Tip of the Trade: Cryptsetup

by Carla Schroder

Cryptsetup is an easy and secure Linux disk encryption utility. It runs at the block device level, which makes it possible to mix encrypted and unencrypted partitions on the same drive.

cryptsetup is a slick, easy-to-use encryption utility that works at the block device level. This means you can mix encrypted and unencrypted partitions on the same drive. It's a great way to protect laptops, sensitive data on workstations and removable media, such as backup drives and USB drives. All those headlines about "Lost laptop/backup media puts millions at risk!" could easily have been prevented with a bit of strong encryption: as long as an encrypted partition is not unlocked and mounted, whoever walks off with the drive gets nothing but ciphertext. The flip side is that a running, unlocked machine gets no protection from it at all, so the passphrase prompt at boot (and a lock or shutdown when the machine leaves your hands) is part of the deal.


The easiest way to implement cryptsetup is to encrypt only data partitions, such as /home. You can encrypt partitions containing system files, but it is tricky and complex: the initramfs must carry cryptsetup and its hooks so the root filesystem can be unlocked before the system boots from it. The boot partition is the exception. The bootloader has to read the kernel and initramfs before any volume can be unlocked, so unless your bootloader can itself open LUKS volumes (GRUB Legacy cannot), encrypting /boot leaves you with an unbootable system.

cryptsetup cannot, as of this writing, encrypt an existing data partition in place, so you must create a new partition, set it up with cryptsetup and then move your data onto it. The partition is protected by a passphrase, and you are asked for it at boot. From that point, it operates like any other partition: no muss, no fuss. Be careful with your passphrase, because if you lose it you are out of luck: there is no way to recover it or your data. LUKS has several key slots (eight in LUKS1), however, so you can set more than one passphrase; when setting this up for your users you can keep an administrative passphrase of your own in a second slot, the "backdoor" that lets you open the volume when a user forgets theirs.
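The workflow above, as an added example that is not part of the original article: one POSIX shell script that turns a new, empty partition into a LUKS container, opens and formats it, adds a second passphrase in another key slot, backs up the LUKS header (a damaged header is as fatal as a lost passphrase, since every key slot lives in it), emits the /etc/crypttab and /etc/fstab lines that make the system prompt for the passphrase at boot, and checks how many key slots are in use by parsing cryptsetup luksDump. The device /dev/sdb1, the mapping name crypthome and the mount points are placeholders; the luksDump text is a constructed LUKS1 sample, not real output; and the destructive steps run only as root when CRYPTSETUP_APPLY=1 is set. Everything else runs offline.

```sh
#!/bin/sh
# Added example (not the article's own code): the data-partition workflow
# as shell functions. /dev/sdb1, crypthome and the mount points are placeholders.
set -eu

# Step 1: turn an EMPTY partition into a LUKS container, open it, put a
# filesystem on the cleartext mapping and mount it. luksFormat wipes $dev.
luks_setup() {
    dev="$1" name="$2" mnt="$3"
    cryptsetup luksFormat "$dev"          # prompts for the first passphrase (key slot 0)
    cryptsetup luksOpen "$dev" "$name"    # cleartext mapping appears as /dev/mapper/$name
    mkfs.ext4 "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"      # copy the old data in here, e.g. rsync -a /home/ "$mnt"/
}

# Step 2: a second passphrase goes into another key slot (LUKS1 has eight).
# cryptsetup asks for an existing passphrase first, then for the new one.
luks_add_key() {
    cryptsetup luksAddKey "$1"
}

# Step 3: back up the header. Losing the passphrase is unrecoverable; so is a
# damaged header, because every key slot is stored in it. Keep the copy offline.
luks_backup_header() {
    cryptsetup luksHeaderBackup "$1" --header-backup-file "$2"
}

# Step 4: the lines that make boot ask for the passphrase and mount the result.
# "none" in crypttab means no key file: the passphrase is typed interactively.
crypttab_line() {   # $1 mapping name, $2 LUKS UUID (from: cryptsetup luksUUID $dev)
    printf '%s UUID=%s none luks\n' "$1" "$2"
}
fstab_line() {      # $1 mapping name, $2 final mount point
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Step 5: verify how many key slots are in use. Reads luksDump output on stdin and
# counts LUKS1 "Key Slot N: ENABLED" lines and LUKS2 "  N: luks2" keyslot lines
# (a current luksFormat creates LUKS2 by default, so both formats are handled).
count_enabled_keyslots() {
    grep -c -E '^(Key Slot [0-9]+: ENABLED|  [0-9]+: luks2)$' || true
}

# Constructed LUKS1 luksDump sample (not real output): two key slots in use.
SAMPLE_DUMP='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
UUID:           00000000-1111-2222-3333-444444444444

Key Slot 0: ENABLED
	Iterations:         1000000
Key Slot 1: ENABLED
	Iterations:         1000000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# The destructive steps run only on request, as root, on the placeholder device.
if [ "${CRYPTSETUP_APPLY:-0}" = "1" ]; then
    luks_setup /dev/sdb1 crypthome /mnt/crypthome
    luks_add_key /dev/sdb1
    luks_backup_header /dev/sdb1 /root/crypthome-luks-header.img
    crypttab_line crypthome "$(cryptsetup luksUUID /dev/sdb1)" >> /etc/crypttab
    fstab_line crypthome /home >> /etc/fstab
    printf 'key slots in use: %s\n' "$(cryptsetup luksDump /dev/sdb1 | count_enabled_keyslots)"
else
    printf 'key slots in use (sample dump): %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | count_enabled_keyslots)"
fi
```

Run it with no environment variable set and it only parses the sample; with CRYPTSETUP_APPLY=1 it performs the real steps, so check the device name twice before setting that. After a reboot, `cryptsetup luksDump` on the device is the quickest way to confirm that the administrative passphrase really occupies its own key slot rather than having replaced the user's.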

You're bound to run into some naming confusion. cryptsetup is the userspace utility for dm-crypt, the kernel's device-mapper encryption target; on Debian and its derivatives the package is simply cryptsetup, while Fedora calls it cryptsetup-luks. Either way, the tool now includes Linux Unified Key Setup (LUKS) support, which started life as a separate fork (cryptsetup-luks) and has since been merged back, so any documentation that treats LUKS as a separate tool with its own separate commands is obsolete. Protect Your Stuff With Encrypted Linux Partitions and Protect Your Stuff With Encrypted Linux Partitions, Part 2 are good how-tos and offer links to additional resources.

This article was originally published on Monday Nov 26th 2007