How to Encrypt Disk in Ubuntu via CLI

Learn how to boost your data security by encrypting your disk in Ubuntu using the Command Line Interface (CLI). This guide is designed for users of all technical levels, especially those who are new to disk encryption.

Preparing Ubuntu for Encryption

Verify the Disk Space: Make sure your disk has adequate room for encryption, since the procedure can require more space as it organizes and protects your data. To check disk space, use the command below:

df -h

Install the Utility for Encryption

The main encryption method we’re using is LUKS (Linux Unified Key Setup) and the software tool we use to set up encryption with LUKS is cryptsetup.
You can read more about LUKS here: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup

To install the tool cryptsetup, open the Terminal and type:

sudo apt-get install cryptsetup

This installs the necessary tools for encryption. You’re now ready to move on to the next step!

Identify your Disk

Type sudo fdisk -l in Terminal to see all your disks. Pick the one you want to encrypt:

sudo fdisk -l

With the disk identified (this guide uses /dev/vda3 as the example partition), unmount that partition before moving on to the encryption phase:

sudo umount /dev/vda3

Encrypt with LUKS

Initialize Encryption:

sudo cryptsetup luksFormat /dev/vda3

This command initializes the encryption process. You will receive a warning that this action will erase all data on the partition, so make sure nothing you still need is stored on it. Confirm by typing YES in capital letters. After confirmation, you’ll be prompted to enter a passphrase. Choose a strong, memorable passphrase, as this will be required to unlock the encrypted data.

Open Encrypted Disk:

sudo cryptsetup open /dev/vda3 my_secret_data

After this step, the encrypted partition is accessible via a new device-mapper entry located at /dev/mapper/my_secret_data.

Create a Filesystem for the Encrypted Disk

Format the Disk:

sudo mkfs.ext4 /dev/mapper/my_secret_data

This command formats the newly created mapped device with an ext4 filesystem. Remember that /dev/mapper/my_secret_data is the name you assigned in the previous step.

Mount the Disk:

sudo mount /dev/mapper/my_secret_data /mnt

Here, you’re mounting the encrypted volume to a directory (in this case, /mnt). This directory is where you’ll access the files stored in the encrypted partition. Ensure that /mnt is not already in use or choose a different mount point.

Automounting the Disk:

To mount encrypted volumes automatically at boot in a Linux system, you typically need to make entries in both /etc/fstab and /etc/crypttab. If this is not done, the file system will not be mounted again after the system reboots. To set this up, you first need to identify the UUIDs of the disks. This can be a bit complex, as it involves identifying the UUID of your encrypted volume and properly configuring the mount options.

To identify the UUID of disks, execute the following command in the terminal:

sudo blkid

This will list all the block devices along with their UUIDs and other information. Look for the entry corresponding to /dev/mapper/my_secret_data. It should look something like this:

The UUID is the string inside the quotes after UUID=. Use the UUID of /dev/vda3 (the encrypted partition) in /etc/crypttab and the UUID of /dev/mapper/my_secret_data (the filesystem inside it) in /etc/fstab.

To edit those files you can use an editor such as vi or nano.

An example entry for /etc/crypttab using your UUID:

This tells the system to ask for a passphrase on boot to unlock the partition with UUID a74b33ea-ea47-4da2-8e61-3623fe7a94b6, and make it available as /dev/mapper/my_secret_data. Replace the UUID and the arbitrary name of the encrypted device (my_secret_data) with your actual values in your files.

An example entry for /etc/fstab using your UUID:

This mounts the decrypted filesystem (with UUID 9731af3e-848d-4811-87cd-5405b7ab6fd9 from /dev/mapper/my_secret_data) to /mnt (replace /mnt and UUID with your actual desired mount point and UUID).

With both files set up correctly, the system will prompt for the passphrase during boot to unlock the encrypted partition as per the /etc/crypttab configuration. Once unlocked, the system will then automatically mount the filesystem according to the /etc/fstab configuration, so that your encrypted data is readily accessible.
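The two entries described above can be derived from blkid output instead of being copied by hand. The script below is an added example, not part of the original guide: it takes the encrypted partition's UUID for /etc/crypttab and the filesystem's UUID for /etc/fstab, and refuses to produce a line when the two devices are swapped. The blkid sample is constructed from the UUIDs quoted above (the PARTUUID is made up), and the function names, the crypttab fields "none luks" and the fstab options "defaults 0 2" are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): derive the /etc/crypttab and
# /etc/fstab lines from `blkid` output. Function names are hypothetical.

# Constructed sample using the UUIDs quoted in this guide; PARTUUID is made up.
SAMPLE_BLKID='/dev/vda3: UUID="a74b33ea-ea47-4da2-8e61-3623fe7a94b6" TYPE="crypto_LUKS" PARTUUID="11111111-2222-3333-4444-555555555555"
/dev/mapper/my_secret_data: UUID="9731af3e-848d-4811-87cd-5405b7ab6fd9" BLOCK_SIZE="4096" TYPE="ext4"'

# blkid_field DEVICE KEY < blkid-output : print KEY's value for DEVICE.
# The key is matched exactly, so PARTUUID is never mistaken for UUID.
blkid_field() {
    awk -v dev="$1:" -v key="$2" '
        $1 == dev {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) { gsub(/"/, "", kv[2]); print kv[2]; exit }
            }
        }'
}

# crypttab_line NAME LUKS_DEVICE < blkid-output
# Fields: mapper name, source device, key file ("none" = prompt), options.
crypttab_line() {
    local out dtype uuid
    out=$(cat)
    dtype=$(printf '%s\n' "$out" | blkid_field "$2" TYPE)
    uuid=$(printf '%s\n' "$out" | blkid_field "$2" UUID)
    # Only a LUKS container belongs here; a filesystem UUID cannot be unlocked.
    [ "$dtype" = "crypto_LUKS" ] && [ -n "$uuid" ] || return 1
    printf '%s UUID=%s none luks\n' "$1" "$uuid"
}

# fstab_line MAPPER_DEVICE MOUNTPOINT < blkid-output
fstab_line() {
    local out dtype uuid
    out=$(cat)
    dtype=$(printf '%s\n' "$out" | blkid_field "$1" TYPE)
    uuid=$(printf '%s\n' "$out" | blkid_field "$1" UUID)
    # The opened mapping must hold a filesystem, not the LUKS header itself.
    [ -n "$uuid" ] && [ -n "$dtype" ] && [ "$dtype" != "crypto_LUKS" ] || return 1
    printf 'UUID=%s %s %s defaults 0 2\n' "$uuid" "$2" "$dtype"
}

# Demo on the constructed sample; on a real system pipe `sudo blkid` in instead.
printf '%s\n' "$SAMPLE_BLKID" | crypttab_line my_secret_data /dev/vda3
printf '%s\n' "$SAMPLE_BLKID" | fstab_line /dev/mapper/my_secret_data /mnt
```

Compare the printed lines with the existing contents of both files before adding them. After editing /etc/fstab, running sudo mount -a reports a malformed entry without needing a reboot.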


Congratulations! We have successfully encrypted the disk. 🥳
