Encrypt your disks on Linux
Unreadable
Encrypted volumes have long since ceased to be an exception or luxury. Corporate policies and compliance rules often demand encryption for critical data. This article looks at tools for disk encryption on Linux.
It's no coincidence that portable computers have pushed desktop PCs into the background over the past 10 years. Today, users only need desktop systems for computationally intensive work such as video rendering or games. For everything else, even mid-range laptops are now perfectly adequate. But laptops also have one disadvantage: They are far easier to steal than a standalone PC. An appropriate insurance policy can cushion the cost of replacing the device in case of theft. However, it is not so easy to compensate for the loss of data.
Corporations and users can only protect themselves effectively against this kind of horror scenario by completely encrypting the data carriers in the device, from USB sticks to external hard drives. How can a Linux user best secure disk data by means of encryption? This article describes some leading encryption methods and tools for Linux.
Cryptsetup with LUKS
Just about everyone who has ever dealt with encryption on Linux will have come across the abbreviation LUKS [1], which stands for Linux Unified Key Setup. The LUKS standard describes what disk encryption should look like on Linux (Figure 1). LUKS is based on the Cryptsetup tool, which in turn uses the Dmcrypt kernel module of the Linux kernel to manage encrypted volumes.
At first glance, this sounds considerably more chaotic than it actually is – at least if you keep in mind how the Linux kernel has handled block devices and their drivers for decades. The block device layer of the kernel resorts to a trick, allowing different drivers to be connected in series in order to combine their functions.
Dmcrypt forms part of the block device layer. If the administrator instructs the device mapper (which includes LVM, for example) to prepend the Dmcrypt driver to a block device before accessing it, all Dmcrypt functions are available for the block device. In fact, Dmcrypt also implements its own basic encryption. However, these measures are not nearly enough to meet today's requirements in the eyes of the kernel developers. Accordingly, they created the LUKS format, which standardizes all the functions needed for encryption and defines them as part of a header in the partition table. This also means that the definition of encrypted drives on Linux is independent of the distribution and vendor.
Integrated into the System
Today, Cryptsetup with LUKS support is included with all distributions. Most manufacturers have also integrated the tool directly into their setup routines. You can start encrypting when installing the individual directories, such as /home
, or you can encrypt the entire non-removable disk.
Once you encrypt the disk, the operating system can no longer boot without the password. If you remove the data medium from the device and try to read it, you will only see a mess of data. It is unanimously understood that this way of using encrypted drives under Linux is by far the most secure approach today. It also uses hardware acceleration. If you don't have an Atom or another low-cost processor in the device, the CPU will probably come with built-in hardware support for various encryption algorithms.
Devices connected to the system via USB can also be encrypted with Cryptsetup and LUKS – just like a built-in NVMe drive. However, there are differences in the setup between the individual distributions, and different desktop environments also offer their own tools to operate Cryptsetup and LUKS. If you want to avoid an excursion to the command line, you will need to familiarize yourself with your system's defaults.
Of course, a combination of Cryptsetup and LUKS has one major disadvantage: It offers virtually no interoperability with other operating systems. You'll need a way to deal with a kind of chicken-and-egg problem. When LUKS and Cryptsetup were just gathering speed, there were already solutions that worked equally well on all the major operating systems. These alternative solutions are not as deeply integrated into the system, but they work across operating system boundaries, and not just on Linux.
Remembering Truecrypt
An article about disk encryption under Linux would be incomplete without mentioning Veracrypt [2] and its famous predecessor. Veracrypt emerged from Truecrypt in 2013. At that time, Truecrypt was considered by many observers in the Linux world to be the only valid alternative to the combination of Cryptsetup and LUKS on Linux.
Truecrypt development came to an end as a result of an audit in 2014, and it was the Truecrypt developers themselves who warned people not to use their own software. Shortly thereafter, the developers provided a new and final version of Truecrypt, which was massively limited in terms of its functionality. According to the developers, this final release was only intended to convert existing setups into Bitlocker setups with Microsoft's standard encryption.
The end of Truecrypt caused wild speculation in the community, which even considered the involvement of intelligence agencies. This speculation did not subside when additional audits completed retrospectively found no significant problems in the way Truecrypt worked. The actual reason for Truecrypt's end will probably never be clarified.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.