blog.oat.zone

My adventures in LUKS disk encryption

· by jill

I will one day learn that living life on the edge with no backups is a bad idea, but until then..


⚠️
Note: please do not use any of the info provided in this article on your own hardware without proof-reading it and without backups. I know barely anything about what I'm talking about and don't want to be responsible for data loss. Thanks!

Right at the start of 2022, I bought myself a new computer. New RAM, new GPU, just an upgrade in everything, including a 1TB SSD. Now, I've never used SSDs before. All I knew about them is they're fast, they're sensitive, and they're VERY fast.

So, of course, I wanted to move my setup to the SSD, reinstall my system, and move over my home folder, as I usually do when I switch between distros. However, this time I wanted to try something new. A few of my friends have been heavily interested in disk encryption, and I decided I wanted to give it a go as well. My main issue is the lack of backup storage I have.

If you'll look anywhere, for any guides, for anything disk or partition related, especially LUKS stuff, you'll find lots of big red, bold warnings. "Backup your stuff!" They'll say. "You can lose ALL OF YOUR DATA!" They'll warn you. My issue with this, is that I kind of can't.

While I do have quite a lot of storage on my hard drive, and that could be used for backups, when you're dealing with LUKS (as you'll see later) you'd probably want a second disk specifically for backups, which I don't have.

And while I probably could back things up On The Cloud™, backing up ~400GiB of storage with ~4MB/s up internet is.. not ideal.

With a file size of 400GiB and a download speed of 4MB/s, an estimated transfer time would be 29.8 hours.
I'm not willing to wait nearly 3 days to upload and download everything, ya know..

So, I decided to roll with it anyways and do it all with no backups, as usual. I backed some stuff up on the SSD, but besides that I left it all un-backed up.

Initially I wanted to encrypt everything: the / partition, the home partition, and any other partitions. But I soon realized this.. didn't have much use. Why would I encrypt the / partition if all that's gonna do is potentially hinder my load times? Y'know, the very thing I have an SSD for?

So, my new plan was this: create a / partition on the SSD, create a storage partition on the SSD for various programs and games, and then create a home partition on the HDD and encrypt that.

However, I soon ran into issues with that as well; namely, my lack of storage. My first (and naive) plan was to clean out my current hard drive, remove everything non-home, shrink it, move it to the right, and then create an encrypted partition on the left, like so:

Shown here is a disk viewed in GParted, a partitioning software. 2 partitions, one unnamed and the other named "solus" are moved to the right to make space for a new partition, labelled "luks stuff goes here". They don't leave much space for it, however.

Afterwards, I would move everything from my old partitions onto the encrypted partition, delete the old partitions, expand the encrypted partition, and leave it at that.

However, there were many doubts I had about this. For instance, I wasn't sure if it was possible to just, expand the encrypted partition, and I'm very glad to have had those doubts because it turns out, you.. kind of can't.

It's possible, but the number of those red, bold warnings I spoke of earlier that you see when you look up LUKS resizing-related stuff is multiplied tenfold. One StackOverflow comment I found in particular had this in it, for example:

The sector dimensions must be changed, otherwise you WILL destroy your partition(s). I am in no way responsible for your stupidness, BACKUP BACKUP BACKUP your data to a second storage medium before risking your data.

And, since I didn't have any backups, I just really didn't want to bother with it anymore.

However, this kind of left me in a sort of dilemma. If I were to not expand the partition, I would only have ~450GiB of storage available on the encrypted partition - barely half of what my disk could have. And since I only got my original partition down to ~330GiB from the original ~600GiB after lots of optimization, I knew I wasn't gonna live off of that little storage.

So, I gave up. I decided to just, move on, and not care about disk encryption. Besides, why would I encrypt my disk anyways? I didn't really have a good reason for it; I was just doing it just in-case. So I decided to take a break, and not do the encryption afterwards.

However, I had an idea. Remember the solus partition shown on the previous screenshot? This was from my previous installation before the installation I was trying to move away from. (this is getting a little confusing, I know...)

This partition had served as a sort of backup for that migration from Solus to Void Linux, and I wasn't sure if that partition was needed anymore. And, sure enough, I looked through it, and it didn't have anything valuable in it that I didn't already move to my Void partition.

So, I decided to try removing it, and see how my partitions look after that...

A good 600GB is available for a new partition.

Not bad! ~600GiB of storage is good enough for me. Besides, most of my really intensive, huge games and whatnot will go to my SSD anyways, so I thought, why not give it a shot. And so I did!

⚠️
Hi. I'm a big, red, bold warning. **You know what this means.**

I deleted the solus partition, moved my Void install (cleaned of non-home stuff) to the right, shrank it as much as possible, and made a new LUKS-encrypted partition. I applied it all, waited for an hour or two (or five!), set up an ext4 filesystem on the LUKS partition, and told Void to put my home directory there and my / directory on my SSD.

And, it worked! I didn't get the GRUB config right first try, but after messing with that and dealing with some cryptic errors, it all works!

On boot-up, it asks me for a password, with a prompt something along the lines of:

Enter passphrase for /dev/sda2:

I enter in the passphrase, the booting process continues, and everything is smooth sailing from there onwards.
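The steps above (make the LUKS partition, put ext4 on it, tell the system to unlock and mount it at boot with a passphrase prompt) written out as a script. This is an added example, not the commands from the post or from the Void guide; it assumes the HDD partition is /dev/sda2, names the mapping "home", and assumes the boot process reads the standard /etc/crypttab and /etc/fstab formats. Every disk-touching command goes through a dry-run wrapper so the script can be read through before being trusted.

```shell
#!/bin/sh
# Added example (not the post's own commands): the "encrypted /home on the HDD,
# unencrypted / on the SSD" layout as a script. Assumptions: the HDD partition
# is /dev/sda2, the mapping is called "home", and the system reads the standard
# /etc/crypttab and /etc/fstab formats at boot.
set -eu

# Every command that touches a disk goes through run(); with DRY_RUN=1 it is
# only printed, so the script can be checked safely before it is trusted.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Append LINE to FILE (or, in dry-run mode, say what would be appended).
append_line() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would append to $1: $2"
    else
        printf '%s\n' "$2" >> "$1"
    fi
}

# Turn DEV into a LUKS2 container, open it as NAME and put ext4 on the mapping.
# This destroys everything on DEV: the big red warning applies here.
setup_luks_home() {
    dev=$1; name=$2
    run cryptsetup luksFormat --type luks2 "$dev"   # asks for the new passphrase
    run cryptsetup open "$dev" "$name"              # creates /dev/mapper/NAME
    run mkfs.ext4 -L "$name" "/dev/mapper/$name"
}

# /etc/crypttab entry. The key-file field is "none", which means "ask for the
# passphrase at boot" (the prompt the post shows) rather than a key file lying
# on the unencrypted root partition.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# /etc/fstab entry that mounts the opened mapping on /home.
fstab_line() {
    printf '/dev/mapper/%s /home ext4 defaults 0 2\n' "$1"
}

# Run stand-alone this only prints what it would do (DRY_RUN defaults to 1).
# Set DRY_RUN=0 and run it as root, after backing up, to execute it for real.
DRY_RUN=${DRY_RUN:-1}
setup_luks_home /dev/sda2 home
# blkid gives the partition's UUID; 0000-0000 is a placeholder when it is unavailable.
uuid=$(blkid -s UUID -o value /dev/sda2 2>/dev/null || echo 0000-0000)
append_line /etc/crypttab "$(crypttab_line home "$uuid")"
append_line /etc/fstab "$(fstab_line home)"
```

The crypttab entry refers to the partition by UUID rather than /dev/sda2 on purpose: device names can change between boots when disks are added or reordered, and an entry that points at the wrong device simply fails to unlock.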

I actually almost accidentally made the entire encryption setup completely redundant! I was following along with the Void Linux full disk encryption guide and wasn't paying much attention. I figured I'd be able to extract just the basic LUKS stuff from it and ignore the rest.

And while that did work, there's one step that makes you generate a second key that you place on your / partition, so that you don't have to enter in a password twice: once for the / partition, and again for the /home partition. The key would be automatically used since, if you've unlocked /, there's no reason you shouldn't have access to /home.

Now I copied what the guide did for that as well, but my / partition was, well, unencrypted. Anyone would've just gone there, grabbed the key, and applied it to /home. I only managed to find out I accidentally did it when I was double-checking the instructions after I was already done with everything.
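A check for exactly this mistake, as an added example that is not from the post: it walks /etc/crypttab and flags any entry whose key file lives on a filesystem that is not itself a dm-crypt mapping. The device names, paths, and both tables below are constructed; on a live system the mount table comes from `findmnt -rn -o TARGET,SOURCE` and the crypttab from /etc/crypttab.

```shell
#!/bin/sh
# Added example, not from the post: a check for a crypttab entry whose key
# file lives on a filesystem that is not itself encrypted. Device names,
# paths and both tables below are constructed.
set -eu

# Mount table in the shape of `findmnt -rn -o TARGET,SOURCE`. On a live system
# replace the heredoc with that command. Constructed: / is a plain partition,
# /home is the dm-crypt mapping.
MOUNTS=$(cat <<'EOF'
/ /dev/nvme0n1p2
/home /dev/mapper/home
/boot /dev/nvme0n1p1
EOF
)

# Constructed /etc/crypttab: "home" is unlocked with a key file under /etc,
# which is the mistake described in the post; "data" asks for a passphrase.
CRYPTTAB=$(cat <<'EOF'
# name  device          keyfile             options
home    UUID=1111-2222  /etc/luks/home.key  luks
data    UUID=3333-4444  none                luks
EOF
)

# Print the SOURCE of the longest mount TARGET that contains PATH.
backing_source() {
    path=$1
    best_src=""; best_len=0
    while read -r target source; do
        [ -n "$target" ] || continue
        if [ "$target" = / ]; then
            match=1                                   # / contains every path
        else
            case "$path" in
                "$target"|"$target"/*) match=1 ;;
                *) match=0 ;;
            esac
        fi
        if [ "$match" = 1 ] && [ "${#target}" -gt "$best_len" ]; then
            best_len=${#target}; best_src=$source
        fi
    done <<EOF
$MOUNTS
EOF
    printf '%s\n' "$best_src"
}

# Print one line per crypttab entry whose key file is not on a /dev/mapper
# device; return 1 if any were found. Caveat: /dev/mapper also holds plain LVM
# volumes, so on a live system confirm with `cryptsetup status <name>` that
# the mapping really is dm-crypt.
audit_crypttab() {
    flagged=0
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$keyfile" in ''|none|-) continue ;; esac   # passphrase prompt: fine
        src=$(backing_source "$keyfile")
        case "$src" in
            /dev/mapper/*) ;;                             # key sits inside an encrypted volume
            *) echo "$name: key file $keyfile is on $src, which is not encrypted"
               flagged=1 ;;
        esac
    done <<EOF
$CRYPTTAB
EOF
    return "$flagged"
}

# Stand-alone: report, and exit non-zero if the encryption is only as strong
# as the readability of the key file.
if audit_crypttab; then
    echo "crypttab ok: every key file lives on an encrypted volume"
else
    echo "fix the flagged entries (use 'none' to be asked for the passphrase)"
fi
```

The point of the longest-prefix lookup is that a key file under /home/keys would be fine (it is inside the encrypted volume) while the same file under /etc is not, even though both paths begin with "/".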

I do quite enjoy just how native everything is like this. The neat thing about LUKS is once you unlock it once, it stays unlocked in /dev/mapper (until you unmount it, of course). Afterwards, everything in there is a native interface to the actual partitions as if they were just, standard /dev/sdX partitions. So you can run the same dd commands and whatnot to them as if they were real partitions.

I haven't noticed any speed downgrades either; however I will note that one thing I hadn't considered before doing this is the time it takes to enter your passphrase. If you're setting it to something long, you're setting yourself up for being annoyed at past you.

I luckily didn't, but I still don't quite like having to enter it each time, especially because I moved everything to an SSD so that everything would load faster. But oh well, you gotta sacrifice some convenience for security sometimes.

I hope this little article has somehow helped you if you're ever planning to delve in LUKS stuff! I certainly would've liked knowing some of this information, so I hope it helps someone too.

