You have data on your machines. Some of that data might be in the form of sensitive company or client information. Should that particular information fall into the wrong hands, well, you know that particular endgame: Secrets are stolen, jobs are lost, etc. To avoid that we go to great lengths, such as employing decryption.
With Linux you have a number of ways to add encryption to your servers and desktops. One of the more secure routes is encrypting an entire partition (as opposed to folder-level encryption). By encrypting an entire partition, you no longer have to worry that you might left one of those crucial directories unencrypted. If the folder lives on partition X, you know it’s safe under a layer of encryption.
But how do you go about that? Believe it or not, it’s actually quite easy. I’m going to walk you through the process of encrypting an empty partition that you can then move your data into. Yes, it is important to understand that this method will irrevocably delete anything on that partition — so back it up or move it out first.
With that said, let’s encrypt.
Before we get to the encryption, we have to install the tool to take care of the process. I will demonstrating on the Ubuntu 16.10 platform, to encrypt the partition sdb1. The tool we have to install can be added with a single command; so open up a terminal window and issue the command:
sudo apt-get install cryptsetup-bin
That’s all the installation necessary. Now we move on to the encryption.
Encrypting your partition
Before we encrypt, let’s ensure we have the right partition. From the terminal window, issue the command sudo lsblk. This command will list all block devices attached to the machine (Figure A).
Listing the block devices on the machine.
Before you can encrypt the partition, it must be unmounted. You can do this from your file manager or from the command line. Say, for example, /dev/sdb1 is mounted to the /data directory. To unmount that from the command line, you would issue:
Now that we are certain the partition we want to encrypt is sdb1 (and it isn’t mounted), we issue the command:
sudo cryptsetup luksFormat /dev/sdb1
You will be given a warning and asked to type YES to continue (Figure B).
If you’re sure, type uppercase YES.
Next you’ll be asked to type and verify a passphrase for the encryption. Remember to make this challenging.
That’s it. The /dev/sdb1 partition has been encrypted. You can check on that by opening up your file manager. If you see the tiny lock icon associated with the drive (Figure C), you know the partition has been encrypted.
Congrats, /dev/sdb1 is encrypted.
Mounting the partition
In most cases, the best way to mount the partition is from the command line. Here’s how (adjust these commands as needed):
- Issue the command sudo cryptsetup luksOpen /dev/sdb1/ crypthome
- Create a directory to mount the partition with the command sudo mkdir /mnt/crypthome
- Mount the encrypted partition to the new directory with the command sudo mount /dev/mapper/crypthome /mnt/crypthome
You will probably have to adjust the permissions of the /mnt/crypthome directory, depending upon your needs (otherwise, your encrypted partition is now available).
If you need to lock the encrypted partition, you can do so with the following commands:
- sudo umount /mnt/crypthome
- sudo cryptsetup luksClose crypthome
That partition, of course, is nothing but a LUKS-encapsulated partition and must be formatted. The best way to format the partition is to use a tool like GNOME Disks (Figure D). When formatting with GNOME Disks, I suggest using LUKS + Ext4. NOTE: You cannot do this with Gparted, as it does not yet fully support LUKS-encrypted partitions.
Formatting a LUKS-encrypted partition with GNOME Disks.
Once you’ve formatted the partition, it will now easily be accessible (as opposed to having to go through command line hoops).
Encryption made easy
You’ve encrypted your first partition in Linux. Wasn’t that easy? I highly recommend you taking these very simple steps to protect your data. It’ll only take a moment and will give you some peace of mind that sensitive information won’t easily fall into the wrong hands. Of course, nothing is perfect, but adding encryption to a partition is one more step that ne’er do wells would have to take, in order to obtain that data.