Skip to main content
Engineering LibreTexts

12-A.3: Encryption in Linux

  • Page ID
  • \( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

    Encryption in Linux

    In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users. Historically, various forms of encryption have been used to aid in cryptography. Early encryption techniques were often utilized in military messaging. Since then, new techniques have emerged and become commonplace in all areas of modern computing. Modern encryption schemes utilize the concepts of public-key and symmetric-key. Modern encryption techniques ensure security because modern computers are inefficient at cracking the encryption.

    A private cryptographic key can be used to encrypt a message prior to transmission over a network. Using the sender's public key the recipient can dencrypt the message and find the contents
    Figure \(\PageIndex{1}\): Using keys in encryption (""Public_key_encryption_keys.svg" by Johannes LandinWikimedia Commons is licensed under CC BY-SA 3.00)

    Types of Encryption

    Data in transit, also referred to as data in motion and data in flight, is defined into two categories: information that flows over the public or untrusted network such as the Internet and data that flows in the confines of a private network such as a corporate or enterprise Local Area Network (LAN).

    In addition to the concept of data/file encryption, there are tools that can be used to encrypt drives, partitions or volumes. Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

    Expressions full disk encryption (FDE) or whole disk encryption signify that everything on the disk is encrypted, but the master boot record (MBR) or similar area of a bootable disk, with code that starts the operating system loading sequence, is not encrypted. Some hardware-based full disk encryption systems can truly encrypt an entire boot disk, including the MBR.


    The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux.

    While most disk encryption software implements different, incompatible, and undocumented formats, LUKS implements a platform-independent standard on-disk format for use in various tools. This not only facilitates compatibility and interoperability among different programs, but also assures that they all implement password management in a secure and documented manner.

    The reference implementation for LUKS operates on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend.

    The shred Command

    When you delete a file from Linux or from any OS, then the file is not deleted permanently from the hard disk. When a file is deleted it first gets moved to the trash and as soon as you clear off the trash the files get deleted for the file system. But the file is still there in your hard drive and it could be recovered.

    When you delete a file permanently or delete it from the trash, the pointer pointing to the file leaves the address of it and the data of the file is sent to a sector in hard disk. There it is considered as unallocated space and it can be recovered easily. The file gets permanently deleted when the OS writes over the sector of the file which was considered as unallocated. So, in order to delete a file completely from hard disk “shred” is used in Linux. This command overwrites the contents of a file multiple times, using patterns chosen to maximize the destruction of the residual data, making it harder for even very expensive hardware probing to recover it.


    shred [ OPTION ] FILE...

    To overwrite the contents of the file multiple times to make it unrecoverable.

    pbmac@pbmac-server $ shred filename.txt

    The cryptsetup Command

    The cryptsetup command line tool is the interface with dm-crypt for creating, accessing and managing encrypted devices. The tool was later expanded to support different encryption types that rely on the Linux kernel device-mapper and the cryptographic modules. The most notable expansion was for the Linux Unified Key Setup (LUKS) extension, which stores all of the needed setup information for dm-crypt on the disk itself and abstracts partition and key management in an attempt to improve ease of use. Devices accessed via the device-mapper are called blockdevices.


    cryptsetup [ OPTIONS ] [action] [action-specific-options] [device] [dmname]

    As LUKS is the default encryption mode, all that is needed to create a new LUKS device with default parameters (-v is optional):

    pbmac@pbmac-server $ cryptsetup -v luksFormat device

    cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings. For basic (plain) dm-crypt mappings, there are four operations.

    Operations Descriptions
    open <name> <device> Opens (creates a mapping) with <name> backed by device <device>.
    remove <name> Removes an existing mapping <name>.
    status <name> Reports the status for the mapping <name>.
    resize <name> Resizes an active mapping <name>.

    In addition, cryptsetup has LUKS extensions that allow certain actions to be enabled from within the cryptsetup command.

    Extension Meaning
    luksFormat <device> [<key file>] Initializes a LUKS partition and sets the initial passphrase (for key-slot 0), either via prompting or via <key file>.
    isLuks <device> Returns true, if <device> is a LUKS device, false otherwise.
    luksAddKey <device> [<key file with new key>] Adds a new passphrase. An existing passphrase must be supplied interactively or via --key-file.
    luksKillSlot <device> <key slot number> Wipes the key-slot number <key slot> from the LUKS device.luksKillSlot <device> <key slot number>.
    open --type luks <device> <name> Opens the LUKS device <device> and sets up a mapping <name> after successful verification of the supplied passphrase.


    A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes. The values are used to index a fixed-size table called a hash table. Use of a hash function to index a hash table is called hashing or scatter storage addressing.

    Hash functions and their associated hash tables are used in data storage and retrieval applications to access data in a small and nearly constant time per retrieval, and storage space only fractionally greater than the total space required for the data or records themselves. Hashing is a computationally and storage space efficient form of data access which avoids the non-linear access time of ordered and unordered lists and structured trees, and the often exponential storage requirements of direct access of state spaces of large or variable-length keys.

    A hash table collision occurs when 2 values are calculated to have the same hash. The hashing algorithm should have a process for dealing with collisions.
    Figure \(\PageIndex{1}\):  Illustration of a hash function mapping four names to the integers 0..15, with one collision. ("Hash_table_4_1_1_0_0_1_0_LL.svg" by Jorge StolfiWikimedia is in the Public Domain, CC0)

    Use of hash functions relies on statistical properties of key and function interaction: worst case behavior is intolerably bad with a vanishing small probability, and average case behavior can be nearly optimal (minimal collisions).

    Hash functions are related to (and often confused with) checksums, check digits, fingerprints, loss compression, randomization functions, error-correcting codes, and ciphers. Although the concepts overlap to some extent, each one has its own uses and requirements and is designed and optimized differently.

    Adapted from:
    "Encryption" by Multiple ContributorsWikipedia is licensed under CC BY-SA 3.0
    "Data in transit" by Multiple ContributorsWikipedia is licensed under CC BY-SA 3.0
    "Disk encryption" by Multiple ContributorsWikipedia is licensed under CC BY-SA 3.0
    "shred command in Linux with Examples" by manav014, Geeks for Geeks is licensed under CC BY-SA 4.0

    12-A.3: Encryption in Linux is shared under a CC BY-SA 4.0 license and was authored, remixed, and/or curated by LibreTexts.

    • Was this article helpful?