Learn how to boost your data security by encrypting your disk in Ubuntu using the Command Line Interface (CLI). This guide is designed for users of all technical levels, especially those who are new to disk encryption.
Preparing Ubuntu for Encryption
General Precaution: It's important to make a complete backup of your data before encrypting it, because you'll need to format the disk during encryption, which erases all existing data. There's also a risk of mistakenly encrypting the wrong disk or partition, potentially making important data inaccessible, especially if the encryption password is forgotten.
Verify the Disk Space: Make sure your disk has adequate room for encryption. As it organizes and protects your data, the procedure can require more space. To check disk space, use the below command:
Install the Utility for Encryption
The main encryption method we’re using is LUKS (Linux Unified Key Setup) and the software tool we use to set up encryption with LUKS is cryptsetup.
Check out more on this encryption from the link: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
To install the tool cryptsetup, open the Terminal and type:
sudo apt-get install cryptsetup
This installs the necessary tools for encryption. You’re now ready to move on to the next step!
Identify your Disk
Run sudo fdisk -l in Terminal to see all your disks. Pick the one you want to encrypt:
sudo fdisk -l
Disk identification has been completed. We are now unmounting that disk partition and proceeding to the encryption phase with the command:
Encrypt with LUKS
sudo cryptsetup luksFormat /dev/vda3
This command initializes the encryption process. You will receive a warning that this action will erase all data on the partition. Confirm by typing YES in capital letters. After confirmation, you’ll be prompted to enter a passphrase. Choose a strong, memorable passphrase, as this will be required to unlock the encrypted data.
Open Encrypted Disk:
sudo cryptsetup open /dev/vda3 my_secret_data
After this step, the encrypted partition is accessible via a new device-mapper entry located at /dev/mapper/my_secret_data.
Create a Filesystem for the Encrypted Disk
Format the Disk:
sudo mkfs.ext4 /dev/mapper/my_secret_data
This command formats the newly created mapped device with an ext4 filesystem. Remember that /dev/mapper/my_secret_data is the name you assigned in the previous step.
Mount the Disk:
sudo mount /dev/mapper/my_secret_data /mnt
Here, you’re mounting the encrypted volume to a directory (in this case, /mnt). This directory is where you’ll access the files stored in the encrypted partition. Ensure that /mnt is not already in use or choose a different mount point.
Automounting the Disk:
To mount encrypted volumes automatically at boot in a Linux system, you typically need to make entries in both /etc/fstab and /etc/crypttab. If this is not done, the file system will be unmounted when the system reboots. To automatically mount at boot, first you need to identify the UUID of the disks. This can be a bit complex, as it involves identifying the UUID of your encrypted volume and properly configuring the mount options.
To identify the UUID of disks, execute the following command in the terminal:
This will list all the block devices along with their UUIDs and other information. Look for the entry corresponding to /dev/mapper/my_secret_data. It should look something like this:
The UUID will be the string inside the quotes after UUID=. You can then use the UUID of /dev/vda3 in your /etc/crypttab and the UUID of /dev/mapper/my_secret_data in your /etc/fstab.
An example entry for /etc/crypttab using your UUID:
This tells the system to ask for a passphrase on boot to unlock the partition with UUID a74b33ea-ea47-4da2-8e61-3623fe7a94b6, and make it available as /dev/mapper/my_secret_data. Replace the entries such as the UUID and the arbitrary name of the encrypted device (my_secret_data) with your actual values in your files.
An example entry for /etc/fstab using your UUID:
This mounts the decrypted filesystem (with UUID
/mnt and UUID with your actual desired mount point and UUID).
By setting up both files correctly, the system will prompt for the passphrase during boot to unlock the encrypted partition as per the /etc/crypttab configuration. Once unlocked, the system will then automatically mount the filesystem according to the /etc/fstab configuration and ensure that your encrypted data is readily accessible.
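The two entries described above, as an added example that is not part of the original guide: a shell helper that reads blkid-style output and builds the /etc/crypttab and /etc/fstab lines, refusing to put the wrong device's UUID in either file. The blkid-style sample, the filesystem UUID 11111111-2222-3333-4444-555555555555, the fstab options and the function names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed blkid-style sample. The first UUID is the one used in this guide;
# the second is made up. On a real system: BLKID_OUTPUT=$(sudo blkid)
BLKID_OUTPUT='/dev/vda3: UUID="a74b33ea-ea47-4da2-8e61-3623fe7a94b6" TYPE="crypto_LUKS"
/dev/mapper/my_secret_data: UUID="11111111-2222-3333-4444-555555555555" BLOCK_SIZE="4096" TYPE="ext4"'

# blkid_field DEVICE KEY: print the value of KEY (UUID, TYPE, ...) for DEVICE.
blkid_field() {
    printf '%s\n' "$BLKID_OUTPUT" | awk -v dev="$1:" -v key="$2" '
        $1 == dev {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) { gsub(/"/, "", kv[2]); print kv[2]; exit }
            }
        }'
}

# crypttab_entry NAME LUKS_DEVICE: line for /etc/crypttab.
# Uses the UUID of the LUKS container itself and rejects any other device type.
crypttab_entry() {
    fstype=$(blkid_field "$2" TYPE)
    uuid=$(blkid_field "$2" UUID)
    if [ "$fstype" != "crypto_LUKS" ] || [ -z "$uuid" ]; then
        echo "error: $2 is not a LUKS container" >&2
        return 1
    fi
    # "none" = prompt for the passphrase at boot; "luks" = device type option.
    printf '%s UUID=%s none luks\n' "$1" "$uuid"
}

# fstab_entry MAPPED_DEVICE MOUNTPOINT: line for /etc/fstab.
# Uses the UUID of the filesystem inside the opened mapping, never the LUKS UUID.
fstab_entry() {
    fstype=$(blkid_field "$1" TYPE)
    uuid=$(blkid_field "$1" UUID)
    if [ -z "$fstype" ] || [ -z "$uuid" ] || [ "$fstype" = "crypto_LUKS" ]; then
        echo "error: $1 has no mountable filesystem" >&2
        return 1
    fi
    printf 'UUID=%s %s %s defaults 0 2\n' "$uuid" "$2" "$fstype"
}

crypttab_entry my_secret_data /dev/vda3     # review, then append to /etc/crypttab
fstab_entry /dev/mapper/my_secret_data /mnt # review, then append to /etc/fstab
```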
Congratulations! We have successfully encrypted the disk. 🥳