How to encrypt a disk in a Linux environment
With the growing number of data theft threats, it is important to make sure that information is properly protected. Although Linux is known as one of the most secure operating systems, it has weak points that can open the door to attackers.
To protect the data on the disk you have chosen to store the database on, you need to encrypt that disk. Encryption is the process of converting plaintext into ciphertext with a cryptographic algorithm. You can encrypt a single disk, several partitions or the whole hard drive. After encryption, the disk can be accessed only by supplying the passphrase chosen when it was set up.
The main purpose of hard drive encryption is to keep your information secure if a device is stolen or lost: it protects data at rest, not data on a running, unlocked system. Likewise, if you host applications on your own server, encryption gives you more confidence in the security of your data.
In a Linux environment, Linux Unified Key Setup (LUKS) is used to encrypt entire block devices: hard drives, SSDs and even removable storage. Full hard drive encryption is possible only during the installation of the Linux operating system; in that case both the swap space and the system partitions are encrypted. Post-installation encryption from the command line lets you encrypt your home directory and swap space separately.
Why is it necessary to encrypt swap space?
Swap space is the area of the hard drive used as virtual memory. When a Linux system runs out of RAM, inactive memory pages are written to swap. Those pages can contain sensitive information such as user names and passwords that a program held in memory, and the data stays on disk after the process has exited, so swap space must be encrypted as well.
Full hard drive encryption during installation of Ubuntu 22.10
The easiest way to encrypt the hard drive is to do it while installing Linux. This ensures that everything runs without errors and that all partitions are encrypted correctly.
To achieve full encryption of the hard drive, start the encryption process during the Ubuntu system installation:
1. After following the preliminary installation steps (memory selection, keyboard layout, disk space, etc.), pay attention to the "Installation Type" step and select "Erase disk and install Ubuntu".
2. Click the "Advanced Features" button.
3. Select the option "Use LVM with the new Ubuntu installation".
4. Tick the box "Encrypt the new Ubuntu installation for security".
5. On the next step enter a security key (the passphrase) and confirm it.
6. Optionally, enable a recovery key and save it in a safe place elsewhere.
7. After clicking "Install Now", the disk is encrypted during the installation.
8. To complete the installation, reboot the system. On boot you will be prompted for the decryption key, the one you specified in step 5 of this guide.
9. Type it in and press "Enter". Your disk is now unlocked and the system boots.
Post-installation encryption for Ubuntu 22.10
The recommended way to encrypt the full disk is LUKS encryption during installation. However, if the operating system is already installed, you can encrypt the home directory and swap space without reinstalling it.
By default, the home directory is where all your files and documents are stored. Swap space is the area of the hard drive used as virtual memory; it can hold sensitive information such as user names and passwords, so it is recommended to encrypt it as well.
Ubuntu provides command-line tools to encrypt both the home directory and swap space:
Home directory encryption
- Launch the terminal.
- Install the packages that provide encryption on Linux, ecryptfs-utils and cryptsetup, by running:
$ sudo apt install ecryptfs-utils cryptsetup
- Some files in your home directory may become inaccessible if you encrypt it while logged in with your own account, so you need another privileged user to perform the encryption. Create it with:
$ sudo adduser e_user
where e_user is the name of the new user account.
- Grant sudo (root) privileges to e_user:
$ sudo usermod -aG sudo e_user
- Log out and log in as the new user e_user that you created for the encryption. Do not reboot!
- To look at the contents of the home directory you are about to encrypt, use:
$ sudo ls -l ~user_name
where user_name is the account whose home directory you are going to encrypt (~user_name expands to that user's home directory).
- Start the encryption by running:
$ sudo ecryptfs-migrate-home -u user_name
where user_name is the owner of the home directory (the -u option takes the user name, which normally matches the name of the home directory).
- When you are prompted for the passphrase, enter that user account's login password and press "Enter".
- After the encryption has finished, log out of the privileged profile, log in with your main profile and check that you can read and write files.
- Once you are logged into your regular profile and have checked that you can read and write files, a pop-up window asks you to record the encryption passphrase; confirm by clicking the "Run this action now" button. This opens a terminal window that asks for your password and then displays the passphrase for your home directory.
- You can also reveal the recovery passphrase by running:
$ sudo ecryptfs-unwrap-passphrase
- Save the recovery passphrase and keep it somewhere safe.
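The migration steps above can be wrapped in a small script that refuses to run when the conditions this section warns about are not met: running as the user being encrypted, leaving that user's processes running, or not having room for the encrypted copy. This is an added example, not a tool from the article or from the ecryptfs-utils package; the --migrate flag, the helper names and the 2.5x free-space margin are this script's own assumptions, and e_user and the target user name are placeholders.

```shell
#!/bin/sh
# Added example (not part of the article): pre-flight checks around
# ecryptfs-migrate-home. Run as:  sudo sh migrate_home.sh --migrate alice
# Names, flags and the 2.5x space margin are this script's assumptions.
set -eu

# Migration writes an encrypted copy next to the original home, so it
# needs free space; 2.5x the current home size is the margin assumed here.
space_ok() {  # space_ok <home_kb> <avail_kb> ; true if there is enough room
    [ "$2" -ge $(( $1 * 5 / 2 )) ]
}

# The article warns that encrypting the home you are logged in to can
# leave files inaccessible, so the invoking user must differ from the target.
target_is_self() {  # target_is_self <target_user> <invoking_user>
    [ "$1" = "$2" ]
}

preflight() {  # preflight <target_user>
    target=$1
    invoker=${SUDO_USER:-$(id -un)}
    if [ "$(id -u)" -ne 0 ]; then
        echo "run this script with sudo" >&2; return 1
    fi
    if ! getent passwd "$target" >/dev/null; then
        echo "no such user: $target" >&2; return 1
    fi
    if target_is_self "$target" "$invoker"; then
        echo "log in as a different sudo-capable user (e.g. e_user) first" >&2; return 1
    fi
    if pgrep -u "$target" >/dev/null 2>&1; then
        echo "$target still has running processes; log that user out" >&2; return 1
    fi
    if ! command -v ecryptfs-migrate-home >/dev/null; then
        echo "ecryptfs-migrate-home missing: apt install ecryptfs-utils cryptsetup" >&2; return 1
    fi
    home_dir=$(getent passwd "$target" | cut -d: -f6)
    home_kb=$(du -sk "$home_dir" | cut -f1)
    avail_kb=$(df -Pk "$home_dir" | awk 'NR == 2 { print $4 }')
    if ! space_ok "$home_kb" "$avail_kb"; then
        echo "need about 2.5x ${home_kb} KB free, only ${avail_kb} KB available" >&2; return 1
    fi
}

migrate() {  # migrate <target_user>
    preflight "$1"
    ecryptfs-migrate-home -u "$1"   # prompts for the user's login password
    cat <<EOF
Next: log in as $1 (do not reboot), confirm you can read and write files,
then record the recovery passphrase as described above.
The migration keeps an unencrypted backup of the old home under
/home/$1.XXXXXX (random suffix); delete it only after you have verified
that the encrypted home works.
EOF
}

# Only act when asked explicitly, so sourcing the file for its helpers
# (or running it without arguments) changes nothing on the system.
if [ "${1:-}" = "--migrate" ] && [ -n "${2:-}" ]; then
    migrate "$2"
fi
```

The checks are deliberately conservative: the running-process test catches a target user who is still logged in on another session, which is the most common way the "inaccessible files" problem appears, and the backup copy that ecryptfs-migrate-home leaves behind is pointed out because an unencrypted copy of the home defeats the purpose until it is removed.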
Swap space encryption
- Check whether you have swap space by running:
$ swapon -s
- Then run the command that encrypts the swap space:
$ sudo ecryptfs-setup-swap
- That's it, the swap encryption is complete.
You no longer need the privileged user you created for the home directory encryption, so you can remove it by running this command:
$ sudo deluser --remove-home e_user
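Whichever scenario you followed, it is worth confirming afterwards what is actually encrypted: after the installer route, every mounted filesystem and the swap volume should sit on top of a dm-crypt (LUKS) layer; after the post-installation route, /home/<user> should be an eCryptfs mount and the swap device should be a dm-crypt mapping (the ecryptfs-setup-swap tool normally names it cryptswap1). The script below is an added example, not part of the article or of any Ubuntu tool. It walks the parent chain from lsblk's -P (key="value") output, looking for a device of type crypt, and checks the mount table for an ecryptfs entry; the functions read from files so they can run against the constructed samples embedded here (device names, the fake ecryptfs signature and the user alice are made up) or, with --live, against the running system.

```shell
#!/bin/sh
# Added example (not part of the article): verify what is actually
# encrypted after either scenario. Block devices are checked by walking
# the lsblk parent chain for a dm-crypt (LUKS) layer; the eCryptfs home
# is checked in the mount table. Inputs are read from files so the same
# functions run against constructed samples or against a live system.
set -eu

# Extract KEY="value" from one `lsblk -P` line. A space is prepended so
# that " NAME=" cannot match inside PKNAME=.
get_field() {  # get_field <key> <line>
    printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# Walk PKNAME upward from a device; succeed if the device or any parent
# has TYPE="crypt". Expects columns in the order NAME,TYPE,PKNAME,MOUNTPOINT.
chain_is_encrypted() {  # chain_is_encrypted <device_name> <lsblk_file>
    dev=$1
    hops=0
    while [ -n "$dev" ] && [ "$hops" -lt 16 ]; do
        row=$(grep "^NAME=\"$dev\"" "$2" | head -n 1)
        [ -n "$row" ] || return 1
        if [ "$(get_field TYPE "$row")" = crypt ]; then
            return 0
        fi
        dev=$(get_field PKNAME "$row")
        hops=$((hops + 1))
    done
    return 1
}

# One line per mounted filesystem or active swap ([SWAP] in lsblk).
report() {  # report <lsblk_file>
    while IFS= read -r entry; do
        mp=$(get_field MOUNTPOINT "$entry")
        [ -n "$mp" ] || continue
        name=$(get_field NAME "$entry")
        if chain_is_encrypted "$name" "$1"; then state=encrypted; else state=PLAINTEXT; fi
        printf '%-10s %-16s %s\n' "$mp" "$name" "$state"
    done < "$1"
}

# eCryptfs is stacked on top of a normal filesystem, so it never shows
# in lsblk; it appears as fstype "ecryptfs" mounted on /home/<user>.
home_is_ecryptfs() {  # home_is_ecryptfs <user> <mounts_file>
    awk -v mp="/home/$1" '$2 == mp && $3 == "ecryptfs" { found = 1 }
                         END { exit !found }' "$2"
}

# Constructed samples: an "Erase disk, LVM + encryption" install layout,
# plus a second disk whose swap was wrapped by ecryptfs-setup-swap
# (cryptswap1 is the name that tool normally uses). The mount-table
# excerpt shows alice's home on eCryptfs; the signature value is fake.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LSBLK=$SAMPLE_DIR/lsblk.txt
SAMPLE_MOUNTS=$SAMPLE_DIR/mounts.txt
cat > "$SAMPLE_LSBLK" <<'EOF'
NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
NAME="sda3" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="sda3_crypt" TYPE="crypt" PKNAME="sda3" MOUNTPOINT=""
NAME="vgubuntu-root" TYPE="lvm" PKNAME="sda3_crypt" MOUNTPOINT="/"
NAME="vgubuntu-swap_1" TYPE="lvm" PKNAME="sda3_crypt" MOUNTPOINT="[SWAP]"
NAME="sdb" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" PKNAME="sdb" MOUNTPOINT=""
NAME="cryptswap1" TYPE="crypt" PKNAME="sdb1" MOUNTPOINT="[SWAP]"
EOF
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/mapper/vgubuntu-root / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF

if [ "${1:-}" = "--live" ]; then
    # Against the running system (lsblk comes from util-linux).
    lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT > "$SAMPLE_DIR/live.txt"
    report "$SAMPLE_DIR/live.txt"
    if home_is_ecryptfs "${SUDO_USER:-$(id -un)}" /proc/mounts; then
        echo "home: ecryptfs"; else echo "home: not on eCryptfs"; fi
else
    report "$SAMPLE_LSBLK"
    if home_is_ecryptfs alice "$SAMPLE_MOUNTS"; then
        echo "alice home: ecryptfs"; else echo "alice home: not on eCryptfs"; fi
fi
```

On the sample layout the report marks /boot and /boot/efi as PLAINTEXT, which is expected: the installer leaves the boot partitions unencrypted so the bootloader can load the kernel and ask for the passphrase, and anything else reported as PLAINTEXT is what you should look at.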
We have described two encryption scenarios: during Linux installation and after it. We strongly recommend the first, as it is easier and more reliable. But if you need to encrypt an existing Linux installation, the second scenario will do the job.