Difference between revisions of "Ubuntu 22.04 LVM encryption using LUKS"

From Notes_Wiki
(7 intermediate revisions by one other user not shown)
Line 8: Line 8:


<pre>
<pre>
# sudo umount <mount-point>
sudo umount <mount-point>
</pre>
</pre>


=== Format the Volume with LUKS Encryption ===
=== Format the Volume with LUKS Encryption ===
Use `cryptsetup` to encrypt the logical volume:
Use '''cryptsetup''' to encrypt the logical volume:


<pre>
<pre>
# sudo cryptsetup luksFormat <lvm-path>
sudo cryptsetup luksFormat <lvm-path>
</pre>
</pre>


Line 22: Line 22:


<pre>
<pre>
# sudo cryptsetup open <lvm-path> data_crypt
sudo cryptsetup open <lvm-path> data_crypt
</pre>
</pre>


Line 29: Line 29:


<pre>
<pre>
# sudo mkfs.ext4 /dev/mapper/data_crypt
sudo mkfs.ext4 /dev/mapper/data_crypt
</pre>
</pre>


Line 37: Line 37:


<pre>
<pre>
# sudo blkid <lvm-path>
sudo blkid <lvm-path>
</pre>
</pre>


Line 43: Line 43:


<pre>
<pre>
# sudo nano /etc/crypttab
sudo nano /etc/crypttab
</pre>
</pre>


Line 56: Line 56:


<pre>
<pre>
# sudo nano /etc/fstab
sudo nano /etc/fstab
</pre>
</pre>


Line 87: Line 87:


<pre>
<pre>
# sudo update-grub
sudo update-grub
</pre>
</pre>


* After updating GRUB, the system now prompts for the LUKS passphrase in the command-line interface during boot
* After updating GRUB, the system now prompts for the LUKS passphrase in the command-line interface during boot


=== Reboot ===
== Reboot ==
Reboot the system to test if the encrypted volume mounts correctly and asks for the passphrase:
Reboot the system to test if the encrypted volume mounts correctly and asks for the passphrase:


<pre>
<pre>
# sudo reboot
sudo reboot
</pre>
</pre>
==Change encryption password==
To change encryption password use:
# Use following command to list devices and see which device is being used by crypt for LUKS based encryption:
#:<pre>
#:: lsblk -f
#:</pre>
# Change password using:
#:<pre>
#:: sudo cryptsetup luksChangeKey <device-name>
#:</pre>
===Other option===
# Other option is to look at LUKS keyslots via:
#:<pre>
#:: sudo cryptsetup luksDump <device-name>
#:</pre>
# Add a new passphrase in new key slot:
#:<pre>
#::  sudo cryptsetup luksAddKey <device-name>
#:</pre>
# Test the new password via reboot (or umount / mount)
# Remove old passphrase via:
#:<pre>
#:: sudo cryptsetup luksRemoveKey <device-name>
#:</pre>
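Review bot: the new-side heading `== Reboot ==` is level 2 while the sibling step headings, such as `=== Format the Volume with LUKS Encryption ===`, stay at level 3, so Reboot no longer nests with the other steps; keep it as `=== Reboot ===` unless the promotion is intended. In the added "Change encryption password" section, `<device-name>` is never tied back to the `<lvm-path>` placeholder used with luksFormat and open earlier on the page; say which of the devices listed by `lsblk -f` to pass, so readers do not try the command against `/dev/mapper/data_crypt`.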

Latest revision as of 04:25, 11 August 2025


To configure encryption on an empty LVM logical volume in Ubuntu 22.04 (also works on Ubuntu 24.04) after OS installation, follow these steps:

Encrypting and Mounting a Logical Volume with LUKS

  • If the logical volume is already mounted, unmount it:
    sudo umount <mount-point>

Format the Volume with LUKS Encryption

Use cryptsetup to encrypt the logical volume:

sudo cryptsetup luksFormat <lvm-path>

Open the Encrypted Volume

Open the LUKS volume and map it to a device name (e.g., `data_crypt`):

sudo cryptsetup open <lvm-path> data_crypt

Create Filesystem

Format the mapped encrypted volume with the ext4 filesystem:

sudo mkfs.ext4 /dev/mapper/data_crypt

Configure crypttab

  • Find the UUID of the encrypted device:
    sudo blkid <lvm-path>
  • Edit /etc/crypttab and add an entry like the following:
    sudo nano /etc/crypttab

Example content:

data_crypt UUID=82e544db-2c86-46ad-86cd-081e61d9d48c none luks

Configure fstab

Edit /etc/fstab to mount the decrypted volume at boot:

sudo nano /etc/fstab

Example content:

/dev/mapper/data_crypt /mnt/data1 ext4 defaults 0 2

Update Initramfs

Update the initramfs so the system can unlock the volume during boot:

sudo update-initramfs -u

Modify GRUB

sudo nano /etc/default/grub
  • Remove the quiet splash parameters from the following line:
    GRUB_CMDLINE_LINUX_DEFAULT=""
  • Update GRUB:
    sudo update-grub
  • After updating GRUB, the system now prompts for the LUKS passphrase in the command-line interface during boot.

Reboot

Reboot the system to test if the encrypted volume mounts correctly and asks for the passphrase:

sudo reboot
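
A typo in /etc/crypttab or /etc/fstab only shows up at the next boot, so it helps to cross-check the entries configured above before rebooting. The following is an added example, not part of the original wiki page: the function name check_crypt_config and the device path /dev/vg0/data are assumptions, and the demo runs on constructed copies of the page's example lines rather than the live files.

```shell
#!/bin/sh
# Added example: cross-check crypttab, fstab and blkid output before rebooting.
# check_crypt_config CRYPTTAB FSTAB BLKID_OUTPUT  (hypothetical helper name)
# Prints one line per problem; returns 0 when consistent, 1 otherwise.
check_crypt_config() {
    crypttab=$1; fstab=$2; blkid_out=$3; rc=0
    # crypttab fields: <name> <source> <keyfile> <options>
    while read -r name src _rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        case $src in
            UUID=*) uuid=${src#UUID=} ;;
            *) echo "crypttab: $name: source is not UUID=..."; rc=1; continue ;;
        esac
        # The UUID must be the LUKS container's (TYPE="crypto_LUKS"),
        # not that of the ext4 filesystem inside the mapping.
        if ! grep -F " UUID=\"$uuid\"" "$blkid_out" | grep -qF 'TYPE="crypto_LUKS"'; then
            echo "crypttab: $name: UUID $uuid is not a crypto_LUKS device"; rc=1
        fi
        # fstab must mount the mapped device /dev/mapper/<name>.
        if ! awk -v d="/dev/mapper/$name" '$1 == d {f=1} END {exit !f}' "$fstab"; then
            echo "fstab: no entry for /dev/mapper/$name"; rc=1
        fi
    done < "$crypttab"
    return $rc
}

# Demo on constructed copies of the page's example lines (not the live files).
tmp=$(mktemp -d)
echo 'data_crypt UUID=82e544db-2c86-46ad-86cd-081e61d9d48c none luks' > "$tmp/crypttab"
echo '/dev/mapper/data_crypt /mnt/data1 ext4 defaults 0 2' > "$tmp/fstab"
# Constructed blkid line; /dev/vg0/data is a placeholder for <lvm-path>.
echo '/dev/vg0/data: UUID="82e544db-2c86-46ad-86cd-081e61d9d48c" TYPE="crypto_LUKS"' > "$tmp/blkid"
check_crypt_config "$tmp/crypttab" "$tmp/fstab" "$tmp/blkid" && echo "consistent"
rm -rf "$tmp"
```

On a real system, save the output of sudo blkid <lvm-path> to a file and pass it as the third argument together with /etc/crypttab and /etc/fstab.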


Change encryption password

To change the encryption password:

  1. Use the following command to list devices and see which device is being used by crypt for LUKS-based encryption:
    lsblk -f
  2. Change the password using:
    sudo cryptsetup luksChangeKey <device-name>

Other option

  1. The other option is to look at the LUKS keyslots via:
    sudo cryptsetup luksDump <device-name>
  2. Add a new passphrase in a new key slot:
    sudo cryptsetup luksAddKey <device-name>
  3. Test the new password via reboot (or umount / mount).
  4. Remove the old passphrase via:
    sudo cryptsetup luksRemoveKey <device-name>