Tip of the Trade: Cryptsetup

cryptsetup is a slick, easy-to-use encryption utility that works at the
block device level. This means you can mix encrypted and unencrypted
partitions on the same drive. It’s a great way to protect laptops, sensitive
data on workstations and removable media, such as backup drives and USB
drives. All those “Lost laptop/backup media puts millions at risk!” headlines
could easily have been prevented with a bit of strong encryption, because as
long as the encrypted partitions are not mounted, they are unreadable.

Cryptsetup is an easy and secure Linux disk encryption utility. It runs at the
block device level, which makes it possible to mix encrypted and unencrypted
partitions on the same drive.

The easiest way to implement cryptsetup is to encrypt only data
partitions, such as /home. You can encrypt partitions containing
system files, but it is tricky and complex. It requires a modified
initramfs so the system can boot. Never try to encrypt your boot
partition; it is impossible to do this and still have a bootable system.

cryptsetup cannot encrypt an existing data partition, so you must
create a new partition, set it up with cryptsetup and then move your
data onto it. The partition is password-protected, and then you are asked for the
password at boot. From that point, it operates like any other partition: no muss, no
fuss. Be careful with your password, because if you lose it you are out of
luck — there is no way to recover it or your data. You can set more than one
password, however, so when setting this up for your users you can give yourself
a backdoor.
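
The procedure above as a shell sketch. This is an added example, not code from the original article; the device `/dev/sdX9`, the mapping name `home_crypt`, the mount point `/mnt/newhome` and the `DRY_RUN` and `MOUNTS_FILE` variables are assumptions. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example. /dev/sdX9, home_crypt, /mnt/newhome, DRY_RUN and MOUNTS_FILE
# are placeholders/assumptions, not names from the article.
DRY_RUN="${DRY_RUN:-1}"                    # 1 = only print the commands
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

run() {                                    # print in dry-run mode, else execute
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# luksFormat overwrites the partition, so refuse one that is currently mounted.
device_is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

encrypt_new_partition() {
    dev="$1"; name="$2"; mnt="$3"
    if [ -z "$dev" ] || [ -z "$name" ] || [ -z "$mnt" ]; then
        echo "usage: encrypt_new_partition DEVICE MAPPING MOUNTPOINT" >&2
        return 2
    fi
    if device_is_mounted "$dev"; then
        echo "refusing: $dev is mounted and luksFormat would destroy its data" >&2
        return 1
    fi
    run cryptsetup luksFormat "$dev"        # write LUKS header, set first passphrase
    run cryptsetup luksOpen "$dev" "$name"  # unlock as /dev/mapper/$name
    run mkfs.ext4 "/dev/mapper/$name"       # filesystem goes on the mapping
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
    run cp -a /home/. "$mnt/"               # move the existing data across
    run cryptsetup luksAddKey "$dev"        # second passphrase (admin recovery)
    run cryptsetup luksDump "$dev"          # check that two key slots are in use
    # Lines to add by hand so the passphrase is requested at boot:
    printf '# /etc/crypttab: %s %s none luks\n' "$name" "$dev"
    printf '# /etc/fstab:    /dev/mapper/%s /home ext4 defaults 0 2\n' "$name"
}

# Stand-alone use: sh luks-setup.sh /dev/sdX9 home_crypt /mnt/newhome
if [ "$#" -eq 3 ]; then encrypt_new_partition "$@"; fi
```

Review the printed commands first, then rerun as root with `DRY_RUN=0` to execute them.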

You’re bound to run into some naming confusion, since cryptsetup on
Debian and its derivatives is actually the userspace utility for
dm-cryptsetup. Fedora calls it cryptsetup-luks.
dm-cryptsetup includes Linux Unified Key Setup (LUKS) extensions.
Any documentation that details separate LUKS commands is therefore
obsolete. “Protect Your Stuff With Encrypted Linux Partitions” and
“Protect Your Stuff With Encrypted Linux Partitions, Part 2” are good
how-tos and offer links to additional resources.
