Ubuntu 22.04 LVM encryption using LUKS
From Notes_Wiki
To configure encryption on an empty LVM logical volume in Ubuntu 22.04 '''(also works on Ubuntu 24.04)''' after OS installation, follow these steps:
== Encrypting and Mounting a Logical Volume with LUKS ==
* If the logical volume is already mounted, unmount it:
<pre>
sudo umount <mount-point>
</pre>
=== Format the Volume with LUKS Encryption ===
Use '''cryptsetup''' to encrypt the logical volume. '''luksFormat''' writes a new LUKS header and irrevocably overwrites data on the volume, so run it only on an empty volume:
<pre>
sudo cryptsetup luksFormat <lvm-path>
</pre>
=== Open the Encrypted Volume ===
Open the LUKS volume and map it to a device name (e.g., '''data_crypt'''):
<pre>
sudo cryptsetup open <lvm-path> data_crypt
</pre>
=== Create Filesystem ===
Format the mapped encrypted volume with the ext4 filesystem:
<pre>
sudo mkfs.ext4 /dev/mapper/data_crypt
</pre>
== Configure crypttab ==
* Find the '''UUID''' of the encrypted device (the LUKS container on the logical volume, not the filesystem on '''/dev/mapper/data_crypt'''):
<pre>
sudo blkid <lvm-path>
</pre>
* Edit '''/etc/crypttab''' and add an entry like the following:
<pre>
sudo nano /etc/crypttab
</pre>
Example content:
<pre>
data_crypt UUID=82e544db-2c86-46ad-86cd-081e61d9d48c none luks
</pre>
The fields are the mapped name, the source device, the key file ('''none''' means the passphrase is prompted for), and the options.
== Configure fstab ==
Edit '''/etc/fstab''' to mount the decrypted volume at boot:
<pre>
sudo nano /etc/fstab
</pre>
Example content:
<pre>
/dev/mapper/data_crypt /mnt/data1 ext4 defaults 0 2
</pre>
== Update Initramfs ==
Update the initramfs so the system can unlock the volume during boot:
<pre>
sudo update-initramfs -u
</pre>
== Modify GRUB ==
* Edit '''/etc/default/grub''':
<pre>
sudo nano /etc/default/grub
</pre>
* Remove the '''quiet splash''' parameters from the following line so that it reads:
<pre>
GRUB_CMDLINE_LINUX_DEFAULT=""
</pre>
* Update GRUB:
<pre>
sudo update-grub
</pre>
* After updating GRUB, the system prompts for the LUKS passphrase in the command-line interface during boot.
== Reboot ==
Reboot the system to test whether it asks for the passphrase and mounts the encrypted volume correctly:
<pre>
sudo reboot
</pre>
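A mismatch between the crypttab UUID and the LUKS container, or a missing fstab line, only shows up at the next boot, so the two files can be cross-checked before the reboot step. The script below is an added example, not part of the original page; the function names and return codes are introduced here, and the demo runs on constructed copies of the page's example lines.

```sh
#!/bin/sh
# Added example (not from the original page): cross-check /etc/crypttab and
# /etc/fstab before rebooting. File paths are parameters so it runs on copies.

# crypttab_uuid NAME FILE: print the UUID configured for mapping NAME.
crypttab_uuid() {
    awk -v n="$1" '$1 == n && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }' "$2"
}

# fstab_uses_mapper NAME FILE: succeed if a line mounts /dev/mapper/NAME.
fstab_uses_mapper() {
    awk -v d="/dev/mapper/$1" '$1 == d { found = 1 } END { exit !found }' "$2"
}

# check_boot_config NAME LUKS_UUID CRYPTTAB FSTAB
# Returns 0 if consistent, 1 no crypttab entry, 2 UUID mismatch, 3 no fstab line.
check_boot_config() {
    name=$1; want=$2
    got=$(crypttab_uuid "$name" "$3")
    if [ -z "$got" ]; then
        echo "crypttab: no UUID= entry for $name" >&2; return 1
    fi
    if [ "$got" != "$want" ]; then
        echo "crypttab: UUID $got does not match LUKS UUID $want" >&2; return 2
    fi
    if ! fstab_uses_mapper "$name" "$4"; then
        echo "fstab: nothing mounts /dev/mapper/$name" >&2; return 3
    fi
    return 0
}

# Demo on constructed copies of the page's example lines (no root needed).
demo() {
    d=$(mktemp -d)
    echo 'data_crypt UUID=82e544db-2c86-46ad-86cd-081e61d9d48c none luks' > "$d/crypttab"
    echo '/dev/mapper/data_crypt /mnt/data1 ext4 defaults 0 2' > "$d/fstab"
    check_boot_config data_crypt 82e544db-2c86-46ad-86cd-081e61d9d48c "$d/crypttab" "$d/fstab"
    rc=$?; rm -rf "$d"; return $rc
}
demo && echo "crypttab and fstab are consistent"

# On the real system (as root), with <lvm-path> being the logical volume:
#   check_boot_config data_crypt "$(blkid -s UUID -o value <lvm-path>)" /etc/crypttab /etc/fstab
```

Return code 2 is the case where the filesystem UUID of the mapped device was pasted into crypttab instead of the UUID of the LUKS container.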
== Change encryption password ==
To change the encryption password:
# Use the following command to list devices and see which device is used for LUKS-based encryption (its FSTYPE is shown as '''crypto_LUKS'''):
#:<pre>
#:: lsblk -f
#:</pre>
# Change the password using:
#:<pre>
#:: sudo cryptsetup luksChangeKey <device-name>
#:</pre>
=== Other option ===
# The other option is to look at the LUKS keyslots via:
#:<pre>
#:: sudo cryptsetup luksDump <device-name>
#:</pre>
# Add a new passphrase in a new key slot:
#:<pre>
#:: sudo cryptsetup luksAddKey <device-name>
#:</pre>
# Test the new password via reboot (or umount / mount)
# Remove the old passphrase via:
#:<pre>
#:: sudo cryptsetup luksRemoveKey <device-name>
#:</pre>
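The add, test and remove sequence above can be guarded so the old passphrase is removed only when a second keyslot exists and the new passphrase has been verified. The script below is an added example, not part of the original page; <code>active_keyslots</code> and <code>safe_remove_old_key</code> are names introduced here, the sample dump is constructed and abbreviated, and the verification uses <code>cryptsetup open --test-passphrase</code>, which checks a passphrase without mapping the device.

```sh
#!/bin/sh
# Added example (not from the original page): guard the add/test/remove
# key rotation so the old passphrase is only removed once it is safe.

# active_keyslots: read `cryptsetup luksDump` text on stdin and print the
# number of active keyslots. Handles LUKS2 ("  0: luks2" under "Keyslots:")
# and LUKS1 ("Key Slot 0: ENABLED").
active_keyslots() {
    awk '
        /^Keyslots:/                    { in_ks = 1; next }
        /^[^ \t]/                       { in_ks = 0 }
        in_ks && /^[ \t]+[0-9]+: luks2/ { n++ }
        /^Key Slot [0-9]+: ENABLED/     { n++ }
        END                             { print n + 0 }
    '
}

# Constructed, abbreviated LUKS2 dump with two active keyslots (sample data).
SAMPLE_DUMP='Version:        2
Data segments:
  0: crypt
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

# safe_remove_old_key DEVICE (run as root on the real LUKS device)
safe_remove_old_key() {
    dev=$1
    slots=$(cryptsetup luksDump "$dev" | active_keyslots)
    if [ "$slots" -lt 2 ]; then
        echo "refusing: only $slots active keyslot(s) on $dev" >&2
        return 1
    fi
    echo "Enter the NEW passphrase to verify it without mapping the device:" >&2
    cryptsetup open --test-passphrase "$dev" || return 2
    echo "Enter the OLD passphrase to remove it:" >&2
    cryptsetup luksRemoveKey "$dev"
}

# Stand-alone run: parse the constructed sample only (no device is touched).
printf '%s\n' "$SAMPLE_DUMP" | active_keyslots
```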
Latest revision as of 04:25, 11 August 2025