpulp mark]#

Now mount the partition:

[root@techpulp mark]# mount /dev/mapper/enc-disk /enc-disk
[root@techpulp mark]#

How to unmount and close:

[root@techpulp mark]# umount /enc-disk
[root@techpulp mark]# cryptsetup luksClose enc-disk
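The daily open/mount and unmount/close steps above, wrapped in a small POSIX shell script with state checks so that a step is never repeated or run out of order (luksClose fails while the file system is still mounted). This is an added example, not part of the original article; it assumes the article's /dev/sda6, enc-disk and /enc-disk names and adds a DRY_RUN switch that prints the commands instead of running them (real use requires root).

```shell
#!/bin/sh
# Added example, not from the original article. Assumed names follow the
# article: device /dev/sda6, mapper name enc-disk, mount point /enc-disk.
# DRY_RUN=1 prints each privileged command instead of executing it.
DEVICE="${DEVICE:-/dev/sda6}"
NAME="${NAME:-enc-disk}"
MNT="${MNT:-/enc-disk}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or echo it prefixed with "+ " when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# is_open: true when the device-mapper node created by luksOpen exists
is_open() {
    [ -b "/dev/mapper/$NAME" ]
}

# is_mounted: true when the mount point appears in /proc/mounts
is_mounted() {
    grep -q " $MNT " /proc/mounts 2>/dev/null
}

# enc_open: luksOpen (prompts for the passphrase), then mount;
# each step is skipped if it has already been done
enc_open() {
    if is_open; then
        echo "$NAME already open"
    else
        run cryptsetup luksOpen "$DEVICE" "$NAME" || return 1
    fi
    if is_mounted; then
        echo "$MNT already mounted"
    else
        run mount "/dev/mapper/$NAME" "$MNT"
    fi
}

# enc_close: umount first, then luksClose so the volume key is
# dropped from kernel memory once you are done with the data
enc_close() {
    if is_mounted; then
        run umount "$MNT" || return 1
    fi
    if is_open; then
        run cryptsetup luksClose "$NAME"
    fi
}
```

Run `DRY_RUN=1 . ./enc.sh; enc_open` first to see exactly which commands would be issued, then source it as root without DRY_RUN for real use.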