Encrypting partitions with cryptsetup
Simple Security

Modern installers offer the option of encryption with just a few clicks, but you might want to take control of the process. We show how to encrypt your partitions safely without sacrificing convenience.
The easiest time to encrypt a partition is when installing your operating system. Usually, you don't have to juggle existing partitions or even think about the process: Just click an option, and many modern installers take care of the rest. By contrast, encryption after installation is more complex, although it's still possible, as long as you work systematically.
Because modern installers routinely give the option of encryption, you might think it an unalloyed good. What could possibly go wrong with concealing your data from intruders? The simple answer is: a lot.
For one thing, all forms of encryption reduce performance, which means that encryption might not be suitable for older or less powerful machines. For another, if an encrypted filesystem becomes corrupted, recovery becomes more complicated – especially if you have encrypted the entire drive. The man page for cryptsetup [1] lists all sorts of other worries to test your nerves, ranging from corrupted headers, to problems when the character encoding of a passphrase changes, to lingering problems caused by insufficiently wiped data.
Instead, you might want to create a partition for storing only private files, so that encryption cannot affect the ordinary functionality of the system. Such a partition, technically known as a container, offers less protection than encrypting the entire drive but is a reasonable compromise between security and convenience.
You should also consider what method of encryption to use. One option is an encrypted filesystem, such as eCryptfs [2] or EncFS [3]. The alternative is block-level encryption, such as that offered by Loop-AES [4] or the now discontinued TrueCrypt [5].
Currently, the most popular method is block-level encryption using dm-crypt [6] combined with the Linux Unified Key Setup on-disk format (LUKS) [7], which is supported by the kernel in all major distributions of which I am aware.
Preparing to Encrypt
Before adding any form of encryption, make a complete external backup. A backup is especially important if you want to encrypt an existing directory – particularly /home. Even if you have no intention of touching an existing directory with data in it, accidents can still happen.
Additionally, you need to install the package cryptsetup [8] if you are running Debian, Ubuntu, Linux Mint, or any other Debian derivative. If you are running Fedora, Red Hat, or CentOS, you need to install the package cryptsetup-luks.
As a final preparation, use parted -l or gparted to see what free space is available on your system. If you reformat an existing partition, install and run wipefs to help eliminate potential problems. If you need to shrink existing partitions to provide space for a new partition, boot from a Live CD to perform the operation to minimize any problems.
If you are setting up an encrypted /home directory, you will need a new partition at least the size of the existing /home directory. By contrast, if you only plan an encrypted vault for essential files, make sure any partition you create is large enough to hold all its intended contents.
Once new partitions are ready, use the command mkdir to create a mountpoint for each one under /mnt, the traditional location for new mountpoints created during daily operations. Then, mount the partitions; for example:
mount /dev/sda4 /mnt/vault
Unless you are using an unusual filesystem format, the mount command should not require any options.
Finally, copy the contents of any existing directory for which you intend an encrypted version to one of the new partitions. Yes, you should have made a backup, but assuming all goes well, copying from partition to partition will be faster than restoring from an external device.
Encrypting a Partition
To initialize an encrypted partition, run cryptsetup
as root with the partition unmounted. This command supports Loop-AES and TrueCrypt encryption, but unless you know the pros and cons of these choices, experts consistently recommend that you use LUKS as the encryption method that provides the greatest security with the least knowledge.
Add the device to encrypt, the -v option for verbose output, and the -y option so that you must enter the passphrase twice. For most purposes, this gives the basic command structure:
cryptsetup -y -v luksFormat /dev/[DEVICE]
When you enter this command, you are warned that all data on the device will be overwritten, and you must confirm the action by typing YES (note the uppercase). You are then asked to enter the passphrase (essentially, a longer version of a password, also known as a key) twice (Figure 1).

If the passphrase is inadequate for any reason, the command fails and returns you to the prompt with an explanation of the failure (Figure 2). If the passphrase is acceptable (the usual rules apply, such as sufficient length and a combination of letters, symbols, and upper- and lowercase characters), the command simply returns the message Command successful.

Partitions encrypted with LUKS can have up to eight passphrases or keys. The keys are stored in a key file. To add a key, use the command structure:
cryptsetup -y -v luksAddKey /dev/[DEVICE]
To remove a key, use
cryptsetup -y -v luksRemoveKey /dev/[DEVICE]
Similarly, luksChangeKey replaces the specific passphrase entered with a new one.
The command can, of course, grow vastly more complicated, accommodating more sophisticated knowledge of encryption than I am assuming here. Options to consider include --test-passphrase, which tests the setup as a trial run without setting up the partition; --timeout [SECONDS], which sets the interval for retrying a failed passphrase; and --tries [NUMBER], which alters the default of three attempts to enter the passphrase successfully.
Mapping Encrypted Partitions for Use
The next step is to map and open the newly encrypted partition for everyday use with LUKS. Enter the command
cryptsetup luksOpen /dev/[DEVICE] [MAPPED NAME]
and enter the passphrase for the device. The device now appears under /dev/mapper with the mapped name you chose, ready for use.
From this point on, refer to the device mapping name, rather than the device's partition, when entering commands (Figure 3). For example, to view information about an encrypted partition (Figure 4), run:


cryptsetup -v status [MAPPED NAME]
Sometimes a useful option is --readonly, which limits the mapped partition to read-only access.
You will still need to mount the device to copy files to and from it, to create additional filesystems on the encrypted device, or to unmount it when you are finished working with it – just remember to use the mapped name. When you finish using the encrypted partition, run the command:
cryptsetup luksClose [MAPPED NAME]
This command also removes the mapped name from kernel memory, so that information about your system cannot be obtained even when the partition is unavailable. Whether you are in the mounted partition does not affect the command, so be sure you remain aware of what you are doing.
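The whole procedure from the preceding sections, rehearsed on a loop-backed image file instead of a real partition, as an added example that is not from the article. The image path, the mapping name vault and the mountpoint /mnt/vault are assumptions, and the magic-byte check before luksOpen is a sanity test added here, not a cryptsetup feature.

```shell
#!/bin/sh
# Added example, not from the article. Names are assumptions: IMG (image path),
# NAME (mapping under /dev/mapper), MNT (mountpoint). cryptsetup, mkfs.ext4 and
# mount need root; the header check runs unprivileged.
set -eu
IMG=${IMG:-/var/tmp/vault.img}
NAME=${NAME:-vault}
MNT=${MNT:-/mnt/vault}

# Sanity check: a LUKS container starts with the 6-byte magic "LUKS" 0xBA 0xBE.
# Returns 0 if the magic is present, 1 otherwise (e.g. wiped or wrong device).
luks_magic_ok() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

vault_create() {
    # 1. Back the vault with a 256 MiB file; a real partition works the same way.
    dd if=/dev/zero of="$IMG" bs=1M count=256 2>/dev/null
    # 2. Initialise LUKS: -y asks for the passphrase twice, -v reports progress.
    cryptsetup -y -v luksFormat "$IMG"
    luks_magic_ok "$IMG" || { echo "no LUKS header written to $IMG" >&2; exit 1; }
    # 3. Map the container; from here on refer to /dev/mapper/$NAME, not $IMG.
    cryptsetup luksOpen "$IMG" "$NAME"
    # 4. Put a filesystem on the mapped device, mount it and show its status.
    mkfs.ext4 -q "/dev/mapper/$NAME"
    mkdir -p "$MNT"
    mount "/dev/mapper/$NAME" "$MNT"
    cryptsetup -v status "$NAME"
}

vault_open() {
    # Refuse to continue if the image has lost its header (corruption, wipefs).
    luks_magic_ok "$IMG" || { echo "$IMG is not a LUKS container" >&2; exit 1; }
    cryptsetup luksOpen "$IMG" "$NAME"
    mkdir -p "$MNT"
    mount "/dev/mapper/$NAME" "$MNT"
}

vault_close() {
    # Unmount first: luksClose cannot remove a mapping that is still in use.
    umount "$MNT"
    cryptsetup luksClose "$NAME"
}

case "${1:-}" in
    create) vault_create ;;
    open)   vault_open ;;
    close)  vault_close ;;
esac
```

Run as root with create, then close when finished; open remaps an existing image and mounts it again.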