LUKS Encryption



Last modified on July 7, 2024


LUKS (Linux Unified Key Setup) is a libre and free disk encryption standard which allows for the encryption of external and internal disks on Linux. Everything from an SD card to your root partition can be encrypted with LUKS, allowing you to keep your data secure.

LUKS works by utilizing a master encryption key protected by a user key, which in most cases will be a password.

External USB Drive

Suppose the device /dev/sdb1 is a USB flash stick partition we wish to encrypt. To do so, simply run:

cryptsetup luksFormat /dev/sdb1

You will be prompted to enter a password and verify it. Make sure to pick a secure one!

Accessing the external drive

To decrypt the partition, simply run:

cryptsetup open /dev/sdb1 cryptusb

This will make the partition device accessible in /dev/mapper/cryptusb. To use it properly, it must have a formatted filesystem:

mkfs.ext4 /dev/mapper/cryptusb

Now it may be mounted:

mount /dev/mapper/cryptusb /mnt

Note: A filesystem daemon like GVFS will automatically know how to handle encrypted drives and prompt you for a password when accessing them.

Encrypted Root Partition

Many Linux distributions with GUI installers like Linux Mint and Artix offer an encrypted root partition option. Simply enable encryption and set a password in their GUI, and you will be prompted for it at boot.

The rest of this guide will follow all the steps necessary to set up an encrypted root partition on a manual install distribution like Archlinux or Gentoo.

Partition Setup

Begin by setting up an encrypted partition as normal:

cryptsetup luksFormat /dev/sda2
# You will now be prompted for a password...

# Make note of where you open the encrypted partition!
cryptsetup open /dev/sda2 cryptroot
# You will once again be prompted for a password

# Format and mount the partition
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt

Installing Linux

When installing Linux, make sure to install the packages containing the cryptsetup and lvm2 commands.

You may now install Linux to the partition mounted to /mnt as normal. However, the partition will not boot if you leave it like this! Make sure to follow these steps:

mkinitcpio setup

If you are using dracut or booster for your initcpio, you can ignore this step!

If you are using Archlinux or Artix, the default initcpio software included with your distribution is mkinitcpio. It does not support encryption by default. This can be corrected by editing /etc/mkinitcpio.conf and changing the HOOKS=(... line to include the encrypt and lvm2 hooks, in this order:

HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)

After modifying the config, make sure to re-generate the initcpio:

mkinitcpio -P

Bootloader setup

Your bootloader needs to be aware of your encrypted partition setup, or it won’t know where to look for your root partition.

Obtaining UUIDs

To set up encryption, you must obtain the UUIDs for both your encrypted partition (cryptdevice) and the unencrypted filesystem inside it (root). To see these, use the blkid command with output options that print only the UUID:

## Obtain the UUID for cryptdevice:
blkid /dev/sda2 -o value -s UUID
## In this example, we'll use f4f9f9f6-222a-4018-b45a-9b86544890e4

## Obtain the UUID for root:
blkid /dev/mapper/cryptroot -o value -s UUID
## In this example, we'll use 83276439-f9fa-4429-a2e2-91c072c02c4f

GRUB Setup

Set the following in /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=f4f9f9f6-222a-4018-b45a-9b86544890e4:cryptroot root=UUID=83276439-f9fa-4429-a2e2-91c072c02c4f"

rEFInd Setup

Set the following in /boot/refind_linux.conf:

"Boot with standard options"    "root=UUID=83276439-f9fa-4429-a2e2-91c072c02c4f ro cryptdevice=UUID=f4f9f9f6-222a-4018-b45a-9b86544890e4:cryptroot:allow-discards loglevel=3"
"Boot to single-user mode"      "root=UUID=83276439-f9fa-4429-a2e2-91c072c02c4f ro cryptdevice=UUID=f4f9f9f6-222a-4018-b45a-9b86544890e4:cryptroot:allow-discards quiet single"
"Boot with minimal options"     "root=UUID=83276439-f9fa-4429-a2e2-91c072c02c4f ro cryptdevice=UUID=f4f9f9f6-222a-4018-b45a-9b86544890e4:cryptroot:allow-discards"
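The GRUB and rEFInd lines above are easy to get wrong in ways that only show up as an unbootable system: the two UUIDs swapped or identical, a mistyped UUID, or a mapper name that differs from the one you used with cryptsetup open. The following shell functions, added here as an example and not part of this guide, build the cmdline fragment from the two UUIDs and check an existing kernel command line for those mistakes. They assume the example UUIDs from this guide and the mapper name cryptroot; replace them with the blkid output from your own system.

```shell
#!/bin/sh
# Constructed sample values: the UUIDs used in this guide.
CRYPT_UUID="f4f9f9f6-222a-4018-b45a-9b86544890e4"   # /dev/sda2, the LUKS container
ROOT_UUID="83276439-f9fa-4429-a2e2-91c072c02c4f"    # /dev/mapper/cryptroot, the filesystem inside

# Build the fragment both GRUB and rEFInd need.
# Usage: build_cmdline <luks-uuid> <mapper-name> <fs-uuid>
build_cmdline() {
    printf 'cryptdevice=UUID=%s:%s root=UUID=%s' "$1" "$2" "$3"
}

# Return 0 if the argument is shaped like a UUID (8-4-4-4-12 hex groups).
is_uuid() {
    printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Check a kernel command line for the mistakes that leave a LUKS root unbootable.
# Usage: check_cmdline "<cmdline>" <expected-mapper-name>   (0 = ok, 1 = problem)
check_cmdline() {
    cmdline=$1; mapper=$2
    # Pull the values of cryptdevice=UUID=... and root=UUID=... out of the cmdline.
    crypt=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^cryptdevice=UUID=//p')
    root=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^root=UUID=//p')
    [ -n "$crypt" ] || { echo "missing cryptdevice=UUID=..."; return 1; }
    [ -n "$root" ]  || { echo "missing root=UUID=...";        return 1; }
    case $crypt in *:*) ;; *) echo "cryptdevice lacks the :<name> part"; return 1 ;; esac
    crypt_uuid=${crypt%%:*}               # strip ":cryptroot[:allow-discards]"
    name=${crypt#*:}; name=${name%%:*}    # mapper name between the first two colons
    is_uuid "$crypt_uuid" || { echo "malformed cryptdevice UUID: $crypt_uuid"; return 1; }
    is_uuid "$root"       || { echo "malformed root UUID: $root"; return 1; }
    # The container and the filesystem inside it never share a UUID.
    [ "$crypt_uuid" != "$root" ] || { echo "cryptdevice and root use the same UUID"; return 1; }
    # The name must match what the encrypt hook creates under /dev/mapper.
    [ "$name" = "$mapper" ] || { echo "mapper name '$name' does not match '$mapper'"; return 1; }
    return 0
}
```

Run check_cmdline against the value of GRUB_CMDLINE_LINUX_DEFAULT (or the option strings in refind_linux.conf) before rebooting.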

Congratulations! You should now be able to reboot and run your system with LUKS encryption!