Whole Disk Encryption with One Command - Linux

Plain Mode

cryptsetup --type=plain open /dev/sdX myCrypt

It’s that simple! What we’ve done is create a device at /dev/mapper/myCrypt on which we can now create a filesystem. In plain mode there is no key stored on the device, so to open the device again we use the same command (and the same passphrase). Let’s have a look at a more advanced plain mode example.

cryptsetup --hash=ripemd160 --cipher=aes-cbc-essiv:sha256 --offset=0 --key-size=256 open --type=plain /dev/sdX myCrypt

These are the defaults (consider using more secure options) for more advanced whole disk encryption. The hash is used to derive the key from your passphrase. The cipher specification consists of three parts: the cipher, the chain mode, and an IV generator. The key size depends on the cipher and chain mode used. Run a benchmark to determine the applicable hash and cipher values:

cryptsetup benchmark

!!Caution!!

When using plain mode, no error will be displayed if an incorrect passphrase has been used. If any data is written to the device while it is open with an incorrect passphrase, it will corrupt the data previously written. It is recommended to always create a filesystem inside the newly created device. This will throw an error when trying to mount the encrypted device with an incorrect passphrase.

Step by Step

# Let's clean our drive (overwrite it with random data so old contents are gone)
dd if=/dev/urandom of=/dev/sdX bs=4M
# Now create an encrypted device
cryptsetup --type=plain open /dev/sdX myCrypt

# Create a filesystem on the device
mkfs -t ext4 /dev/mapper/myCrypt

# Mount the newly created device
mkdir -p /mnt/nothingToSeeHere
mount /dev/mapper/myCrypt /mnt/nothingToSeeHere

# Write a file to the device
echo "This file is inside a filesystem that is inside an encrypted device." > /mnt/nothingToSeeHere/helloWorld.txt

# Unmount the partition
umount /mnt/nothingToSeeHere

# Close the encrypted device
cryptsetup close myCrypt

# Now, let's verify everything is in working order
cryptsetup --type=plain open /dev/sdX myCrypt
mount /dev/mapper/myCrypt /mnt/nothingToSeeHere
cat /mnt/nothingToSeeHere/helloWorld.txt
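The caution above says a wrong passphrase in plain mode produces no error, and that the filesystem created inside the device is what catches it. The following added example (not part of the original page) makes that check explicit: it looks for the ext4 superblock magic (0xEF53 at byte offset 0x438 of the device) before mounting, and closes the mapping if the magic is absent. The function names and the mount point are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Guard a plain-mode open by
# checking for an ext4 signature before anything is written or mounted.
# With the wrong passphrase the decrypted bytes are noise, so the ext4
# magic will not be present and we refuse to touch the device.

# has_ext4_magic DEVICE_OR_FILE -> exit status 0 if the ext4 magic is present.
has_ext4_magic() {
    # The ext2/3/4 superblock starts at byte 1024; s_magic sits 56 bytes in,
    # stored little-endian, so bytes 0x53 0xEF are expected at offset 1080.
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# safe_plain_open DEVICE NAME MOUNTPOINT (hypothetical helper): open the plain
# mapping, verify the signature, mount it; close the mapping on failure.
safe_plain_open() {
    dev=$1; name=$2; mnt=$3
    cryptsetup --type=plain open "$dev" "$name" || return 1
    if ! has_ext4_magic "/dev/mapper/$name"; then
        echo "no ext4 signature on /dev/mapper/$name (wrong passphrase?), closing" >&2
        cryptsetup close "$name"
        return 1
    fi
    mkdir -p "$mnt" && mount "/dev/mapper/$name" "$mnt"
}

# Usage (needs root and a real device):
#   safe_plain_open /dev/sdX myCrypt /mnt/nothingToSeeHere
```

The same idea works for any filesystem with a recognisable signature; `blkid -p /dev/mapper/NAME` returning nothing is the general-purpose version of the check.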

Advanced - RAID

Now let’s use multiple drives to create a RAID1 array with BTRFS.

# create two encrypted devices from our disks (each open prompts for its passphrase)
cryptsetup --type=plain open /dev/sdb first
cryptsetup --type=plain open /dev/sdc second

# create a BTRFS RAID1 setup with the two devices
mkfs.btrfs -m raid1 -d raid1 /dev/mapper/first /dev/mapper/second

# mount our RAID array (mounting either member device brings in the whole array)
mkdir -p /mnt/myRAID
mount /dev/mapper/first /mnt/myRAID

# We're done! Now let's close it down
umount /mnt/myRAID
cryptsetup close first
cryptsetup close second

You are able to add more devices to the array by creating more encrypted devices with cryptsetup then adding them to the array with plain btrfs commands.

More Information

https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions