Pareto Security

Encryption is on

Time to fix: < 30m

What

Disk encryption protects the data on your storage devices using LUKS (Linux Unified Key Setup). This ensures that your files remain secure even if your device is stolen or accessed physically.

Why you should enable disk encryption

If someone steals your laptop or gains physical access to your storage device, and your disk is not encrypted, all documents, photos, and other files can be easily extracted from the disk.

Repair shops, data recovery services, or anyone with physical access can easily read all files from unencrypted drives. Encryption ensures your data remains protected even when your device is out of your control.

Check if encryption is already enabled

First, check if your system already has disk encryption enabled:

lsblk -f

Look for "crypto_LUKS" in the FSTYPE column. If present, your disk is already encrypted.

sudo cryptsetup status /dev/mapper/luks-*

This shows details about the active encrypted volume (cipher, key size, backing device). The "luks-*" glob only works when exactly one mapping matches; otherwise pass the mapped device name shown under /dev/mapper (the NAME column of lsblk) explicitly.
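A scriptable version of the check above, added here as an example and not part of the Pareto Security page: it asks findmnt for the device behind a mount point, then walks that device's parent chain with "lsblk -s" looking for a dm-crypt layer, so a plaintext root next to a single encrypted data partition is not mistaken for an encrypted system. It also inspects active swap, which the notes further down say should be encrypted as well. Assumes util-linux findmnt, lsblk and swapon are available.

```shell
#!/bin/sh
# Added example, not the Pareto Security page's own check: report whether a
# mounted filesystem (and active swap) sits on a dm-crypt/LUKS layer.

# chain_has_crypt: read device TYPE lines on stdin, as printed by
# `lsblk -sno TYPE <dev>` (the device followed by its parents, e.g.
# "crypt", "part", "disk"); succeed if any layer is a dm-crypt mapping.
chain_has_crypt() {
    while read -r layer; do
        [ "$layer" = "crypt" ] && return 0
    done
    return 1
}

# device_encrypted DEV: ask the live system for DEV's ancestor chain.
device_encrypted() {
    lsblk -sno TYPE "$1" 2>/dev/null | chain_has_crypt
}

# mount_verdict MOUNTPOINT: exit status 0 = encrypted, 1 = plaintext,
# 2 = not mounted.
mount_verdict() {
    src=$(findmnt -no SOURCE "$1") || { echo "$1: not mounted"; return 2; }
    src=${src%%\[*}   # drop a btrfs "[/subvol]" suffix before asking lsblk
    if device_encrypted "$src"; then
        echo "$1 ($src): encrypted (dm-crypt layer in device chain)"
    else
        echo "$1 ($src): NOT encrypted"
        return 1
    fi
}

# swap_verdict: every active swap area must also be on dm-crypt, since
# swapped-out memory can hold keys and plaintext file contents.
swap_verdict() {
    rc=0
    for dev in $(swapon --noheadings --show=NAME 2>/dev/null); do
        # a swap file inherits the encryption of the filesystem holding it
        [ -f "$dev" ] && dev=$(findmnt -no SOURCE --target "$dev")
        if device_encrypted "$dev"; then
            echo "swap $dev: encrypted"
        else
            echo "swap $dev: NOT encrypted"; rc=1
        fi
    done
    return $rc
}

# Usage: sh luks-check.sh / /home   (no arguments: only define the functions)
if [ $# -gt 0 ]; then for mp in "$@"; do mount_verdict "$mp"; done; swap_verdict; fi
```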

How to enable disk encryption

Option 1: During Installation (Recommended)

The easiest way to enable encryption is during the initial OS installation:

  • Ubuntu/Debian: Select "Encrypt the new Ubuntu installation" during partitioning
  • Fedora: Check "Encrypt my data" in the Installation Destination screen
  • Arch Linux: Set up LUKS manually during installation using cryptsetup
  • openSUSE: Enable "Encrypt System" in the partitioning step

Option 2: Encrypt Existing System (Advanced)

Warning

Encrypting an existing system is complex and risky. Always back up all important data before attempting this process. Consider reinstalling with encryption instead.

For existing systems, the process involves:

  1. Create a full backup of your system
  2. Boot from a live USB/CD
  3. Shrink existing partition to make space
  4. Set up LUKS encryption and migrate data
  5. Update bootloader configuration

Managing Encryption Keys

LUKS supports multiple keys for accessing encrypted volumes:

Add a backup key:

sudo cryptsetup luksAddKey /dev/sdX

List key slots:

sudo cryptsetup luksDump /dev/sdX | grep "Key Slot"

The "Key Slot N: ENABLED" lines matched here are LUKS1 output; on a LUKS2 header (the default on current distributions) the used slots appear as numbered entries under the "Keyslots:" section of the unfiltered luksDump output.

Remove a key (you will be prompted for the passphrase of the key to remove):

sudo cryptsetup luksRemoveKey /dev/sdX

Recovery and Backup

Create a backup of your LUKS header (critical for recovery):

sudo cryptsetup luksHeaderBackup /dev/sdX --header-backup-file luks-header-backup.img

Store this backup file in a safe location separate from your encrypted device.

Pro Tips

  • Use a strong, memorable passphrase rather than a short password
  • Consider setting up multiple key slots for different recovery scenarios
  • Some distributions support TPM integration for automatic unlocking
  • Test your recovery process in a virtual machine first

Important Notes

  • Forgotten passphrases cannot be recovered without a backup key
  • LUKS header corruption can make data inaccessible - keep backups
  • Encryption adds minimal performance overhead on modern systems
  • Swap partitions should also be encrypted to prevent key leakage