{"id":21165082,"url":"https://github.com/denbonte/linux_enc","last_synced_at":"2026-05-19T08:05:34.788Z","repository":{"id":81595331,"uuid":"291955359","full_name":"denbonte/linux_enc","owner":"denbonte","description":"Notes on volumes encryption on Linux/UNIX systems for future lazy me.","archived":false,"fork":false,"pushed_at":"2020-09-01T13:11:56.000Z","size":4,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-01-01T03:11:23.487Z","etag":null,"topics":["encryption","linux","sysadmin","unix"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/denbonte.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-09-01T09:31:29.000Z","updated_at":"2021-09-09T09:00:48.000Z","dependencies_parsed_at":null,"dependency_job_id":"9301c3fd-7435-453e-8333-43675992bedc","html_url":"https://github.com/denbonte/linux_enc","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/denbonte/linux_enc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denbonte%2Flinux_enc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denbonte%2Flinux_enc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denbonte%2Flinux_enc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denbonte%2Flinux_enc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/de
nbonte","download_url":"https://codeload.github.com/denbonte/linux_enc/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denbonte%2Flinux_enc/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33207582,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-19T07:54:09.561Z","status":"ssl_error","status_checked_at":"2026-05-19T07:54:08.508Z","response_time":58,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encryption","linux","sysadmin","unix"],"created_at":"2024-11-20T14:19:09.607Z","updated_at":"2026-05-19T08:05:34.773Z","avatar_url":"https://github.com/denbonte.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Linux Volumes Encryption\n\nVolumes encryption on Linux using [cryptsetup](https://linux.die.net/man/8/cryptsetup)/LUKS.\n\nMake sure cryptsetup is installed on the system, otherwise run `sudo apt install cryptsetup`.\n\n## Setting-up a New Encrypted Volume\nFirst things first, check how your OS labelled the volume you want to encrypt by running `sudo fdisk -l`. 
As the process will clear all the data you have stored on that volume, make sure you have backed up everything you need from the drive you want to encrypt (and, of course, that the drive/partition you're trying to encrypt is not the one where the OS is stored).\n\nLet's assume we want to encrypt the volume at `/dev/sdb`. We can check the status of the volume by running `sudo fdisk -l /dev/sdb`. The output should look similar to:\n\n\n```\nDisk /dev/sdb: 7,3 TiB, 8001563222016 bytes, 15628053168 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 4096 bytes\nI/O size (minimum/optimal): 4096 bytes / 4096 bytes\nDisklabel type: gpt\nDisk identifier: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\n\nDevice     Start         End     Sectors  Size Type\n/dev/sdb1   2048 15628052479 15628050432  7,3T Microsoft basic data\n```\n\nAt this stage, run the command `sudo cryptsetup -y -v luksFormat /dev/sdb` to start the encryption process. The flag `-y` makes sure the user verifies the encryption password before proceeding, while the `-v` flag makes the process verbose. For other options, run `cryptsetup --help` or visit the cryptsetup man page (either from terminal or [online](https://linux.die.net/man/8/cryptsetup)). The output should look similar to:\n\n```\nsudo cryptsetup -y -v luksFormat /dev/sdb\n\nWARNING!\n========\nThis will overwrite data on /dev/sdb irrevocably.\n\nAre you sure? 
(Type uppercase yes): YES\nEnter passphrase for /dev/sdb: ********* \nVerify passphrase: *********\nCommand successful.\n```\n\nEverything needed to encrypt the volume has been generated.\n\n## Opening an Encrypted Drive (and Other Useful Commands)\nThe next command needed to set up the encrypted volume is `sudo cryptsetup luksOpen /dev/sdb $VOLNAME`, where `$VOLNAME` is the name we want to map our encrypted drive to:\n\n```\nsudo cryptsetup luksOpen /dev/sdb sdb_enc\nEnter passphrase for /dev/sdb: *********\n```\n\nThe mapping is then established such that the opened `/dev/sdb` is now found at `/dev/mapper/sdb_enc` (as one may check by running `ll /dev/mapper`). We can verify the status of the volume by running `sudo cryptsetup -v status sdb_enc`:\n\n```\n/dev/mapper/sdb_enc is active.\n  type:    LUKS1\n  cipher:  aes-xts-plain64\n  keysize: 256 bits\n  key location: dm-crypt\n  device:  /dev/sdb\n  sector size:  512\n  offset:  4096 sectors\n  size:    15628049072 sectors\n  mode:    read/write\nCommand successful.\n```\n\nAnother very useful command that one may want to run is `sudo cryptsetup luksDump /dev/sdb`. In fact, from `man cryptsetup`:\n\n\u003e LUKS  header:  If the header of a LUKS volume gets damaged, all data is permanently lost unless you have a header-backup.  If a key-slot is damaged, it can only be  restored  from  a  header-backup  or  if  another  active key-slot with known passphrase is undamaged.  Damaging the LUKS header is something people manage to do with surprising frequency. This risk is the result of a trade-off  between  security and safety, as LUKS is designed for fast and secure wiping by just overwriting header and key-slot area.\n\nTo back up the LUKS header, run:\n\n`sudo cryptsetup luksHeaderBackup /dev/sdb --header-backup-file /path/to/luks_backup_sdb`\n\nOnce the mapping is done, a file system needs to be initialised on it for the latter to be used. To do so, simply run `sudo mkfs.ext4 /dev/mapper/sdb_enc`\n*N.B. 
This needs to be done only the first time, after the volume is created.*\n\nThe output should look like the following:\n\n```\nsudo mkfs.ext4 /dev/mapper/sdb_enc \nmke2fs 1.44.1 (24-Mar-2018)\nCreating filesystem with 1953506134 4k blocks and 244191232 inodes\nFilesystem UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\nSuperblock backups stored on blocks: \n\t32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, \n\t4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, \n\t102400000, 214990848, 512000000, 550731776, 644972544, 1934917632\n\nAllocating group tables: done                            \nWriting inode tables: done                            \nCreating journal (262144 blocks): done\nWriting superblocks and filesystem accounting information: done\n```\n\nThe only thing left to be done is to mount the encrypted hard drive (already opened with LUKS). First, let's create a mount point wherever we like, e.g., under `/mnt`: `sudo mkdir /mnt/data1`. Once that is done, just mount the drive by running `sudo mount /dev/mapper/sdb_enc /mnt/data1/`.\n\n## Checking if a Drive Got Encrypted\n\nTo check if everything went all right, one can run the command `sudo blkid | grep sd`. 
The correct output should look like:\n\n```\nsudo blkid | grep sd\n/dev/sdb: UUID=\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\" TYPE=\"crypto_LUKS\"\n/dev/mapper/encsdb: UUID=\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\" TYPE=\"ext4\"\n```\n\nAs shown by the different UUIDs, `/dev/sdb` and `/dev/mapper/encsdb` are different volumes: the former is the volume \"as seen from the outside\" (e.g., before it is mounted - so non-accessible, as it is encrypted), while the latter is the result of the opening+mounting commands (which is a not-anymore-encrypted drive, with an ext4 file system, we can write to and read from).\n\n### Sources\n\n[Linux hard disk encryption with cryptsetup](https://www.cyberciti.biz/security/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/)\n\n[Linux hard disk encryption using LUKS](https://www.tecmint.com/linux-hard-disk-encryption-using-luks/)\n\n[How secure is an encrypted LUKS filesystem?](https://askubuntu.com/questions/97196/how-secure-is-an-encrypted-luks-filesystem)\n\n[How to backup or restore LUKS header](https://blog.sleeplessbeastie.eu/2019/01/09/how-to-backup-or-restore-luks-header/)\n\n[How to check volume encryption on Linux](https://unix.stackexchange.com/questions/108537/verify-if-a-hard-drive-is-encrypted-on-linux)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdenbonte%2Flinux_enc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdenbonte%2Flinux_enc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdenbonte%2Flinux_enc/lists"}