Ubuntu Server 18.04 – Encrypting and decrypting disks with LUKS

An important aspect of security that many people don’t even think about is encryption. As I’m sure you know, backups are essential for business continuity. If a server breaks down, or a resource stops functioning, backups will be your saving grace. But what happens if your backup medium gets stolen or somehow falls into the wrong hands? If your backup is not encrypted, then anyone will be able to view its contents. Some data isn’t sensitive, so encryption isn’t always required. But anything that contains personally identifiable information, company secrets, or anything else that would cause any kind of hardship if leaked, should be encrypted. In this section, I’ll walk you through setting up Linux Unified Key Setup (LUKS) encryption on an external backup drive.

Before we get into that though, I want to quickly mention the importance of full-disk encryption for your distribution as well. Although this section is going to go over how to encrypt external disks, it’s possible to encrypt the volume for your entire Linux installation as well. In the case of Ubuntu, full-disk encryption is an option during installation, for both the server and workstation flavors. This is especially important when it comes to mobile devices, such as laptops, which are stolen quite frequently. If a laptop is planned to store confidential data that you cannot afford to have leaked out, you should choose the option during installation to encrypt your entire Ubuntu installation. If you don’t, anyone that knows how to boot a Live OS disc and mount a hard drive will be able to view your data. I’ve seen unencrypted company laptops get stolen before, and it’s not a wonderful experience.

Anyway, back to the topic of encrypting external volumes. For the purpose of encrypting disks, we’ll need to install the cryptsetup package:

sudo apt install cryptsetup

The cryptsetup utility allows us to encrypt and decrypt disks. To continue, you’ll need an external disk you can safely format, as encrypting the disk will remove any data stored on it. This can be an external hard disk or a flash drive; both are treated the exact same way. You can also use this same process to encrypt a secondary internal hard disk attached to your virtual machine or server. I’m assuming that you don’t care about the contents saved on the drive, because the process of setting up encryption will wipe it.

If you’re using an external disk, use the fdisk -l command as root or the lsblk command to view a list of hard disks attached to your computer or server before you insert it. After you insert your external disk or flash drive, run the command again to determine the device designation for your removable media. In my examples, I used /dev/sdb, but you should use whatever designation your device was given. This is important, because you don’t want to wipe out your root partition or an existing data partition!

First, we’ll need to use cryptsetup to format our disk:

sudo cryptsetup luksFormat /dev/sdb

You’ll receive the following warning:

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.
Are you sure? (Type uppercase yes):

Type YES and press Enter to continue. Next, you’ll be asked for the passphrase. This passphrase will be required in order to unlock the drive. Make sure you use a good, randomly generated password and that you store it somewhere safe. If you lose it, you will not be able to unlock the drive. You’ll be asked to confirm the passphrase.

Once the command completes, we can format our encrypted disk. At this point, it has no filesystem. We’ll need to create one. First, open the disk with the following command:

sudo cryptsetup luksOpen /dev/sdb backup_drive

The backup_drive name can be anything you want; it’s just an arbitrary name you can refer to the disk as. At this point, the disk will be attached to /dev/mapper/disk_name, where disk_name is whatever you called your disk in the previous command (in my case, backup_drive). Next, we can format the disk. The following command will create an ext4 filesystem on the encrypted disk:

sudo mkfs.ext4 -L "backup_drive" /dev/mapper/backup_drive

The -L option allows us to add a label to the drive, so feel free to change that label to whatever you prefer to name the drive.

With the formatting out of the way, we can now mount the disk:

sudo mount /dev/mapper/backup_drive /media/backup_drive

The mount command will mount the encrypted disk located at /dev/mapper/backup_drive and attach it to a mount point, such as /media/backup_drive in my example. The target mount directory must already exist. With the disk mounted, you can now save data onto the device as you would any other volume. When finished, you can unmount the device with the following commands:

sudo umount /media/backup_drive
sudo cryptsetup luksClose /dev/mapper/backup_drive

First, we unmount the volume just like we normally would. Then, we tell cryptsetup to close the volume. To mount it again, we would issue the following commands:

sudo cryptsetup luksOpen /dev/sdb backup_drive
sudo mount /dev/mapper/backup_drive /media/backup_drive

If we wish to change the passphrase, we can use the following command. Be very careful when typing in the new passphrase, so you don’t lock yourself out of the drive. The disk must not be mounted or open in order for this to work:

sudo cryptsetup luksChangeKey /dev/sdb -S 0

The command will ask you for the current passphrase, and then the new one twice.
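The whole procedure above, from luksFormat through luksClose, as one added shell script (mine, not the article's) that rehearses it on a file-backed loop device so no real disk is at risk. It assumes root, cryptsetup and losetup are available, swaps the interactive passphrase for a key file so it can run unattended, and adds a mount-table check so the device you are about to wipe is not your root or data partition.

```shell
#!/bin/sh
# Added example, not from the original article: the page's LUKS workflow as one
# script, rehearsed on a loop device backed by a file so no real disk is touched.
# Differences from the text: --batch-mode skips the uppercase-YES prompt and the
# passphrase comes from a key file so the steps can run unattended.
set -eu

# Guard from the text: never luksFormat a device that is mounted (root or data
# partition). $1 = device, $2 = mount table text (normally $(cat /proc/mounts)).
device_in_use() {
    printf '%s\n' "$2" | awk -v d="$1" \
        '$1 == d || $1 ~ ("^" d "[0-9p]") { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample mount table: sda is the system disk, sdb1 is a data partition.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sdb1 /mnt/data ext4 rw,relatime 0 0'

# luksFormat -> luksOpen -> mkfs.ext4 -> mount, in the order the text uses.
# $1 = device, $2 = mapper name, $3 = mount point, $4 = key file
encrypt_and_mount() {
    if device_in_use "$1" "$(cat /proc/mounts)"; then
        echo "refusing to wipe $1: it is mounted" >&2
        return 1
    fi
    cryptsetup luksFormat --batch-mode --key-file "$4" "$1"
    cryptsetup luksOpen --key-file "$4" "$1" "$2"
    mkfs.ext4 -q -L "$2" "/dev/mapper/$2"
    mkdir -p "$3"                      # the mount point must already exist
    mount "/dev/mapper/$2" "$3"
}

# umount, then luksClose; the data is unreadable again once the mapping is gone.
close_volume() { umount "$1"; cryptsetup luksClose "$2"; }

# Rehearsal on a 64 MiB file-backed loop device. Needs root and cryptsetup;
# LUKS_DEMO is an assumed opt-in variable so sourcing the script is harmless.
if [ "${LUKS_DEMO:-0}" = 1 ]; then
    img=$(mktemp /tmp/luks-demo.XXXXXX); truncate -s 64M "$img"
    dev=$(losetup --find --show "$img")
    keyf=$(mktemp); head -c 32 /dev/urandom >"$keyf"   # random key; store it safely
    encrypt_and_mount "$dev" demo_drive /media/demo_drive "$keyf"
    echo "secret backup" >/media/demo_drive/test.txt
    close_volume /media/demo_drive demo_drive
    cryptsetup isLuks "$dev" && echo "$dev is a LUKS volume"
    losetup -d "$dev"; rm -f "$img" "$keyf"
fi
```

Run it as root with LUKS_DEMO=1 to exercise the full cycle; without that variable only the functions are defined, and device_in_use can be used on its own before any real luksFormat.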

That’s basically all there is to it. With the cryptsetup utility, you can set up your own LUKS-encrypted volumes for storing your most sensitive information. If the disk ever falls into the wrong hands, the situation won’t be as bad as it would have been if the disk had been unencrypted: without the passphrase, breaking into a LUKS-encrypted volume would take an amount of effort that isn’t feasible.