LUKS
Dive into full-disk encryption on Linux
Stuart Burns covers the seemingly complex world of Linux disk encryption and reveals how to use it to secure your data.
OUR EXPERT
Stuart Burns is a systems administrator for a large organisation and specialises in virtualisation, scripting and automation to solve problems and make everything as efficient as possible.
QUICK TIP
If you need more information on why a cryptsetup command isn’t working as expected, there’s a switch that gives verbose output rather than the brief message it prints by default. To use it, just add “-v” to any cryptsetup command you’re about to run.
Everyone who uses disk encryption benefits from the security it provides, because once information is compromised, it’s out there forever. Stolen unencrypted laptops are a treasure trove for the nosy or the would-be fraudster. Most modern Linux distributions make it very easy to turn on full disk encryption at installation time, but the installer can hide the more useful features in an effort to simplify the installation process. In this feature we’ll cover how to set up encryption, how the underlying encryption system works, how to use it, the potential pitfalls and how to avoid encryption disasters.
Before continuing further, it’s absolutely key to mention that some of the procedures mentioned here are destructive in nature. Therefore, ensure that there’s an appropriately tested backup before following along, and always exercise caution. It’s strongly recommended to experiment in a disposable virtual machine. For this tutorial we’re using Ubuntu 22.04 desktop in a VirtualBox VM with two disks. We suggest making the two disks different sizes – this will make it easier to differentiate between them.
Broadly speaking, disk encryption falls into two categories: file-based encryption and full disk encryption (FDE). File-based encryption, as the name suggests, encrypts on a per-file basis. The problem is that it’s extremely susceptible to incorrect use or poor management oversight (which files do you want to encrypt? have you deleted the unencrypted source files? and so on), and it can leave huge clues behind – even readable copies of the data in some instances – as well as metadata in unencrypted log files and temporary files. In short, file-based encryption potentially leaves sensitive information unencrypted.
FDE, on the other hand, encrypts the whole partition or disk at the block level, which removes these problems. All those logs and temporary files are encrypted too, and the system can’t even be booted, or the disk mounted, without the decryption password (in essence, a key). Full disk encryption also adds very little overhead on modern systems with hardware-assisted encryption, and is almost transparent to the user once the system has booted.
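Because a LUKS volume exposes nothing but its header and ciphertext to anyone without the passphrase, a quick way to confirm that the installer really did enable FDE on a disk is to read the first few kilobytes of the device (or a disk image) and check for the LUKS header. The following Python script is an added example, not code from the article or from the cryptsetup project: it recognises LUKS1 and LUKS2 headers and reports the metadata that is stored in the clear (version, cipher and UUID for LUKS1; label, checksum algorithm and UUID for LUKS2), and it builds its own constructed sample header rather than touching a real disk.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"   # first six bytes of every LUKS header

def _cstr(buf, off, length):
    """Decode a NUL-padded, fixed-width ASCII field from the header."""
    return buf[off:off + length].split(b"\x00", 1)[0].decode("ascii", "replace")

def inspect_luks_header(data):
    """Describe the LUKS header at the start of `data`, or return None
    when the bytes carry no LUKS magic (unencrypted filesystem, GPT, etc.)."""
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", data[6:8])[0]
    if version == 1:
        # LUKS1 on-disk header: fixed fields, big-endian integers, 592 bytes in total.
        return {
            "version": 1,
            "cipher": _cstr(data, 8, 32),
            "mode": _cstr(data, 40, 32),
            "hash": _cstr(data, 72, 32),
            "key_bytes": struct.unpack(">I", data[108:112])[0],
            "uuid": _cstr(data, 168, 40),
        }
    if version == 2:
        # LUKS2 binary header (4096 bytes); cipher/keyslot details live in the
        # JSON area that follows it, so only the binary fields are reported here.
        return {
            "version": 2,
            "hdr_size": struct.unpack(">Q", data[8:16])[0],
            "label": _cstr(data, 24, 48),
            "csum_alg": _cstr(data, 72, 32),
            "uuid": _cstr(data, 168, 40),
        }
    return {"version": version}

def build_luks1_header(cipher, mode, hash_spec, key_bytes, uuid):
    """Constructed fixture: a minimal LUKS1 header with all key material zeroed."""
    hdr = bytearray(592)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:8 + len(cipher)] = cipher.encode()
    hdr[40:40 + len(mode)] = mode.encode()
    hdr[72:72 + len(hash_spec)] = hash_spec.encode()
    struct.pack_into(">I", hdr, 104, 4096)      # payload offset (sectors)
    struct.pack_into(">I", hdr, 108, key_bytes)  # master key length in bytes
    hdr[168:168 + len(uuid)] = uuid.encode()
    return bytes(hdr)

if __name__ == "__main__":
    sample = build_luks1_header("aes", "xts-plain64", "sha256", 64, "00000000-0000-4000-8000-000000000001")
    print(inspect_luks_header(sample))
    print(inspect_luks_header(b"\xeb\x3c\x90MSDOS5.0" + bytes(500)))  # constructed FAT boot sector
```

On a real system the same information (and much more) comes from `cryptsetup luksDump`, but reading the raw header shows exactly what is visible to someone holding the disk without the passphrase.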