Hard drive encryption on Linux

We are required to use hard drive encryption on all devices allocated to members of the department, so that if the device is lost or stolen, the data is inaccessible. Unlike on Windows and Mac, with Linux it is necessary to set a passphrase to decrypt the hard drive on boot-up. Your Linux PC/laptop will have come with one. The support team also keeps a spreadsheet of all the passphrases so we can access the hard drive in the event of a problem or the user losing the passphrase.

These passphrases are randomly generated so are hard to remember. It is possible, however, to add your own passphrase to the drive encryption, so it can be unlocked with something that's easy to remember. It could even be the same passphrase as your DCS login, although re-using passphrases is generally discouraged.

To achieve this, you need to know the device name of the encrypted partition on the drive. If you run sudo cat /etc/crypttab it lists the encrypted volumes. For example:

user@computer:~$ sudo cat /etc/crypttab
nvme0n1p3_crypt UUID=fd11d274-d095-4a29-a5aa-9e06514a18fe none luks,discard

Copy the UUID it shows you and use it in this command:

sudo cryptsetup luksAddKey UUID=fd11d274-d095-4a29-a5aa-9e06514a18fe

Make sure you use your own UUID instead of the one in the example. It will ask for the currently set passphrase, and then you can enter your own that you want to use. To check you can use it, reboot the computer and enter your new passphrase when it asks to unlock the drive.

Assuming it works, the final stage is to dispose of any hard copies you may have of the original hard-to-remember passphrase!

managing_hard_drive_encryption_on_linux.txt · Last modified: 2023/10/23 13:42 by ac1mde
Public Domain
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0