Disk Encryption



The course is part of this learning path

Linux Security and Hardening

In this course, you'll learn about the importance of physical security and the threats posed by attackers who gain unauthorized physical access to your Linux system. We'll cover a range of points to consider when securing your Linux systems and the best strategies to take.

Learning Objectives

  • Understand the security challenges you'll face both when in direct control of your physical systems and when you use a third party to host them
  • Understand what to look for when choosing a third-party provider
  • Understand the physical security implications of using cloud environments
  • Learn specific strategies for mitigating physical security risks and protecting your Linux systems against the most common physical attacks
  • Learn about data encryption and how to implement it on new Linux systems, as well as those that are already in service

Intended Audience

This course is intended for anyone who wants a solid grasp of physical security considerations for their Linux system.


To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.


If you don't want someone to easily read or alter the data on your system's disk, then you should encrypt it. When you encrypt your data it looks like a large blob of random data. For example, if you were to encrypt the text letmein123, it might look like the seemingly random series of letters and numbers displayed on your screen. The OS can't operate on this nonsensical data. So after you encrypt your data you need to allow the operating system and its applications access to that data in a way they can understand. In short, the OS needs access to the decrypted or unlocked form of that data. To unlock the encrypted data, a user needs to supply some sort of secret information. This can be a passphrase or a key file. In some cases, this passphrase or key is used directly to encrypt and decrypt the data. In other cases, it's used to unlock the master key that does the actual encryption and decryption. In any case, the key is stored in memory for as long as the encrypted device is mounted.

If you're going to use a passphrase, it's important to point out its significance. This passphrase or password is the weak link: if it's an easily guessed password, then the encryption is useless. So don't write the passphrase on a sticky note and post it on the front of your server, and don't use easy-to-guess, common passwords like 123456 and letmein.

dm-crypt, which stands for device mapper crypt, is a kernel-level encryption subsystem that provides transparent disk encryption. That means the files are available immediately after mounting a file system that resides on a dm-crypt device. dm-crypt creates a new block device in /dev/mapper. Any writes to that device are encrypted and any reads are decrypted. Because dm-crypt encrypts block devices, the encryption happens below the file system layer. This means you can use a dm-crypt device just like you would any other block device: you can put a file system directly on that block device, or you can use it as part of an LVM (Logical Volume Manager) setup. You don't have to worry about encrypting or decrypting. It's transparent to you as a user or system administrator once the initial setup is performed.

Here is a diagram that illustrates this concept. Starting at the bottom, the physical block device, the disk, is accessed through its device file located at /dev/sda2. If you configure that device as a dm-crypt device, a new virtual block device file is created. In this example, that device is /dev/mapper/home. That virtual block device can be used like any other block device. Here we created an ext4 file system directly on that device. Finally, that file system was mounted on /home. When you create a file in /home, the file system takes care of all the details of how to store that file on the underlying block device, /dev/mapper/home. Any writes to /dev/mapper/home are encrypted by dm-crypt and written to the underlying physical disk. This is totally transparent: the file system doesn't need to know anything about the encryption. It just uses a virtual block device like any other block device. The encryption and decryption are taken care of by dm-crypt. Writes are encrypted by dm-crypt and reads are decrypted by it.

LUKS, which stands for Linux Unified Key Setup, is a standard for Linux disk encryption and is compatible across different distributions. LUKS is really a front-end for dm-crypt. Instead of using dm-crypt directly to set up disk encryption, you'll want to use LUKS. LUKS allows you to use multiple passphrases (up to eight at the time of this recording). These passphrases are used to decrypt the master key, which is what actually performs the encryption. These passphrases can be changed as well as revoked without having to re-encrypt all the data stored on the encrypted device. LUKS stores all the required setup information in the partition header of the encrypted device, which enables you to transport or migrate data seamlessly from one Linux distribution to another. If you would like to encrypt a USB drive or some other removable media, LUKS can be used to protect those devices too. You don't have to use LUKS only on permanent storage devices.

If your chosen distro has an option to set up encryption during install, this can be the easiest way to go. The price you pay for this convenience is not having complete configuration control over the process. However, the defaults are usually good and work for the overwhelming majority of situations. The CentOS and Red Hat installers have a checkbox to encrypt data on the disk during the installation process. You can see the little check box on the lower left-hand side of the screen. After you've clicked that check box, you'll need to provide a passphrase. It also asks you to confirm your passphrase. Here's what it looks like after the installation is done and when you boot the system: you have to provide that passphrase or the system will not boot. The process for Ubuntu is very similar. Here you select the option to set up encryption. Next you'll need to enter a passphrase. Ubuntu does a really great job of telling you how important this passphrase is. You'll want to use a strong passphrase and remember it. On boot, you'll be prompted for the passphrase in order to unlock your data and finish booting the system.
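As an added example (not part of the course), here is the dm-crypt/LUKS chain described above built on a file-backed loop device, followed by the key-slot add-and-revoke step that avoids re-encrypting the data. The image path, mapping name, mount point and the passphrase deny list are assumptions; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the course's own material: the lecture's chain of
# physical device -> dm-crypt mapping (/dev/mapper/home) -> ext4 -> /home,
# built with LUKS on a file-backed loop device so it can be tried without a spare disk.
# Assumes cryptsetup, losetup and mkfs.ext4 are installed; a real run needs root.
# DRY_RUN=1 (default) only prints each command; DRY_RUN=0 executes it.
set -eu
IMG="${IMG:-/tmp/luks-demo.img}"   # backing file, standing in for /dev/sda2
NAME="${NAME:-home}"               # mapping name, shows up as /dev/mapper/home
MNT="${MNT:-/mnt/home}"            # mount point; the lecture mounts on /home
DRY_RUN="${DRY_RUN:-1}"
LOOP=/dev/loop0                    # placeholder until losetup assigns the real device

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The passphrase is the weak link: reject short ones and the examples the
# lecture calls out as bad (a constructed deny list; extend it as needed).
passphrase_ok() {
  [ "${#1}" -ge 12 ] || return 1
  case "$1" in 123456|letmein|letmein123|password) return 1 ;; esac
  return 0
}

# Create the encrypted device, unlock it, put ext4 on the mapping, mount it.
luks_setup() {
  run fallocate -l 256M "$IMG"
  [ "$DRY_RUN" = 1 ] || LOOP=$(losetup --find --show "$IMG")
  run cryptsetup luksFormat "$LOOP"        # writes the LUKS header; prompts for a passphrase
  run cryptsetup open "$LOOP" "$NAME"      # creates /dev/mapper/$NAME, the decrypted view
  run mkfs.ext4 "/dev/mapper/$NAME"        # the file system sits on the mapping, not on $LOOP
  run mkdir -p "$MNT"
  run mount "/dev/mapper/$NAME" "$MNT"     # writes to $MNT are encrypted on their way to $LOOP
}

# Add a second passphrase and revoke slot 0; the master key and the data are untouched.
luks_rotate() {
  run cryptsetup luksAddKey "$LOOP"        # new key slot, same master key
  run cryptsetup luksKillSlot "$LOOP" 0    # the old passphrase no longer unlocks the volume
  run cryptsetup luksDump "$LOOP"          # lists which key slots are in use
}

# Unmount, close the mapping (the master key leaves memory), detach the loop device.
luks_teardown() {
  run umount "$MNT"
  run cryptsetup close "$NAME"
  run losetup -d "$LOOP"
}

luks_setup; luks_rotate; luks_teardown
```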

About the Author
Jason Cannon
Founder, Linux Training Academy

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.