Using Linux to Generate an Encrypted Partition Using LUKS

Operating systems of the Linux family provide hard-drive encryption through dedicated utilities. This guide looks at one of them, LUKS, using Ubuntu Server 18.04 as the example.

Preliminary preparation

LUKS is the standard for disk protection on Linux systems. Its advantages:

  • It’s free.
  • Compatible with 99% of operating systems.
  • Allows you to reset your password or passphrase in case of loss or compromise.

Before encrypting a drive, you need to choose one. Run the following utility in the terminal:

sudo fdisk -l

It will display the free volumes, as well as the partitions that are available for protection:

Screenshot #1. List of free logical drives.

Select one from the list and proceed to editing. Let’s use the /dev/sdb disk as an example.

Let’s run the parted program, specifying the selected volume:

sudo parted /dev/sdb

The administrator then works with the utility through its interactive prompt in the terminal.

Important! For detailed information about the parted utility, type help.

Once inside parted, create a partition table on the selected disk. Let’s use GPT:

mklabel gpt

The program will display a warning that all information will be deleted during the operation. Enter “Yes”:

Screenshot #2. Deleting data from a volume.

After the operation is completed, create a new partition spanning the whole disk:

mkpart primary 1 -1

It will be numbered 1, so it appears as /dev/sdb1. When finished, exit the program with the quit command.
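The mklabel step above destroys everything on the disk, so the one check worth making before running it is whether any partition of that disk is still mounted. The following added example (mine, not part of the original article) wraps the parted session in a guard that reads the mounts table and refuses to continue if the disk is in use. It assumes the disk is a whole device such as /dev/sdb, that the mounts file has the /proc/mounts layout, and it uses a non-interactive parted invocation (parted -s) equivalent to the mklabel/mkpart commands shown; the function names and the DRY_RUN / MOUNTS_FILE variables are my own.

```shell
#!/bin/sh
# Added example: guard the destructive parted step.
# Not from the original article; helper names are mine.

# disk_in_use DISK [MOUNTS_FILE]
# Returns 0 (true) when DISK itself or any partition of it (/dev/sdb1,
# /dev/nvme0n1p1, ...) appears as the source of a mounted file system.
# MOUNTS_FILE defaults to $MOUNTS_FILE, then /proc/mounts.
# If the mounts table cannot be read we report "in use" (fail closed).
disk_in_use() {
    disk=$1
    mounts=${2:-${MOUNTS_FILE:-/proc/mounts}}
    if [ ! -r "$mounts" ]; then
        echo "cannot read $mounts, refusing to treat $disk as free" >&2
        return 0
    fi
    # First field of each line is the mount source; match the disk or
    # "<disk><optional p><digits>" (partition naming for sdX and nvme).
    awk -v d="$disk" '
        $1 == d || $1 ~ ("^" d "p?[0-9]+$") { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$mounts"
}

# partition_disk DISK
# Non-interactive equivalent of the parted session in the article:
# a GPT label and one partition from 1MiB to the end of the disk.
# Runs only when the guard passes; with DRY_RUN=1 it prints the
# command it would run instead of executing it.
partition_disk() {
    disk=$1
    if disk_in_use "$disk"; then
        echo "refusing: $disk or one of its partitions is mounted" >&2
        return 1
    fi
    cmd="parted -s $disk mklabel gpt mkpart primary 1MiB 100%"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    $cmd
}
```

Run it as root with DRY_RUN=1 first to see the exact parted command; drop DRY_RUN only once the guard reports the disk as free.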

Key generation

Let’s create an encryption key using the dd command:

sudo dd if=/dev/urandom of=/root/secret.key bs=1024 count=2

Here /root/secret.key is the path of the generated key file; the user chooses it. The command fills it with 2 KiB of random data (two 1024-byte blocks read from /dev/urandom).

Now let’s restrict the file permissions:

sudo chmod 0400 /root/secret.key

Mode 0400 makes the key readable only by its owner (root) and writable by nobody; no other user can read it.
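Before the key file is handed to cryptsetup it is worth checking that it really is what the two steps above are meant to produce: a 2048-byte file with mode 0400. The added example below (mine, not from the article) does the dd and chmod steps in one function and then verifies the result. It assumes GNU coreutils stat (as on Ubuntu Server) and that the key was generated with bs=1024 count=2; the function names are my own. No sudo is used because the caller is expected to be root when writing under /root.

```shell
#!/bin/sh
# Added example: generate the LUKS key file and verify it.
# Not from the original article; helper names are mine.

# check_keyfile FILE [EXPECTED_BYTES]
# Returns 0 only when FILE is a regular file, has mode 0400 (owner
# read-only, no access for group/others) and is exactly EXPECTED_BYTES
# long (default 2048, i.e. bs=1024 count=2).
check_keyfile() {
    key=$1
    want=${2:-2048}
    if [ ! -f "$key" ]; then
        echo "key file $key does not exist" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$key")   # permission bits in octal, e.g. 400
    size=$(stat -c '%s' "$key")   # size in bytes
    if [ "$mode" != "400" ]; then
        echo "key file $key has mode $mode, expected 400" >&2
        return 1
    fi
    if [ "$size" -ne "$want" ]; then
        echo "key file $key is $size bytes, expected $want" >&2
        return 1
    fi
    return 0
}

# make_keyfile FILE
# The article's dd + chmod steps as one function, followed by the check.
# Any existing file at FILE is replaced.
make_keyfile() {
    key=$1
    rm -f "$key"
    dd if=/dev/urandom of="$key" bs=1024 count=2 2>/dev/null || return 1
    chmod 0400 "$key"
    check_keyfile "$key"
}
```

A practical use is to run check_keyfile from the same script that later calls cryptsetup, so that a key file that was accidentally left world-readable or truncated stops the procedure before the partition is formatted.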

Partition encryption

The next step is data encryption. cryptsetup, the userspace tool for LUKS, is included in most distributions. If it is not available, install it with the standard package tools. For the Ubuntu Server example:

sudo apt-get install cryptsetup

After installation, create an encrypted volume on the partition using the generated key:

cryptsetup luksFormat /dev/sdb1 /root/secret.key

The program will display a warning that all data on the partition will be destroyed by formatting. Confirm with YES (cryptsetup requires the answer in capital letters):

Screenshot #3. Erasing a disk.

Now let’s bind the generated key to the /dev/sdb1 volume. luksFormat above already placed the key file in key slot 0; this command adds it to a further key slot, with --key-file presenting the existing key so that no passphrase has to be typed. With the key file registered, you can skip the passphrase prompt each time the partition is accessed, and no passphrase hints are shown to other users:

cryptsetup luksAddKey /dev/sdb1 /root/secret.key --key-file=/root/secret.key

After the operation is completed, let’s move on to configuring. First, open the encrypted partition as a device-mapper device, which is the entry point for everything that follows. To do this, use the luksOpen command:

cryptsetup luksOpen /dev/sdb1 secret --key-file=/root/secret.key

When finished, the device will be available at /dev/mapper/secret.

The next step is to set the size of the mapped device:

cryptsetup resize secret

In our example, the mapped volume is named secret. Without a --size flag, resize extends the mapped device to the full size of the underlying partition. Now create an ext4 file system on the mapped device:

mkfs.ext4 /dev/mapper/secret

To check the correctness of the actions performed, enter:

cryptsetup -v status secret

Volume Mount

The partition is encrypted; now let’s mount it for the operating system. Create the mount point for the secret volume, then set its access rights:

sudo mkdir -p /secret
sudo chmod 755 /secret

Through the mount command, connect the partition to the OS:

mount /dev/mapper/secret /secret

After that, we will check the execution of the operation:

df -h

To avoid having to unlock and mount the LUKS partition by hand after every boot, let’s enable automatic mounting.

Important! With automatic mounting, the volume is also decrypted automatically the moment it is attached to the OS. Since /root/secret.key unlocks it without any passphrase, the root file system holding the key must itself be protected: anyone who can read the key file can open the volume.

Let’s determine the identifier of the protected partition (/dev/sdb1, the LUKS container itself, not the /dev/mapper device):

ls -l /dev/disk/by-uuid

It is called the UUID. Since it is hard to remember, let’s store it in a shell variable:

export UUID="dc8dbc18-adb0-4258-bac8-73860ec12d50"

Important! The value after the “=” sign is the UUID from this example; substitute the one from your own listing.

Let’s link the secret.key generated earlier to the volume in /etc/crypttab. Note that “sudo echo ... >> /etc/crypttab” does not work, because the redirection is performed by the unprivileged shell rather than by sudo; write the line through sudo tee instead:

echo "secret UUID=${UUID} /root/secret.key luks" | sudo tee -a /etc/crypttab

The last step is to add the matching line to the fstab partition mount file (fields: device, mount point, file system type, mount options, dump, fsck pass):

echo "/dev/mapper/secret /secret auto defaults 0 0" | sudo tee -a /etc/fstab

Running sudo mount -a mounts every fstab entry immediately; from then on the crypttab entry unlocks the partition and the fstab entry mounts it automatically each time the operating system starts.
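The crypttab and fstab steps are the ones most often done wrong: a mistyped UUID silently breaks the boot-time unlock, and re-running the tutorial appends the same line twice. The following added example (mine, not part of the article) builds both entries from the article’s values, validates the UUID format that blkid prints, and appends each line only if it is not already present, writing through sudo tee rather than a redirected echo. The helper names and the WRITER, CRYPTTAB and FSTAB variables are my own; the mapper name secret, the key path /root/secret.key and the mount point /secret are the article’s.

```shell
#!/bin/sh
# Added example: generate and idempotently install the crypttab/fstab lines.
# Not from the original article; helper names are mine.

# valid_uuid UUID: accept only the 8-4-4-4-12 hexadecimal form.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab_line NAME UUID KEYFILE -> "NAME UUID=<uuid> KEYFILE luks"
crypttab_line() {
    valid_uuid "$2" || { echo "bad UUID: $2" >&2; return 1; }
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# fstab_line NAME MOUNTPOINT -> full six-field fstab entry for the mapper device
fstab_line() {
    printf '/dev/mapper/%s %s auto defaults 0 0\n' "$1" "$2"
}

# append_once FILE LINE
# Append LINE to FILE unless that exact line is already there.
# WRITER is the command that performs the write (default "sudo tee -a");
# set WRITER="tee -a" when the target file is one you own.
append_once() {
    file=$1
    line=$2
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" | ${WRITER:-sudo tee -a} "$file" >/dev/null
}

# configure_automount UUID
# Register the article's mapping (secret, /root/secret.key, /secret) in
# crypttab and fstab. CRYPTTAB/FSTAB override the system paths for testing.
configure_automount() {
    uuid=$1
    crypt=$(crypttab_line secret "$uuid" /root/secret.key) || return 1
    append_once "${CRYPTTAB:-/etc/crypttab}" "$crypt" || return 1
    append_once "${FSTAB:-/etc/fstab}" "$(fstab_line secret /secret)"
}
```

On the real system, call configure_automount "$UUID" with the variable set as in the article; run it twice and the files still contain one entry each. A rejected UUID leaves both files untouched.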

 
