Sunday, 16 October 2011

Linux: Creating encrypted partition using cryptsetup

To protect sensitive data in case your storage is lost or stolen, one usually encrypts the drive using trusted encryption algorithms. Under Linux one can use e.g. cryptsetup, which is available in the standard Ubuntu repository (it should also be available in the standard repositories of other distributions). Since it works at the block level, one can mix unencrypted partitions with encrypted ones. It is also used by most distributions (e.g. the Ubuntu alternate installer) as the tooling that provides disk encryption.

Creating/mounting encrypted partition

First of all, I did not want to experiment with my HDD, so I decided to use a USB stick for this experiment. One needs to partition the disk: I created two partitions, sdb1 and sdb2, using fdisk. The resulting partition table is shown below:

root@krystianek:~# fdisk -l /dev/sdb

Disk /dev/sdb: 4156 MB, 4156555264 bytes
255 heads, 63 sectors/track, 505 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000e56eb

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1         132     1060258+  83  Linux
/dev/sdb2             133         505     2996122+  83  Linux

Now you need to format the partition as shown below (I used a 256-bit key length for encryption). Type the uppercase 'YES' when prompted; you will also have to provide the encryption passphrase.

root@krystianek:~# cryptsetup --verbose --key-size 256 luksFormat /dev/sdb2

WARNING!
========
This will overwrite data on /dev/sdb2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.


That's it; now you can open the encrypted partition. As a parameter you provide the alias to which the device will be mapped, as presented below:

root@krystianek:~# cryptsetup --verbose luksOpen /dev/sdb2 usbencrypted
Enter passphrase for /dev/sdb2:
Key slot 0 unlocked.
Command successful.

root@krystianek:~# ls -l /dev/mapper/usbencrypted
lrwxrwxrwx 1 root root 7 2011-10-16 20:06 /dev/mapper/usbencrypted -> ../dm-3
root@krystianek:~# cryptsetup status usbencrypted
/dev/mapper/usbencrypted is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sdb2
  offset:  2056 sectors
  size:    5990189 sectors
  mode:    read/write

Next you can create the filesystem. I created an ext4 filesystem and mounted it under /mnt/hd1:

root@krystianek:~# mkfs.ext4 /dev/mapper/usbencrypted
mke2fs 1.41.14 (22-Dec-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
187312 inodes, 748773 blocks
37438 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=767557632
23 block groups
32768 blocks per group, 32768 fragments per group
8144 inodes per group
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912

Writing inode tables: done                           
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
root@krystianek:~# mount /dev/mapper/usbencrypted /mnt/hd1/
root@krystianek:~# ls -l /mnt/hd1/
total 16
drwx------ 2 root root 16384 2011-10-16 20:12 lost+found

Now you can start copying files to that filesystem.

Unmounting/closing the encrypted partition

To unmount and close the encrypted partition, run:

root@krystianek:~# umount /mnt/hd1/
root@krystianek:~# cryptsetup --verbose luksClose usbencrypted
Command successful.
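The whole sequence shown in this post (luksFormat, luksOpen, mkfs.ext4, mount, and later umount and luksClose) wrapped into a few POSIX sh functions with the checks an administrator wants before running an irreversible luksFormat. This is an added example, not code from the original post or from the cryptsetup project; the device /dev/sdb2, the alias usbencrypted and the mount point /mnt/hd1 in the usage lines are assumed values taken from the session above.

```shell
#!/bin/sh
# Added example, not code from the original post: a POSIX sh wrapper around
# the LUKS workflow shown above (luksFormat, luksOpen, mkfs.ext4, mount,
# umount, luksClose) with the checks an administrator wants before touching a
# block device. DRY_RUN=1 (the default) only prints the commands it would run;
# DRY_RUN=0 executes them and must then run as root. The device, mapper alias
# and mount point in the usage lines at the bottom are assumed values.

DRY_RUN="${DRY_RUN:-1}"
KEY_SIZE="${KEY_SIZE:-256}"   # key length in bits, as used in the post

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# valid_mapper_name NAME: the alias becomes /dev/mapper/NAME, so reject an
# empty name and anything containing '/' or whitespace.
valid_mapper_name() {
    case "$1" in
        ''|*/*|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# device_in_use DEVICE: true if DEVICE appears as a mounted source in
# /proc/mounts (formatting a mounted partition destroys a live filesystem).
device_in_use() {
    grep -q "^$1 " /proc/mounts 2>/dev/null
}

# check_target DEVICE: the device must exist as a block device and must not
# be mounted. Skipped in dry-run mode so the plan can be shown on any machine.
check_target() {
    [ "$DRY_RUN" = 1 ] && return 0
    [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
    if device_in_use "$1"; then
        echo "$1 is mounted; unmount it first" >&2
        return 1
    fi
    return 0
}

# luks_open DEVICE NAME: refuse to open a device without a LUKS header, then
# map it to /dev/mapper/NAME (cryptsetup prompts for the passphrase itself).
luks_open() {
    valid_mapper_name "$2" || { echo "bad mapper name: $2" >&2; return 1; }
    run cryptsetup isLuks "$1" || { echo "$1 has no LUKS header" >&2; return 1; }
    run cryptsetup --verbose luksOpen "$1" "$2"
}

# luks_mount NAME MOUNTPOINT: mount the opened mapping.
luks_mount() {
    run mkdir -p "$2" && run mount "/dev/mapper/$1" "$2"
}

# luks_create DEVICE NAME MOUNTPOINT: the post's full creation sequence.
# luksFormat itself asks for the uppercase YES and for the new passphrase.
luks_create() {
    valid_mapper_name "$2" || { echo "bad mapper name: $2" >&2; return 1; }
    check_target "$1" || return 1
    run cryptsetup --verbose --key-size "$KEY_SIZE" luksFormat "$1" || return 1
    luks_open "$1" "$2" || return 1
    run mkfs.ext4 "/dev/mapper/$2" || return 1
    luks_mount "$2" "$3"
}

# luks_close NAME MOUNTPOINT: unmount first, then drop the mapping; closing
# while still mounted fails because the device is busy.
luks_close() {
    [ "$DRY_RUN" = 1 ] || [ -e "/dev/mapper/$1" ] || {
        echo "no active mapping /dev/mapper/$1" >&2; return 1; }
    run umount "$2" || return 1
    run cryptsetup --verbose luksClose "$1"
}

# Usage with the post's (assumed) values; with the default DRY_RUN=1 this only
# prints the plan for the setup and the teardown.
luks_create /dev/sdb2 usbencrypted /mnt/hd1
luks_close usbencrypted /mnt/hd1
```

Run it once with the default DRY_RUN=1 to read the exact commands it would issue, then with DRY_RUN=0 as root against the intended device. The checks are the ones that matter in practice: refusing a target that is not a block device or is currently mounted before luksFormat, verifying a LUKS header with cryptsetup isLuks before luksOpen, and always unmounting before luksClose, in the same order the post uses.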

The next time you attach the USB stick you should be prompted for the passphrase automatically.
