How to Encrypt Data on a Hard Disk with LUKS and NTFS

To Encrypt the Data on a Linux Hard Disk with LUKS and NTFS Support

LUKS (Linux Unified Key Setup) is a disk-encryption method widely used with the Linux kernel and is implemented with the cryptsetup package. This article explains how to encrypt the data on a Linux hard disk while also providing NTFS support.

We have added a new hard disk to an Ubuntu 15.10 box. It will be divided into two partitions.

1. First partition - LUKS encryption
2. Second partition - formatted as NTFS so the data can be accessed from both Windows and Linux systems. This partition is not encrypted.

To Create Disk Partitions using fdisk

After the hard disk is physically added, use the ls command to list all devices and check that it is detected.

root@linuxhelp:~# ls /dev/sd*
/dev/sda  /dev/sda1  /dev/sda2  /dev/sda3  /dev/sdb


Next, check your disks using the fdisk command.

root@linuxhelp:~# fdisk -l
Disk /dev/sda: 30 GiB, 32212254720 bytes, 62914560 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe8e1afac

Device     Boot   Start      End  Sectors  Size Id Type
/dev/sda1  *       2048   976895   974848  476M 83 Linux
/dev/sda2        976896  4976639  3999744  1.9G 82 Linux swap / Solaris
/dev/sda3       4976640 62912511 57935872 27.6G 83 Linux

Disk /dev/sdb: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

root@linuxhelp:~# fdisk -l /dev/sdb
Disk /dev/sdb: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Use the fdisk utility to split the hard disk into two partitions. Create the first partition as a primary partition for data encryption, as follows.

root@linuxhelp:~# fdisk /dev/sdb

Welcome to fdisk (util-linux 2.26.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x7a4ee50b.
Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): 

Using default response p.
Partition number (1-4, default 1): 
First sector (2048-41943039, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-41943039, default 41943039): +10G

Created a new partition 1 of type 'Linux' and of size 10 GiB.

Command (m for help): p
Disk /dev/sdb: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7a4ee50b

Device     Boot Start      End  Sectors Size Id Type
/dev/sdb1        2048 20973567 20971520  10G 83 Linux

Now create the second partition, for NTFS, as a logical partition inside an extended partition with fdisk, as follows.

Command (m for help): n
Partition type
   p   primary (1 primary, 0 extended, 3 free)
   e   extended (container for logical partitions)
Select (default p): e
Partition number (2-4, default 2): 
First sector (20973568-41943039, default 20973568): 
Last sector, +sectors or +size{K,M,G,T,P} (20973568-41943039, default 41943039): 

Created a new partition 2 of type 'Extended' and of size 10 GiB.

Command (m for help): n
All space for primary partitions is in use.
Adding logical partition 5
First sector (20975616-41943039, default 20975616): 
Last sector, +sectors or +size{K,M,G,T,P} (20975616-41943039, default 41943039): 

Created a new partition 5 of type 'Linux' and of size 10 GiB.

Command (m for help): l

 0  Empty           24  NEC DOS         81  Minix / old Lin bf  Solaris        
 1  FAT12           27  Hidden NTFS Win 82  Linux swap / So c1  DRDOS/sec (FAT-
 2  XENIX root      39  Plan 9          83  Linux           c4  DRDOS/sec (FAT-
 3  XENIX usr       3c  PartitionMagic  84  OS/2 hidden C:  c6  DRDOS/sec (FAT-
 4  FAT16


Run the partprobe command so that the kernel picks up the changes made to the partition table.

root@linuxhelp:~# partprobe /dev/sdb


Now list the hard disk partitions using the fdisk command.

root@linuxhelp:~# fdisk -l /dev/sdb
Disk /dev/sdb: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7a4ee50b

Device     Boot    Start      End  Sectors Size Id Type
/dev/sdb1           2048 20973567 20971520  10G 83 Linux
/dev/sdb2       20973568 41943039 20969472  10G  5 Extended
/dev/sdb5       20975616 41943039 20967424  10G 86 NTFS volume set


Now create the NTFS filesystem on the NTFS partition.

root@linuxhelp:~# mkfs.ntfs /dev/sdb5
Cluster size has been automatically set to 4096 bytes.
Initializing device with zeroes: 100% - Done.
Creating NTFS volume structures.
mkntfs completed successfully. Have a nice day.


Now the NTFS partition is ready to mount. Let's mount it and check.

root@linuxhelp:~# mount /dev/sdb5 /opt
root@linuxhelp:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            476M     0  476M   0% /dev
tmpfs            99M  5.4M   94M   6% /run
/dev/sda3        28G  4.0G   22G  16% /
tmpfs           493M  156K  492M   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           493M     0  493M   0% /sys/fs/cgroup
/dev/sda1       453M   54M  373M  13% /boot
cgmfs           100K     0  100K   0% /run/cgmanager/fs
tmpfs            99M   52K   99M   1% /run/user/1000
/dev/sdb5        10G   52M   10G   1% /opt


Using the cat command, check that the partition is listed in the /etc/mtab file.

root@linuxhelp:~# cat /etc/mtab | grep /dev/sdb5
/dev/sdb5 /opt fuseblk rw,relatime,user_id=0,group_id=0,allow_other,blksize=4096 0 0


By using the following command, unmount the partition.

root@linuxhelp:~# umount /opt
root@linuxhelp:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            476M     0  476M   0% /dev
tmpfs            99M  5.4M   94M   6% /run
/dev/sda3        28G  4.0G   22G  16% /
tmpfs           493M  156K  492M   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           493M     0  493M   0% /sys/fs/cgroup
/dev/sda1       453M   54M  373M  13% /boot
cgmfs           100K     0  100K   0% /run/cgmanager/fs
tmpfs            99M   52K   99M   1% /run/user/1000

For EXT4 LUKS

Confirm that the cryptsetup package is installed on your computer.
If it is not, install it with the apt-get install command.

root@linuxhelp:~# apt-get install cryptsetup
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libavahi-client-dev libavahi-common-dev libavahi-compat-libdnssd1
  libdbus-1-dev libjs-jquery libruby2.1 libyaml-0-2 ruby2.1
.
.
.
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for systemd (225-1ubuntu9) ...
Processing triggers for initramfs-tools (0.120ubuntu6) ...
update-initramfs: Generating /boot/initrd.img-4.2.0-16-generic


Create the encrypted device on the first partition of the hard disk and format it with the ext4 filesystem using the luksformat command.

root@linuxhelp:~# luksformat -t ext4 /dev/sdb1
Creating encrypted device on /dev/sdb1...

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
Please enter your passphrase again to verify it
Enter passphrase for /dev/sdb1: 
mke2fs 1.42.12 (29-Aug-2014)
Creating filesystem with 2620928 4k blocks and 655360 inodes
Filesystem UUID: 9e39c623-dceb-446e-8234-e0ebd711a037
Superblock backups stored on blocks: 
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done


Important: The creation of a filesystem can take a while, based on the partition size and HDD speed.

To verify the status of the partition device, dump its LUKS header.

root@linuxhelp:~# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:           1
Cipher name:       aes
Cipher mode:       xts-plain64
Hash spec:         sha1
Payload offset:    4096
MK bits:           256
MK digest:         99 5b d8 0b 7b b1 60 19 0d 0c 09 cb 9c a6 5b 41 7b 42 a8 75 
MK salt:           1f d0 36 af 89 ed 96 c1 5c 61 c5 04 79 e6 a6 a3 
                   66 8c 38 99 4b b7 9f c3 f9 21 8b 0d 88 bc 7b b6 
MK iterations:     118500
UUID:              29f17104-89c5-435c-b036-49b552094de9

Key Slot 0: ENABLED
    Iterations:             470587
    Salt:                   a5 cc 75 14 81 33 32 58 eb e0 3e b3 11 81 f8 10 
                              81 4d 5c 16 f3 3a 29 90 11 b8 d2 ad 2d 71 ae f2 
    Key material offset:    8
    AF stripes:                4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


LUKS supports a maximum of 8 key slots. We have enabled the first key slot; to enable the next one, use the luksAddKey command.

root@linuxhelp:~# cryptsetup luksAddKey /dev/sdb1
Enter any existing passphrase: 
Enter new passphrase for key slot: 
Verify passphrase:


It will ask for the first key slot password to enable the second one. To check the new key slot run the luksDump command again.


root@linuxhelp:~# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:           1
Cipher name:       aes
Cipher mode:       xts-plain64
Hash spec:         sha1
Payload offset:    4096
MK bits:           256
MK digest:         99 5b d8 0b 7b b1 60 19 0d 0c 09 cb 9c a6 5b 41 7b 42 a8 75 
MK salt:           1f d0 36 af 89 ed 96 c1 5c 61 c5 04 79 e6 a6 a3 
                   66 8c 38 99 4b b7 9f c3 f9 21 8b 0d 88 bc 7b b6 
MK iterations:     118500
UUID:              29f17104-89c5-435c-b036-49b552094de9

Key Slot 0: ENABLED
    Iterations:             470587
    Salt:                   a5 cc 75 14 81 33 32 58 eb e0 3e b3 11 81 f8 10 
                              81 4d 5c 16 f3 3a 29 90 11 b8 d2 ad 2d 71 ae f2 
    Key material offset:    8
    AF stripes:                4000
Key Slot 1: ENABLED
    Iterations:             470587
    Salt:                   5c 50 ea a6 34 26 39 fd d5 0a 57 18 8d 5d 32 35 
                              92 a4 38 19 05 a4 53 8a f7 97 30 b4 0a a0 29 c0 
    Key material offset:    264
    AF stripes:                4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

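To remove the use of a password (check with luksDump that another key slot is still enabled first, because once the last passphrase is removed the data can no longer be unlocked)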

root@linuxhelp:~# cryptsetup luksRemoveKey /dev/sdb1
Enter passphrase to be deleted:
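
The key-slot check can be scripted so that a passphrase is only removed when another one remains. This is an added example, not part of the original article: it assumes the LUKS1 luksDump layout shown above, and the function names and the shortened sample dump are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): key-slot guard for luksRemoveKey.
# Assumes the LUKS1 luksDump layout shown above; function names are hypothetical.

# Constructed sample: the article's dump, shortened (salts and digests omitted).
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sdb1

Version:           1
Cipher name:       aes
Key Slot 0: ENABLED
    Iterations:             470587
    Key material offset:    8
Key Slot 1: ENABLED
    Iterations:             470587
    Key material offset:    264
Key Slot 2: DISABLED
Key Slot 3: DISABLED
EOF
}

# Read luksDump text on stdin; print enabled slot numbers separated by spaces.
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); printf "%s%s", sep, $3; sep = " " }
         END { print "" }'
}

# Read luksDump text on stdin.
# Returns 0 if one passphrase can be removed and another still remains,
# 1 if fewer than two slots are enabled, 2 if the header is not LUKS version 1.
safe_to_remove_key() {
    awk '/^Version:/ { v = $2 }
         /^Key Slot [0-9]+: ENABLED/ { n++ }
         END { if (v != 1) exit 2; exit (n >= 2 ? 0 : 1) }'
}

# Demo on the constructed sample. On a real system (as root):
#   cryptsetup luksDump /dev/sdb1 | safe_to_remove_key && cryptsetup luksRemoveKey /dev/sdb1
echo "enabled slots: $(sample_dump | enabled_slots)"
if sample_dump | safe_to_remove_key; then
    echo "at least two slots enabled: removing one passphrase is safe"
else
    echo "refusing: removal would leave no usable passphrase"
fi
```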


To be active, the encrypted partition needs a name entry in the /dev/mapper directory, which the cryptsetup package creates. For that, use the luksOpen command followed by the device name and a descriptive name.

root@linuxhelp:~# cryptsetup luksOpen /dev/sdb1 encrypted_partition
Enter passphrase for /dev/sdb1:


Next verify the device list

root@linuxhelp:~# ls /dev/mapper/
control  encrypted_partition
root@linuxhelp:~# ls -all /dev/mapper/encrypted_partition 
lrwxrwxrwx 1 root root 7 May 12 05:34 /dev/mapper/encrypted_partition -> ../dm-0


To check the partition status

To check the status of the partition, use the cryptsetup command with the -v option.

root@linuxhelp:~# cryptsetup -v status encrypted_partition 
/dev/mapper/encrypted_partition is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb1
  offset:  4096 sectors
  size:    20967424 sectors
  mode:    read/write
Command successful.


Mount the partition device on your computer using mount command.

root@linuxhelp:~# mount /dev/mapper/encrypted_partition /mnt
root@linuxhelp:~# df -h
Filesystem                       Size  Used Avail Use% Mounted on
udev                             476M     0  476M   0% /dev
tmpfs                             99M  5.4M   94M   6% /run
/dev/sda3                         28G  4.0G   22G  16% /
tmpfs                            493M  156K  492M   1% /dev/shm
tmpfs                            5.0M  4.0K  5.0M   1% /run/lock
tmpfs                            493M     0  493M   0% /sys/fs/cgroup
/dev/sda1                        453M   54M  373M  13% /boot
cgmfs                            100K     0  100K   0% /run/cgmanager/fs
tmpfs                             99M   52K   99M   1% /run/user/1000
/dev/mapper/encrypted_partition  9.8G   23M  9.2G   1% /mnt


Now unmount the partition from the computer.

root@linuxhelp:~# umount /mnt
root@linuxhelp:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            476M     0  476M   0% /dev
tmpfs            99M  5.4M   94M   6% /run
/dev/sda3        28G  4.0G   22G  16% /
tmpfs           493M  156K  492M   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           493M     0  493M   0% /sys/fs/cgroup
/dev/sda1       453M   54M  373M  13% /boot
cgmfs           100K     0  100K   0% /run/cgmanager/fs
tmpfs            99M   52K   99M   1% /run/user/1000

To mount Partition Automatically

After rebooting your system, follow the steps below.
Open the /etc/crypttab file and insert the following data.

root@linuxhelp:~# vim /etc/crypttab


Each /etc/crypttab entry has four fields, written in this order:
Target name, which is a descriptive name for your device.
Source drive, which is the hard-disk partition formatted for LUKS.
Key file: Choose none
Options: Specify luks

The final line looks like this

encrypted_partition   /dev/sdb1    none      luks


Now edit /etc/fstab and enter your device name, mount point, filesystem type, and other options.

root@linuxhelp:~# vim /etc/fstab
.
.
/dev/mapper/encrypted_partition      /mnt    ext4    defaults,errors=remount-ro     0     0
/dev/sdb5    /opt        ntfs        defaults        0 0
.
.
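
Before running mount -a or rebooting, the two files can be cross-checked so that every /dev/mapper device named in fstab is actually created by crypttab. This is an added example, not part of the original article: the function name check_crypt_mounts and the sample files are constructed, and the warning about kernel device names reflects that crypttab also accepts UUID=<LUKS UUID from luksDump> as the source.

```sh
#!/bin/sh
# Added example (not from the article): cross-check crypttab and fstab.

# Constructed copies of the two entries used in this article.
sample_crypttab() {
    printf '%s\n' '# <target name> <source device> <key file> <options>' \
                  'encrypted_partition   /dev/sdb1    none      luks'
}
sample_fstab() {
    printf '%s\n' \
        '/dev/mapper/encrypted_partition /mnt ext4 defaults,errors=remount-ro 0 0' \
        '/dev/sdb5 /opt ntfs defaults 0 0'
}

# check_crypt_mounts CRYPTTAB FSTAB  (hypothetical helper)
# Prints one finding per line; returns 1 on a malformed crypttab line or an
# fstab /dev/mapper device that crypttab never creates.
check_crypt_mounts() {
    awk '
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        FILENAME == ARGV[1] {                     # crypttab: target source key options
            if (NF < 2) { print "BAD crypttab line " FNR; bad = 1; next }
            src[$1] = $2
            if ($2 ~ /^\/dev\/(sd|hd|vd|nvme)/)
                print "WARN " $1 ": " $2 " can be renamed when disks change; UUID=<LUKS UUID> is stable"
            next
        }
        $1 ~ /^\/dev\/mapper\// {                 # fstab entries on mapped devices
            name = substr($1, 13)                 # strip "/dev/mapper/"
            if (name in src) print "OK " name " -> " src[name] " mounted on " $2
            else { print "MISSING " name ": in fstab but not in crypttab"; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Demo on the constructed samples; on a real host pass /etc/crypttab /etc/fstab.
demo_dir=$(mktemp -d)
sample_crypttab > "$demo_dir/crypttab"
sample_fstab > "$demo_dir/fstab"
check_crypt_mounts "$demo_dir/crypttab" "$demo_dir/fstab"
rm -rf "$demo_dir"
```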


Now mount the partitions by using mount command.

root@linuxhelp:~# mount -a
root@linuxhelp:~# df -h
Filesystem                       Size  Used Avail Use% Mounted on
udev                             476M     0  476M   0% /dev
tmpfs                             99M  5.4M   94M   6% /run
/dev/sda3                         28G  4.0G   22G  16% /
tmpfs                            493M  156K  492M   1% /dev/shm
tmpfs                            5.0M  4.0K  5.0M   1% /run/lock
tmpfs                            493M     0  493M   0% /sys/fs/cgroup
/dev/sda1                        453M   54M  373M  13% /boot
cgmfs                            100K     0  100K   0% /run/cgmanager/fs
tmpfs                             99M   52K   99M   1% /run/user/1000
/dev/mapper/encrypted_partition  9.8G   23M  9.2G   1% /mnt
/dev/sdb5                         10G   52M   10G   1% /opt

FAQ

Q: How to remove the use of a password in Linux?
A: Remove the use of a password with the following command:
# cryptsetup luksRemoveKey /dev/sdb1

Q: How to check the status of encrypted_partition?
A: Check the status of encrypted_partition with the following command:
# cryptsetup -v status encrypted_partition

Q: What is the package to be installed to encrypt the hard disk in LUKS?
A: Encrypt the hard disk by installing the following package:
# apt-get install cryptsetup

Q: How to verify the status of the partition device in LUKS?
A: Use the following command to verify the status of the partition:
# cryptsetup luksDump /dev/sdb1

Q: Which command mounts the encrypted partition permanently?
A: You can mount the encrypted partition permanently by editing /etc/crypttab with the following command and adding the line shown below it:
# vim /etc/crypttab

encrypted_partition /dev/sdb1 none luks