
How to use cryptsetup to create encrypted volumes


On most modern Linux distributions the installer offers to encrypt your partitions at install time. That gives you
full disk encryption: the data is encrypted at rest (when the laptop is powered off) and can only be read after you
unlock it with your passphrase. I will show you how to do the same thing by hand with cryptsetup, on a whole drive,
on a thumb drive, and even on a plain file.

Install cryptsetup

There is most likely a cryptsetup package for your distribution. Here is how to install it on Debian/Ubuntu:

$ sudo apt-get update && sudo apt-get install cryptsetup

Setting up

We need a volume to work on. In this article I will use a flat file, but everything I do to this file works the same
on a hard drive or a thumb drive: replace the file name with the block device (for example /dev/sdb) and double-check
it is the right one, because luksFormat destroys whatever is on it. In fact, I encourage you to follow the steps on an
actual thumb drive, because that is probably what you will want to use this article for.

I will start by allocating a 1G file that will stand in for a thumb drive:

$ fallocate -l 1G volume
$ ls -ahl volume
-rw-rw-r-- 1 thomas thomas 1.0G Sep  1 08:59 volume

Formatting and encrypting the volume

You have two ways of unlocking the volume: with a passphrase or with a key file. The passphrase should be something
long that you can remember. The key file can contain anything; you can just generate one from the kernel's random
number generator like this (for a 4 KiB key). Treat it like a password: keep it readable only by you (chmod 600) and
store it on a different device from the volume it unlocks, otherwise it protects nothing.

$ dd if=/dev/urandom of=./encrypt.key bs=1024 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 0.000455402 s, 9.0 MB/s

We will start by encrypting the volume with a passphrase, then add the key file as another way of opening the volume.

$ sudo cryptsetup luksFormat volume
WARNING!
========
This will overwrite data on volume irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for volume:
Verify passphrase:

Make a mental note of the passphrase you used, you will need it later. Now check that you can actually open the volume:

$ sudo cryptsetup luksOpen ./volume crypt_volume
Enter passphrase for ./volume: # enter the passphrase here
$ ls /dev/mapper/crypt_volume
/dev/mapper/crypt_volume

It works. Nothing is mounted yet, so we just close the mapping and add another key to the volume.

$ sudo cryptsetup luksClose crypt_volume

Let's add the 4 KiB key file we generated earlier. cryptsetup asks for an existing passphrase because a new key slot can only be added by someone who already holds a valid key:

$ sudo cryptsetup luksAddKey ./volume ./encrypt.key
Enter any existing passphrase:

Try to open the volume using the key file:

$ sudo cryptsetup luksOpen ./volume crypt_volume --key-file encrypt.key
$ ls /dev/mapper/crypt_volume
/dev/mapper/crypt_volume

Amazing! You can now open the volume either with the passphrase or with the key file. Now let's put a filesystem on it.

Format and mount

What you did with luksOpen created a block device under /dev/mapper. /dev/mapper/crypt_volume is a block device much
like /dev/sda1, and as such it can be formatted; everything written through it is encrypted before it reaches the
underlying file or drive. So let's format it with ext4.

$ sudo mkfs.ext4 /dev/mapper/crypt_volume
mke2fs 1.45.5 (07-Jan-2020)
Creating filesystem with 258048 4k blocks and 64512 inodes
Filesystem UUID: fa17cbba-988f-464f-9e3b-00844369777d
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376

Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

Now let’s mount it.

$ mkdir /tmp/volume
$ sudo mount /dev/mapper/crypt_volume /tmp/volume
$ ls /tmp/volume
lost+found

Check the size

$ df -h /tmp/volume
Filesystem                Size  Used Avail Use% Mounted on
/dev/mapper/crypt_volume  977M  2.5M  908M   1% /tmp/volume

As expected it is about a gig; the LUKS header and the ext4 metadata account for the missing few dozen megabytes. You can
treat this filesystem like you would any other one. When you are done with the volume, unmount it and close the mapping:

$ sudo umount /tmp/volume
$ sudo cryptsetup luksClose crypt_volume

Done! You have successfully created an encrypted volume.
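Here is the whole procedure above as a script, added for this page and not part of the original post. It does the create step non-interactively with the key file as the first key (the post's order, passphrase first, works just as well), and adds two checks that run without root: a look at the LUKS header magic, and a key-file generator that never leaves the key world-readable. The file names, the mapper name crypt_volume, and the use of GNU coreutils (od, head, stat) and cryptsetup 2.x are assumptions.

```shell
#!/bin/sh
# Added helper (not from the original post): non-interactive version of the
# steps above plus two checks that need no root.
#   sh luks-helper.sh check ./volume            -> prints LUKS1 / LUKS2 / "not LUKS"
#   sh luks-helper.sh keyfile ./encrypt.key     -> 4 KiB key, mode 0600
#   sudo sh luks-helper.sh create ./volume 1G ./encrypt.key crypt_volume
# Assumes GNU coreutils and cryptsetup 2.x; names and paths are illustrative.

# Read the first 8 bytes of the container: 6-byte magic "LUKS\xba\xbe" then a
# 2-byte big-endian version. Exit 1 when it is not a LUKS header.
# (cryptsetup isLuks / luksDump give the same answer with far more detail.)
luks_header_version() {
  magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    4c554b53babe0001) echo LUKS1 ;;
    4c554b53babe0002) echo LUKS2 ;;
    *) echo "not LUKS"; return 1 ;;
  esac
}

# Key file from the kernel CSPRNG, created under umask 077 so it is never
# readable by anyone else, not even briefly. Keep it on a different device
# than the volume it unlocks.
make_keyfile() {
  path=$1
  bytes=${2:-4096}
  ( umask 077 && head -c "$bytes" /dev/urandom > "$path" ) || return 1
  [ "$(wc -c < "$path" | tr -d ' ')" -eq "$bytes" ]
}

# Root only. Create a LUKS container in FILE of SIZE keyed by KEYFILE, open it
# as /dev/mapper/NAME, put ext4 on it and close it again. To add a passphrase
# as a second key afterwards: cryptsetup luksAddKey --key-file KEYFILE FILE
create_encrypted_volume() {
  file=$1; size=$2; keyfile=$3; name=$4
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  fallocate -l "$size" "$file" || return 1
  # --batch-mode skips the "Type uppercase yes" prompt: FILE is overwritten.
  cryptsetup luksFormat --batch-mode --key-file "$keyfile" "$file" || return 1
  luks_header_version "$file" || return 1
  # "open"/"close" are the modern spellings of luksOpen/luksClose.
  cryptsetup open --key-file "$keyfile" "$file" "$name" || return 1
  mkfs.ext4 -q "/dev/mapper/$name" || return 1
  cryptsetup close "$name"
}

case "${1:-}" in
  check)   luks_header_version "$2" ;;
  keyfile) make_keyfile "$2" "${3:-4096}" ;;
  create)  create_encrypted_volume "$2" "$3" "$4" "$5" ;;
esac
```

The header check is worth keeping around: run it against the file or device before you put anything on it, and against a thumb drive you find in a drawer, before assuming it is (or is not) encrypted.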

Bonus track: two-factor unlock with a YubiKey

You will need to install the following package to make it work. It expects the YubiKey's challenge-response slot (slot 2 by default) to be programmed for HMAC-SHA1 challenge-response; the package's README shows the ykpersonalize command for that.

$ sudo apt-get install yubikey-luks

Plug the YubiKey into your computer and run the following command:

$ sudo yubikey-luks-enroll -d ./volume
setting disk to ./volume.
This script will utilize slot 7 on drive ./volume.  If this is not what you intended, exit now!
Adding yubikey to initrd
Please enter the yubikey challenge password. This is the password that will only work while your yubikey is installed in your computer: ********
Please enter the yubikey challenge password again: ********
Please provide an existing passphrase. This is NOT the passphrase you just entered, this is the passphrase that you currently use to unlock your LUKS encrypted drive: ********

The challenge password itself is not stored anywhere: at unlock time it is sent to the YubiKey, and the key's HMAC-SHA1 response is the secret that actually lives in LUKS key slot 7. Without the YubiKey the password is useless, and without the password the YubiKey is useless. You can now open the volume with the challenge you just created, then mount it as before:

$ sudo yubikey-luks-open -d ./volume -n crypt_volume
setting disk to ./volume.
setting name to crypt_volume.
This script will try opening crypt_volume LUKS container on drive ./volume . If this is not what you intended, exit now!
Enter password created with yubikey-luks-enroll: ********

All done :)
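To make the two-factor claim concrete, here is a model of the unlock flow, added for this page. It is not yubikey-luks's own code, and the package's scripts have hashing and concatenation options this model leaves out; read /usr/bin/yubikey-luks-open for the real derivation. openssl stands in for the YubiKey's HMAC-SHA1 slot so the derivation runs without hardware; the ykchalresp and cryptsetup calls in the last function are the real flow and need root plus a plugged-in key. The secret values and the disk and mapper names are constructed for the example.

```shell
#!/bin/sh
# Added model of the yubikey-luks unlock flow (not the package's code).
# The YubiKey's challenge-response slot (slot 2 by default for yubikey-luks)
# holds a 20-byte HMAC-SHA1 secret that never leaves the device. At unlock the
# typed "challenge password" is sent to the key, and the 20-byte response, as
# 40 hex characters, is what is presented to LUKS as the passphrase for the
# slot yubikey-luks-enroll created. Assumes openssl is installed.

# Simulated YubiKey: hex secret + challenge -> 40 hex chars.
# On real hardware this call is:  ykchalresp -2 "$challenge"
chalresp_simulated() {
  secret_hex=$1
  challenge=$2
  printf '%s' "$challenge" \
    | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$secret_hex" \
    | awk '{print $NF}'
}

# Why this is two factors: change either the device secret or the typed
# challenge and the response is unrelated, so an attacker who has only the
# password, or only the key, cannot reproduce the LUKS key-slot secret.
responses_differ() {
  a=$(chalresp_simulated "$1" "$3")
  b=$(chalresp_simulated "$2" "$4")
  [ "$a" != "$b" ]
}

# Real hardware, root only: get the response from the plugged-in key and feed
# it to cryptsetup on stdin, the same shape as yubikey-luks-open uses.
yubikey_open() {
  disk=$1; name=$2; challenge=$3
  response=$(ykchalresp -2 "$challenge") \
    || { echo "no response from YubiKey" >&2; return 1; }
  printf '%s' "$response" | cryptsetup open --key-file=- "$disk" "$name"
}

# Example (constructed): device secret "key" (hex 6b6579) and a challenge.
if [ "${1:-}" = "demo" ]; then
  chalresp_simulated 6b6579 "The quick brown fox jumps over the lazy dog"
fi
```

A consequence worth planning for: losing the YubiKey loses slot 7 for good, which is why enroll insists on an existing passphrase and why you keep that passphrase (or the key file) as the recovery path.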

WRITTEN BY
Thomas
I am a Site Reliability Engineer, currently working from London. I hate that I like computers. I try to post potentially useful stuff from time to time.