How to set up and use LUKS
LUKS is short for "Linux Unified Key Setup". It is part of dm-crypt, which is part of the Linux kernel.
https://wiki.archlinux.org/title/Dm-crypt
LUKS lets you encrypt disks so that others can't access your files if you lose or sell a disk after use. By "disk", I mean external devices like HDDs, SSDs, or USB flash drives.
Roadmap
How to set up and use an unencrypted disk
This is just for comparison with the actual roadmap in the next section. Steps marked as "(once)" are only needed during the setup; all other steps are needed every time you use a disk.
- 1. Plug in the disk
- 2. Partition the disk (once)
- 5. Format the partition with a file system (once)
- 6. Mount the file system to a mount point
- 7. Operate on files below the mount point
- 8. Unmount the file system from the mount point
- 10. Power off the disk
- 11. Unplug the disk
How to set up and use a LUKS-encrypted disk
- 1. Plug in the disk
- 2. Partition the disk (once)
- 3. Set up a LUKS layer on the partition (once)
- 4. Open (decrypt) and map the LUKS layer to a virtual partition
- 5. Format the virtual partition with a file system (once)
- 6. Mount the file system to a mount point
- 7. Operate on files below the mount point
- 8. Unmount the file system from the mount point
- 9. Close and unmap the LUKS layer from the virtual partition
- 10. Power off the disk
- 11. Unplug the disk
The individual steps
2. Partition the disk
Use "fdisk DISK", where DISK is the device file name, e.g. "/dev/sda". Check the device file name with lsblk.
Inside fdisk, consult the help menu and do the following steps:
- Set up a new GPT partition table
- Set up a new partition
- Print the partition table for inspection
- Check the partition table for mistakes
- Write the partition table
3. Set up a LUKS layer on the partition
Use "cryptsetup luksFormat PARTITION", where PARTITION is the partition device file name, e.g. "/dev/sda1".
During the setup, you will be asked to choose a permanent passphrase. However, you can still change it afterwards with "cryptsetup luksChangeKey PARTITION".
4./9. Open/close and map/unmap the LUKS layer to/from a virtual partition
Use "cryptsetup open PARTITION NAME", where PARTITION is defined as above and NAME is a temporary name of your choosing. (You won't need NAME again after unmapping, so it's not really important.) The decrypted partition will be mapped to the virtual partition "/dev/mapper/NAME". (That's what the "dm" in "dm-crypt" stands for: device mapper.)
To close and unmap the virtual partition, use "cryptsetup close NAME".
5. Format the (virtual) partition with a file system
Use "mkfs.ext4 -L LABEL VIRTUAL_PARTITION", where VIRTUAL_PARTITION is the partition device file name, e.g. "/dev/sda1" (for an unencrypted partition) or "/dev/mapper/NAME" (for a decrypted LUKS partition mapped to a virtual one), and LABEL is a file system label of your choosing.
Unlike the NAME during the decryption/mapping step, the file system LABEL is permanent. Desktop environments like Xfce will show it in your file browser, and udisksctl (described below) will use it too. However, you can still change it with "e2label VIRTUAL_PARTITION LABEL".
6./8. Mount/unmount the file system
Use "mount" and "umount" and consult the man pages.
Automating the steps during use
Desktop environments like Xfce can do steps 4/6 and 8/9/10 with a simple click. To make them easier on the command line, I use udisks.
https://wiki.archlinux.org/title/Udisks
I use the following commands for the steps in question:
- 4. "udisksctl unlock -b PARTITION"
- 6. "udisksctl mount -b VIRTUAL_PARTITION" (which mounts it to "/run/media/USER/LABEL")
- 8. "udisksctl unmount -b VIRTUAL_PARTITION"
- 9. "udisksctl lock -b PARTITION"
- 10. "udisksctl power-off -b DISK"
PARTITION, VIRTUAL_PARTITION, LABEL, and DISK are defined as above; udisksctl tells you which name to use for VIRTUAL_PARTITION when you run "udisksctl unlock -b PARTITION". USER is the name of the user running the command.
Two facts come in handy for automation: (a) you can use the same name for DISK that you use for PARTITION, and (b) you can use "/dev/disk/by-uuid/UUID" for PARTITION and VIRTUAL_PARTITION, where UUID is their respective UUID. (You can look them up with "lsblk -f".) Unlike temporary device file names like "/dev/sda1", the UUID of a partition is permanent. This also lets you test whether a specific disk is plugged in with "test -b /dev/disk/by-uuid/UUID", where UUID is the UUID of PARTITION.
Here is a script that does this for you:
/software/simple-scripts/plug.sh
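As an added example (not the plug.sh linked above), here is a POSIX shell script that drives the udisksctl steps 4/6 (open) and 8/9/10 (close) by the UUID of the LUKS partition, using facts (a) and (b). The "Unlocked X as Y." message format it parses and the lsblk child-of-type-crypt lookup it uses to find the mapped device when closing are assumptions about udisks 2.x, not something the page states.

```shell
#!/bin/sh
# plug.sh: added example, not the author's linked script. Runs steps 4/6
# (open) and 8/9/10 (close) via udisksctl for a disk identified by the UUID
# of its LUKS partition (from "lsblk -f").  usage: plug.sh open|close UUID
# Assumptions: udisksctl, lsblk and sed are installed, and udisksctl reports
# an unlock as "Unlocked DEVICE as /dev/dm-N." (udisks 2.x wording).
set -eu

# Permanent device path for a partition UUID (fact (b) in the text).
by_uuid() { printf '/dev/disk/by-uuid/%s\n' "$1"; }

# Extract the virtual partition from udisksctl's unlock message; the trailing
# period is optional because newer udisks versions omit it.
virtual_from_unlock() {
    printf '%s\n' "$1" | sed -n 's/^Unlocked .* as \(.*[^.]\)\.*$/\1/p'
}

# From "lsblk -lnro PATH,TYPE PARTITION" output, pick the child of TYPE crypt:
# that is the virtual partition an earlier unlock mapped, needed for closing.
virtual_from_lsblk() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { print $1; exit }'
}

open_disk() {
    part=$(by_uuid "$1")
    test -b "$part" || { echo "no disk with LUKS UUID $1 plugged in" >&2; return 1; }
    out=$(udisksctl unlock -b "$part")      # step 4; prompts for the passphrase
    virt=$(virtual_from_unlock "$out")
    [ -n "$virt" ] || { echo "unexpected udisksctl output: $out" >&2; return 1; }
    udisksctl mount -b "$virt"              # step 6 -> /run/media/USER/LABEL
}

close_disk() {
    part=$(by_uuid "$1")
    virt=$(virtual_from_lsblk "$(lsblk -lnro PATH,TYPE "$part")")
    [ -n "$virt" ] || { echo "$part is not unlocked" >&2; return 1; }
    udisksctl unmount -b "$virt"            # step 8
    udisksctl lock -b "$part"               # step 9
    udisksctl power-off -b "$part"          # step 10; fact (a): DISK = PARTITION
}

# Only act when called with arguments, so the file can also be sourced.
if [ $# -ge 2 ]; then
    case $1 in
        open)  open_disk "$2" ;;
        close) close_disk "$2" ;;
        *)     echo "usage: $0 open|close UUID" >&2; exit 2 ;;
    esac
fi
```

The UUID argument is the LUKS partition's UUID from "lsblk -f", so "test -b" fails cleanly when the disk is not plugged in instead of prompting for a passphrase.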