Disk Encryption User Guide (2024)

Contents

  1. What is block device encryption?

  2. Encrypting block devices using dm-crypt/LUKS

    1. Overview of LUKS

    2. How will I access the encrypted devices after installation? (System Startup)

    3. Choosing a Good Passphrase

  3. Creating Encrypted Block Devices in Anaconda

    1. What Kinds of Block Devices Can Be Encrypted?

    2. Limitations of Anaconda’s Block Device Encryption Support

      1. Filling the Device with Random Data Before Encrypting

      2. Using a Key Comprised of Randomly Generated Data to Access Encrypted Devices

  4. Creating Encrypted Block Devices on the Installed System After Installation

    1. Create the block devices

    2. Optional: Fill the device with random data

    3. Format the device as a dm-crypt/LUKS encrypted device

    4. Create a mapping to allow access to the device’s decrypted contents

    5. Create filesystems on the mapped device, or continue to build complex storage structures using the mapped device

    6. Add the mapping information to /etc/crypttab

    7. Add an entry to /etc/fstab

  5. Common Post-Installation Tasks

    1. Backup LUKS headers

    2. Set a randomly generated key as an additional way to access an encrypted block device

      1. Generate a key

      2. Add the key to an available keyslot on the encrypted device

    3. Add a new passphrase to an existing device

    4. Remove a passphrase or key from a device

What is block device encryption?

Block device encryption encrypts and decrypts data transparently as it is written to and read from a block device; the underlying block device sees only encrypted data.

To mount encrypted block devices the sysadmin (or user, depending on context) must provide a passphrase to activate the decryption key.

Encryption provides additional security beyond existing OS security mechanisms in that it protects the device’s contents even if the device has been physically removed from the system. Some systems use the same key for encryption and decryption; others use one key for encryption and a separate second key to enable decryption.

Encrypting block devices using dm-crypt/LUKS

LUKS (Linux Unified Key Setup) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.

LUKS uses the kernel device mapper subsystem via the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device’s data. User-level operations, such as creating and accessing encrypted devices, are accomplished through the use of the cryptsetup utility.

Overview of LUKS

How will I access the encrypted devices after installation? (System Startup)

During system startup you will be presented with a passphrase prompt. After the correct passphrase has been provided the system will continue to boot normally. If you used different passphrases for multiple encrypted devices you may need to enter more than one passphrase during the startup.

Consider using the same passphrase for all encrypted block devices within a given system. This will simplify system startup and you will have fewer passphrases to remember. Just make sure you choose a good passphrase!

Choosing a Good Passphrase

While dm-crypt/LUKS supports both keys and passphrases, the anaconda installer only supports the use of passphrases for creating and accessing encrypted block devices during installation.

LUKS does provide passphrase strengthening but it is still a good idea to choose a good (meaning "difficult to guess") passphrase. Note the use of the term "passphrase", as opposed to the term "password". This is intentional. Providing a phrase containing multiple words to increase the security of your data is important.

Creating Encrypted Block Devices in Anaconda

You can create encrypted devices during system installation. This allows you to easily configure a system with encrypted partitions.

To enable block device encryption, check the "Encrypt System" checkbox when selecting automatic partitioning or the "Encrypt" checkbox when creating an individual partition, software RAID array, or logical volume. After you finish partitioning, you will be prompted for an encryption passphrase. This passphrase will be required to access the encrypted devices. If you have pre-existing LUKS devices and provided correct passphrases for them earlier in the install process the passphrase entry dialog will also contain a checkbox. Checking this checkbox indicates that you would like the new passphrase to be added to an available slot in each of the pre-existing encrypted block devices.

Checking the "Encrypt System" checkbox on the "Automatic Partitioning" screen and then choosing "Create custom layout" does not cause any block devices to be encrypted automatically.

You can use kickstart to set a separate passphrase for each new encrypted block device.

What Kinds of Block Devices Can Be Encrypted?

Most types of block devices can be encrypted using LUKS. From anaconda you can encrypt partitions, LVM physical volumes, LVM logical volumes, and software RAID arrays.

Limitations of Anaconda’s Block Device Encryption Support

Filling the Device with Random Data Before Encrypting

Filling a device with random data prior to encrypting improves the strength of the encryption. However, it can take a very long time to fill the device with random data. It is because of those time requirements that anaconda does not offer this option. This step can be performed manually, using a kickstart %pre script. Instructions can be found here.

Using a Key Comprised of Randomly Generated Data to Access Encrypted Devices

In addition to passphrases, LUKS devices can be accessed with a key comprised of randomly generated data. Setting up one or more keys to access the encrypted devices can be done on the installed system or through the use of a kickstart %post script. Instructions can be found here.

Creating Encrypted Block Devices on the Installed System After Installation

Encrypted block devices can be created and configured after installation.

Create the block devices

Create the block devices you want to encrypt by using parted, pvcreate, lvcreate and mdadm.

Optional: Fill the device with random data

Filling <device> (eg: /dev/sda3) with random data before encrypting it greatly increases the strength of the encryption. The downside is that it can take a very long time.

The commands below will destroy any existing data on the device.

  • The best way, which provides high quality random data but takes a long time (several minutes per gigabyte on most systems):

    dd if=/dev/urandom of=<device>

  • The fastest way, which provides lower quality random data:

    badblocks -c 10240 -s -w -t random -v <device>

Format the device as a dm-crypt/LUKS encrypted device

The commands below will destroy any existing data on the device.

cryptsetup luksFormat <device>

For more information, read the cryptsetup(8) man page.

After supplying the passphrase twice the device will be formatted for use. To verify, use the following command:

cryptsetup isLuks <device> && echo Success

To see a summary of the encryption information for the device, use the following command:

cryptsetup luksDump <device>

Create a mapping to allow access to the device’s decrypted contents

To access the device’s decrypted contents, a mapping must be established using the kernel device-mapper.

It is useful to choose a meaningful name for this mapping. LUKS provides a UUID (Universally Unique Identifier) for each device. This, unlike the device name (eg: /dev/sda3), is guaranteed to remain constant as long as the LUKS header remains intact. To find a LUKS device’s UUID, run the following command:

cryptsetup luksUUID <device>

An example of a reliable, informative and unique mapping name would be luks-<uuid>, where <uuid> is replaced with the device’s LUKS UUID (eg: luks-50ec957a-5b5a-47ee-85e6-f8085bbc97a8). This naming convention might seem unwieldy, but it is not necessary to type it often.

cryptsetup luksOpen <device> <name>

There should now be a device node, /dev/mapper/<name>, which represents the decrypted device. This block device can be read from and written to like any other unencrypted block device.

To see some information about the mapped device, use the following command:

dmsetup info <name>

For more information, read the dmsetup(8) man page.

Create filesystems on the mapped device, or continue to build complex storage structures using the mapped device

Use the mapped device node (/dev/mapper/<name>) as any other block device. To create an ext2 filesystem on the mapped device, use the following command:

mke2fs /dev/mapper/<name>

To mount this filesystem on /mnt/test, use the following command:

The directory /mnt/test must exist before executing this command.

mount /dev/mapper/<name> /mnt/test

Add the mapping information to /etc/crypttab

In order for the system to set up a mapping for the device, an entry must be present in the /etc/crypttab file. If the file doesn’t exist, create it and change the owner and group to root (root:root) and change the mode to 0744. Add a line to the file with the following format:

<name> <device> none

The <device> field should be given in the form "UUID=<luks_uuid>", where <luks_uuid> is the LUKS uuid as given by the command cryptsetup luksUUID <device>. This ensures the correct device will be identified and used even if the device node (eg: /dev/sda5) changes.

For details on the format of the /etc/crypttab file, read the crypttab(5) man page.

Add an entry to /etc/fstab

Add an entry to /etc/fstab file. This is only necessary if you want to establish a persistent association between the device and a mountpoint. Use the decrypted device, /dev/mapper/<name> in the /etc/fstab file.

In many cases it is desirable to list devices in /etc/fstab by UUID or by a filesystem label. The main purpose of this is to provide a constant identifier in the event that the device name (eg: /dev/sda4) changes. LUKS device names in the form of /dev/mapper/luks-<luks_uuid> are based only on the device’s LUKS UUID, and are therefore guaranteed to remain constant. This fact makes them suitable for use in /etc/fstab.

For details on the format of the /etc/fstab file, read the fstab(5) man page.
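Putting the post-installation steps together, as an added example that is not part of the original guide: the helper functions derive the luks-<uuid> mapping name and the /etc/crypttab and /etc/fstab lines from a LUKS UUID, and check_crypttab flags crypttab entries that still name a bare device node instead of using the UUID= form. The luks_provision wrapper is an assumption that strings the guide's cryptsetup and mke2fs commands together; it is meant to be run only as root on a real, empty device.

```shell
#!/bin/sh
# Added example, not code from the Fedora guide. Derives the names and
# configuration lines the guide describes from a LUKS UUID, and checks an
# existing /etc/crypttab for entries that bypass the UUID= form.

# Mapping name luks-<uuid>, the convention recommended in the guide.
luks_map_name() {
    printf 'luks-%s\n' "$1"
}

# /etc/crypttab line: <name> UUID=<luks_uuid> none
crypttab_entry() {
    printf 'luks-%s UUID=%s none\n' "$1" "$1"
}

# /etc/fstab line using the stable /dev/mapper/luks-<uuid> path.
# Arguments: uuid, mount point, filesystem type (defaults to ext2 as in the
# guide); fsck pass 2 because this is not the root filesystem.
fstab_entry() {
    printf '/dev/mapper/luks-%s %s %s defaults 0 2\n' "$1" "$2" "${3:-ext2}"
}

# Returns 0 if the second field of a crypttab line is UUID=..., 1 otherwise.
# A bare node such as /dev/sda5 can silently point at a different disk after
# hardware changes, which is why the guide says to reference the LUKS UUID.
crypttab_line_uses_uuid() {
    set -- $1   # intentional word splitting into the crypttab fields
    case "$2" in
        UUID=*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Reports every non-comment crypttab line whose device field is not UUID=.
# Returns 1 if any such line exists, 0 if the file is clean.
check_crypttab() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! crypttab_line_uses_uuid "$line"; then
            printf 'crypttab device field is not UUID=: %s\n' "$line" >&2
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# The guide's procedure end to end (assumed wrapper, not from the guide).
# Run only as root on a real, empty block device: luksFormat destroys data.
# $1 = block device (e.g. /dev/sda3), $2 = mount point, which must exist.
luks_provision() {
    dev=$1; mnt=$2
    cryptsetup luksFormat "$dev" || return 1
    cryptsetup isLuks "$dev" || return 1
    uuid=$(cryptsetup luksUUID "$dev") || return 1
    name=$(luks_map_name "$uuid")
    cryptsetup luksOpen "$dev" "$name" || return 1
    mke2fs "/dev/mapper/$name" || return 1
    crypttab_entry "$uuid" >> /etc/crypttab
    fstab_entry "$uuid" "$mnt" >> /etc/fstab
    check_crypttab /etc/crypttab
}
```

Running check_crypttab against an existing /etc/crypttab is a quick audit for entries that were written with a /dev/sdX path and will break when disk enumeration changes.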

Common Post-Installation Tasks

Backup LUKS headers

If the sectors containing the LUKS headers are damaged, whether by user error or hardware failure, all data in the encrypted block device is lost. Backing up the headers can help recover the data in such cases.

To backup the LUKS headers, use the following command:

cryptsetup luksHeaderBackup --header-backup-file <file> <device>

To restore the LUKS headers, use the following command:

The command below can destroy data if the wrong headers are applied or the wrong device is selected! Be sure to back up the headers of the device being recovered first.

cryptsetup luksHeaderRestore --header-backup-file <file> <device>

Set a randomly generated key as an additional way to access an encrypted block device

Generate a key

This will generate a 256-bit key in the file $HOME/keyfile.

dd if=/dev/urandom of=$HOME/keyfile bs=32 count=1
chmod 600 $HOME/keyfile

Add the key to an available keyslot on the encrypted device

cryptsetup luksAddKey <device> ~/keyfile
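An added check around the two steps above, not part of the original guide: the keyfile is created under umask 077 so there is no moment in which it is readable by other users before chmod runs, and the key is only added once the file is verified to be exactly 32 bytes with mode 0600. The function names and the add_keyfile_to_device wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Fedora guide: create the 256-bit keyfile
# with no window in which it is world-readable, then verify it before use.

# Create a 32-byte (256-bit) keyfile from /dev/urandom. The umask applies
# only inside the subshell, so the file is born with mode 0600; the chmod
# afterwards mirrors the guide and also covers a pre-existing file.
generate_keyfile() {
    keyfile=$1
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=32 count=1 2>/dev/null ) || return 1
    chmod 600 "$keyfile"
}

# Prints the keyfile length in bytes.
keyfile_length() {
    wc -c < "$1" | tr -d ' '
}

# Returns 0 only if the file is a regular file with mode exactly 0600
# (first ten characters of ls -l output: type plus permission bits).
keyfile_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Returns 0 if both checks pass; prints the reason and returns 1 otherwise.
keyfile_ok() {
    if [ "$(keyfile_length "$1")" -ne 32 ]; then
        echo "keyfile is not 32 bytes" >&2
        return 1
    fi
    if ! keyfile_mode_ok "$1"; then
        echo "keyfile mode is not 0600" >&2
        return 1
    fi
    return 0
}

# Assumed wrapper: add the key only after it passes both checks.
# Calls cryptsetup, so it is for root on a real LUKS device.
# $1 = LUKS device, $2 = keyfile path.
add_keyfile_to_device() {
    keyfile_ok "$2" || return 1
    cryptsetup luksAddKey "$1" "$2"
}
```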
Add a new passphrase to an existing device

cryptsetup luksAddKey <device>

After being prompted for any one of the existing passphrases for authentication, you will be prompted to enter the new passphrase.

Remove a passphrase or key from a device

cryptsetup luksRemoveKey <device>

You will be prompted for the passphrase you wish to remove and then for any one of the remaining passphrases for authentication.

FAQs

How does disk encryption work?

Whole disk encryption encrypts the entire disk including swap files, system files, and hibernation files. If an encrypted disk is lost, stolen, or placed into another computer, the encrypted state of the drive remains unchanged, and only an authorized user can access its contents.

How do I encrypt a disc?

How to Encrypt Your Hard Drive in Windows 10
  1. Locate the hard drive you want to encrypt under “This PC” in Windows Explorer.
  2. Right-click the target drive and choose “Turn on BitLocker.”
  3. Choose “Enter a Password.”
  4. Enter a secure password.

How do I decrypt a full disk encryption?

To access Recovery Console using Repair CD:
  1. Log into the Recovery Console CD. If the Device ID is editable, check the correct DeviceID from the PolicyServer.
  2. Click Recovery Console.
  3. In the left pane, click Decrypt Disk.
  4. Click Decrypt found on the bottom right. Wait until the decryption process completes.

When should I use full disk encryption?

Full disk encryption protects the data on your device in the event it is lost or stolen. Without full disk encryption, if the data drive in the computer is removed, the data can be easily read and accessed.

How does encryption work step by step?

Encryption uses complex mathematical algorithms and digital keys to encrypt data. An encryption algorithm (cipher) and an encryption key encode data into ciphertext. Once the ciphertext is transmitted to the recipient, the same or a different key (cipher) is used to decode the ciphertext back into the original value.

What is full disk encryption for dummies?

What is full-disk encryption (FDE)? Full-disk encryption (FDE) is a security method for protecting sensitive data at the hardware level by encrypting all data on a disk drive. FDE automatically encrypts data and operating systems (OSes) to prevent unauthorized access.

Can an encrypted disk be hacked?

The simple answer is yes, encrypted data can be hacked. However, the situation is not as straightforward or as simple as that. Truthfully, hacking encrypted data is extremely difficult, time-intensive and involves a huge amount of technical knowledge on the hacker's part.

What is the best way to encrypt data?

The two most widely used methods for data encryption are public key, also known as asymmetric encryption, and private key, or symmetric encryption. Both rely on key pairs, but they differ in the way the sending and receiving parties share the keys and handle the encrypt/decrypt process.

How do I unlock encrypted data?

Try using the file properties to unlock the file. Go into File Explorer, select Advanced, and clear the Encrypt Contents to Secure Data checkbox. Sometimes this will work to get the file decrypted.

Is decrypting a 256-bit key impossible?

256-bit encryption refers to the length of the encryption key used to encrypt a data stream or file. A hacker or cracker would require 2^256 different combinations to break a 256-bit encrypted message, which is virtually impossible to be broken by even the fastest computers.

How do I know if full disk encryption is enabled?

Select the Start button, then select Settings > Update & Security > Device encryption. If Device encryption doesn't appear, it isn't available. If device encryption is turned off, select Turn on.

What is a disadvantage of encrypting a drive?

The main drawback with full disk encryption is that it can ensure data security only when the device is at rest. This means that the data is encrypted only when the device is locked. When the device is unlocked, anyone can open and access any files in the device.

What are the three (3) types of modern encryption?

3 Types of Encryption to Protect Your Data
  • Symmetric. The symmetric encryption method uses a single key both to encrypt and decrypt the data. ...
  • Asymmetric. The second major encryption method is asymmetric encryption, also sometimes known as public key encryption. ...
  • Hashing.

How long does it take to encrypt 1 TB?

So how long will encryption take?

  Disk                  Time
  New disk              1-5 minutes
  1 TB / 300 GB used    10 hours
  2 TB / 1.5 TB used    50 hours

What is encryption for dummies?

Encryption takes plain text, like a text message or email, and scrambles it into an unreadable format called “cipher text.” This helps protect the confidentiality of digital data either stored on computer systems or transmitted through a network like the Internet.

What are the 3 major components of an encryption system?

Encryption schemes have the following three components: a key generation algorithm, an encryption algorithm, and a decryption algorithm. The encryption algorithm takes plaintext and an encryption key as input and returns a ciphertext.

Which is the simplest encryption algorithm?

Caesar's cypher is the simplest encryption algorithm.

What is the difference between 128 and 256-bit encryption?

The main difference between 128 and 256-bit encryption algorithms is the length of the secret key that they use. The 128 and 256 in AES-128 and AES-256 mean that the two algorithms use 128-bit and 256-bit keys respectively. The longer the secret key, the harder it is for an attacker to guess via a brute force attack.

What are the two main types of encryption?

There are two types of encryption in widespread use today: symmetric and asymmetric encryption. The name derives from whether or not the same key is used for encryption and decryption.

How does SSD encryption work?

In most cases on system boot, the encryption key is stored in the SSD onboard memory, which increases the complexity of retrieving it, making it less vulnerable to low-level attacks. This hardware-based encryption method offers a high level of data security as it is invisible to the user.

What are the dangers of encryption?

Encryption adds complexity and, depending on how it is implemented, may introduce additional dependencies that increase the complexity of change processes and the risk of infrastructure failure. Think about possible failure scenarios and the dependencies, then test component failure and recovery.

Can police get into an encrypted hard drive?

If a court order gives them access to your hard drive and your hard drive is encrypted, the order could include you needing (by law) to give up the password to law enforcement. You're protecting yourself against unauthorized or malicious actors.

Can police access encrypted data?

Accessing your device

If your phone is locked or you only use encrypted messaging apps, police can use mobile device forensic tools to break the encryption or bypass your lock screens if they are armed with a warrant.

Which is the best disk encryption?

Top Full Disk Encryption Software of 2021
  • Apple.
  • Check Point.
  • ESET.
  • McAfee.
  • Micro Focus.
  • Microsoft.
  • R&S Trusted Disk.
  • Sophos.

How do I fully encrypt my computer?

Turn on device encryption
  1. Sign in to Windows with an administrator account (you may have to sign out and back in to switch accounts). For more info, see Create a local or administrator account in Windows.
  2. Select Start > Settings > Privacy & security > Device encryption. ...
  3. If Device encryption is turned off, turn it On.

Which encryption mode is most secure?

Out of 128-bit, 192-bit, and 256-bit AES encryption, 256-bit AES encryption is technically the most secure because of its key length. Some go as far as to label 256-bit AES encryption overkill because it, based on some estimations, would take trillions of years to crack using a brute-force attack.

Can hackers steal encrypted data?

No, hackers cannot see encrypted data, as it is scrambled and unreadable until the encryption key (or passphrase) is used to decrypt it. However, if a hacker manages to obtain the encryption key or crack the encryption algorithm, then they can gain access to the data.

Which encryption method is most widely used and why?

Public key encryption is fast becoming the most widely used type of encryption because there are no issues to deal with concerning distribution of keys. PGP involves only private key encryption.

Should I encrypt my hard drive?

The Importance of Encryption

Encryption is the key to protecting the data on your hard drives. You can choose an encryption program that will make it more difficult for the thief to access the information, and prevent anyone who might find your portable drive from accessing it easily.

Can you crack an encrypted drive?

An encrypted hard disk could be cracked only if:
  • the user has a weak enough password to brute force, or
  • the encryption uses a weak algorithm, or
  • the attacker is willing to wait billions of years.

Can the FBI read encrypted messages?

Maximum of seven days' worth of specified users' text chats (only when end-to-end encryption has not been elected and applied and only when receiving an effective warrant; however, video, picture, files, location, phone call audio and other such data will not be disclosed).

Can data be recovered from an encrypted drive?

There is even a common belief that encrypted data cannot be restored. But in fact, though encryption adds complexity to the recovery process, in most cases it doesn't prevent it entirely.

Can the FBI see encrypted messages?

Encrypted messaging apps aren't completely safe from the FBI

According to the FBI document, law enforcement can gain access to basic subscriber information.

What is the hardest encryption to break?

AES 256-bit encryption is the strongest and most robust encryption standard that is commercially available today. While it is theoretically true that AES 256-bit encryption is harder to crack than AES 128-bit encryption, AES 128-bit encryption has never been cracked.

Will encrypting a drive delete everything?

Using Encryption to Erase an SSD. By using whole disk encryption on an SSD, all of the data on the drive will become unreadable without the decryption key. By formatting the drive and removing the encryption key, the SSD can be securely disposed of without the risk of data remaining on the drive.

Article information

Author: Rueben Jacobs
