How to Create an Encrypted Virtual Hard Drive in Linux

One of the simplest ways to store sensitive data locally is to create an encrypted virtual hard drive. In this guide, we'll make one on Linux. Familiarity with the command line helps but is not essential. A dedicated NAS is one way to keep private data at home, but the file-backed encrypted volume described here costs nothing beyond the disk space it uses. If you can, keep the image file on a secondary disk so its size and I/O do not compete with your system partition; the encryption itself does not depend on where the file lives. So, let's get started!

A hard disk
📷 Credit: epSos.de / Wikimedia Commons

The process given below applies to a brand-new virtual drive built from scratch. It's not intended for existing partitions already filled with data, although you can copy existing data into the encrypted drive once it is mounted.


The primary tool used in this guide, cryptsetup, is packaged by all the popular Linux distributions; the rest of the tools come preinstalled. The process only writes to the image file you create and does not touch any other part of your storage.

Why Encrypt a Virtual Hard Drive?

Regardless of the operating system you are using, a virtual hard drive is essentially a file that behaves like a storage device. In simple words, without encryption anyone who can read that file can extract the data stored in it, whether they reach it on the live system, in a backup, or on a copied disk.

Encryption ensures that only someone who knows the passphrase can read the contents of the virtual hard drive. If your Linux system is shared by several users, or the image file could end up in a backup or on a lost laptop, and you are storing sensitive information in the virtual drive, encryption is a must.

Tools Needed for Creating and Encrypting Virtual Hard Drive

Here's a list of tools and applications you will need to create and encrypt a virtual hard drive. Tick-mark this list before proceeding.

  • Root privilege: You must have 'root' or sudo access to create such a drive.
  • cryptsetup application: The LUKS management tool; it is used to encrypt the virtual drive and to open and close it.
  • dd command: It'll be used to create the file that backs the virtual hard disk.
  • mkfs command: It creates a filesystem on a block device. In this case, it'll format our virtual hard drive.

Both dd and mkfs are available on all Linux systems, but cryptsetup may not be. If it's missing, here's how you can install it.

# On a Ubuntu system
sudo apt-get update
sudo apt-get install cryptsetup

# On Fedora, run
sudo dnf install cryptsetup

Now that everything is ready, let's start the virtual drive creation process.

1. Create a File for the Virtual Hard Drive

Because a virtual hard drive is essentially a file, we first need to create one. The file will be large because it has to hold everything the drive will store.

The dd command creates such a file quickly.

sudo dd if=/dev/zero of=~/encrypted_hard_drive.img bs=2M count=2048

In the command used above:

  • if=/dev/zero fills the file with zero bytes.
  • of=~/encrypted_hard_drive.img provides the location and name of the file. Here, I've chosen the home directory for the file. Feel free to change the location and the file name as per your preference.
  • bs=2M and count=2048 instruct dd to write 2 MiB blocks of zero bytes 2048 times, which makes a 4 GiB file. Note that luksFormat only writes a header, so the rest of the file stays zero until you write to the mapped device; anyone inspecting the file can therefore tell roughly how much of the drive has ever been used. If that matters to you, fill the mapped device with zeros once after opening it (the zeros are stored as ciphertext) or fill the file from /dev/urandom instead of /dev/zero here.

Now we have a raw 4 GiB file ready to be used as a virtual hard drive. Because it was created with your default umask, it is most likely readable by every user on the system; since the LUKS header it will soon carry can be copied and attacked offline, restrict the file to your own user (mode 0600) before moving on.

2. Activate and Initialize LUKS Encryption

When it comes to disk encryption on Linux, LUKS (Linux Unified Key Setup) is the standard. It stores the cipher parameters and the passphrase-protected key slots in a header on the device, and recent cryptsetup releases default to the LUKS2 format, which hashes the passphrase with Argon2id to make offline guessing expensive. Its security still rests entirely on the passphrase you choose.

We'll use it to encrypt the file we have created in the previous step. First, we need to set up LUKS using the following command.

sudo cryptsetup luksFormat ~/encrypted_hard_drive.img

After running this command, you'll be asked to confirm that the file's contents will be overwritten. Make sure to type 'YES' in capital letters to confirm.

Next, you'll be prompted to enter a passphrase. Pick something long that you can remember but nobody could guess; the header can be copied and attacked offline, so length matters more than clever substitutions. In the future, whenever you open the encrypted hard drive, this passphrase will be asked.

3. Open and Map the Encrypted Volume

Our file now carries a LUKS header, but it's not yet usable as a virtual hard drive. First, we need to map it to a block device through the kernel's device-mapper; cryptsetup attaches a regular file to a loop device automatically, so no extra step is needed.

To do this mapping, use the following command.

sudo cryptsetup open ~/encrypted_hard_drive.img encrypted_disk

The last argument, encrypted_disk, is the name of the mapped device. Opening the volume requires the passphrase, so you'll be prompted for it here; once the mapping exists, reads and writes go through it transparently.

Upon completion of this command, you can access the virtual hard drive through the /dev/mapper/encrypted_disk device path.

4. Format the Virtual Hard Drive

At present the mapped device contains no filesystem, which means we cannot create files and folders on it yet. So, it's time to format it and create a filesystem on it.

Use the following command to create an ext4 filesystem on the virtual hard drive. Always format the mapped device, never the image file itself: running mkfs on ~/encrypted_hard_drive.img would overwrite the LUKS header and make the volume unusable.

sudo mkfs.ext4 /dev/mapper/encrypted_disk

If you want, you can use another filesystem for your virtual drive as Linux supports several of them. But, the one selected here is widely used everywhere and is pretty stable.

5. Opening and Closing the Virtual Hard Drive

In Linux, to access any drive, first you should mount it. The same applies to our virtual hard drive. Let's see how we'll mount and unmount it.

Mounting the Virtual Hard Drive

Drives are generally mounted in one of the directories of the /mnt/ parent directory. Let's use the /mnt/encrypted_disk as the mount point of our virtual hard disk.

# Create a directory for the mount point
sudo mkdir /mnt/encrypted_disk

# Mount the virtual hard drive
sudo mount /dev/mapper/encrypted_disk /mnt/encrypted_disk

Once mounted, you can access the /mnt/encrypted_disk directory to store and access your files. A fresh ext4 filesystem's top directory is owned by root, so either write there with sudo or, once, change the mount point's owner to your user with chown; that ownership is stored inside the encrypted filesystem and will persist.

Unmounting and Closing the Virtual Hard Drive

When you do not want to use the virtual drive, you can unmount and close it. The process is as follows.

# Unmount the virtual hard drive
sudo umount /mnt/encrypted_disk

# Detach the LUKS encryption mapping
sudo cryptsetup close encrypted_disk

Closing the LUKS mapping removes the key from the kernel, so the drive is not accessible to anyone who does not know the passphrase. Whenever someone tries to open it again, the passphrase will be asked. Note that the mapping cannot be closed while the filesystem is still mounted, which is why the unmount comes first.

Simplifying the Mounting and Unmounting Process

Instead of typing these commands every time you want to open and close your virtual hard drive, a short script for each process can automate it.

Let's create two simple scripts for both processes. Here's the first one to open and mount the virtual hard drive.

#!/bin/bash
# Stop at the first failing command, so a failed or cancelled
# cryptsetup open never leads to a mount attempt
set -e

# Open the encrypted drive. You'll be prompted for the passphrase
sudo cryptsetup open ~/encrypted_hard_drive.img encrypted_disk

# Mount the drive (create the mount point if it is missing)
sudo mkdir -p /mnt/encrypted_disk
sudo mount /dev/mapper/encrypted_disk /mnt/encrypted_disk

# Announce the drive's ready state
echo "Your encrypted drive is ready. The mount point is at /mnt/encrypted_disk"

And, here's the second one to unmount and close the virtual hard drive.

#!/bin/bash
# Stop at the first failing command: if umount fails (for example a shell
# still has the directory open) the script reports it instead of claiming
# the drive is closed
set -e

# Unmount the drive
sudo umount /mnt/encrypted_disk

# Close the encrypted drive
sudo cryptsetup close encrypted_disk

# Announce the drive's close status
echo "Your encrypted drive (/mnt/encrypted_disk) is now unmounted and closed."

Give both scripts whatever names you prefer and make sure to apply execute permissions to them. Here's how to do it.

chmod +x open_my_drive.sh close_my_drive.sh

Remember, during the opening process, you'll be prompted for the passphrase.

Take a Backup of the LUKS Header

It is always recommended to keep a backup of the LUKS header of the drive. The header holds the key slots; if it gets corrupted, the data cannot be recovered even with the correct passphrase, so a backup lets you restore it and salvage your content.

Here's how you take a backup of the LUKS header.

sudo cryptsetup luksHeaderBackup ~/encrypted_hard_drive.img --header-backup-file luks_backup.img

And, here's how you can restore it in a time of need.

sudo cryptsetup luksHeaderRestore ~/encrypted_hard_drive.img --header-backup-file /path/to/luks_backup_file

Remember, at the time of restoration, you'll get a warning about the header overwriting process. Simply type 'YES' in uppercase to complete the restoration. Treat the backup file with the same care as the image itself: it contains the key slots, so together with the passphrase it decrypts your data, and it should be readable only by you. Keeping a copy at a remote location (for example encrypted cloud storage) protects against losing both at once. Also note that a header backup keeps the key slots as they were at backup time; if you later change or remove a passphrase, make a fresh backup and destroy the old one, otherwise the old passphrase still works against the old backup.
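The open and close scripts above and the header backup step can be folded into one small tool that also performs the checks a careful operator would want: refusing to overwrite an existing image, creating the image with owner-only permissions, refusing to open a file that has no LUKS header, not double-opening an already mapped volume, unmounting before closing, and verifying that a header backup is really a LUKS header and is private. The following is an added example and not the article's own code. It assumes Linux with GNU coreutils, util-linux (for mountpoint) and cryptsetup; the IMG, NAME and MNT variables, the function names and the create/open/close/backup verbs are this script's own choices. The 6-byte magic "LUKS" 0xBA 0xBE is the LUKS primary header signature.

```shell
#!/bin/bash
# luksimg.sh: create, open, close and back up a LUKS image file.
# Added example, not from the original article. Assumes Linux with GNU
# coreutils, util-linux (mountpoint) and cryptsetup; IMG/NAME/MNT and the
# command verbs below are this script's own conventions.
set -eu

IMG="${IMG:-${HOME:-.}/encrypted_hard_drive.img}"   # the image file
NAME="${NAME:-encrypted_disk}"                       # device-mapper name
MNT="${MNT:-/mnt/$NAME}"                             # mount point

# Create a zero-filled image of SIZE MiB, readable only by its owner.
# Refuses to overwrite an existing file or to accept a non-numeric size.
make_image() {
  path="$1"; size_mib="$2"
  [ -e "$path" ] && { echo "refusing to overwrite $path" >&2; return 1; }
  case "$size_mib" in ''|*[!0-9]*) echo "size must be whole MiB" >&2; return 1 ;; esac
  ( umask 077; dd if=/dev/zero of="$path" bs=1M count="$size_mib" 2>/dev/null )
}

# True when the file begins with the LUKS header magic "LUKS\xba\xbe",
# i.e. it is a formatted image or a genuine luksHeaderBackup output.
is_luks_header() {
  magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "4c554b53babe" ]
}

# True when group and others have no permission bits at all (mode ?00),
# which is what we want for both the image and its header backup.
is_private() {
  case "$(stat -c '%a' "$1")" in *00) return 0 ;; *) return 1 ;; esac
}

open_volume() {
  is_luks_header "$IMG" || { echo "$IMG has no LUKS header" >&2; return 1; }
  if [ -e "/dev/mapper/$NAME" ]; then
    echo "$NAME is already open, skipping cryptsetup open" >&2
  else
    sudo cryptsetup open "$IMG" "$NAME"      # prompts for the passphrase
  fi
  sudo mkdir -p "$MNT"
  mountpoint -q "$MNT" || sudo mount "/dev/mapper/$NAME" "$MNT"
  echo "ready at $MNT"
}

# Reverse order of open: a mapping cannot be closed while it is mounted.
close_volume() {
  if mountpoint -q "$MNT"; then sudo umount "$MNT"; fi
  if [ -e "/dev/mapper/$NAME" ]; then sudo cryptsetup close "$NAME"; fi
  echo "$NAME closed"
}

# Back up the header, then prove the file is a LUKS header owned only by us.
backup_header() {
  out="$1"
  [ -e "$out" ] && { echo "refusing to overwrite $out" >&2; return 1; }
  sudo cryptsetup luksHeaderBackup "$IMG" --header-backup-file "$out"
  sudo chown "$(id -u):$(id -g)" "$out"
  chmod 600 "$out"
  is_luks_header "$out" && is_private "$out" && echo "header backup verified: $out"
}

case "${1:-}" in
  create) make_image "$IMG" "${2:-4096}" && sudo cryptsetup luksFormat "$IMG" ;;
  open)   open_volume ;;
  close)  close_volume ;;
  backup) backup_header "${2:-${HOME:-.}/luks_backup.img}" ;;
  '')     ;;   # no verb: only define the functions (e.g. when sourced)
  *)      echo "usage: $0 create [MiB] | open | close | backup [file]" >&2; exit 2 ;;
esac
```

Run it as ./luksimg.sh create 4096, then open, close and backup as needed; set IMG, NAME or MNT in the environment to change the defaults. The header check in open_volume catches the two mistakes that otherwise surface as a confusing cryptsetup error: running luksFormat on the wrong path, or accidentally running mkfs on the image file instead of the mapped device. The verification at the end of backup_header matters because a backup that turns out to be empty or unreadable when you need it is worse than no backup at all.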

Conclusion

If you've followed this guide, you've successfully set up and encrypted a virtual hard drive on Linux. With LUKS, anyone who obtains a copy of the image file but not the passphrase gets nothing useful out of it. Keep in mind what it does not cover: while the volume is open and mounted, its contents are as exposed as any other directory on the system, and the strength of the protection depends on your passphrase, so pick a strong one and keep it safe.