Tip of the Trade: Cryptsetup

cryptsetup is a slick, easy-to-use encryption utility that works at the block device level. This means you can mix encrypted and unencrypted
partitions on the same drive. It’s a great way to protect laptops, sensitive
data on workstations and removable media, such as backup drives and USB
drives. The incidents behind all those “Lost laptop/backup media puts millions at
risk!” headlines could have easily been prevented with a bit of strong encryption, because as
long as the encrypted partitions are not mounted, they are unreadable.

Cryptsetup is an easy and secure Linux disk encryption utility. It runs at the
block device level, which makes it possible to mix encrypted and unencrypted
partitions on the same drive.


The easiest way to implement cryptsetup is to encrypt only data
partitions, such as /home. You can encrypt partitions containing
system files, but it is tricky and complex. It requires a modified
initramfs so the system can boot. Never try to encrypt your boot
partition; it is impossible to do this and still have a bootable system.

cryptsetup cannot encrypt an existing data partition, so you must
create a new partition, set it up with cryptsetup and then move your
data onto it. The partition is password-protected, and then you are asked for the
password at boot. From that point, it operates like any other partition: no muss, no
fuss. Be careful with your password, because if you lose it you are out of
luck — there is no way to recover it or your data. You can set more than one
password, however, so when setting this up for your users you can give yourself
a backdoor.
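
The steps above as a shell script (an added example, not part of the original article). The device /dev/sdX9, the mapping name home_crypt and the mount point /mnt/newhome are placeholders, and ext4 and rsync are assumed choices; with DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example: new LUKS data partition, then a second passphrase for the admin.
# /dev/sdX9, home_crypt and /mnt/newhome are placeholders (assumptions).

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Succeed if DEV is listed as a mounted source device in MOUNTS_FILE.
is_mounted() {   # is_mounted DEV [MOUNTS_FILE]
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

setup_encrypted_partition() {   # DEV NAME MOUNTPOINT [MOUNTS_FILE]
    local dev="$1" name="$2" mnt="$3" mounts="${4:-/proc/mounts}"
    # luksFormat overwrites the partition, so refuse anything that is in use.
    if is_mounted "$dev" "$mounts"; then
        echo "refusing: $dev is mounted; use a new, empty partition" >&2
        return 1
    fi
    run cryptsetup luksFormat "$dev"        # asks for the first passphrase
    run cryptsetup luksOpen "$dev" "$name"  # creates /dev/mapper/$name
    run mkfs.ext4 "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
    run rsync -aHAX /home/ "$mnt"/          # move the existing data across
    run cryptsetup luksAddKey "$dev"        # second passphrase, in its own key slot
    run cryptsetup luksDump "$dev"          # shows which key slots are in use
}

# Run for real only when called as: script.sh --run DEV NAME MOUNTPOINT
if [ "${1:-}" = "--run" ]; then
    shift
    setup_encrypted_partition "$@"
fi
```

Each passphrase occupies its own LUKS key slot, so the administrator's passphrase keeps working if the user changes or forgets theirs.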

You’re bound to run into some naming confusion, since cryptsetup on
Debian and its derivatives is actually the userspace utility for
dm-cryptsetup. Fedora calls it cryptsetup-luks.
dm-cryptsetup includes Linux Unified Key Setup (LUKS) extensions.
Any documentation that details separate LUKS commands is therefore
obsolete. “Protect Your Stuff With Encrypted Linux Partitions” and
“Protect Your Stuff With Encrypted Linux Partitions, Part 2” are good
how-tos and offer links to additional resources.
