= Drive encryption

:Author: Seth Kenlon
:Email: [email protected]

Many people consider hard drives secure due to physical ownership.
It's difficult to read the data on a hard drive that you don't have, and many people think that because their computer is protected with a passphrase, the data on their drive is unreadable.
In fact, this isn't always the case, partly because in some cases a passphrase serves only to unlock a user session.
In other words, you can power on a computer, but because you don't have its passphrase, you can't get to the desktop and so you have no way to open files to look at them.
The problem, as many a computer technician understands, is that hard drives can be extracted from computers, and some drives are already external by design (USB thumb drives, for instance), so they can be attached to any computer for full access to data.
You don't have to physically separate a drive from its computer host for this trick to work, either.
https://opensource.com/article/19/6/linux-distros-to-try[Computers can be booted from a portable boot drive], which separates a drive from its host OS and turns it into, virtually, an external drive available for reading.

The answer is to place the data on a drive into a digital vault that can't be opened without information only you have access to.

== Drive encryption

LUKS (Linux Unified Key Setup) is a disk encryption system.
It provides a generic key store (and associated metadata and recovery aids) in a dedicated area on a disk, with the ability to use multiple passphrases (or key files) to unlock a stored key.
It's designed to be flexible, and can even store metadata externally so it can be integrated with other tools.
The result is full-drive encryption, so you can store all of your data in confidence that it's safe even if your drive is separated, either physically or through software, from your computer.

=== Encryption during installation

The easiest way to implement full drive encryption is to select the option during installation.
Most modern Linux distributions offer this as an option now, so it's usually a trivial process.

image::centos8-install-encrypt.jpg[]

This establishes everything you need: an encrypted drive requiring a passphrase before your system can boot.
If the drive is extracted from your computer or accessed from another OS running on your computer, the drive must be decrypted by LUKS before it can be mounted.

== Encrypting an external drive

Separating an internal hard drive from its computer is relatively uncommon, but external drives are designed to travel.
As technology gets smaller and smaller, it's easier to put a portable drive on your keychain and carry it around with you every day.
The obvious danger, however, is that these are also pretty easy to misplace.
I've found abandoned drives in the USB ports of hotel lobby computers, business center printers, classrooms, and in one case a laundromat.
Most of these didn't include personal information, but it's an easy mistake to make.

You can mitigate the risk of misplacing important data by encrypting your external drives.

LUKS, and its front-end `cryptsetup`, is one way to do this on Linux.
You can, as Linux does during installation, encrypt the entire drive so that a passphrase is required to mount it.

=== Encrypt an external drive with LUKS

First, you need an empty external drive (or a drive with contents you're willing to erase).
This process overwrites all data on a drive, so if you have data you want to keep on the drive, _back it up first_.

1. Find your drive

For this article, I used a small USB thumb drive.
To protect you from accidentally erasing data, the drive in this article is located at the imaginary location `/dev/sdX`.
Attach your drive and find its location:

[source,bash]
----
$ lsblk
sda    8:0    0 111.8G  0 disk
sda1   8:1    0 111.8G  0 part /
sdb    8:112  1  57.6G  0 disk
sdb1   8:113  1  57.6G  0 part /mydrive
sdX    8:128  1   1.8G  0 disk
sdX1   8:129  1   1.8G  0 part
----

I know that my demo drive is located at `/dev/sdX` because I recognise its size (1.8G), and it's also the latest drive I've attached (with `sda` being the first, `sdb` the second, `sdc` the third, and so on).
If you're unsure, remove your drive and look at the output of `lsblk`, and then attach your drive and look at `lsblk` again.

Make sure you have identified the correct drive, because encrypting it overwrites _everything on it_.
In this case, my drive is not empty, but it only contains copies of some documents I have copies of elsewhere, so losing this data isn't significant to me.

2. Clear the drive

To proceed, destroy the partition table of the drive by overwriting the head of the drive with zeros.
This step isn't strictly necessary, but I like to start with a clean slate.

[source,bash]
----
$ sudo dd if=/dev/zero of=/dev/sdX count=4096
----

3. Format your drive for LUKS

The `cryptsetup` command is a front-end for managing LUKS volumes.
The `luksFormat` subcommand creates a sort of LUKS vault that's password-protected and can house a secured filesystem.

When you create a LUKS partition, you're warned about overwriting data, and then prompted to create a passphrase for your drive:

[source,bash]
----
$ sudo cryptsetup luksFormat /dev/sdX
WARNING!
========
This will overwrite data on /dev/sdX irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
----

4. Open the LUKS volume

Now you have a fully encrypted vault on your drive.
Prying eyes, including your own right now, are kept out of this LUKS partition, so to use it you must open it with your passphrase.
Open the LUKS vault with `cryptsetup open`, along with the device location (`/dev/sdX` in my example) and an arbitrary name for your opened vault.
I use `vaultdrive` in my example, but you can name your vault anything you want, and you can give it a different name every time you open it.

[source,bash]
----
$ sudo cryptsetup open /dev/sdX vaultdrive
----

LUKS volumes are opened in a special device location called `/dev/mapper`.
You can list the files there to see that your vault has been added:

[source,bash]
----
$ ls /dev/mapper
control  vaultdrive
----

You can close a LUKS volume at any time using the `close` subcommand:

[source,bash]
----
$ sudo cryptsetup close vaultdrive
----

This removes the volume from `/dev/mapper`.

5. Create a filesystem

Now that you have your LUKS volume decrypted and open (reopen it if you closed it in the previous step), you must create a filesystem there so you can store data in it.
In my example, I use XFS but you can use ext4 or JFS or any filesystem you want:

[source,bash]
----
$ sudo mkfs.xfs -f -L myvault /dev/mapper/vaultdrive
----
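
The following is an added example, not part of the original article: two checks that bracket the procedure above. `wipe_guard` refuses a target when any of its partitions is mounted, and `luks_version` confirms that the drive now starts with a LUKS header (`cryptsetup isLuks` is the tool's own equivalent). The function names are illustrative, and `/dev/sdX` is the article's placeholder.

```shell
#!/bin/sh
# Added example: function names are illustrative, not cryptsetup features.

# wipe_guard: reads the output of `lsblk -nrpo NAME,MOUNTPOINT <device>`
# on stdin. Succeeds only if no listed device or partition is mounted.
wipe_guard() {
    awk 'NF >= 2 { print "refusing: " $1 " is mounted on " $2; bad = 1 }
         END     { exit bad + 0 }'
}

# luks_version: prints 1 or 2 if TARGET starts with a LUKS header,
# otherwise prints nothing and returns non-zero.
# Header layout: 6-byte magic "LUKS" 0xBA 0xBE, then a 2-byte
# big-endian version number.
luks_version() {
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $hdr in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Before step 2 (nothing is written unless the guard passes):
#   lsblk -nrpo NAME,MOUNTPOINT /dev/sdX | wipe_guard \
#       && sudo dd if=/dev/zero of=/dev/sdX count=4096
# After step 3, as root (reading a raw device needs privileges):
#   luks_version /dev/sdX
```

The header is stored unencrypted, so anyone who finds the drive can tell that it is a LUKS volume; only the data behind it is protected by your passphrase.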

=== Mounting and unmounting a LUKS volume

You can mount a LUKS volume from a terminal as usual with the `mount` command.
Assume you have a directory called `/mnt/hd` and want to mount your LUKS volume there:

[source,bash]
----
$ sudo cryptsetup open /dev/sdX vaultdrive
$ sudo mount /dev/mapper/vaultdrive /mnt/hd
----
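
The reverse of the commands above, as an added example that is not part of the original article: the filesystem is unmounted before the mapping is closed, because `cryptsetup close` fails while the mapped device is still in use. The function names and the `RUN` and `MOUNTS` variables are illustrative; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example. RUN prefixes every privileged command: the default
# `echo` only prints them, RUN=sudo executes them.
RUN=${RUN:-echo}
MOUNTS=${MOUNTS:-/proc/mounts}   # mount table to consult (overridable)

# is_mounted MOUNTPOINT: succeeds if something is mounted there.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$MOUNTS"
}

# vault_open DEVICE NAME MOUNTPOINT
vault_open() {
    if is_mounted "$3"; then
        echo "$3 is already in use" >&2
        return 1
    fi
    $RUN cryptsetup open "$1" "$2" && $RUN mount "/dev/mapper/$2" "$3"
}

# vault_close NAME MOUNTPOINT
vault_close() {
    # Unmount first: the mapping cannot be closed while it is mounted.
    if is_mounted "$2"; then
        $RUN umount "$2" || return 1
    fi
    $RUN cryptsetup close "$1"
}

# Example with the article's names:
#   RUN=sudo vault_open  /dev/sdX vaultdrive /mnt/hd
#   RUN=sudo vault_close vaultdrive /mnt/hd
```

Once the mapping is closed, the drive is again unreadable without the passphrase and can be detached.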

Alternatively, LUKS integrates into popular Linux desktops.
For instance, when I attach an encrypted drive to my workstation running KDE or my laptop running GNOME, my file manager prompts me for a passphrase before it mounts the drive.

image::luks-mount-gui.png[]

== Encryption is protection

Linux makes encryption easier than ever.
It's so easy, in fact, that it's nearly unnoticeable.
The next time you https://opensource.com/article/18/11/partition-format-drive-linux[format an external drive for Linux], consider using LUKS first.
It integrates seamlessly with your Linux desktop, and protects your important data from accidental exposure.