Disk encryption on Linux
Clarifying the terminology
As of Ubuntu 16.10, the default disk encryption method used when selecting “Encrypt the new Ubuntu installation for security” during installation seems to be dm-crypt with LUKS. Here:
- dm-crypt is “the standard device-mapper encryption functionality provided by the Linux kernel” (ArchWiki).
- LUKS (Linux Unified Key Setup) is “an additional convenience layer which stores all of the needed setup information for dm-crypt on the disk itself and abstracts partition and key management in an attempt to improve ease of use and cryptographic security” (ArchWiki).
- cryptsetup is the actual utility that you run as a user.
The flow of choices (if Ubuntu hadn’t chosen everything for you) goes like this (ArchWiki):
1. Decide to use block device encryption (rather than, say, stacked filesystem encryption).
2. Decide to use dm-crypt (rather than, say, loop-AES or TrueCrypt).
3. Decide to use LUKS (rather than, say, plain dm-crypt mode).
Note that I’m pretty sure LUKS is a specification, so it’s possible to use LUKS without using dm-crypt, i.e. you can reverse the order of (2) and (3) by deciding to use LUKS first, and only then deciding on dm-crypt (rather than some other implementation of LUKS; I’m not aware of any others).
Backing up the LUKS header
Check that the device is a LUKS device:
$ sudo cryptsetup isLuks -v /dev/sda5
Command successful.
Then back up the header:
sudo cryptsetup luksHeaderBackup /dev/sda5 \
--header-backup-file luks-header.bin.crypt
See also §6, “Backup and Data Recovery”, of the cryptsetup FAQ.
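Once the backup file exists it is worth checking offline that it really is a LUKS header for the device you meant (and not, say, a copy of the wrong partition or a truncated write). The script below is an added example, not part of the original page or of cryptsetup: it decodes the fixed 592-byte LUKS1 header (magic, version, cipher, hash, UUID, active key slots) and, for a LUKS2 file, only the binary header’s version, size, label and UUID. The sample header it parses when run without arguments is constructed in code; the cipher, UUID and iteration counts in it are made-up values, not taken from any real disk.

```python
"""Inspect a LUKS header backup made with `cryptsetup luksHeaderBackup`.

Added example (not cryptsetup's own code). Field offsets follow the LUKS1
on-disk header (592-byte phdr) and the LUKS2 binary header; integers are
big-endian in both. Run with a backup file path, or with no arguments to
parse the constructed sample header defined at the bottom.
"""
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_KEYSLOT_ACTIVE = 0x00AC71F3    # key-slot state constants from the LUKS1 spec
LUKS1_KEYSLOT_DISABLED = 0x0000DEAD
LUKS1_KEYSLOTS = 8
LUKS1_PHDR_SIZE = 592


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(data: bytes) -> dict:
    """Parse the leading bytes of a header backup; ValueError if it is not LUKS."""
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header (bad magic)")
    version = struct.unpack_from(">H", data, 6)[0]
    if version == 1:
        return _parse_luks1(data)
    if version == 2:
        return _parse_luks2(data)
    raise ValueError(f"unsupported LUKS version {version}")


def _parse_luks1(data: bytes) -> dict:
    if len(data) < LUKS1_PHDR_SIZE:
        raise ValueError("truncated LUKS1 header")
    # Fixed part of phdr, bytes 8..207: names are 32-byte NUL-padded strings.
    (cipher_name, cipher_mode, hash_spec, payload_offset, key_bytes,
     _mk_digest, _mk_salt, mk_iterations, dev_uuid) = struct.unpack_from(
        ">32s32s32sII20s32sI40s", data, 8)
    slots = []
    for i in range(LUKS1_KEYSLOTS):
        # Eight 48-byte key-slot records start at byte 208.
        active, iterations, _salt, km_offset, stripes = struct.unpack_from(
            ">II32sII", data, 208 + i * 48)
        if active == LUKS1_KEYSLOT_ACTIVE:
            slots.append({"slot": i, "iterations": iterations,
                          "key_material_offset": km_offset, "stripes": stripes})
        elif active != LUKS1_KEYSLOT_DISABLED:
            raise ValueError(f"key slot {i} has invalid state {active:#x}")
    return {
        "version": 1,
        "cipher": f"{_cstr(cipher_name)}-{_cstr(cipher_mode)}",
        "hash": _cstr(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_offset,
        "mk_iterations": mk_iterations,
        "uuid": _cstr(dev_uuid),
        "active_keyslots": slots,
    }


def _parse_luks2(data: bytes) -> dict:
    if len(data) < 208:
        raise ValueError("truncated LUKS2 binary header")
    hdr_size, seqid, label, csum_alg = struct.unpack_from(">QQ48s32s", data, 8)
    dev_uuid = struct.unpack_from("40s", data, 168)[0]   # after the 64-byte salt
    return {"version": 2, "header_size": hdr_size, "seqid": seqid,
            "label": _cstr(label), "checksum_alg": _cstr(csum_alg),
            "uuid": _cstr(dev_uuid)}


def build_sample_luks1_header() -> bytes:
    """Constructed LUKS1 header with two enrolled passphrases (slots 0 and 3)."""
    fixed = struct.pack(">6sH32s32s32sII20s32sI40s",
                        LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                        4096, 64, b"\x11" * 20, b"\x22" * 32, 12345,
                        b"2b1f7c0e-0000-4000-8000-000000000001")
    slots = b""
    for i in range(LUKS1_KEYSLOTS):
        if i in (0, 3):
            slots += struct.pack(">II32sII", LUKS1_KEYSLOT_ACTIVE, 50000 + i,
                                 b"\x33" * 32, 8 + i * 256, 4000)
        else:
            slots += struct.pack(">II32sII", LUKS1_KEYSLOT_DISABLED, 0, b"\x00" * 32, 0, 0)
    return fixed + slots


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(4096)   # covers the LUKS1 phdr and the LUKS2 binary header
    else:
        data = build_sample_luks1_header()
    for key, value in parse_luks_header(data).items():
        print(f"{key}: {value}")
```

Compare the UUID it prints with `sudo cryptsetup luksUUID /dev/sda5`, and note which key slots are active: the backup holds the key material for every slot that was enrolled when it was taken, so a passphrase you later revoke with `luksKillSlot` still unlocks the disk via the old header. Store the backup file with the same care as the disk itself.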
External links
- What’s the difference between LUKS, cryptsetup, and dm-crypt? on /r/linuxquestions