How to encrypt a hard drive using LUKS

Since a long time ago and through the hard way, I’ve learned how important it is to back-up periodically my files. Without any doubts the easiest is using an external hard drive and the command rsync (later I’ll write a post about this). If you have the /home folder in a different partition it becomes incredibly easy to recover from a disaster (voluntary as changing computers, or involuntary as the death of the drive.) External hard drives became fundamental with new laptops that only possess SSD drives and the available space is insufficient. However there is an inherent risk of having an external drive: we expose our information to anyone who has access to the device (for instance, if we forget it or if it gets stolen.) Or if, as in my case, we wish to make backups to a remote location and the disk is not even under our supervision (for instance, a Raspberry Pi connected in the house of a friend.) The solution to all this problems is to encrypt the information.

Encriptar disco duro

To encrypt means hiding the information behind a password. Without it, it becomes almost impossible to discover the content of a file or of an entire drive (sadly, all the steps here suggested ar not NSA-safe.) Generally speaking, there are two ways of achieving it: the first consists in encrypting documents individually. This allows to share them and send them around but will need a password to know what is in them. This is a good solution for saving small amounts of data to put in a pendrive, SD memory, etc. It is also what Ubuntu implements natively for its encryption, and I will come back to this one later.

Another way is to encrypt completely the disk (or a partition), making it impossible even to mount before introducing a password. This is the preferred way for backups or disks that we carry with us all the time. For this type of encryption we are going to use dm-crypt+LUKS. The steps I present here are for being executed from the command line, but as it is explained at the end, with a user interface as the one provided by Ubuntu it is really easy all the process.

For installing, the first step (in Ubuntu and similar) is to run the following commands in the terminal:

sudo apt-get install cryptsetup

Fedora y similares deberán ejecutar (como root)

yum install cryptsetup-luks

Then we should encrypt the partition that we wish. WARNING!: we will lose all the information that exists in that partition. Before executing the command, if you are not doing it on a clean disk is to have a back-up and to be sure that it is actually what you wish to do. For this example I will use the disk sdz1 (it’s up to you to find out the disk on which you are going to perform the steps.) Remember not to mount the unit when you are about to execute the command:

cryptsetup -y -v luksFormat /dev/sdz1

And we will get as an answer:

This will overwrite data on /dev/sdz1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

Remember that once you introduce the password, the disk will be encrypted and there is no way of recovering it. You have to memorize it! Once you are ready, you can create a mapping of the disk with the name that you wish. I will name it backup; the command is:

cryptsetup luksOpen /dev/sdz1 backup

And then it will ask you for the password that you established at the beginning. If you want to check that everything is working fine, you can execute:

ls -l /dev/mapper/backup 

Or to see the status of the mapping:

cryptsetup -v status backup

A common recommendation is to fill the disk with zeros, in this way no one will even know what portion of the disk is really full or empty. It is a bit extreme and may take several hours to complete. This step is up to you; the command is:

dd if=/dev/zero of=/dev/mapper/backup

Once finished, we have to format the partition, for instance with the following command:

mkfs.ext4 /dev/mapper/backup

And finally we can mount it wherever we want, for instance:

mkdir /backup
mount /dev/mapper/backup /backup
df -H
cd /backup
ls -l

To unmount the partition, we just need to execute

umount /backup
cryptsetup luksClose backup

and to mount it back:

cryptsetup luksOpen /dev/sdz1 backup
mount /dev/mapper/backup /backup

Another of the advantages that LUKS has is the possibility of storing up to 8 different passwords to access to the partition. In case of being a shared drive between several users, there is no need to have a common password. To add a new password, one can execute:

cryptsetup luksDump /dev/sdz1
cryptsetup luksAddKey /dev/sdz1

First it will ask one of the passwords provided in the past and that is working. Then it will ask for the new password. To delete on of the old ones, you can execute:

cryptsetup luksRemoveKey /dev/sdz1

The advantage of using LUKS is that becomes really handy to protect information in removable media such as external hard drives, pendrives, memory cards, etc. It also allows to encrypt the swap partition, making possible a safe hibernation. The disadvantage is that anyone with access to the PC where the disk is mounted will be able to see the content of the drive (it’s not encrypted at the file-level but at disk-level).

If the Silk Road’s website would have been encrypted as described here, in the moment the FBI took the hard drive from the server they would have ended up with a useless piece of metal. Just few more minutes of work would have ended up in a complete different story for Dread Pirate Roberts.

In Ubuntu it works great; as soon as you plug-in the unit, the operating system detects that it is encrypted. If we click on it, it will ask for the password and that is it, as any other disk. This is great for carrying around our encrypted pendrives and avoid that in the case of lost anyone can see our photos from the holidays.

%d bloggers like this: