
cryptsetup

Really, knowing how to encrypt your drive just adds completion to your Linux skill set.

Encrypting root partition

First partition the device using gdisk: 1G for boot, the rest for root.

Now setup encryption on the root partition.

cryptsetup luksFormat /dev/sda2
cryptsetup open /dev/sda2 root
lsblk # see the opened volume "root" under /dev/sda2 (TYPE crypt)
# Note: the filesystem goes on /dev/mapper/root, not on /dev/sda2 (which is the LUKS container)
mkfs.ext4 /dev/mapper/root
mount /dev/mapper/root /mnt

After everything is done:

umount /mnt
cryptsetup close root

mkinitcpio.conf

Without disk encryption:

HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck)

With disk encryption:

HOOKS=(base systemd autodetect microcode modconf kms keyboard block sd-encrypt filesystems fsck)

Configuring the bootloader

kernel parameters:

rd.luks.name=device-UUID=root root=/dev/mapper/root

"The device-UUID refers to the UUID of the LUKS superblock, in this example it is the UUID of /dev/sda2" ~ ArchWiki

So /boot/loader/entries/arch.conf will end up looking like:

title   Arch Linux
linux   /vmlinuz-linux-xanmod-anbox
initrd  /amd-ucode.img
initrd  /initramfs-linux-xanmod-anbox.img
options rd.luks.name=e9950cbc-a374-492a-813c-aa02bc3bc501=root root=/dev/mapper/root rw psi=1
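As an added sanity check (example code written for these notes, not from the ArchWiki or from cryptsetup itself), the script below validates the two settings above before a reboot: that the HOOKS line contains systemd, keyboard, sd-encrypt and filesystems in a workable order, and that the rd.luks.name= option is built from a well-formed LUKS UUID. The function names check_hooks and luks_options are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original notes): check the two pieces of
# configuration that an encrypted root depends on before rebooting.
#   check_hooks   - the mkinitcpio HOOKS=(...) line must contain the systemd
#                   hook, and keyboard must come before sd-encrypt, which must
#                   come before filesystems; otherwise the initramfs cannot ask
#                   for the passphrase and unlock the root volume.
#   luks_options  - build the "options" line for the systemd-boot entry from a
#                   LUKS UUID and a mapper name, rejecting malformed input.
# Both function names are assumptions of this example.

# Return 0 when the HOOKS line is usable for an encrypted root, 1 otherwise.
check_hooks() {
    hooks=$(printf '%s' "$1" | sed -n 's/^HOOKS=(\(.*\))$/\1/p')
    [ -n "$hooks" ] || return 1
    pos=0 sysd=0 kb=0 enc=0 fs=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            systemd)     sysd=$pos ;;
            keyboard)    kb=$pos ;;
            sd-encrypt)  enc=$pos ;;
            filesystems) fs=$pos ;;
        esac
    done
    if [ "$sysd" -gt 0 ] && [ "$kb" -gt 0 ] && [ "$enc" -gt 0 ] && [ "$fs" -gt 0 ] \
       && [ "$kb" -lt "$enc" ] && [ "$enc" -lt "$fs" ]; then
        return 0
    fi
    return 1
}

# Print "rd.luks.name=<uuid>=<name> root=/dev/mapper/<name> rw"; fail on bad input.
luks_options() {
    uuid=$1 name=$2
    printf '%s' "$uuid" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || return 1
    printf '%s' "$name" | grep -Eq '^[A-Za-z0-9_-]+$' || return 1
    printf 'rd.luks.name=%s=%s root=/dev/mapper/%s rw\n' "$uuid" "$name" "$name"
}

# On a real system (as root) the UUID comes from the LUKS header of the
# container partition, and the HOOKS line from /etc/mkinitcpio.conf:
#   luks_options "$(cryptsetup luksUUID /dev/sda2)" root
#   check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)" || echo "fix HOOKS first"
```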

Encrypting a USB drive

source: LukeSmith

3 commands in cryptsetup that we need to know:

  1. to set up: cryptsetup luksFormat
  2. to open: cryptsetup open
  3. to close: cryptsetup close

the setup: cryptsetup luksFormat

First, just prepare the device with the right partition. I did this using # fdisk /dev/sdc, where /dev/sdc is the device as it appears in lsblk. After preparation, lsblk looks like:

[root@resonyze vector]# lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sdb           8:16   0 465.8G  0 disk
└─sdb1        8:17   0 465.8G  0 part
sdc           8:32   1  28.6G  0 disk
└─sdc1        8:33   1  28.6G  0 part
nvme0n1     259:0    0 476.9G  0 disk
├─nvme0n1p1 259:1    0     1G  0 part /boot
├─nvme0n1p2 259:2    0     8G  0 part [SWAP]
└─nvme0n1p3 259:3    0 467.9G  0 part /

Now we do cryptsetup luksFormat /dev/sdc1

open: cryptsetup open

cryptsetup open /dev/sdc1 drive

"drive" is just some name.

[root@resonyze vector]# cryptsetup open /dev/sdc1 drive
Enter passphrase for /dev/sdc1:
[root@resonyze vector]# lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sdb           8:16   0 465.8G  0 disk
└─sdb1        8:17   0 465.8G  0 part
sdc           8:32   1  28.6G  0 disk
└─sdc1        8:33   1  28.6G  0 part
  └─drive   253:0    0  28.6G  0 crypt
nvme0n1     259:0    0 476.9G  0 disk
├─nvme0n1p1 259:1    0     1G  0 part  /boot
├─nvme0n1p2 259:2    0     8G  0 part  [SWAP]
└─nvme0n1p3 259:3    0 467.9G  0 part  /
# mkfs.btrfs /dev/mapper/drive

Note that we formatted /dev/mapper/drive, not /dev/sdc1: the partition itself holds the LUKS container (header plus ciphertext), while /dev/mapper/drive is the decrypted view that cryptsetup open exposed.

# mount /dev/mapper/drive /mnt
# echo 'Testing. Some file being written' >  /mnt/testing.txt

close: cryptsetup close

# umount /mnt
# cryptsetup close drive
