Encrypt your disks on Linux
Unreadable

Encrypted volumes have long since ceased to be an exception or luxury. Corporate policies and compliance rules often demand encryption for critical data. This article looks at tools for disk encryption on Linux.
It's no coincidence that portable computers have pushed desktop PCs into the background over the past 10 years. Today, users only need desktop systems for computationally intensive work such as video rendering or games. For everything else, even mid-range laptops are now perfectly adequate. But laptops also have one disadvantage: They are far easier to steal than a standalone PC. An appropriate insurance policy can cushion the cost of replacing the device in case of theft. However, it is not so easy to compensate for the loss of data.
Corporations and users can only protect themselves effectively against this kind of horror scenario by completely encrypting the data carriers in the device, from USB sticks to external hard drives. How can a Linux user best secure disk data by means of encryption? This article describes some leading encryption methods and tools for Linux.
Cryptsetup with LUKS
Just about everyone who has ever dealt with encryption on Linux will have come across the abbreviation LUKS [1], which stands for Linux Unified Key Setup. The LUKS standard describes what disk encryption should look like on Linux (Figure 1). LUKS is based on the Cryptsetup tool, which in turn uses the Dmcrypt kernel module of the Linux kernel to manage encrypted volumes.

At first glance, this sounds considerably more chaotic than it actually is – at least if you keep in mind how the Linux kernel has handled block devices and their drivers for decades. The block device layer of the kernel resorts to a trick, allowing different drivers to be connected in series in order to combine their functions.
Dmcrypt forms part of the block device layer. If the administrator instructs the device mapper (which includes LVM, for example) to prepend the Dmcrypt driver to a block device before accessing it, all Dmcrypt functions are available for the block device. In fact, Dmcrypt also implements its own basic encryption. However, these measures are not nearly enough to meet today's requirements in the eyes of the kernel developers. Accordingly, they created the LUKS format, which standardizes all the functions needed for encryption and defines them as part of a header in the partition table. This also means that the definition of encrypted drives on Linux is independent of the distribution and vendor.
Integrated into the System
Today, Cryptsetup with LUKS support is included with all distributions. Most manufacturers have also integrated the tool directly into their setup routines. You can start encrypting when installing the individual directories, such as /home
, or you can encrypt the entire non-removable disk.
Once you encrypt the disk, the operating system can no longer boot without the password. If you remove the data medium from the device and try to read it, you will only see a mess of data. It is unanimously understood that this way of using encrypted drives under Linux is by far the most secure approach today. It also uses hardware acceleration. If you don't have an Atom or another low-cost processor in the device, the CPU will probably come with built-in hardware support for various encryption algorithms.
Devices connected to the system via USB can also be encrypted with Cryptsetup and LUKS – just like a built-in NVMe drive. However, there are differences in the setup between the individual distributions, and different desktop environments also offer their own tools to operate Cryptsetup and LUKS. If you want to avoid an excursion to the command line, you will need to familiarize yourself with your system's defaults.
Of course, a combination of Cryptsetup and LUKS has one major disadvantage: It offers virtually no interoperability with other operating systems. You'll need a way to deal with a kind of chicken-and-egg problem. When LUKS and Cryptsetup were just gathering speed, there were already solutions that worked equally well on all the major operating systems. These alternative solutions are not as deeply integrated into the system, but they work across operating system boundaries, and not just on Linux.
Remembering Truecrypt
An article about disk encryption under Linux would be incomplete without mentioning Veracrypt [2] and its famous predecessor. Veracrypt emerged from Truecrypt in 2013. At that time, Truecrypt was considered by many observers in the Linux world to be the only valid alternative to the combination of Cryptsetup and LUKS on Linux.
Truecrypt development came to an end as a result of an audit in 2014, and it was the Truecrypt developers themselves who warned people not to use their own software. Shortly thereafter, the developers provided a new and final version of Truecrypt, which was massively limited in terms of its functionality. According to the developers, this final release was only intended to convert existing setups into Bitlocker setups with Microsoft's standard encryption.
The end of Truecrypt caused wild speculation in the community, which even considered the involvement of intelligence agencies. This speculation did not subside when additional audits completed retrospectively found no significant problems in the way Truecrypt worked. The actual reason for Truecrypt's end will probably never be clarified.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
OpenMandriva Lx 23.03 Rolling Release is Now Available
OpenMandriva "ROME" is the latest point update for the rolling release Linux distribution and offers the latest updates for a number of important applications and tools.
-
CarbonOS: A New Linux Distro with a Focus on User Experience
CarbonOS is a brand new, built-from-scratch Linux distribution that uses the Gnome desktop and has a special feature that makes it appealing to all types of users.
-
Kubuntu Focus Announces XE Gen 2 Linux Laptop
Another Kubuntu-based laptop has arrived to be your next ultra-portable powerhouse with a Linux heart.
-
MNT Seeks Financial Backing for New Seven-Inch Linux Laptop
MNT Pocket Reform is a tiny laptop that is modular, upgradable, recyclable, reusable, and ships with Debian Linux.
-
Ubuntu Flatpak Remix Adds Flatpak Support Preinstalled
If you're looking for a version of Ubuntu that includes Flatpak support out of the box, there's one clear option.
-
Gnome 44 Release Candidate Now Available
The Gnome 44 release candidate has officially arrived and adds a few changes into the mix.
-
Flathub Vying to Become the Standard Linux App Store
If the Flathub team has any say in the matter, their product will become the default tool for installing Linux apps in 2023.
-
Debian 12 to Ship with KDE Plasma 5.27
The Debian development team has shifted to the latest version of KDE for their testing branch.
-
Planet Computers Launches ARM-based Linux Desktop PCs
The firm that originally released a line of mobile keyboards has taken a different direction and has developed a new line of out-of-the-box mini Linux desktop computers.
-
Ubuntu No Longer Shipping with Flatpak
In a move that probably won’t come as a shock to many, Ubuntu and all of its official spins will no longer ship with Flatpak installed.