
debian-luks

LUKS (Linux Unified Key Setup) is a disk encryption specification intended for Linux.

In this guide we will see how to work with LUKS encryption on Debian.

Debian full system encryption

You can choose to encrypt your whole Debian installation during the OS setup process. To do this, when the Partition disks screen is displayed, select the Guided - use entire disk and setup encrypted LVM option:

You will then be asked for the passphrase later in the process; it will be required at every boot (just like VeraCrypt's full-disk encryption).

Creating an encrypted partition

There are a lot of graphical partitioning tools that support creating LUKS encrypted partitions. Example with KDE Partition Manager on Lubuntu live:

GNOME Disks also supports creating encrypted partitions.

Mounting an encrypted partition

To mount an encrypted partition, you can use one of the GUI tools mentioned above.

If you want to use the command line instead (e.g. for systems without a graphical interface):

```bash
# Unlock the LUKS container; the decrypted device appears as /dev/mapper/sdb1-crypt
sudo cryptsetup luksOpen /dev/sdb1 sdb1-crypt
# Create a mountpoint and mount the decrypted filesystem
sudo mkdir /mnt/sdb1-crypt
sudo mount /dev/mapper/sdb1-crypt /mnt/sdb1-crypt
```

Note: the cryptsetup luksOpen command will interactively ask you for the passphrase.

Note: the name sdb1-crypt is just an example; you can choose any name you want.

To unmount the partition:

```bash
# Unmount the filesystem, remove the mountpoint, then lock the container again
sudo umount /mnt/sdb1-crypt
sudo rm -r /mnt/sdb1-crypt
sudo cryptsetup luksClose sdb1-crypt
```

Mounting at system startup

You can have a LUKS encrypted partition mounted automatically at system boot. Here's how to do it.

Let's assume that our encrypted partition is /dev/sdb1.

First of all, obtain the UUID of the partition:

```bash
sudo blkid -sUUID -ovalue /dev/sdb1
```

Create the mountpoint:

```bash
sudo mkdir /mnt/sdb1-crypt
```

Add the following line to /etc/crypttab, replacing the UUID with the correct value:

```
sdb1-crypt   UUID=a1b2c3d4-a1b2-c3d4-e5f6-a1b2c3d4e5f6   none   luks,discard
```

Note (from the crypttab docs): discard allows discard (TRIM) requests to be passed through the encrypted block device. This improves performance on SSD storage but has security implications: the trimmed blocks are visible as unused space to anyone who inspects the raw device, so the layout of free and used space is no longer hidden by the encryption. Leave the option out if that matters for your threat model.

Add the following line to /etc/fstab:

```
/dev/mapper/sdb1-crypt   /mnt/sdb1-crypt   ext4   defaults   0   0
```

Then reboot the system for the changes to take effect.
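As an added example that is not part of this guide, the following POSIX shell script builds the /etc/crypttab and /etc/fstab entries shown above from a partition's UUID and name, and cross-checks that every /dev/mapper device referenced in fstab actually has a crypttab mapping (a mismatch is one reason a boot can hang waiting for a device). The UUID and the second fstab entry are constructed sample data, not real devices.

```shell
#!/bin/sh
# Added example (not from the guide): generate crypttab/fstab entries for a
# LUKS partition and check that the two files agree with each other.
set -e

# True when $1 has the 8-4-4-4-12 hex layout that blkid prints for a UUID.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# crypttab_line NAME UUID [OPTIONS] -> "NAME UUID=<uuid> none OPTIONS"
# The 'none' key field means the passphrase is asked interactively at boot.
crypttab_line() {
  is_uuid "$2" || { echo "crypttab_line: '$2' is not a UUID" >&2; return 1; }
  printf '%s UUID=%s none %s\n' "$1" "$2" "${3:-luks}"
}

# fstab_line NAME MOUNTPOINT [FSTYPE] [OPTIONS] -> fstab entry for the mapped device.
# Pass 'nofail' as OPTIONS if the disk may be absent at boot (e.g. an external drive).
fstab_line() {
  printf '/dev/mapper/%s %s %s %s 0 0\n' "$1" "$2" "${3:-ext4}" "${4:-defaults}"
}

# check_mappings CRYPTTAB_TEXT FSTAB_TEXT
# Prints the name of every /dev/mapper device used in fstab that crypttab does
# not define; empty output means the two files are consistent.
check_mappings() {
  printf '%s\n' "$2" | grep -Ev '^[[:space:]]*(#|$)' | while read -r dev _rest; do
    case $dev in /dev/mapper/*) ;; *) continue ;; esac
    name=${dev#/dev/mapper/}
    if ! printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$name[[:space:]]"; then
      printf '%s\n' "$name"
    fi
  done
  return 0
}

# Constructed sample input: the UUID is a placeholder, not a real device.
SAMPLE_UUID=a1b2c3d4-a1b2-c3d4-e5f6-a1b2c3d4e5f6
SAMPLE_CRYPTTAB=$(crypttab_line sdb1-crypt "$SAMPLE_UUID" luks,discard)
# The second fstab entry refers to a mapping that crypttab never sets up.
SAMPLE_FSTAB=$(fstab_line sdb1-crypt /mnt/sdb1-crypt
               fstab_line sdc1-crypt /mnt/sdc1-crypt)

printf '%s\n%s\n' "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB"
check_mappings "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB"   # prints: sdc1-crypt
```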

The passphrase of the encrypted partition will now be asked at every boot:

Note: if you set up N encrypted partitions in /etc/crypttab, you will be asked for N passphrases at boot, even if some of the partitions share the same passphrase.

If the /dev/sdb1 partition is not found at boot (e.g. it is on an external hard-drive that is not connected to the system), the operating system won't start: