Introduction
In this lab, you will learn how to check if disk encryption is enabled on a Linux system. Understanding the encryption status of your disks is a fundamental skill for system administration and security.
We will explore three key methods to achieve this: using the lsblk -f command to identify encrypted devices, examining the /etc/crypttab file to verify configured encrypted volumes, and utilizing the cryptsetup status command for detailed information about active encrypted devices. By the end of this lab, you will be equipped to confidently determine the encryption status of disks on a Linux machine.
Check encrypted devices with lsblk -f
In this step, we will start exploring encrypted devices on a Linux system. Understanding how to identify encrypted partitions is crucial for system administration and security.
We will use the lsblk command with the -f option. The lsblk command lists block devices (like hard drives and partitions). The -f option adds information about the filesystem and, importantly for us, encryption.
Open your terminal if it's not already open. You can find the Xfce Terminal icon on the left side of your desktop.
Type the following command and press Enter:
lsblk -f
You will see output similar to this:
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
loop0 squashfs 4.0 0 100% /snap/bare/5
loop1 squashfs 4.0 0 100% /snap/core20/2182
loop2 squashfs 4.0 0 100% /snap/core22/1122
loop3 squashfs 4.0 0 100% /snap/firefox/437
loop4 squashfs 4.0 0 100% /snap/gnome-3-38-2004/140
loop5 squashfs 4.0 0 100% /snap/gtk-common-themes/1535
loop6 squashfs 4.0 0 100% /snap/htop/3620
loop7 squashfs 4.0 0 100% /snap/snapd/20671
loop8 squashfs 4.0 0 100% /snap/snapd-desktop-integration/83
sda
├─sda1 vfat FAT32 <UUID> 505.4M 0% /boot/efi
├─sda2 ext4 1.0 <UUID> 1.4G 68% /boot
└─sda3 crypto_LUKS 2 <UUID>
  └─sda3_crypt ext4 1.0 <UUID> 16.4G 11% /
Look for the FSTYPE column. If you see crypto_LUKS listed for a partition (like sda3 in the example above), it indicates that this partition is encrypted using LUKS (Linux Unified Key Setup).
The line below the crypto_LUKS entry (e.g., └─sda3_crypt) shows the decrypted device name that is created when the partition is unlocked. This decrypted device is then typically formatted with a standard filesystem like ext4 and mounted (e.g., at /).
Identifying partitions with crypto_LUKS is the first step in understanding the encryption setup on a Linux system.
Click Continue to proceed to the next step.
Verify crypttab with cat /etc/crypttab
In this step, we will examine the /etc/crypttab file. This file is used by the system to configure encrypted block devices that are set up during system boot. It contains information about encrypted partitions and how they should be unlocked.
We will use the cat command to display the contents of the /etc/crypttab file. The cat command is a simple utility used to concatenate and display file content.
Type the following command in your terminal and press Enter:
cat /etc/crypttab
You will see output similar to this:
sda3_crypt UUID=<UUID> none luks,discard
Let's break down the typical format of a line in /etc/crypttab:
- Target name: This is the name of the decrypted device that will be created (e.g., sda3_crypt). This should match the name you saw under the crypto_LUKS entry in the lsblk -f output from the previous step.
- Source device: This specifies the encrypted partition. It's often identified by its UUID (UUID=<UUID>) for reliability, but can also be a device path like /dev/sda3.
- Key file or password: This indicates how the device should be unlocked. none means the system will prompt for a password during boot. Other options include specifying a key file path.
- Options: This field contains comma-separated options, such as luks (specifying it's a LUKS device) and discard (enabling TRIM support for SSDs).
Examining /etc/crypttab helps confirm which partitions are configured for encryption at boot time and how they are intended to be unlocked.
Click Continue to move to the next step.
Inspect encryption with cryptsetup status
In this final step, we will use the cryptsetup command to get detailed status information about an active encrypted device. The cryptsetup utility is a command-line tool used to set up and manage encrypted disk devices using LUKS.
We will use the status option followed by the name of the decrypted device. From the lsblk -f output in Step 1, we identified the decrypted device name as sda3_crypt.
Type the following command in your terminal and press Enter:
sudo cryptsetup status sda3_crypt
You will see detailed output about the encrypted device, similar to this:
/dev/mapper/sda3_crypt is active.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: keyring
device: /dev/sda3
sector size: 512
offset: 16384 sectors
size: <size in sectors> sectors
mode: read/write
flags: discards
Let's look at some key pieces of information from the output:
- type: LUKS2: Confirms the encryption type is LUKS version 2.
- cipher: aes-xts-plain64: Shows the encryption algorithm and mode used (AES in XTS mode).
- keysize: 512 bits: Indicates the size of the encryption key.
- device: /dev/sda3: Specifies the underlying encrypted partition.
- flags: discards: Confirms that the discards option (TRIM support) is enabled, matching what we saw in /etc/crypttab.
The cryptsetup status command provides a comprehensive view of the encryption parameters for an active LUKS device, which is very useful for verifying the encryption setup.
You have now successfully used lsblk, cat, and cryptsetup to identify and inspect encrypted partitions on a Linux system.
Click Continue to complete the lab.
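The three checks above can be cross-referenced in one pass. The script below is an added example, not part of the original lab: the function names (luks_state, crypttab_findings, audit) are hypothetical, and the sample data, including the sdb1 and backup_crypt entries, is constructed so the script runs without touching a real system.

```shell
#!/bin/sh
# Added example: cross-check lsblk, /etc/crypttab and active mappings.
# On a live system feed it:  lsblk -P -o NAME,FSTYPE,TYPE,PKNAME  and  /etc/crypttab
# The sample data below is constructed so the script runs offline.
SAMPLE_LSBLK='NAME="sda" FSTYPE="" TYPE="disk" PKNAME=""
NAME="sda2" FSTYPE="ext4" TYPE="part" PKNAME="sda"
NAME="sda3" FSTYPE="crypto_LUKS" TYPE="part" PKNAME="sda"
NAME="sda3_crypt" FSTYPE="ext4" TYPE="crypt" PKNAME="sda3"
NAME="sdb1" FSTYPE="crypto_LUKS" TYPE="part" PKNAME="sdb"'

SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
sda3_crypt UUID=<UUID> none luks,discard
backup_crypt /dev/sdc1 /root/backup.key luks'

# stdin: lsblk -P output. Prints "<LUKS container> <open mapping|LOCKED>".
luks_state() {
  awk '{
    for (i = 1; i <= NF; i++) { split($i, kv, "="); gsub(/"/, "", kv[2]); f[kv[1]] = kv[2] }
    if (f["FSTYPE"] == "crypto_LUKS") luks[f["NAME"]] = 1
    if (f["TYPE"] == "crypt") mapped[f["PKNAME"]] = f["NAME"]
  }
  END { for (c in luks) print c, ((c in mapped) ? mapped[c] : "LOCKED") }' | sort
}

# stdin: crypttab text; $1: space-separated names of active mappings.
crypttab_findings() {
  awk -v active="$1" '
    BEGIN { n = split(active, a, " "); for (i = 1; i <= n; i++) up[a[i]] = 1 }
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
      if (!($1 in up)) print $1 ": configured in crypttab but not active"
      # "none" or "-" means prompt for a passphrase; anything else is a key file
      if (NF >= 3 && $3 != "none" && $3 != "-") print $1 ": unlocked from key file " $3
      # discard passes TRIM through, exposing which blocks are unused
      if (("," $4 ",") ~ /,discard,/) print $1 ": discard enabled"
    }'
}

# $1: lsblk -P text, $2: crypttab text. Prints one finding per line.
audit() {
  state=$(printf '%s\n' "$1" | luks_state)
  printf '%s\n' "$state" | awk '$2 == "LOCKED" { print $1 ": LUKS container is not unlocked" }'
  active=$(printf '%s\n' "$state" | awk '$2 != "LOCKED" { print $2 }' | tr '\n' ' ')
  printf '%s\n' "$2" | crypttab_findings "$active"
}

audit "$SAMPLE_LSBLK" "$SAMPLE_CRYPTTAB"
```

A key file path reported by the script is worth following up by checking that file's ownership and permissions, since anyone who can read it can unlock the volume.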
Summary
In this lab, we learned how to check if disk encryption is enabled in Linux. We started by using the lsblk -f command to list block devices and identify partitions with the crypto_LUKS FSTYPE, indicating LUKS encryption. This command provides a quick overview of the system's block devices and their encryption status.
Next, we examined the /etc/crypttab file to see which devices are configured for encryption at boot time, and inspected the encryption details of a specific device using cryptsetup status. These steps, combined with lsblk -f, provide a comprehensive way to determine if and how disk encryption is implemented on a Linux system.



