How to encrypt your Fedora file system

What is encryption?

In cryptography, encryption is encoding information so that only authorized parties can read it. Encryption doesn’t necessarily prevent someone else from getting access to your data. However, if they do, it can prevent that data’s content from being read. Encryption transforms the intended information, referred to as plaintext, using an algorithm into ciphertext that’s only readable if decrypted.

Why should I encrypt?

Encryption is important because it allows you to securely protect data you don’t want anyone else to access. Businesses use encryption to protect corporate secrets. Governments use it to secure classified information. And many individuals use encryption to protect personal information, guard against identity theft, or wipe media before replacing it.

By default Fedora and most Linux Distribution come with LUKS, the Linux Unified Key Setup system. LUKS manages encryption on storage devices such as hard disks.

Cryptography lesson: Why use a strong passphrase?

This part’s for cryptography geeks. You need to set a strong passphrase because Fedora’s default implementation of LUKS uses AES-256 with a SHA-256 hashing to encrypt the disk volume. It also has a cipher feedback to help protect it from frequency attacks and others attacks that target statically encrypted data. As an algorithm, AES has been proven by cryptanalysis testing as secure. The weakness actually lies within the cipher and the software that passes keys to the cipher. Specifically, the risk lies in the keystore, which is stored in the header of the volume. The keystore is secured by a passphrase, which is open to things like dictionary or brute force attacks. If such an attack was successful at guessing your passphrase, it would decrypt the keystore. Using longer, more complex, non-word passwords reduces the chance of this happening.

Encrypting your Fedora system

Step One: Install Fedora 24 on 32 and 64-bit AMD and Intel

If you decide to encrypt your Fedora system’s storage, you can do so with the Anaconda installer during setup. Check the option for Encrypt my data.

After you confirm, you must create a an encryption passphrase. Note: The best encryption can be easily broken if you choose a weak password! Choose one easy for you to remember, but difficult for others to guess. Consider using a tool like KeePass or the pwgen command-line tool, which is described later.

Screenshot_generic_2016-07-23_17:18:21

Step Two: Change your passphrase

If you’re unable to copy and paste a strong password, such as when using Virtual Machine Manager, choose a simple one and change it immediately after the first reboot. To replace your temporary password with a random passphrase, you can use the KeePass tool; alternatively, use the pwgen utility by running the following commands:

# dnf install pwgen -y
# pwgen -C 10

Once you have your strong passphrase, run:

# cryptsetup luksAddKey /dev/sda2

The result should look something like this:

Screenshot from 2016-07-23 19-13-31

After you’ve added the new passphrase, kill the old/weak passphrase slot:

# cryptsetup luksKillSlot /dev/sda2 0

Then, to confirm, enter the strong passphrase you just added:

Screenshot from 2016-07-23 19-14-32

Learning more

For more information about encrypting your Fedora system at installation time, consider reviewing the official Installation Guide and the Disk Encryption User Guide on the Fedora Wiki.

Fedora Project community For System Administrators Using Software

10 Comments

  1. It would also be interesting if you showed how to encrypt your system if you have fedora already installed. if that’s even possible.
    regards.

    • Andre Gompel

      “Interesting if you showed how to encrypt your system if you have fedora already installed.”

      Yes, you can,.
      When done, in MATE’s CAJA (File manager) just click on the volume, etc..
      Please post, if you find some innacuracy, or need to comment.

      ——————— HERE IS THE PROCEDURE ———–

      == Create the block devices ==
      Create the block devices you want to encrypt by using parted, pvcreate, lvcreate and mdadm.

      == Optional: Fill the device with random data ==
      dd if=/dev/urandom of=

      Fastest way, which provides lower quality random data:
      badblocks -c 10240 -s -w -t random -v

      == Format the device as a dm-crypt/LUKS encrypted device == (Destructive)
      cryptsetup luksFormat

      == After supplying the passphrase twice the device will be formatted for use. To verify, use the following command: ==
      cryptsetup isLuks && echo Success

      == To see a summary of the encryption information for the device, use the following command: ==

      sudo cryptsetup luksDump /dev/sda4
      LUKS header information for /dev/sda4

      Version: 1
      Cipher name: aes
      Cipher mode: xts-plain64
      Hash spec: sha1
      Payload offset: 4096
      MK bits: 256
      MK digest: 69 dd 64 20 55 fc 15 d7 58 d4 29 10 dc 85 b1 7f b5 62 06 1b
      MK salt: 21 38 e0 d0 14 54 b6 eb 9e 43 a4 e3 6b df dc ef
      5d e5 2b ff 63 eb 53 a6 f4 57 a2 9d 10 0e 01 19
      MK iterations: 61750
      UUID: 36aaabd9-c7fc-420a-8b57-316636428e44

      Key Slot 0: ENABLED
      Iterations: 251226
      Salt: ea 3b a4 1a d1 31 6e 34 c0 33 88 0e 20 80 e0 df
      ad 87 ae 15 3e 56 b5 ee c9 75 09 d0 82 90 2a 6d
      Key material offset: 8
      AF stripes: 4000
      Key Slot 1: DISABLED
      Key Slot 2: DISABLED
      Key Slot 3: DISABLED
      Key Slot 4: DISABLED
      Key Slot 5: DISABLED
      Key Slot 6: DISABLED
      Key Slot 7: DISABLED

      == Create a mapping to allow access to the device’s decrypted contents ==d
      sudo cryptsetup luksUUID /dev/sda4
      36aaabd9-c7fc-420a-8b57-316636428e44

       (cryptsetup luksOpen <device> <name>)

      sudo cryptsetup luksOpen /dev/sda4 MyLongPassPhrase
      Enter passphrase for /dev/sda4:
      <the paraphrase.

      == Verify there is device info ==
      There should now be a device node, /dev/mapper/, which represents the decrypted device. This block device can be read from and written to like any other unencrypted block device.
      To see some information about the mapped device, use the following command:

        (dmsetup info &lt;name&gt;)

      sudo dmsetup info MyLongPassPhrase

      == Create filesystems on the mapped device, or continue to build complex storage structures using the mapped device ==
      sudo mkfs.xfs -f /dev/mapper/MyLongPassPhrase ## -f to force overwriting existing fs

      == Mount on existing directory ==
      sudo mount /dev/mapper/MyLongPassPhrase /mnt/test/

      == Add the mapping information to /etc/crypttab ==
      In order for the system to set up a mapping for the device, an entry must be present in the /etc/crypttab file. If the file doesn’t exist, create it and change the owner and group to root (root:root) and change the mode to 0744. Add a line to the file with the following format:

       (&lt;name&gt;  &lt;device&gt;  none)

      vivreHeureux 36aaabd9-c7fc-420a-8b57-316636428e44 none

      == Add an entry to /etc/fstab ==
      Add an entry to /etc/fstab. This is only necessary if you want to establish a persistent association between the device and a mountpoint. Use the decrypted device, /dev/mapper/ in the /etc/fstab file.

      In many cases it is desirable to list devices in /etc/fstab by UUID or by a filesystem label. The main purpose of this is to provide a constant identifier in the event that the device name (eg: /dev/sda4) changes. LUKS device names in the form of /dev/mapper/luks- are based only on the device’s LUKS UUID, and are therefore guaranteed to remain constant. This fact makes them suitable for use in /etc/fstab.

  2. Do keep in mind that it’s also very hard to recover data from an encrypted system. Be sure to also configure system and user data backups of any encrypted system. The GNOME Backup utility (Déjà Dup) can help you create encrypted backups on a schedule.

    • wigust

      It’s a pain to recover in either way. Do backups whatever you use

    • PhotoRec (testdisk package or qphotorec for the GUI) can recover lost files from an unlocked encrypted LUKS filesystem. Instead of selecting the LUKS partition (ie. /dev/sda2), select the unlocked device (ie. /dev/mapper/home)

  3. Andre Gompel

    == Create the block devices ==
    Create the block devices you want to encrypt by using parted, pvcreate, lvcreate and mdadm.

    == Optional: Fill the device with random data ==
    dd if=/dev/urandom of=

    Fastest way, which provides lower quality random data:
    badblocks -c 10240 -s -w -t random -v

    == Format the device as a dm-crypt/LUKS encrypted device == (Destructive)
    cryptsetup luksFormat

    == After supplying the passphrase twice the device will be formatted for use. To verify, use the following command: ==
    cryptsetup isLuks && echo Success

    == To see a summary of the encryption information for the device, use the following command: ==

    sudo cryptsetup luksDump /dev/sda4
    LUKS header information for /dev/sda4

    Version: 1
    Cipher name: aes
    Cipher mode: xts-plain64
    Hash spec: sha1
    Payload offset: 4096
    MK bits: 256
    MK digest: 69 dd 64 20 55 fc 15 d7 58 d4 29 10 dc 85 b1 7f b5 62 06 1b
    MK salt: 21 38 e0 d0 14 54 b6 eb 9e 43 a4 e3 6b df dc ef
    5d e5 2b ff 63 eb 53 a6 f4 57 a2 9d 10 0e 01 19
    MK iterations: 61750
    UUID: 36aaabd9-c7fc-420a-8b57-316636428e44

    Key Slot 0: ENABLED
    Iterations: 251226
    Salt: ea 3b a4 1a d1 31 6e 34 c0 33 88 0e 20 80 e0 df
    ad 87 ae 15 3e 56 b5 ee c9 75 09 d0 82 90 2a 6d
    Key material offset: 8
    AF stripes: 4000
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

    == Create a mapping to allow access to the device’s decrypted contents ==d
    sudo cryptsetup luksUUID /dev/sda4
    36aaabd9-c7fc-420a-8b57-316636428e44

     (cryptsetup luksOpen &lt;device&gt; &lt;name&gt;)

    sudo cryptsetup luksOpen /dev/sda4 vivreHeureux
    Enter passphrase for /dev/sda4:
    <the paraphrase.

    == Verify there is device info ==
    There should now be a device node, /dev/mapper/, which represents the decrypted device. This block device can be read from and written to like any other unencrypted block device.
    To see some information about the mapped device, use the following command:

      (dmsetup info &lt;name&gt;)

    sudo dmsetup info vivreHeureux

    == Create filesystems on the mapped device, or continue to build complex storage structures using the mapped device ==
    sudo mkfs.xfs -f /dev/mapper/vivreHeureux ## -f to force overwriting existing fs

    == Mount on existing directory ==
    sudo mount /dev/mapper/vivreHeureux /mnt/test/

    == Add the mapping information to /etc/crypttab ==
    In order for the system to set up a mapping for the device, an entry must be present in the /etc/crypttab file. If the file doesn’t exist, create it and change the owner and group to root (root:root) and change the mode to 0744. Add a line to the file with the following format:

     (&lt;name&gt;  &lt;device&gt;  none)

    vivreHeureux 36aaabd9-c7fc-420a-8b57-316636428e44 none

    == Add an entry to /etc/fstab ==
    Add an entry to /etc/fstab. This is only necessary if you want to establish a persistent association between the device and a mountpoint. Use the decrypted device, /dev/mapper/ in the /etc/fstab file.

    In many cases it is desirable to list devices in /etc/fstab by UUID or by a filesystem label. The main purpose of this is to provide a constant identifier in the event that the device name (eg: /dev/sda4) changes. LUKS device names in the form of /dev/mapper/luks- are based only on the device’s LUKS UUID, and are therefore guaranteed to remain constant. This fact makes them suitable for use in /etc/fstab.

  4. someone

    You should be recommending diceware for secure, memorable passphrases:

    https://en.wikipedia.org/wiki/Diceware

  5. Also just know, the master key sits in memory on a running live system, watch out for DMA attacks.

  6. Hugo

    Very interesting article. The issue of encryption today is very important, but fedora follows must deliver good documentation to use it properly in different combinations. For example, the article recommended at the end is obsolete (shows a warning when entering the Wiki).

    Related topics I’d like to see in Fedora Magazine:
    • Encrypting drives in older installations
    • Encrypt external drives
    • Use gnome-disk-utility to encrypt partitions and external devices (and use custom file systems)

    Cheers

  7. Joe

    Folks;
    The nomenclature for fsck operations on lvm installations seems a bit rough. I recently lost access to a device used to store Evolution backups that are locked behind LUKS and found myself fumbling!

Comments are Closed

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions