How to encrypt several partitions on Ubuntu or Debian with cryptsetup & LVM

Authmane Terki
3 min read · Jul 27, 2018

Hello everybody,

In this tutorial, I will show you how you can encrypt your system on Debian. Here, I'll make 5 partitions:

  • One not encrypted, EXT4, for the system (programs, etc.), mounted on /
  • One encrypted, EXT4, for user files, mounted on /home
  • One encrypted, EXT4, for logs, mounted on /var
  • One encrypted, EXT4, for temporary files, mounted on /tmp
  • A last one, encrypted, for swap

In this tutorial I won't encrypt the system partition, because I don't put personal files on it and because doing so can cause a lot of problems. If you search on the internet, you will find several people who say that encrypting the system partition is a bad idea.

The 4 encrypted partitions are grouped inside one parent cryptsetup (LUKS) partition. This way we don't have to set up and unlock each of them separately: one passphrase opens the container, and the four volumes inside it become available. To make that possible, we will use LVM.

1. Backup data

We have to copy our data to another disk. This disk has to be formatted in EXT4 too, so that ownership and permissions are preserved.

sudo cp -rx --preserve=all / /media/backup/

/media/backup should be a folder on your external disk. The -x option keeps the copy on the root filesystem, so that /proc, /sys, /dev and the backup disk itself are not copied recursively into the backup.

2. Securely wipe the hard drive

To make sure that nobody can recover our old data, we overwrite the whole disk with random data:

sudo shred --verbose -n 3 /dev/sdx

The -n 3 parameter makes shred do three passes.

3. Make partitions

For simplicity, I suggest using GParted, even though I know that it's generally better to use the command line. Make at least 2 partitions: one in EXT4 for the system and another one, left empty, that we will format later. In my case, I also made a FAT partition for personal reasons. Don't forget to add the boot flag to the EXT4 partition.

EDIT:

Personal reminder: “Don’t use parted, use fdisk on command line”

4. Make an encrypted partition

To do so, you need to install cryptsetup:

sudo apt install cryptsetup

Then, run:

sudo cryptsetup --hash sha512 --verbose --cipher aes-xts-plain --key-size 512 luksFormat /dev/sdxy

Of course, /dev/sdxy must be replaced by the device node of the right partition (the empty one created in step 3).

WARNING!!! Triple check that the partition is the right one: luksFormat destroys everything on it.

Then run:

sudo cryptsetup open /dev/sdxy <part. name>

You can choose whatever <part. name> you want; it is just the name under which the unlocked device appears as /dev/mapper/<part. name>, so that you can refer to it later. For example, once nothing on it is mounted any more, you can close the device again like this:

sudo cryptsetup close <part. name>
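The "triple check" above is easy to forget when typing by hand. Here is an added example (not part of the original post) of a small pre-flight check that scans a mount table for the target device or any of its partitions and refuses to continue if one is in use. The device names and the mount table used in the demo are constructed for illustration; the wrapper function uses the same luksFormat parameters as the tutorial but needs root and a real block device, so the demo only exercises the check.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check to run
# before "cryptsetup luksFormat" so that the command is never pointed at a
# device that is currently in use. It scans a mount table (by default
# /proc/mounts) for the device itself and for any of its partitions.

# refuse_if_mounted DEVICE [MOUNTS_FILE]
# Prints the offending mount entries and returns 1 if DEVICE or one of its
# partitions appears as a mount source; returns 0 otherwise.
refuse_if_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    # Match "/dev/sdb", "/dev/sdb1", "/dev/nvme0n1", "/dev/nvme0n1p2", ...
    # as the first field of a mount table line. Deliberately conservative:
    # a partition name also matches its own sub-numbered siblings.
    pattern="^${dev}(p?[0-9]+)? "
    if grep -qE "$pattern" "$mounts"; then
        echo "refusing: $dev or one of its partitions is mounted:" >&2
        grep -E "$pattern" "$mounts" >&2
        return 1
    fi
    return 0
}

# safe_luks_format DEVICE
# Runs the check above and only then formats DEVICE with the parameters the
# tutorial uses. Requires root and a real block device, so the demo below
# does not call it.
safe_luks_format() {
    refuse_if_mounted "$1" || return 1
    cryptsetup --hash sha512 --verbose --cipher aes-xts-plain --key-size 512 \
        luksFormat "$1"
}

# Demo on a constructed mount table (hypothetical devices, not from the post).
demo_mounts=$(mktemp)
cat > "$demo_mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /media/backup ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
EOF
refuse_if_mounted /dev/sda "$demo_mounts" && echo "/dev/sda: free" || echo "/dev/sda: in use, not formatting"
refuse_if_mounted /dev/sdb "$demo_mounts" && echo "/dev/sdb: free" || echo "/dev/sdb: in use, not formatting"
rm -f "$demo_mounts"
```

In real use, call safe_luks_format /dev/sdxy as root instead of the bare cryptsetup line; the check costs nothing and catches the classic mistake of formatting the disk the system or the backup is living on.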

5. Split the encrypted partition with LVM

Install LVM like this:

sudo apt install lvm2

Now, we have to make what is called a "physical volume" for LVM on top of the unlocked device:

sudo pvcreate --dataalignmentoffset 512 /dev/mapper/<part. name>

Replace <part. name> with the device we just opened before. Here, I don't know why, but I have to set --dataalignmentoffset to 512. If someone has the answer, it would be kind to give it to me ;-).

Make a “volume group” for LVM too:

sudo vgcreate <VG name> /dev/mapper/<part. name>

We can finally make our 4 logical volumes (sizes use LVM's unit suffix, G for gigabytes; the last one takes whatever space is left):

sudo lvcreate -n swapLV -L 16G <VG name>
sudo lvcreate -n varLV -L 30G <VG name>
sudo lvcreate -n tmpLV -L 15G <VG name>
sudo lvcreate -n homeLV -l 100%FREE <VG name>

You can list them like this:

sudo lvdisplay

Format them like this:

sudo mkswap /dev/mapper/<VG name>-swapLV
sudo mkfs -t ext4 /dev/mapper/<VG name>-homeLV
sudo mkfs -t ext4 /dev/mapper/<VG name>-varLV
sudo mkfs -t ext4 /dev/mapper/<VG name>-tmpLV
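The volumes are now formatted, but nothing yet tells the system to unlock the container and mount them at boot. As an added example (not part of the original post), the helper below prints the /etc/crypttab line and the /etc/fstab lines that do this for the four volumes of the tutorial. The mapping name cryptlvm, the volume group name vg0 and the UUID are placeholders chosen here; the real UUID comes from sudo blkid -s UUID -o value /dev/sdxy. The nodev,nosuid mount options on /home and /tmp are our own hardening choice, not something the tutorial specifies.

```shell
#!/bin/sh
# Added example, not from the original post: generate the /etc/crypttab and
# /etc/fstab entries that make the LUKS container and its logical volumes
# come up at boot. Because the root filesystem stays unencrypted, as in the
# tutorial, the container is opened from crypttab early in boot and the
# passphrase is asked for on the console.

# crypttab_line NAME LUKS_UUID
# NAME is the mapping name given to "cryptsetup open"; LUKS_UUID is the UUID
# of the LUKS partition, obtained with: sudo blkid -s UUID -o value /dev/sdxy
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab_lines VGNAME
# One line per logical volume the tutorial creates. Swap has no mount point.
# nodev,nosuid on /home and /tmp prevent device nodes and setuid binaries
# from being used there (our hardening choice, not from the tutorial).
fstab_lines() {
    vg=$1
    printf '/dev/mapper/%s-homeLV /home ext4 defaults,nodev,nosuid 0 2\n' "$vg"
    printf '/dev/mapper/%s-varLV /var ext4 defaults 0 2\n' "$vg"
    printf '/dev/mapper/%s-tmpLV /tmp ext4 defaults,nodev,nosuid 0 2\n' "$vg"
    printf '/dev/mapper/%s-swapLV none swap sw 0 0\n' "$vg"
}

# render_boot_config NAME LUKS_UUID VGNAME
# Prints both sections, ready to be reviewed and appended with
# "sudo tee -a /etc/crypttab" and "sudo tee -a /etc/fstab".
render_boot_config() {
    echo "# /etc/crypttab"
    crypttab_line "$1" "$2"
    echo
    echo "# /etc/fstab"
    fstab_lines "$3"
}

# Demo with placeholder values (constructed, not from the post).
render_boot_config cryptlvm 6c5d2a1e-0000-4000-8000-000000000000 vg0
```

Review the output before appending it: a wrong UUID in crypttab or a typo in a mapper path leaves the system waiting for a device at boot. After editing both files, sudo mount -a and sudo swapon -a will confirm the entries work without a reboot.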

6. Copy data

Finally, mount the new volumes and copy back the data you backed up before (for example the old /home into homeLV, and /var and /tmp into their volumes).
