Cryptsetup reference for full disk encryption
cryptsetup provides an interface to dm-crypt (including LUKS) and can be used to easily encrypt, decrypt, and otherwise manage encrypted disks and partitions.
Formatting
cryptsetup -y -v luksFormat /dev/<some device>
This creates a LUKS device that can be formatted with a filesystem as usual once it is unlocked. It also overwrites the start of the device with the LUKS header, so any data already on the device is lost.
Mapping/unlocking
cryptsetup luksOpen /dev/<some device> <some mapping name>
Viewing status
cryptsetup -v status <some mapping name>
Dumping LUKS header
cryptsetup luksDump /dev/<some device>
Mounting
mount /dev/mapper/<some mapping name> <some mount point>
Locking
umount <some mount point>
cryptsetup luksClose <some mapping name>
Adding a passphrase
cryptsetup luksAddKey /dev/<some device>
Removing a passphrase
cryptsetup luksRemoveKey /dev/<some device>
To change the passphrase, simply add a new one and then remove the old one.
Typical workflow
In most cases the following steps take place:
- Unlock/map the LUKS device.
- Mount the mapper device.
- Access the data at will.
- Unmount the mapper device.
- Lock the LUKS device.
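The five steps above as one shell function, given here as an added example that is not part of the original reference. It makes sure the device is unmounted and locked again even if the command run against the data fails or is interrupted. The names luks_session, run and DRY_RUN are hypothetical; cryptsetup isLuks is a real subcommand that is not otherwise shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): one complete LUKS session.
# DRY_RUN=1 prints each command instead of executing it, so the sequence
# can be reviewed without root or a real device.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# luks_session DEVICE MAPPING MOUNTPOINT COMMAND [ARGS...]  (hypothetical helper)
luks_session() {
    if [ "$#" -lt 4 ]; then
        echo "usage: luks_session DEVICE MAPPING MOUNTPOINT COMMAND [ARGS...]" >&2
        return 2
    fi
    dev=$1; name=$2; mnt=$3
    shift 3
    rc=0

    # Refuse to continue if the device carries no LUKS header.
    run cryptsetup isLuks "$dev" || return 1
    # Prompts for a passphrase and creates /dev/mapper/$name.
    run cryptsetup luksOpen "$dev" "$name" || return 1

    # On Ctrl-C or TERM, still unmount and lock before exiting.
    trap 'run umount "$mnt"; run cryptsetup luksClose "$name"; exit 130' INT TERM

    if run mount "/dev/mapper/$name" "$mnt"; then
        run "$@" || rc=$?          # access the data
        run umount "$mnt" || rc=$?
    else
        rc=1
    fi

    # Lock again whether or not the mount or the command succeeded.
    run cryptsetup luksClose "$name" || rc=$?
    trap - INT TERM
    return "$rc"
}

# When called with arguments, run one session; otherwise only define functions.
if [ "$#" -gt 0 ]; then
    luks_session "$@"
fi
```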
GNOME on Ubuntu (and most probably on other distributions) includes support for performing most of these tasks through a GUI. It also offers the option of saving the encryption passphrase in the system keychain.