How to Use LUKS to Encrypt a Disk Partition

You can use LUKS to encrypt a partition of a disk drive or USB. If you store sensitive information in portable drives it’s more compelling than ever to protect them using encryption since they carry a high risk of getting lost or stolen.

LUKS/dm-crypt is a good choice for encrypting Linux devices. It’s usually pre-installed in most Linux distros and if not, it’s easy to install using YUM or APT.

Here are seven easy steps to encrypt a disk partition:

Step 1. Create the disk partition you wish to encrypt. For example, let’s say you have a USB drive and it’s connected to /dev/sdb. The partition you’d want to create would be /dev/sdb1.

# fdisk -l /dev/sdb
Disk /dev/sdb: 512 MB, 512483328 bytes
255 heads, 63 sectors/track, 62 cylinders, total 1000944 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1              63     1000943      500440+  83  Linux

Step 2. Encrypt the partition

# cryptsetup -q -y luksFormat /dev/sdb1
Enter LUKS passphrase: 
Verify passphrase: 

Step 3. Map a logical partition

# cryptsetup luksOpen /dev/sdb1 sdb1_crypt
Enter passphrase for /dev/sdb1:

This will create a device mapper:

# ls -al /dev/mapper/sdb1_crypt
brw-rw---- 1 root disk 253, 5 Sep 23 11:53 /dev/mapper/sdb1_crypt

Step 5. Format the encrypted partition

# mkfs.ext3 /dev/mapper/sdb1_crypt 
mke2fs 1.42.5 (29-Jul-2012)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
124928 inodes, 498392 blocks
24919 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
61 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks: 
	8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done 

Step 6. Mount the encrypted partition:

# mkdir /mnt/sdb1
# mount /dev/mapper/sdb1_crypt /mnt/sdb1

Step 7. When done unmount the logical partition and close (unlock) the encrypted partition

# unmount /mnt
# cryptsetup luksClose sdb1_crypt

How to Recover a LUKS Encrypted Disk

This morning, my Ubuntu laptop won’t boot up. My immediate reaction was shivers at the back of my neck and then down the shoulders. I don’t understand why it felt that way. It’s like one of those situations when you suddenly discovered you left your wallet, your laptop, or something valuable in a restaurant and your mind started racing trying to figure out how to get back quickly and at the same time thinking what would happen and what would you do if you can’t locateĀ it anymore… And all those thoughts happening in just two or three seconds.

In this case, my laptop won’t boot up, it uses LUKS full disk encryption, I have no idea how to recover it, I haven’t done it before, I don’t know if it can be recovered, and I’ve got tons of important data in there!

Fortunately, those were just a couple of seconds and after that you go back to your sane state and do what most everyone else does – Google your way out. Thanks again to Google, it was easy to research on how to recover an LUKS-encrypted disk.

I missed the old days when recovering a disk from a failed system was as simple as attaching the disk to another system, mounting it, and start accessing your data back. Life has changed. With most of our valuables in digital format nowadays, you need to apply the same security you do with physical valuables – you lock them up with a key. But instead of locking with a door, you lock the data by encrypting it.

Below are the steps to recover a LUKS encrypted disk. There are tons of information like this online but I thought I just need to add another document among hundreds already out there in case one poor soul can only find this one.

Summary:

  1. Boot the system from a rescue disk or Live CD. If this is not possible, attach the encrypted disk to another Linux system
  2. Identify the device name of the encrypted disk
  3. Identify the encrypted partition in the disk
  4. Unlock the encrypted partition
  5. If the partition is using logical volumes, identify the volume group(s) used
  6. If the partition is using logical volumes, enable the volume group
  7. Mount the logical volume desired. If the partition is not using logical volumes, mount the mapped device directly.
  8. Unmount and lock the encrypted partition when done

Details:

Step 1. Remove the disk from the bad system and attach it to another Linux machine. If the machine is still running fine but the problem was just the OS being corrupted or something, you can boot from a rescue or Live CD.

Step 2. Once the disk is attached to another system, identify the device name of the disk as to how it got attached. You can view this by viewing /proc/partitions. If you are booting from a rescue disk or Live CD, do the same, but you’ll discover that it is easier to identify the disk since you won’t be confusing it with other disks like when it is attached to another system.

Below is a sample output. In this case the device you need to recover is /dev/sda with partitions sda1, sda2, and sda5.

# cat /proc/partitions
major minor #blocks name

7 0 731040 loop0
8 0 58605120 sda
8 1 248832 sda1
8 2 1 sda2
8 5 58353664 sda5

It’s probably easier to use the fdisk command to get a much clearer view of the layout of the partitions.

# fdisk -l /dev/sda

Disk /dev/sda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders, total 117210240 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00089bcb

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      499711      248832   83  Linux
/dev/sda2          501758   117209087    58353665    5  Extended
/dev/sda5          501760   117209087    58353664   83  Linux

Step 3. Next, find the partition that is encrypted. This is where the actual data resides. Run the cryptsetup command on each partition and find the one that says something like “LUKS header information…”

# cryptsetup -v luksDump /dev/sda1
Device /dev/sda1 is not a valid LUKS device.
Command failed with code 22: Device /dev/sda1 is not a valid LUKS device.

 

# cryptsetup -v luksDump /dev/sda2
Device /dev/sda2 is not a valid LUKS device.
Command failed with code 22: Device /dev/sda2 is not a valid LUKS device.

 

# cryptsetup -v luksDump /dev/sda5
LUKS header information for /dev/sda5

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	512
MK digest:     	21 84 3e c0 3e 9e 23 1e 34 9b 39 05 8f b9 47 61 89 a6 2a 81
MK salt:       	fc ac 3d 4f 1e 3d d4 ce 66 6b d3 90 ba f4 79 a8
               	d9 c9 38 a0 c2 79 bc 47 71 c6 8f 49 23 46 f1 6b
MK iterations: 	22500
UUID:          	2c8d56ec-749f-4d95-ab39-4ea17edb4c01

Key Slot 0: ENABLED
	Iterations:         	90067
	Salt:               	e4 25 ae 7c 5d 62 81 5e ea 37 95 0f 59 7b c8 7f
	                      	13 4f bc 15 70 4e 82 e1 41 db 1d 4b 65 7a de 5c
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Command successful.

From the sample output above, the partition we need to recover is /dev/sda5.

Step 4. Unlock the encrypted partition using the cryptsetup command. You will need the passphrase of the encrypted disk. I forgot to mention, you need this password to recover the data from the disk. If you don’t know the password or you forgot, then you’re out of luck. Unless you can guess the password or do a brute force password guessing, no current technology or witchcraft on earth can help you unlock the encryption.

That’s the whole idea of encrypting a disk so that in case your laptop got stolen, got lost, or got left at a restaurant, no one but you who knows the password can see your data.

# cryptsetup -v luksOpen /dev/sda5 sda5_crypt
Enter passphrase for /dev/sda5:
Key slot 0 unlocked.
Command successful.

Step 5. After unlocking the device, check if the partition is using LVM (Logical Volume Management). If your data resides in a logical volume, you’d need to identify those volumes so that you’d know what to mount. Run the lvdisplay command to see the volumes. Below is a sample output.

# lvdisplay
  --- Logical volume ---
  LV Path                /dev/ubuntu/root
  LV Name                root
  VG Name                ubuntu
  LV UUID                fy5LpG-HPX7-Spe1-C92m-nzPq-B3IB-eTjCFA
  LV Write Access        read/write
  LV Creation host, time ubuntu, XXXX
  LV Status              available
  # open                 0
  LV Size                53.61 GiB
  Current LE             13724
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           252:1

  --- Logical volume ---
  LV Path                /dev/ubuntu/swap_1
  LV Name                swap_1
  VG Name                ubuntu
  LV UUID                ZSwRl4-bdV1-kqJ3-V1lG-ndfZ-cdSh-P5X3kp
  LV Write Access        read/write
  LV Creation host, time ubuntu, XXXX
  LV Status              available
  # open                 0
  LV Size                1.99 GiB
  Current LE             509
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           252:2

Step 6. If the partition has logical volumes, enable the volume group using the vgchange command. From the sample above, the name of the volume group is ubuntu.

# vgchange -a y ubuntu
  2 logical volume(s) in volume group "ubuntu" now active

Step 7a. If the partiton is using logical volumes, mount the logical volume desired. Using the sample above, we want to mount /dev/ubuntu/root.

# mkdir /tmp/disk
# mount /dev/ubuntu/root /tmp/disk

Step 7b. If the partition does not have logical volumes, mount the mapped device directly.

# mkdir /tmp/disk
# mount /dev/mapper/sda5_crypt /tmp/disk

That’s it. You can now view your data in /tmp/disk.

Step 8. When you’re done accessing the data, don’t forget to unmount and close (lock) the encrypted partition.

# umount /tmp/disk
# cryptsetup luksClose /dev/mapper/sda5_crypt