- 10 Best File and Disk Encryption Tools for Linux
- 1. Tomb
- 2. Cryptmount
- 3. CryFS
- 4. GnuPG
- 5. VeraCrypt
- 6. EncFS
- 7. 7-zip
- 8. dm-crypt
- 9. ecryptfs
- 10. cryptsetup
- Installation With Full Disk Encryption
- LiveCD/LiveUSB
- Disk Partitioning
- Erase a Disk
- Create the Partitions
- Setup the Logical Volumes
- Format the Partitions
- Mount the Partitions
- Artix Installation
- Configure the Packages
- fstab
- chroot
- locale, timezone, hostname
- mkinitcpio.conf
- GRUB — Installation
- GRUB — Configuration
- Other Packages
10 Best File and Disk Encryption Tools for Linux
It wasn’t too long ago that we published a list of 10 cool command line tools for your Linux terminal. Today, we turn our focus to encryption methods as we bring you a list of the best file and disk encryption software for your Linux machine.
1. Tomb
Tomb is a free and open source tool for encrypting and backing up files on GNU/Linux systems. It consists of a shell script that drives standard GNU tools together with cryptsetup and LUKS (the Linux Unified Key Setup, the on-disk format for dm-crypt volumes in the Linux kernel).
Tomb aims to improve safety by adopting a handful of well-tested standards and implementations, applying good practices for key storage (the key lives in a separate GnuPG-encrypted file that can be kept on another medium), and keeping the design minimal, with concise and readable code.
Learn more about Tomb encryption software from our review here.
Create a New Tomb
2. Cryptmount
Cryptmount is an open source utility for GNU/Linux that lets ordinary users mount encrypted filesystems without root privileges.
It uses the kernel's device-mapper mechanism, which offers several advantages: the encryption runs inside the kernel, encrypted swap partitions are supported for the superuser, crypto-swap can be set up at system boot, multiple encrypted filesystems can be stored on a single disk, and so on.
Learn more about Cryptmount from our review here.
Create Encrypted Filesystem in Linux
3. CryFS
CryFS is a free and open source encrypted overlay filesystem designed for keeping files in cloud storage. It is easy to set up, runs in the background, and works with any popular synchronization service, including Dropbox, OneDrive, and iCloud.
CryFS ensures that nothing leaves your computer unencrypted: file contents, file sizes, metadata, and the directory structure are all hidden, because everything is split into equally sized encrypted blocks before the sync client ever sees it.
4. GnuPG
GnuPG, often referred to as GPG, stands for GNU Privacy Guard; it is a free and open source suite of cryptographic tools created as a free replacement for the proprietary PGP software.
It implements the IETF standards-track OpenPGP specification (RFC 4880). We have covered GPG in a little more detail here.
Encrypt File in Linux
5. VeraCrypt
VeraCrypt is a multi-platform, free and open source tool for on-the-fly encryption. You can use it to encrypt entire storage devices or only selected partitions; on Windows it can also encrypt the system partition with pre-boot authentication (system encryption is not available on Linux, where LUKS fills that role).
VeraCrypt's features include virtual encrypted disks (file containers) that mount as if they were real volumes, plausible deniability through hidden volumes, and pipelining and parallelization of the encryption work. On Linux, cryptsetup can also open VeraCrypt volumes (cryptsetup open --type tcrypt --veracrypt).
6. EncFS
EncFS is a free and open source FUSE-based encrypted filesystem for GNU/Linux: it keeps the ciphertext as individual files in one directory and presents the decrypted view at a mount point, so there is no fixed-size container to pre-allocate. EncFSMP is a separate port for Mac and Windows that lets you create, edit, change and export the password of EncFS folders and is compatible with EncFS 1.7.4 on GNU/Linux. Be aware that a 2014 security audit of EncFS 1.7.4 found it unsafe against an attacker who can observe several versions of the encrypted directory, which is exactly what a cloud sync provider sees, so for synced folders prefer CryFS above.
7. 7-zip
7-zip is a popular, free and open source (LGPL, with the unRAR code under a restrictive licence) multi-platform file archiving utility for compressing files (or groups of files) into containers referred to as archives.
7-zip is among the most popular archiving utilities because of its high compression ratio in the 7z format with LZMA and LZMA2 compression, its plugin for FAR Manager, its integration with the Windows shell, and AES-256 encryption in the 7z and ZIP formats, among other features. Note the difference between the two formats: a ZIP archive encrypts file contents only, so file names and sizes remain visible to anyone, whereas the 7z format can encrypt the archive headers as well (-mhe=on). On Linux the command-line tool is 7z from the p7zip package (or 7zz from the official 7-Zip Linux release).
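As an added example (not part of the article), the following shell functions make the header-encryption difference concrete: the same sample file is packed into a ZIP with AES-256 and into a 7z with encrypted headers, and each archive is then listed with a wrong password. The file name and password are made up for the demo, and the script assumes a 7-Zip command-line binary (7z, 7zz or 7za) is installed.

```sh
#!/bin/sh
# Added example, not from the article. Demonstrates that ZIP AES-256 leaves the
# archive listing readable while 7z with -mhe=on hides it behind the password.
# Picks whichever 7-Zip command-line binary is available.
SEVENZ=$(command -v 7z || command -v 7zz || command -v 7za || true)

# Create one ZIP and one 7z archive of the same constructed sample file in DIR.
make_archives() {
    dir=$1
    printf 'constructed sample content\n' > "$dir/customer-list.txt"
    # ZIP: contents encrypted with AES-256, names and sizes stay in the clear
    "$SEVENZ" a -tzip -p'correct horse' -mem=AES256 "$dir/leaky.zip" "$dir/customer-list.txt" >/dev/null
    # 7z: -mhe=on encrypts the headers too, so nothing is listable without the password
    "$SEVENZ" a -t7z -p'correct horse' -mhe=on "$dir/tight.7z" "$dir/customer-list.txt" >/dev/null
}

# Return 0 if the archive reveals the sample file name to someone without the password.
names_visible_without_password() {
    "$SEVENZ" l -pwrong-password "$1" 2>/dev/null | grep -q 'customer-list.txt'
}

demo() {
    dir=$(mktemp -d)
    make_archives "$dir"
    names_visible_without_password "$dir/leaky.zip" && echo "zip: file names visible without password"
    names_visible_without_password "$dir/tight.7z" || echo "7z -mhe=on: listing refused without password"
    rm -rf "$dir"
}
```

Run demo to see both lines printed. The practical rule that follows: when the archive itself may be seen by others (e-mail, cloud storage), use the 7z format with -mhe=on, or wrap the ZIP in an outer layer such as GnuPG.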
8. dm-crypt
dm-crypt is the Linux kernel's device-mapper target for transparent block-device encryption: it sits underneath disks, partitions, and file-backed containers. It was created to fix reliability problems in the older cryptoloop driver, and through its userspace front end cryptsetup it handles several volume formats (plain dm-crypt, LUKS1/LUKS2, loop-AES, and TrueCrypt/VeraCrypt).
9. ecryptfs
eCryptfs is a free and open source stacked cryptographic filesystem for Linux. It implements a POSIX-compliant encryption layer on top of an existing filesystem, encrypting each file individually and storing the cryptographic metadata in the file's header so that encrypted files can be copied between hosts, and it has been part of the Linux kernel since version 2.6.19.
eCryptfs is handy because it can encrypt directories and partitions regardless of the underlying filesystem. It was the basis of Ubuntu's encrypted home directory feature, which Ubuntu dropped in 18.04 in favour of full-disk LUKS encryption.
10. cryptsetup
cryptsetup is the open source userspace utility for setting up encrypted block devices (whole disks, partitions, or loop-mounted files, not individual files) on top of the dm-crypt kernel module, with emphasis on the LUKS format.
LUKS stands for Linux Unified Key Setup and has become the standard for Linux disk encryption: its on-disk header makes volumes portable between distributions, eases data transport and migration, and holds several key slots so that multiple passphrases or keyfiles can unlock the same master key. LUKS2 (cryptsetup 2.0 and later) adds the memory-hard Argon2 key derivation function and a JSON metadata area.
How useful are encryption tools to you and which utilities are your favourite to use? Feel free to drop your comments, questions, and suggestions below.
Installation With Full Disk Encryption
Based on Artix Linux: Full Disk Encryption with UEFI, with fixes for some new problems, and, since I'm using an AMD PC with open-source coreboot+SeaBIOS to avoid the proprietary UEFI holes/backdoors (more system info), I had to replace the UEFI/GPT disk commands with the BIOS/MBR ones.
LiveCD/LiveUSB
Get an Artix Live ISO with your favorite Desktop Environment and OpenRC. Burn it to CD/DVD with Brasero/Xfburn, or write it to a USB flash drive: after inserting the drive into your PC, use a
terminal command to learn its drive letter from the Linux kernel log, then write the image to the USB drive with
where X in sdX is the letter of your USB flash drive, and pv shows the progress. If your dd from Coreutils is new enough (8.24 or later), pv can be replaced with the status=progress option:
After the dd command finishes, run
and wait until it completes, to flush the filesystem buffers and make sure that the image has physically been written.
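The same write, as an added example that is not from the original post, with the checks that protect you from the classic mistake of overwriting the wrong disk: the target must be a whole removable disk with nothing mounted, dd flushes with conv=fsync, and the result is compared against the ISO. The ISO path and device name are arguments and are assumed; writing needs root.

```sh
#!/bin/sh
# Added example (not from the original post): write a live ISO to a USB stick
# with sanity checks before and verification after.

# Accept only whole-disk names (sdb, nvme0n1, mmcblk0), never a partition (sdb1).
is_whole_disk() {
    case "$1" in
        sd[a-z]|sd[a-z][a-z]|vd[a-z]|nvme[0-9]n[0-9]|mmcblk[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the kernel flags the disk as removable (USB sticks are; the internal disk is not).
is_removable() {
    [ "$(cat "/sys/block/$1/removable" 2>/dev/null)" = "1" ]
}

# True if any partition of the disk is currently mounted.
has_mounts() {
    grep -q "^/dev/$1" /proc/mounts 2>/dev/null
}

write_iso() {
    iso=$1
    dev=$2
    name=${dev#/dev/}
    [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 1; }
    is_whole_disk "$name" || { echo "refusing: $dev is not a whole disk" >&2; return 1; }
    is_removable "$name" || { echo "refusing: $dev is not removable" >&2; return 1; }
    has_mounts "$name" && { echo "refusing: $dev has mounted partitions" >&2; return 1; }
    # Show which disk is about to be overwritten before doing it.
    lsblk -o NAME,SIZE,MODEL,TRAN "$dev"
    # status=progress needs coreutils 8.24+; conv=fsync flushes before dd returns.
    dd if="$iso" of="$dev" bs=4M status=progress conv=fsync
    sync
    # Verify: the first ISO-length bytes on the stick must equal the ISO.
    cmp -n "$(stat -c %s "$iso")" "$iso" "$dev"
}

# Usage: write_iso ~/Downloads/artix-xfce-openrc-x86_64.iso /dev/sdb
```

Check the ISO's published checksum or signature before calling write_iso; the cmp at the end only proves the stick matches the file you had, not that the file is genuine.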
While booting from your live media, choose the From CD/DVD/ISO option regardless of whether you are using a CD/DVD or a USB stick. Those who used the From Stick/HDD option ran into problems with polkit and other issues; examples can be found here, here, and here.
After booting from the LiveCD/LiveUSB, open a terminal and write
to run the subsequent commands as root.
Disk Partitioning
Here is a disk partitioning scheme we are going to get:
Erase a Disk
Find the X of the drive you want to use:
Print its partition table with
Check that there is nothing important on it, then erase its partition table and some or all of its contents with
Let it run for a minute and interrupt it with Ctrl+C if you are in a hurry (Ctrl+Z only suspends the process and keeps the device busy), or wait until it ends, then
to flush the pending disk writes. A partial overwrite leaves everything past the first gigabytes intact; on an SSD, blkdiscard on the whole device is faster and covers the whole drive.
Create the Partitions
Create a new MBR partition table:
Set up a /dev/sdX1 partition for /boot — 1GB should be enough — and set a boot flag:
Print the partition table of a drive and see if the alignment of your first partition is optimal:
Make a /dev/sdX2 partition which will take the rest of free space — after 1GB of /boot — and set a lvm flag:
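The erase and partition steps above, as one non-interactive script (an added example, not the post's own commands): an MBR label, a 1 GiB /boot starting at 1 MiB with the boot flag, the rest as one partition with the lvm flag, and an alignment check afterwards. The post's partition sizes are kept; the choice of parted and the dry run on a sparse image file are mine. Run it on the image first (no root needed), then on the real disk as root.

```sh
#!/bin/sh
# Added example (not from the original post): BIOS/MBR layout for the guide,
# /dev/sdX1 = 1 GiB /boot (boot flag), /dev/sdX2 = rest of the disk (lvm flag).

layout_disk() {
    target=$1           # block device or image file
    # Wipe old filesystem/LUKS/LVM signatures so nothing stale is auto-detected later
    # (only meaningful on a real block device).
    [ -b "$target" ] && wipefs -a "$target"
    # Start /boot at 1 MiB so the first partition is aligned on any 4K/flash disk;
    # 1025 MiB as the end gives exactly 1 GiB after that gap.
    parted -s -a optimal "$target" \
        mklabel msdos \
        mkpart primary ext4 1MiB 1025MiB \
        set 1 boot on \
        mkpart primary 1025MiB 100% \
        set 2 lvm on
    # parted exits non-zero if a partition is not optimally aligned.
    parted -s "$target" align-check optimal 1
    parted -s "$target" align-check optimal 2
}

# Return 0 if TARGET has the expected layout: msdos label, boot flag on
# partition 1, lvm flag on partition 2. Parses parted's machine-readable output
# (line 2 = disk, field 6 = label type; partition lines: number:...:flags).
check_layout() {
    parted -s -m "$1" unit MiB print | awk -F: '
        NR == 2 && $6 != "msdos" { bad = 1 }
        $1 == "1" && $7 !~ /boot/ { bad = 1 }
        $1 == "2" && $7 !~ /lvm/  { bad = 1 }
        $1 == "2" { seen2 = 1 }
        END { exit (bad || !seen2) }'
}

# Dry run on a 20 GiB sparse file, then inspect the result; returns check_layout's status.
dry_run() {
    img=$(mktemp) && truncate -s 20G "$img"
    layout_disk "$img" >/dev/null && check_layout "$img"
    rc=$?
    rm -f "$img"
    return $rc
}

# Real disk: layout_disk /dev/sdX && check_layout /dev/sdX
```

The dry run costs nothing (the file is sparse) and lets you read the resulting table with parted -s image print before you touch the real disk.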
Setup the Logical Volumes
The disk encryption uses the Linux Unified Key Setup (LUKS), the on-disk format managed by cryptsetup, with dm-crypt (device-mapper crypt) as the kernel backend.
To force loading the kernel modules for Serpent and the other strong ciphers on your LiveCD/LiveUSB, run
and, after it completes, use a command like
to create and format the LUKS partition with your chosen cipher flags. Open it through the device mapper under a name such as lvm-system:
Note: later you will encounter the following warnings — they happen because /run is not available inside the chroot — so you can ignore them:
Now create a physical volume with the Logical Volume Manager (LVM) on the mapper device lvm-system opened above:
With the physical volume in place, create a volume group named lvmSystem:
Then create the logical volumes; as an example, 16GB for swap (volSwap) and the rest for the root partition (volRoot). If you intend to use the resume hook (hibernation), the swap volume must be at least as large as your RAM:
Format the Partitions
Having all physical and virtual disk partitions ready, now it is possible to format them.
Format a boot partition with
Format a swap partition with
This command will print a message like
Copy your swap UUID somewhere — you will need it later.
Format a root partition with
Mount the Partitions
Having each partition formatted, they can be mounted as follows:
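The three sections above (logical volumes, formatting, mounting) as one script, added here as an example and not taken from the post. It keeps the post's names (mapper name lvm-system, volume group lvmSystem, volumes volSwap and volRoot, /mnt as the root mount point) and assumes /dev/sdX1 is /boot and /dev/sdX2 the LUKS partition. The cipher flags, the LUKS2/argon2id choice and the RAM-sized swap are my choices, explained in the comments. Run as root from the live system.

```sh
#!/bin/sh
# Added example (not from the original post): LUKS container, LVM inside it,
# filesystems, mounts, and the two UUIDs you will need for GRUB later.

# Swap must be at least as large as RAM for the resume (hibernate) hook to work.
# Takes MemTotal in kB (as in /proc/meminfo) and returns whole GiB, rounded up.
swap_gib_for_hibernate() {
    kb=$1
    echo $(( (kb + 1048575) / 1048576 ))
}

setup_luks() {
    # Serpent in XTS mode uses two 256-bit keys, hence --key-size 512.
    # LUKS2 with argon2id is safe here because /boot is a separate plain partition:
    # GRUB never has to unlock the container, the initramfs encrypt hook does.
    cryptsetup --verbose --type luks2 --cipher serpent-xts-plain64 --key-size 512 \
        --hash sha512 --pbkdf argon2id --iter-time 5000 --verify-passphrase \
        luksFormat "$luks_part"
    # Check what actually landed in the header before building on it.
    cryptsetup luksDump "$luks_part" | grep -E 'Version|cipher|PBKDF'
    cryptsetup open "$luks_part" lvm-system
}

setup_lvm() {
    pvcreate /dev/mapper/lvm-system
    vgcreate lvmSystem /dev/mapper/lvm-system
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    lvcreate -L "$(swap_gib_for_hibernate "$mem_kb")G" -n volSwap lvmSystem
    lvcreate -l 100%FREE -n volRoot lvmSystem
}

format_and_mount() {
    mkfs.ext4 -L boot "$boot_part"
    mkswap -L swap /dev/lvmSystem/volSwap
    mkfs.ext4 -L root /dev/lvmSystem/volRoot
    mount /dev/lvmSystem/volRoot /mnt
    mkdir -p /mnt/boot
    mount "$boot_part" /mnt/boot
    # Record both UUIDs now; GRUB's cryptdevice= and resume= need them later.
    printf 'LUKS UUID: %s\nswap UUID: %s\n' \
        "$(blkid -s UUID -o value "$luks_part")" \
        "$(blkid -s UUID -o value /dev/lvmSystem/volSwap)"
}

main() {
    set -e
    disk=$1
    boot_part=${disk}1
    luks_part=${disk}2
    setup_luks
    setup_lvm
    format_and_mount
}

# Usage: sh this-script.sh /dev/sdX
[ $# -eq 1 ] && main "$1"
```

The luksDump line is the check worth keeping: it shows the cipher, key size and PBKDF that were actually written, so a typo in the flags is caught before the installation is built on top of it.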
Artix Installation
With the partition scheme configured above, there is a high chance of getting a GRUB-related error
during an Artix Linux installation with the Calamares graphical installer. Since there doesn't seem to be an option to disable the GRUB installation in Calamares, we have to do it by editing the related script manually. Open it with
and comment out this line near the end of the file, in the def run() function:
This is fine, since we're going to install GRUB manually a bit later.
Instead of double-clicking the Calamares shortcut on the Desktop, I recommend launching Calamares from a console to get more logs, which can be really useful if any problems arise. Extract the launch command from the shortcut with
It should look like
however, my command could be outdated, so don't just copy-paste it: extract your own, then use it.
While installing with Calamares: on the «Partitions / Select storage device» screen choose «lvmSystem (/dev/lvmSystem)» and «Manual partitioning», and on the next screen set the mount point / for /dev/lvmSystem/volRoot. «Install bootloader on» can be anything: it will be ignored thanks to our earlier change to the Calamares script. The «Option to use GPT on BIOS» popup can be closed.
After the installation completes, simply close the Calamares window without choosing «Restart now»: we still need to install and configure the packages and the bootloader.
Configure the Packages
fstab
Open /mnt/etc/fstab with
and remove all the uncommented lines; they were created by the Calamares installer. Now generate the new lines with
Optionally, all solid-state disk (SSD) mount points can be given the discard option to enable continuous TRIM:
However, some recommend against continuous TRIM: on an encrypted volume it reveals which blocks are unused, and some drives handle it poorly. If in doubt about the hardware, periodic TRIM (fstrim from a timer or cron job) can be applied instead.
As the order of options in the configuration files might change, double check the results of all the sed commands to make sure that they really worked!
Optionally, to change the size of the tmpfs /tmp (e.g. to 8GB, i.e. half the RAM size), open /mnt/etc/fstab
and insert this line at the end, without a leading space. The original uses TAB separators between fields and a space between the last two zeroes; fstab(5) treats tabs and spaces as equivalent field separators, so keeping the TABs only matters for readability:
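The fstab work above done with functions that can be checked, added here as an example and not the post's own commands: genfstab output is piped through a filter that adds discard only to the chosen mount points and is safe to run twice, a tmpfs line is generated, and a final check rejects any entry that does not have six fields (the failure mode the post warns about after a sed). The mount-point pattern, the 8G size and the nosuid,nodev hardening on /tmp are my assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): generate and post-process
# /mnt/etc/fstab instead of hand-editing it.

# Append ",discard" to the options of every entry whose mount point matches
# PATTERN (an awk regex). Reads fstab text on stdin, writes to stdout.
# Comment and blank lines pass through; entries that already have discard are left alone.
add_discard() {
    awk -v pat="$1" 'BEGIN { OFS = "\t" }
        /^[[:space:]]*#/ || NF == 0 { print; next }
        $2 ~ pat && $4 !~ /(^|,)discard(,|$)/ { $4 = $4 ",discard" }
        { print }'
}

# A /tmp entry of the given size. nosuid,nodev keep setuid binaries and device
# nodes out of a world-writable directory (added hardening, not in the post).
tmpfs_line() {
    printf 'tmpfs\t/tmp\ttmpfs\tdefaults,noatime,nosuid,nodev,mode=1777,size=%s\t0\t0\n' "$1"
}

# Every non-comment line of FILE must have exactly six fields; exit 1 otherwise.
check_fstab() {
    awk '/^[[:space:]]*#/ || NF == 0 { next } NF != 6 { bad = 1 } END { exit bad }' "$1"
}

# Rebuild /mnt/etc/fstab as the post describes: keep only comments, regenerate
# the entries with genfstab, add discard for the given mount points, add /tmp.
regenerate_fstab() {
    f=/mnt/etc/fstab
    discard_pat=${1:-'^(/|/boot|none)$'}   # "none" is the swap entry's mount point
    grep '^[[:space:]]*#' "$f" > "$f.new" || true
    genfstab -U /mnt | add_discard "$discard_pat" >> "$f.new"
    tmpfs_line 8G >> "$f.new"
    check_fstab "$f.new" && mv "$f.new" "$f"
}
```

Because check_fstab runs before the move, a malformed file never replaces the working one; inspect "$f.new" if it fails.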
chroot
Now, it is time to change root (chroot) to the newly installed environment:
Set up a root password with
Update the database of packages by running:
locale, timezone, hostname
System-wide locale (e.g. en_US.UTF-8), timezone and hostname — should have been configured by Calamares. Check it by doing
If not, configure a locale with
a timezone with
and a hostname (e.g. 4rt1x) with
mkinitcpio.conf
The /etc/mkinitcpio.conf file configures the initramfs, including which hooks run at early boot. Within the HOOKS array, encrypt lvm2 needs to be placed between the block and filesystems keywords to enable the full disk encryption. It may also be useful to include the resume keyword (after lvm2, so the swap volume exists when it runs) to enable suspend to disk. However, resume may not work in every case, such as with hardened kernels. If you type the passphrase on a USB keyboard, make sure the keyboard hook comes before encrypt, otherwise the keyboard may be dead at the passphrase prompt.
As sed might be unreliable because of possible changes to the options' order, open /etc/mkinitcpio.conf with
and insert the encrypt, lvm2 and resume hooks manually in the following places:
should become
GRUB — Installation
To avoid the GRUB configuration problem described at the end of this post, remove the artix-grub-theme package with its dependencies:
Now install these packages:
During that, the initramfs should be regenerated automatically with the encrypt/resume hooks. If not, regenerate it manually:
After that, the grub package can be installed with
GRUB — Configuration
In order for the system to boot from the LUKS-encrypted partitions, GRUB has to pass their UUIDs to the initramfs on the kernel command line, so you'll need to configure it:
Personally I've changed the following lines (without the front spaces):
1) Added a
to the top of the file
2) Increased the GRUB timeout from 3 to 15:
3) Expanded the GRUB default command line:
should become
where the xxx UUID (of the LUKS partition) can be found out with
and the yyy UUID is the swap UUID you already know from the previous steps.
4) Added
5) Changed GRUB_GFXMODE:
should become
6) Moved up the
7) Commented out
and added double quotes (") around the options, since /etc/default/grub is read as a shell file and a value containing spaces must be quoted.
Here's the final /etc/default/grub from artix-xfce-openrc-20200506-x86_64.iso. If this config isn't outdated, you can use it as a template; just remember to replace the UUIDs with your own:
you already wrote it down in the previous steps,
find it out with
Install these optional dependencies:
Then install GRUB to the MBR and generate its config:
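The command-line edit from step 3, the installation and a check of the generated config, as an added example (not the post's own commands): the UUIDs are read with blkid instead of being copied by hand, the cryptdevice= and resume= parameters are rebuilt each run so they never accumulate, and grub.cfg is grepped for both UUIDs afterwards. Assumed names: LUKS partition /dev/sdX2, mapper name lvm-system, swap volume /dev/lvmSystem/volSwap; run inside the chroot as root.

```sh
#!/bin/sh
# Added example (not from the original post): set GRUB's kernel command line
# for the encrypt/lvm2/resume hooks from the real UUIDs and verify the result.

# Build the new GRUB_CMDLINE_LINUX_DEFAULT value: keep the existing options but
# replace any previous cryptdevice=/resume= so repeated runs do not accumulate.
cmdline_with_crypt() {
    existing=$1; luks_uuid=$2; swap_uuid=$3; dm_name=${4:-lvm-system}
    kept=$(printf '%s\n' "$existing" | tr ' ' '\n' \
           | { grep -v -e '^cryptdevice=' -e '^resume=' -e '^$' || true; } \
           | tr '\n' ' ')
    printf '%s\n' "${kept}cryptdevice=UUID=${luks_uuid}:${dm_name} resume=UUID=${swap_uuid}"
}

# Set KEY="VALUE" in FILE: replace an existing (or commented-out) line, else append.
set_grub_var() {
    file=$1; key=$2; val=$3
    awk -v k="$key" -v v="$val" '
        index($0, k "=") == 1 || index($0, "#" k "=") == 1 { print k "=\"" v "\""; done = 1; next }
        { print }
        END { if (!done) print k "=\"" v "\"" }' "$file" > "$file.new" && mv "$file.new" "$file"
}

configure_grub() {
    disk=$1
    luks_uuid=$(blkid -s UUID -o value "${disk}2")
    swap_uuid=$(blkid -s UUID -o value /dev/lvmSystem/volSwap)
    conf=/etc/default/grub
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$conf")
    set_grub_var "$conf" GRUB_CMDLINE_LINUX_DEFAULT "$(cmdline_with_crypt "$current" "$luks_uuid" "$swap_uuid")"
    set_grub_var "$conf" GRUB_TIMEOUT 15
    grub-install --target=i386-pc --recheck "$disk"
    grub-mkconfig -o /boot/grub/grub.cfg
    # Both UUIDs must appear in the generated config, or boot stops in the initramfs.
    grep -q "cryptdevice=UUID=$luks_uuid" /boot/grub/grub.cfg \
        && grep -q "resume=UUID=$swap_uuid" /boot/grub/grub.cfg
}

# Usage (inside the chroot): configure_grub /dev/sdX
```

The dm_name argument must match the name the encrypt hook will create; the lvm2 hook then activates lvmSystem on top of whatever mapper device appears, so the name itself is free but has to be consistent between luksOpen during installation and the cryptdevice= parameter.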
Other Packages
In order to decrypt and use the LUKS/LVM volumes and end up with a usable system, the following services need to be installed and activated:
The udev service (eudev/eudev-openrc) should be started by default in the sysinit runlevel. Its activation can be confirmed as follows:
should print this output:
The dbus service should be installed and activated. If it is not, it can be done as follows:
On Artix, logind is provided by elogind (the login daemon extracted from the systemd project), which should come with the base meta package. If it is not activated, it can be done as follows:
The haveged service is a simple entropy daemon for unpredictable random number generation. It matters mostly on older kernels: since Linux 5.4 the kernel seeds its own generator from CPU timing jitter at boot, so haveged adds little there. It can be installed and activated as follows:
Cron job daemons (cronie, fcron etc.) can be installed and activated as follows (e.g. cronie):
If NetworkManager (with its GUI applet) is the desired way to manage network interfaces, run the following to install and activate the service:
NTP, ACPI and Syslog-NG daemons can be installed and activated as follows:
Useful packages (includes samba and the samba client):
To access the AUR, an AUR helper can be installed; the helper shown here, yaourt, is discontinued and unmaintained, so prefer a maintained one such as yay or paru:
Exit the chroot and unmount the volumes:
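The service steps above as one idempotent script, added as an example that is not from the post: each service is added to its runlevel only if rc-update does not already list it there, and the parser that reads rc-update's table is separate so it can be checked offline. The package pairs follow the post's pattern of "package plus package-openrc"; the exact package and init-script names (for example ntp/ntpd for NTP) are assumptions to verify against pacman -Ss on your system.

```sh
#!/bin/sh
# Added example (not from the original post): enable the OpenRC services the
# guide lists, skipping ones that are already in the requested runlevel.

# Parse `rc-update show` output ("   name |  runlevel ...") from stdin and
# report whether SERVICE is in RUNLEVEL (exit 0) or not (exit 1).
in_runlevel() {
    awk -v s="$1" -v r="$2" -F'|' '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == s { n = split($2, levels, " "); for (i = 1; i <= n; i++) if (levels[i] == r) found = 1 }
        END { exit !found }'
}

# Add SERVICE to RUNLEVEL (default: "default") unless it is already there.
ensure_service() {
    svc=$1; runlevel=${2:-default}
    rc-update show -v | in_runlevel "$svc" "$runlevel" \
        || rc-update add "$svc" "$runlevel"
}

install_services() {
    pacman -S --needed --noconfirm \
        dbus dbus-openrc elogind elogind-openrc haveged haveged-openrc \
        cronie cronie-openrc networkmanager networkmanager-openrc \
        ntp ntp-openrc acpid acpid-openrc syslog-ng syslog-ng-openrc
    for svc in dbus elogind haveged cronie NetworkManager ntpd acpid syslog-ng; do
        ensure_service "$svc" default
    done
    ensure_service udev sysinit
    # Final state, for the eye: every service and its runlevels.
    rc-update show
}

# Usage (inside the chroot, as root): install_services
```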