
How To Create a dm-crypt LUKS Volume Without LVM

The following details the procedure for creating an encrypted 32GB dm-crypt LUKS volume on Ubuntu without using LVM.



Create an empty file to serve as storage device


To store our encrypted data, we need to create a file which will act as our storage device.


root@asus:/media/kevin# fallocate -l 32G /media/kevin/newvol


root@asus:/media/kevin# ll -h
total 33G
drwxr-x---+ 8 root root 4,0K Jul 19 23:05 ./
drwxr-xr-x 3 root root 4,0K Jul 11 17:42 ../
drwxrwxr-x 43 kevin kevin 4,0K Jul 19 22:06 DATA/
drwxrwxr-x 37 kevin kevin 4,0K Jun 16 08:35 DATAVOLUMELUKS/
drwxr-xr-x 2 kevin kevin 4,0K Jun 15 16:13 Downloads/
-rw-r--r-- 1 root root 32G Jul 19 23:05 newvol
drwxrwxrwx 10 kevin kevin 4,0K Jul 11 19:11 PRIMARY_BACKUP/
drwxrwxrwx 6 kevin kevin 4,0K Jun 20 21:02 PRIMARY_MEDIA/
drwxr-xr-x 2 root root 4,0K Jun 15 19:55 USBSTICK/



Create a dm-crypt LUKS Container inside the File


Before formatting the file we created above, we need to create a LUKS container within it. LUKS, the Linux Unified Key Setup, is the standard on-disk format for dm-crypt disk encryption on Linux.


Create the container with this command (the -y flag asks for the passphrase twice so that a typo is caught before the header is written):


root@asus:/media/kevin# cryptsetup -y luksFormat /media/kevin/newvol


This will overwrite data on /media/kevin/newvol irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /media/kevin/newvol:
Verify passphrase:


Use “file” to check that this is now a LUKS encrypted file:


file /media/kevin/newvol



root@asus:/media/kevin# file /media/kevin/newvol
/media/kevin/newvol: LUKS encrypted file, ver 2 [, , sha256] UUID: 15affa5e-c600-4a40-86e7-4a7d91fee29e


Now we have the container in our file, we can open the container:


cryptsetup luksOpen /media/kevin/newvol DATAVOLUMELUKSNEW



This opens the LUKS device and maps it to the name we specify, in this case /dev/mapper/DATAVOLUMELUKSNEW. Because the container is a regular file, cryptsetup attaches it to a loop device behind the scenes, so the kernel can treat it exactly as if it were a real block device.



Create and Mount the File System


Now that the LUKS container is open and presented as a regular block device, we can create a filesystem on it.



We will use:


mkfs.ext4 -j /dev/mapper/DATAVOLUMELUKSNEW



root@asus:/media/kevin# mkfs.ext4 -j /dev/mapper/DATAVOLUMELUKSNEW
mke2fs 1.45.6 (20-Mar-2020)
Creating filesystem with 8384512 4k blocks and 2097152 inodes
Filesystem UUID: 3d2880eb-dd75-4542-97d1-b69240101931
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624


Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done





then mount the volume:



root@asus:/media/kevin# mkdir DATAVOLUMELUKSNEW
root@asus:/media/kevin# mount /dev/mapper/DATAVOLUMELUKSNEW /media/kevin/DATAVOLUMELUKSNEW
root@asus:/media/kevin# df
Filesystem 1K-blocks Used Available Use% Mounted on
tmpfs 1844344 2176 1842168 1% /run
/dev/nvme0n1p4 413839584 197374804 195373196 51% /
tmpfs 9221708 335416 8886292 4% /dev/shm
tmpfs 5120 4 5116 1% /run/lock
tmpfs 4096 0 4096 0% /sys/fs/cgroup
/dev/nvme0n1p1 98304 33565 64739 35% /boot/efi
tmpfs 1844340 80 1844260 1% /run/user/1000
geminivpn:/export/DATA 56721408 37371392 16450048 70% /media/kevin/DATA
intelvpn:/media/kevin/PRIMARY_MEDIA 2063187968 1228222464 730091520 63% /media/kevin/PRIMARY_MEDIA
intelvpn:/media/kevin/PRIMARY_BACKUP 1031070720 231892992 746732544 24% /media/kevin/PRIMARY_BACKUP
tmpfs 1844340 60 1844280 1% /run/user/131
tmpfs 1844340 60 1844280 1% /run/user/0
/dev/mapper/DATAVOLUMELUKSNEW 32880400 49176 31137940 1% /media/kevin/DATAVOLUMELUKSNEW




We mount the volume as DATAVOLUMELUKSNEW because we want to move the data from the old DATAVOLUMELUKS to DATAVOLUMELUKSNEW.


Then we will unmount and delete the old DATAVOLUMELUKS and rename the new DATAVOLUMELUKSNEW as DATAVOLUMELUKS. First the old volume is opened and mounted alongside the new one (mountdata below is a local helper command rather than a standard tool; it prompts for the old container's passphrase and prints df -h), and the data is copied across with rsync:


root@asus:/media/kevin# mountdata
Enter passphrase for /home/kevin/BACKUP/DATAVOLUMELUKS:
Filesystem Size Used Avail Use% Mounted on
tmpfs 1,8G 2,2M 1,8G 1% /run
/dev/nvme0n1p4 395G 189G 187G 51% /
tmpfs 8,8G 328M 8,5G 4% /dev/shm
tmpfs 5,0M 4,0K 5,0M 1% /run/lock
tmpfs 4,0M 0 4,0M 0% /sys/fs/cgroup
/dev/nvme0n1p1 96M 33M 64M 35% /boot/efi
tmpfs 1,8G 80K 1,8G 1% /run/user/1000
geminivpn:/export/DATA 55G 36G 16G 70% /media/kevin/DATA
intelvpn:/media/kevin/PRIMARY_MEDIA 2,0T 1,2T 697G 63% /media/kevin/PRIMARY_MEDIA
intelvpn:/media/kevin/PRIMARY_BACKUP 984G 222G 713G 24% /media/kevin/PRIMARY_BACKUP
tmpfs 1,8G 60K 1,8G 1% /run/user/131
/dev/mapper/DATAVOLUMELUKSNEW 32G 49M 30G 1% /media/kevin/DATAVOLUMELUKSNEW
/dev/mapper/DATAVOLUMELUKS 20G 12G 6,6G 64% /media/kevin/DATAVOLUMELUKS





rsync -av /media/kevin/DATAVOLUMELUKS/ /media/kevin/DATAVOLUMELUKSNEW/


We can then delete the old DATAVOLUMELUKS and switch to the new one:


umount /media/kevin/DATAVOLUMELUKS


cryptsetup luksClose DATAVOLUMELUKS


root@intel:/home/kevin/BACKUP# rm /home/kevin/BACKUP/DATAVOLUMELUKS


root@intel:/media/kevin# mv /media/kevin/newvol /home/kevin/BACKUP/DATAVOLUMELUKS



Unmount the new volume:


umount /media/kevin/DATAVOLUMELUKSNEW


cryptsetup luksClose DATAVOLUMELUKSNEW


and remount the new one under the original name (the renamed container must first be opened as /dev/mapper/DATAVOLUMELUKS with cryptsetup luksOpen, just as the old one was; mount alone will not find the mapping):




mount /dev/mapper/DATAVOLUMELUKS /media/kevin/DATAVOLUMELUKS



root@intel:/media/kevin# df -h
Filesystem Size Used Avail Use% Mounted on
tmpfs 785M 2,0M 783M 1% /run
/dev/sdb5 153G 51G 95G 35% /
tmpfs 3,9G 89M 3,8G 3% /dev/shm
tmpfs 5,0M 4,0K 5,0M 1% /run/lock
tmpfs 4,0M 0 4,0M 0% /sys/fs/cgroup
tmpfs 785M 104K 785M 1% /run/user/1000
/dev/sdd2 984G 222G 713G 24% /media/kevin/PRIMARY_BACKUP
/dev/sdd1 2,0T 1,2T 697G 63% /media/kevin/PRIMARY_MEDIA
geminivpn:/export/DATA 55G 37G 15G 71% /media/kevin/DATA
/dev/sda1 112G 108M 112G 1% /media/kevin/New Volume
/dev/sdc1 1,8T 1,5T 217G 88% /media/kevin/SECONDARY_MEDIA
tmpfs 785M 72K 785M 1% /run/user/0
/dev/mapper/DATAVOLUMELUKS 32G 7,9G 22G 27% /media/kevin/DATAVOLUMELUKS



The temporary new mount point can now also be removed:


root@intel:/media/kevin# rmdir DATAVOLUMELUKSNEW








How To Install LUKS on LVM

LUKS stands for Linux Unified Key Setup. It is a disk-encryption standard for Linux built on the kernel's dm-crypt subsystem and managed with the cryptsetup tool.


LUKS provides for transparent disk and volume encryption. This means that the files on the encrypted disk or volume can be accessed directly as usual after mounting just as with unencrypted disks.


It can be deployed at the partition level or by creating a file which serves as a container or volume which can then be mounted on the system just the same as mounting a disk drive.

It can also be used together with the disk management system LVM or Logical Volume Manager. LVM provides an easy way to add, remove and resize disk drive partitions without having to lose data. One of the biggest advantages of LVM is that you can carry out these operations without having to reboot.


LVM operates by creating a layer of abstraction between the operating system and the disks or existing disk partitions. You assign your drives to LVM, creating “volume groups” (VGs) and then create LVM partitions known as “logical volumes” (LVs) according to your requirements.


Another advantage of LVM is that the logical volumes you create can span more than one disk, something which isn’t possible with conventional hardware drive level partitioning.


LVM presents these logical volumes to the operating system in just the same way as conventional hard drives. It also gives you the option to create snapshots of your logical volumes without having to first unmount the disk.


LVM is included in many distributions as standard.


LUKS can be deployed with LVM in two different ways.


The first way is by encrypting the disk with LUKS and then installing LVM on the encrypted disk after opening it for use. This is known as “LVM on LUKS”.


The second way, known as “LUKS on LVM”, is to install LVM on the disk and then apply LUKS to selected logical volumes.


This page describes the second method, i.e. LUKS on LVM.

We assume that LVM is already installed and configured and that the logical volume you wish to encrypt with LUKS is available for use.


For detailed instructions on installing and configuring disks with LVM and creating logical volumes, see the article “How To Install LVM”.


Installing LUKS on LVM


LUKS relies on the kernel's dm-crypt subsystem, which is driven from userspace by the cryptsetup tool. This needs to be installed on your system if not already present.


On Debian/Ubuntu systems it can be installed with:


apt-get install cryptsetup


Next, set up LUKS on the logical volume:


First, make sure the volume is unmounted.


Then enter:


cryptsetup luksFormat /dev/lvmvolgroup/PRIMARY_BACKUP


You will be prompted to set a passphrase for the volume encryption. Make sure you remember this passphrase, else you will not be able to access your data: LUKS has no recovery path for a lost passphrase!


root@len:/media/kevin# cryptsetup luksFormat /dev/mapper/lvmvolgroup-PRIMARY_BACKUP
WARNING: Device /dev/mapper/lvmvolgroup-PRIMARY_BACKUP already contains a 'ext4' superblock signature.

This will overwrite data on /dev/mapper/lvmvolgroup-PRIMARY_BACKUP irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/mapper/lvmvolgroup-PRIMARY_BACKUP:
Verify passphrase:




How to Unlock LUKS Partition


Having created the LUKS logical volume or partition, let us unlock it:


root@len:/media/kevin# cryptsetup open /dev/lvmvolgroup/PRIMARY_BACKUP PRIMARY_BACKUP
Enter passphrase for /dev/lvmvolgroup/PRIMARY_BACKUP:


Next you need to format, i.e. create a file system on, the opened device. Here we are creating an ext4 file system. The target is /dev/mapper/PRIMARY_BACKUP, the mapping created by cryptsetup open, not the underlying logical volume: in the session below the command was run against /dev/mapper/lvmvolgroup-PRIMARY_BACKUP, which is the raw LUKS container, and formatting that device overwrites the LUKS header.


mkfs.ext4 /dev/mapper/PRIMARY_BACKUP


root@yoga:/home/kevin# mkfs.ext4 /dev/mapper/lvmvolgroup-PRIMARY_BACKUP
mke2fs 1.45.5 (07-Jan-2020)
Creating filesystem with 1302528 4k blocks and 325760 inodes
Filesystem UUID: 2ff2e594-86d2-4fa5-ab93-afa51ef3975e
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done


Then you can mount the volume:


mount -t ext4 /dev/mapper/PRIMARY_BACKUP /media/kevin/PRIMARY_BACKUP


The result should look like this:


root@len:/home/kevin# lsblk -f /dev/sdb
└─sdb1                           LVM2_mem bQlzkd-il4L-aZBq-wcOD-NTCA-Zwod-mwhm1J
  ├─lvmvolgroup-PRIMARY_MEDIA    ext4     136f78a6-0aaf-47fc-9509-db182db94c41
  ├─lvmvolgroup-PRIMARY_ARCHIVE  ext4     3ce12992-7189-4e6e-8088-b41201b88efc
  └─lvmvolgroup-PRIMARY_BACKUP   crypto_L efe57d86-a9a9-4279-8c21-33e5d11eb42d
    └─PRIMARY_BACKUP             ext4     413c3e6b-3cc1-4ed5-be6c-0d4518f740fb 139.1G 0% /home/kevi


Note that the PRIMARY_BACKUP device is ext4, whilst lvmvolgroup-PRIMARY_BACKUP is crypto_L (i.e. crypto_LUKS, truncated in the lsblk output), which is correct.


Important: you have to open the device first using cryptsetup BEFORE you can apply mkfs.ext4, as you are creating the file system on the mapping that sits on top of the logical volume in lvmvolgroup. It is not actually mounted in the OS at that point; it is only known to the LUKS/cryptsetup layer!


Another command for opening a LUKS volume is luksOpen (the older name for open):


root@len:/home/kevin# cryptsetup luksOpen /dev/lvmvolgroup/PRIMARY_BACKUP PRIMARY_BACKUP
Enter passphrase for /dev/lvmvolgroup/PRIMARY_BACKUP:


mount /dev/mapper/PRIMARY_BACKUP /media/kevin/PRIMARY_BACKUP


You can use cryptsetup -v status PRIMARY_BACKUP to see the status of the mapping.


The LUKS volume can be dismounted and closed this way:


umount /media/kevin/PRIMARY_BACKUP
cryptsetup luksClose PRIMARY_BACKUP


If you try to close before unmounting, you get this:


root@yoga:~# cryptsetup luksClose
Device PRIMARY_BACKUP is still in use.


So, first unmount, then close LUKS!


root@len:/dev/mapper# blkid | grep PRIMARY_BACKUP
/dev/mapper/lvmvolgroup-PRIMARY_BACKUP: UUID="efe57d86-a9a9-4279-8c21-33e5d11eb42d" TYPE="crypto_LUKS"


How To Mount and Unmount LUKS Volumes


Note the order for mounting and unmounting: to unmount, you umount first and then close the cryptsetup mapping.


To mount, you open the mapping with cryptsetup first and then mount it.


Note also that the device paths differ between the cryptsetup step and the mount step:


cryptsetup uses /dev/mapper/lvmvolgroup-PRIMARY_BACKUP


whereas the mount command uses /dev/mapper/PRIMARY_BACKUP, the mapping that cryptsetup created, i.e. NOT the logical volume designation!


To mount:


cryptsetup open /dev/mapper/lvmvolgroup-PRIMARY_BACKUP PRIMARY_BACKUP


mount /dev/mapper/PRIMARY_BACKUP /media/kevin/PRIMARY_BACKUP


To unmount:


umount /media/kevin/PRIMARY_BACKUP


cryptsetup close PRIMARY_BACKUP
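Added example (shell, not from the original post): small wrappers that enforce the two rules above, open before mount and umount before close, and that point cryptsetup at the logical volume while mount uses /dev/mapper/<name>; they work equally for the file-backed container of the first article, since cryptsetup open accepts a file path. The helper names (luks_up, luks_down, safe_mkfs) and the variable indirection for the commands are this example's own choices; safe_mkfs adds the check that would have caught running mkfs against the crypto_LUKS container itself.

```bash
#!/bin/sh
# Example added to this article, not the original post's code: wrappers that
# enforce the ordering rules from the text (open before mount, umount before
# close) and the path distinction (cryptsetup gets the logical volume, mount
# gets /dev/mapper/<name>). Commands are called through variables so they can
# be replaced with stubs for testing; the defaults are the real tools.
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}
MOUNT=${MOUNT:-mount}
UMOUNT=${UMOUNT:-umount}
BLKID=${BLKID:-blkid}
FINDMNT=${FINDMNT:-findmnt}
MKFS=${MKFS:-mkfs.ext4}

# luks_up <lv-device-or-file> <mapping-name> <mountpoint>
luks_up() {
    dev=$1; name=$2; mnt=$3
    "$CRYPTSETUP" open "$dev" "$name" || return 1   # e.g. /dev/lvmvolgroup/PRIMARY_BACKUP
    "$MOUNT" "/dev/mapper/$name" "$mnt"              # the mapping, never the LV itself
}

# luks_down <mapping-name> <mountpoint>: umount first, then close; the other
# way round cryptsetup reports "Device <name> is still in use".
luks_down() {
    name=$1; mnt=$2
    if "$FINDMNT" --mountpoint "$mnt" >/dev/null 2>&1; then
        "$UMOUNT" "$mnt" || return 1
    fi
    "$CRYPTSETUP" close "$name"
}

# safe_mkfs <device>: refuse to format a device that blkid identifies as the
# LUKS container itself, since that overwrites the LUKS header (and with it
# the encrypted master key). Open it and format /dev/mapper/<name> instead.
safe_mkfs() {
    dev=$1
    fstype=$("$BLKID" -o value -s TYPE "$dev" 2>/dev/null)
    if [ "$fstype" = "crypto_LUKS" ]; then
        echo "refusing to mkfs $dev: it is a LUKS container, open it first" >&2
        return 2
    fi
    "$MKFS" "$dev"
}

# Minimal command-line front end: up|down|mkfs followed by the arguments above.
case "${1:-}" in
    up)   shift; luks_up "$@" ;;
    down) shift; luks_down "$@" ;;
    mkfs) shift; safe_mkfs "$@" ;;
esac
```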


dmsetup info -C shows how the device-mapper layers stack: lvmvolgroup-PRIMARY_BACKUP has an open count of 1 because the PRIMARY_BACKUP crypt mapping sits on top of it. That is also why, at the end of this listing, asking cryptsetup to close the LVM device rather than the LUKS mapping fails with “still in use”:


root@len:/home/kevin# dmsetup info -C
Name Maj Min Stat Open Targ Event UUID
lvmvolgroup-PRIMARY_BACKUP 253 2 L–w 1 1 0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAI1KzVECV1YHxyc2QlJMUnW1MMq12rBx7T
PRIMARY_BACKUP 253 3 L–w 0 1 0 CRYPT-LUKS2-6fbfecd4fa2c480bbf5ecd108c418680-PRIMARY_BACKUP
lvmvolgroup-PRIMARY_MEDIA 253 0 L–w 0 1 0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAINq13O1AixaoG1l5VzuHpVFVmjZ11XkIF
lvmvolgroup-PRIMARY_ARCHIVE 253 1 L–w 1 1 0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAIgkipEkwcdtML6GLmeLXYjEhjlf36BjMZ


root@len:/home/kevin# ll /dev/mapper
total 0
drwxr-xr-x 2 root root 140 Aug 6 22:25 ./
drwxr-xr-x 23 root root 4920 Aug 6 22:25 ../
crw------- 1 root root 10, 236 Aug 6 2020 control
lrwxrwxrwx 1 root root 7 Aug 6 2020 lvmvolgroup-PRIMARY_ARCHIVE -> ../dm-1
lrwxrwxrwx 1 root root 7 Aug 6 22:25 lvmvolgroup-PRIMARY_BACKUP -> ../dm-2
lrwxrwxrwx 1 root root 7 Aug 6 2020 lvmvolgroup-PRIMARY_MEDIA -> ../dm-0
lrwxrwxrwx 1 root root 7 Aug 6 22:25 PRIMARY_BACKUP -> ../dm-3


root@len:/home/kevin# cryptsetup close /dev/mapper/lvmvolgroup-PRIMARY_BACKUP
Device /dev/mapper/lvmvolgroup-PRIMARY_BACKUP is still in use.



