Just wanted to share a one-liner on how to encrypt a device,
partition or volume with cryptsetup (dm-crypt/luks)
and options to get you started!
The idea is simple:
You create a crypto container on a disk/partition/volume/file/whatever, you then unlock that container, and then mount that container to a folder. When you’re done working you then unmount the folder and close the container again.
Make sure you have “cryptsetup” installed and then run this command:
cryptsetup -v --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat /dev/PATH_HERE
This will format and protect /dev/PATH_HERE, of course you have to adjust the path. But note that this will destroy data on the target volume, so be sure to choose the right one! Be sure to only run this command once, when setting up the container. Afterwards you’ll just want to work with cryptsetup luksOpen and cryptsetup luksClose and nothing else! More info bellow.
Then, to unlock it, run:
cryptsetup luksOpen /dev/PATH_here name
This will prompt for your passphrase and if correct, will mount the container to
This is the command you want to run every time you want to unlock the container, to then mount it afterwards.
You can then create a filesystem on the container with:
You only have to do this once, when first setting it up. This will format (destroy data) on the target container. You can choose any filesystem you want, like BTRFS or even NTFS or FAT32, but ext4 is the recommended one for starters. Make sure to only run this command when initially setting things up! Afterwards just use cryptsetup luksOpen and cryptsetup luksClose to lock and unlock the container, to then mount and unmount it.
And then mount that container with:
mount /dev/mapper/name /mnt/name
And that’s how you get an encrypted container in Linux. Simple!
The files inside /mnt/name are protected by encryption now.
To unmount and close it again, run:
cryptsetup luksClose /dev/mapper/name
I hope this helped to get you started with using encryption in Linux.