dotlinux blog

Encrypt Disks with Parted and LUKS in Linux

In an era where data breaches and unauthorized access are rampant, securing sensitive data at rest is non-negotiable. Disk encryption is a critical layer of defense, ensuring that even if physical access to a storage device is compromised, the data remains unreadable without the decryption key.

In Linux, two powerful tools facilitate this process: Parted (for disk partitioning) and LUKS (Linux Unified Key Setup) (for encryption). Parted simplifies creating and managing disk partitions, while LUKS provides a standardized, secure framework for encrypting entire partitions. Together, they form a robust solution for protecting data on internal or external drives.

This blog will guide you through encrypting a disk step-by-step, from partitioning with Parted to setting up LUKS encryption, mounting the encrypted volume, and configuring automount on boot.

2026-03

Table of Contents

  1. Prerequisites
  2. Understanding Parted and LUKS
    • 2.1 What is Parted?
    • 2.2 What is LUKS?
  3. Step-by-Step Guide to Encrypt a Disk
    • 3.1 Identify the Target Disk
    • 3.2 Partition the Disk with Parted
    • 3.3 Set Up LUKS Encryption
    • 3.4 Open the Encrypted Partition
    • 3.5 Format and Mount the Encrypted Volume
    • 3.6 Automount the Encrypted Volume on Boot
  4. Troubleshooting Common Issues
  5. Conclusion
  6. References

Prerequisites

Before starting, ensure you have:

  • A Linux system (tested on Ubuntu 22.04, CentOS 9, and Fedora 38).
  • Root or sudo access (required for partitioning and encryption operations).
  • A disk to encrypt (e.g., an external USB drive, secondary internal SSD, or empty partition). Warning: Encrypting the wrong disk will erase data—double-check the disk identifier!
  • Basic familiarity with the Linux terminal.
  • Tools preinstalled: parted (partitioning), cryptsetup (LUKS management), and a filesystem tool (e.g., mkfs.ext4 for ext4, mkfs.xfs for XFS).

Understanding Parted and LUKS

2.1 What is Parted?

Parted is a command-line utility for creating, resizing, and managing disk partitions. It supports both MBR (Master Boot Record) and GPT (GUID Partition Table) partition schemes, making it versatile for modern systems. Key features include:

  • Creating/deleting partitions.
  • Resizing partitions without data loss (with caution).
  • Setting partition labels and types (e.g., "crypt" for LUKS).

2.2 What is LUKS?

LUKS is the de facto standard for disk encryption in Linux. It encrypts entire partitions using a master key, which is itself encrypted with a user-provided passphrase or key file. Key advantages:

  • Standardization: Works across most Linux distributions.
  • Multiple key slots: Allows up to 8 passphrases/keys for a single encrypted volume (useful for recovery).
  • Header protection: Stores encryption metadata (e.g., algorithm, key slots) in a header, making it easy to back up.

Step-by-Step Guide to Encrypt a Disk

3.1 Identify the Target Disk

First, list all disks and partitions to identify the target device. Use lsblk (list block devices) or fdisk -l:

lsblk   # Lists all disks (e.g., /dev/sda, /dev/sdb) and partitions (e.g., /dev/sda1)

Example Output:

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda      8:0    0 238.5G  0 disk 
├─sda1   8:1    0   512M  0 part /boot/efi
└─sda2   8:2    0 238G    0 part /
sdb      8:16   0  100G   0 disk  # <-- This is our target disk (external USB drive)

In this example, the target disk is /dev/sdb (no partitions yet). Confirm the disk path—using the wrong disk (e.g., /dev/sda) will erase your OS!
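
A pre-flight check for this step, added here as an example (it is not part of the original guide): the shell function below parses lsblk -P output and refuses a target that is not a whole disk or that has anything mounted beneath it, including open LUKS mappings. The function name, exit codes and sample listing are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: refuse an encryption target that is (or contains) anything in use.

# Constructed sample in `lsblk -P -n -o NAME,PKNAME,TYPE,MOUNTPOINT` format,
# mirroring the example output above.
SAMPLE_LSBLK='NAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
NAME="sdb" PKNAME="" TYPE="disk" MOUNTPOINT=""'

# check_target DISK [LSBLK_TEXT]   (hypothetical helper, not a system tool)
# Exit status: 0 safe, 2 not found, 3 not a whole disk, 4 mounted or active swap.
check_target() {
    disk=${1#/dev/}
    listing=${2:-$(lsblk -P -n -o NAME,PKNAME,TYPE,MOUNTPOINT)}
    printf '%s\n' "$listing" | awk -v disk="$disk" '
        function field(key,   s) {             # value of key="value" on this line
            s = " " $0
            if (!match(s, " " key "=\"[^\"]*\"")) return ""
            s = substr(s, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
            return s
        }
        BEGIN { member[disk] = 1 }
        {
            name = field("NAME"); parent = field("PKNAME")
            # lsblk lists parents before children, so membership propagates
            # from the disk to partitions and on to open LUKS mappings.
            if (parent in member) member[name] = 1
            if (name == disk) { found = 1; dtype = field("TYPE") }
            mnt = field("MOUNTPOINT")
            if ((name in member) && mnt != "") busy = busy " " name ":" mnt
        }
        END {
            if (!found)          { print "REFUSE: " disk " not found"; exit 2 }
            if (dtype != "disk") { print "REFUSE: " disk " is type " dtype; exit 3 }
            if (busy != "")      { print "REFUSE: in use ->" busy; exit 4 }
            print "OK: " disk " and its children are not mounted"
        }'
}
```

Called with only a device name (check_target /dev/sdb), it reads the live lsblk listing instead of the sample.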

3.2 Partition the Disk with Parted

Use parted to create a new partition on the target disk. We’ll use GPT (recommended for modern systems) and a single partition for encryption.

Step 3.2.1 Launch Parted

Run parted with the target disk:

sudo parted /dev/sdb

You’ll enter the Parted interactive shell.

Step 3.2.2 Create a GPT Partition Table

If the disk has an existing partition table (e.g., MBR), erase it and create a GPT table:

(parted) mklabel gpt   # Creates a GPT partition table (erases existing data!)

Step 3.2.3 Create a Partition

Create a primary partition spanning the entire disk. Use mkpart with:

  • Partition name (e.g., "encrypted_data").
  • Filesystem type (use ext4 as a placeholder; LUKS will overwrite this).
  • Start and end positions (use 1MiB for alignment and 100% to use the full disk).

(parted) mkpart "encrypted_data" ext4 1MiB 100%

Tag the partition as a LUKS-encrypted volume using set. The flag is only a label for partitioning tools; cryptsetup does not depend on it:

(parted) set 1 luks on   # "1" is the partition number; "luks" marks it as encrypted

Step 3.2.5 Verify the Partition

Check the new partition with print:

(parted) print

Example Output:

Model: SanDisk Ultra (scsi)
Disk /dev/sdb: 100GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name            Flags
 1      1049kB  100GB   100GB   ext4         encrypted_data  luks

Exit Parted:

(parted) quit

The new partition is now /dev/sdb1 (replace sdb with your disk).

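3.3 Set Up LUKS Encryption

Use cryptsetup to encrypt the partition with LUKS. luksFormat writes a new LUKS header and makes any existing data on the partition inaccessible, so back up data first if needed. It does not wipe the rest of the partition, so plaintext previously stored there stays on the disk until it is overwritten.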

Step 3.3.1 Initialize LUKS on the Partition

Run cryptsetup luksFormat to create a LUKS header and encrypt the partition:

sudo cryptsetup luksFormat /dev/sdb1

Warning: This will erase all data on /dev/sdb1. Type YES (uppercase) to confirm, then enter a strong passphrase (12+ characters, mix of letters, numbers, and symbols).

Step 3.3.2 Verify LUKS Setup

Check the LUKS header to confirm encryption:

sudo cryptsetup luksDump /dev/sdb1

This displays details like encryption algorithm (default: aes-xts-plain64), key slots, and UUID.

3.4 Open the Encrypted Partition

To access the encrypted data, "open" the partition with cryptsetup open, which maps it to a virtual device under /dev/mapper/.

Choose a mapper name (e.g., my_encrypted_disk):

sudo cryptsetup open /dev/sdb1 my_encrypted_disk

Enter the passphrase when prompted. The encrypted volume is now accessible at /dev/mapper/my_encrypted_disk.

3.5 Format and Mount the Encrypted Volume

The encrypted volume is a raw block device—format it with a filesystem (e.g., ext4) and mount it.

Step 3.5.1 Format the Volume

Use mkfs.ext4 (or mkfs.xfs, mkfs.btrfs, etc.):

sudo mkfs.ext4 /dev/mapper/my_encrypted_disk

Step 3.5.2 Mount the Volume

Create a mount point (e.g., /mnt/encrypted_data) and mount the volume:

sudo mkdir -p /mnt/encrypted_data
sudo mount /dev/mapper/my_encrypted_disk /mnt/encrypted_data

Verify the mount:

df -h /mnt/encrypted_data

Example Output:

Filesystem                   Size  Used Avail Use% Mounted on
/dev/mapper/my_encrypted_disk  98G   60M   93G   1% /mnt/encrypted_data

3.6 Automount the Encrypted Volume on Boot

To avoid manually opening and mounting the volume after reboot, configure crypttab (for LUKS) and fstab (for mounting).

Step 3.6.1 Get the Partition UUID

crypttab identifies the encrypted volume by the UUID stored in its LUKS header, which blkid reports in the UUID field (not PARTUUID). Find it with:

sudo blkid /dev/sdb1

Example Output:

/dev/sdb1: UUID="1234-ABCD-5678-EFGH" TYPE="crypto_LUKS" PARTLABEL="encrypted_data" PARTUUID="..."

Copy the UUID (e.g., 1234-ABCD-5678-EFGH).

Step 3.6.2 Edit /etc/crypttab

crypttab defines encrypted volumes to open at boot. Add a line:

sudo nano /etc/crypttab

Add:

my_encrypted_disk  UUID=1234-ABCD-5678-EFGH  none  luks

  • my_encrypted_disk: Mapper name (must match the one used in cryptsetup open).
  • UUID=...: The LUKS partition’s UUID.
  • none: No key file (use passphrase; for key files, specify the path here).
  • luks: Required for LUKS volumes.

Step 3.6.3 Edit /etc/fstab

fstab defines mount points. Add a line to mount the encrypted volume:

sudo nano /etc/fstab

Add:

/dev/mapper/my_encrypted_disk  /mnt/encrypted_data  ext4  defaults  0  2

  • defaults: Mount options (read/write, etc.).
  • 0: Dump frequency (0 = no dump).
  • 2: Filesystem check order (2 = check after root).

Step 3.6.4 Test Automount

Reboot and verify the volume mounts automatically. You’ll be prompted for the passphrase during boot (unless using a key file).

Troubleshooting Common Issues

  • "No such device or address" when opening LUKS:
    Ensure the partition path (e.g., /dev/sdb1) is correct. Use lsblk to confirm the disk/partition exists.

  • Forgotten passphrase:
    LUKS cannot recover a lost passphrase. If you added multiple key slots, use a backup passphrase. Otherwise, the data is irrecoverable.

  • Automount fails:
    Check crypttab and fstab for typos (UUID, mapper name, mount point). Run sudo mount -a to test fstab entries.

  • "Device is busy" when formatting:
    Ensure the volume is not mounted. Use sudo umount /mnt/encrypted_data if needed.
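
The typo checks suggested for crypttab and fstab (section 3.6 and the "Automount fails" item above), as an added example that is not part of the original guide: a small linter that cross-checks the two files for a malformed UUID and for mapper names that do not match. The function name and sample lines are constructed; the 1234-ABCD-5678-EFGH placeholder used in the text is itself flagged, because a real LUKS UUID has the 8-4-4-4-12 hexadecimal form.

```shell
#!/bin/sh
# Added example: cross-check crypttab and fstab text for typos that break automount.

# Constructed samples. GOOD_CRYPTTAB uses a made-up but well-formed UUID;
# PAGE_CRYPTTAB is the placeholder line from the text.
GOOD_CRYPTTAB='my_encrypted_disk  UUID=0f3c2a1e-5b7d-4c9a-8e21-6a4b9d7c1f02  none  luks'
PAGE_CRYPTTAB='my_encrypted_disk  UUID=1234-ABCD-5678-EFGH  none  luks'
GOOD_FSTAB='/dev/mapper/my_encrypted_disk  /mnt/encrypted_data  ext4  defaults  0  2'
TYPO_FSTAB='/dev/mapper/my_encrypted_dsk  /mnt/encrypted_data  ext4  defaults  0  2'

# lint_automount CRYPTTAB_TEXT FSTAB_TEXT   (hypothetical helper)
# Prints one line per finding; exit status is 0 when clean, 1 on any PROBLEM.
lint_automount() {
    printf '%s\n=====\n%s\n' "$1" "$2" | awk '
        function bad(msg) { print "PROBLEM: " msg; problems++ }
        function is_uuid(u,   p, n) {
            # 8-4-4-4-12 hex digits, checked without regex intervals (mawk-safe).
            n = split(u, p, "-")
            return n == 5 && u ~ /^[0-9A-Fa-f-]+$/ && length(p[1]) == 8 &&
                   length(p[2]) == 4 && length(p[3]) == 4 &&
                   length(p[4]) == 4 && length(p[5]) == 12
        }
        /^=====$/                       { in_fstab = 1; next }
        /^[ \t]*#/ || /^[ \t]*$/        { next }   # comments and blank lines
        !in_fstab {
            mapped[$1] = 1
            if (NF < 2) bad("crypttab entry " $1 " has no source device")
            else if ($2 ~ /^UUID=/ && !is_uuid(substr($2, 6)))
                bad("crypttab " $1 ": malformed UUID " substr($2, 6))
            next
        }
        $1 ~ /^\/dev\/mapper\// {
            name = substr($1, 13)                  # strip "/dev/mapper/"
            mounted[name] = 1
            if (!(name in mapped))
                bad("fstab mounts " $1 " but crypttab has no mapping named " name)
            if ($2 !~ /^\//) bad("fstab " $1 ": mount point is not an absolute path")
        }
        END {
            for (n in mapped) if (!(n in mounted))
                print "NOTE: " n " is unlocked at boot but never mounted by fstab"
            exit (problems > 0)
        }'
}
```

To check a live system, run lint_automount "$(sudo cat /etc/crypttab)" "$(cat /etc/fstab)".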

Conclusion

Encrypting disks with Parted and LUKS is a straightforward yet powerful way to secure data in Linux. By following this guide, you’ve learned to partition a disk, set up LUKS encryption, and configure automounting. Always back up critical data, use strong passphrases, and test configurations in a non-production environment first.

With encryption in place, your data remains protected even if the physical disk is lost or stolen.

References