1. Overview
LUKS (Linux Unified Key Setup) is the de facto standard for block-device encryption on Linux. It specifies an on-disk header format, so a volume created on one distribution can be opened by any other distribution or tool that understands LUKS.
LUKS encrypts the data with a single master key (the volume key) and stores that key, itself encrypted, in several key slots. Each slot is unlocked by a passphrase or key file that is first run through a password-based key derivation function (PBKDF2 for LUKS1, Argon2 by default for LUKS2). This is what lets us open the same volume through different key acquisition mechanisms, such as passwords, smart cards, or security chips, and revoke one of them without re-encrypting the data. LUKS also supports multiple ciphers and modes; the kernel's dm-crypt target does the actual encryption.
In this tutorial, we’ll look at some tools to determine whether a partition, mounted or not, is encrypted with LUKS. We’ll test the following examples on a Linux Mint 21 machine with three encrypted partitions.
2. lsblk
Block devices are storage devices that provide random access to data in blocks of fixed size, such as hard disks, CD-ROMs, flash drives, etc. We can use lsblk followed by optional arguments to display various attributes of block devices and partitions, such as their name, size, type, mount point, serial number, etc.
For example, let’s inspect the /dev/sda partitions:
$ lsblk /dev/sda -o NAME,KNAME,FSTYPE,TYPE,MOUNTPOINT,SIZE
NAME                KNAME FSTYPE      TYPE  MOUNTPOINT SIZE
sda                 sda               disk             238,5G
├─sda1              sda1              part             1M
├─sda2              sda2  vfat        part  /boot/efi  513M
├─sda3              sda3  ext4        part  /boot      1,7G
└─sda4              sda4  crypto_LUKS part             236,3G
  └─sda4_crypt      dm-0  LVM2_member crypt            236,3G
    ├─vgmint-root   dm-1  ext4        lvm   /          235,3G
    └─vgmint-swap_1 dm-2  swap        lvm   [SWAP]     976M
In this case, lsblk reports crypto_LUKS in the FSTYPE column of the physical partition /dev/sda4. Strictly speaking, this is not a file system but the LUKS header signature that libblkid recognises at the start of the partition. The opened mapping sda4_crypt (device-mapper node dm-0, TYPE crypt) holds an LVM physical volume with two logical volumes: the root file system and swap.
By omitting the /dev/sda argument, we make lsblk list all disks. We can then use grep to keep only the lines containing crypt, which matches both the crypto_LUKS signature on the partitions and the crypt TYPE of their opened mappings:
$ lsblk -o NAME,KNAME,FSTYPE,TYPE,MOUNTPOINT,SIZE | grep crypt
└─sda4                                         sda4  crypto_LUKS part                                                        236,3G
  └─sda4_crypt                                 dm-0  LVM2_member crypt                                                       236,3G
└─sdb1                                         sdb1  crypto_LUKS part                                                        931,5G
  └─luks-cacb47e7-6f8d-4076-afac-625b58cf7c45  dm-4  ext4        crypt /media/francesco/5a0cb140-396f-4b01-869c-b8f17e476b14 931,5G
└─sdc1                                         sdc1  crypto_LUKS part                                                        931,5G
  └─luks-d99ee6e1-7262-4267-ac15-b93674b9f666  dm-3  ext4        crypt /media/francesco/106bfc11-23d5-49c1-8c10-953cbb082a14 931,5G
The result is as expected: sda4, sdb1, and sdc1 are our three encrypted partitions. Two caveats apply. First, this pattern also matches any device-mapper name that merely contains the string crypt. Second, the FSTYPE column comes from the udev database, so a device attached a moment ago that udev has not finished probing (run udevadm settle first) will not show crypto_LUKS yet, and a volume created with a detached header never will, because its data device carries no signature at all.
3. blkid
blkid prints the content type and attributes of a block device by probing its metadata. Without root privileges it usually cannot open the devices and falls back to its cache file (/run/blkid/blkid.tab on current util-linux), so the output may be stale, incomplete, or empty. Let’s use sudo so that it actually probes the devices:
$ sudo blkid /dev/sda
/dev/sda: PTUUID="d008925f-3a4f-4b87-90e5-5a881906bacf" PTTYPE="gpt"
For a whole disk, blkid reports only the partition table type and its UUID. To find all LUKS encrypted partitions on all disks attached to our test machine, we omit the device name and use the -t option, which keeps only devices whose tag matches, here TYPE=crypto_LUKS:
$ sudo blkid -t TYPE=crypto_LUKS
/dev/sdb1: UUID="cacb47e7-6f8d-4076-afac-625b58cf7c45" TYPE="crypto_LUKS" PARTUUID="e359ee39-848e-481b-b4eb-a1aa3c6be27b"
/dev/sdc1: UUID="d99ee6e1-7262-4267-ac15-b93674b9f666" TYPE="crypto_LUKS" PARTUUID="907e99e6-01"
/dev/sda4: UUID="4c645812-7839-496e-bbb7-57101829c0b5" TYPE="crypto_LUKS" PARTUUID="2265c049-298a-4d8b-a3bb-6cef8e5c9215"
This output is consistent with what we saw earlier with lsblk. Note that the UUID shown here is the one stored in the LUKS header, not a file-system UUID; it is the value that /etc/crypttab and the luks-<UUID> mapper names refer to in the following sections.
4. /etc/crypttab
/etc/crypttab is a configuration file that lists the encrypted devices to be set up (unlocked and mapped) automatically during boot, by the initramfs and systemd-cryptsetup; mounting the resulting file systems is still the job of /etc/fstab. In our case it contains only one entry, because the two external drives are unlocked on demand from the desktop session rather than at boot:
$ cat /etc/crypttab
sda4_crypt UUID=4c645812-7839-496e-bbb7-57101829c0b5 none luks,discard
Let’s examine these four fields:
- sda4_crypt → name of the mapped device, which appears as /dev/mapper/sda4_crypt once unlocked
- UUID=[…] → the LUKS header UUID of the underlying partition, the same value blkid reported for /dev/sda4
- none → no key file, so the user has to enter the passphrase interactively during boot
- luks,discard → options: luks forces LUKS mode rather than plain dm-crypt, and discard passes TRIM commands through to the SSD, which improves performance and wear levelling at the cost of revealing which sectors are unused to anyone who can read the raw device (crypttab(5) warns about this leak)
The third and fourth fields are optional. If more than one device is set up at boot, the file contains one such line per device.
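To see at a glance which volumes boot will unlock and how each one obtains its key, the following script parses crypttab entries according to the four-field layout above. It is an added example, not code from the original article: it treats the optional third and fourth fields as absent when missing, recognises both none and - as an interactive prompt, and flags whether discard is set. The input is a constructed sample in which only the first line is the article’s own entry; the key-file path and the device names in the other two lines are hypothetical.

```shell
#!/bin/sh
# Added example: summarise /etc/crypttab entries (systemd crypttab(5) layout:
# name, source device, key file or "none"/"-" for a prompt, comma-separated
# options; the last two fields are optional).

# audit_crypttab < crypttab-text
#   prints one line per volume: name, source, key acquisition, discard flag
audit_crypttab() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        key = (NF >= 3) ? $3 : "none"
        if (key == "none" || key == "-")
            keysrc = "interactive"
        else
            keysrc = "file:" key
        opts = (NF >= 4) ? $4 : ""
        # wrap in commas so "discard" matches in any position of the list
        discard = ((("," opts ",") ~ /,discard,/) ? "yes" : "no")
        printf "%s source=%s key=%s discard=%s\n", $1, $2, keysrc, discard
    }'
}

# Constructed sample: line 1 is the entry from the article; the other two are
# hypothetical (a key file kept on disk, and an entry with only the two
# mandatory fields).
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
sda4_crypt   UUID=4c645812-7839-496e-bbb7-57101829c0b5 none luks,discard
data_crypt   /dev/sdb1 /etc/keys/data.key luks
backup_crypt /dev/sdc1'

# demo_crypttab: run the audit over the sample. On a real system use
#   audit_crypttab < /etc/crypttab
demo_crypttab() {
    printf '%s\n' "$SAMPLE_CRYPTTAB" | audit_crypttab
}
demo_crypttab
```

A key=file: entry deserves a second look: a key file stored on the root file system only protects anything if root is itself encrypted (as it is here) or the file lives on removable media, otherwise the volume is effectively unencrypted for anyone with the disk.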
5. cryptsetup
cryptsetup is the user-space tool for dm-crypt, the kernel’s device-mapper encryption target. It creates and manages plain dm-crypt volumes, LUKS1 and LUKS2 volumes, and a few compatible formats (loop-AES, TrueCrypt/VeraCrypt, BitLocker), while the kernel crypto API performs the actual encryption and decryption. Most of its operations require root privileges.
The isLuks action followed by a device file exits with status 0 if the device carries a LUKS header and with a non-zero status otherwise; it prints nothing unless -v is given. This makes it easy to chain another command with &&, e.g., an echo that only runs when the check succeeds:
$ sudo cryptsetup isLuks /dev/sda4 && echo "sda4 is LUKS Encrypted"
sda4 is LUKS Encrypted
So, with the help of find, we can check all partitions. The device path is handed to the inner shell as a positional parameter ($1) rather than pasted into the command string, so a device name can never be interpreted as shell syntax:
$ sudo find /dev -maxdepth 1 -name 'sd*' -type b -exec sh -c 'cryptsetup isLuks "$1" && echo "$1 is LUKS Encrypted"' _ {} \;
/dev/sda4 is LUKS Encrypted
/dev/sdb1 is LUKS Encrypted
/dev/sdc1 is LUKS Encrypted
This result is consistent with previous findings. Note that the sd* pattern only covers SCSI, SATA and USB disks; NVMe (nvme0n1p1), virtio (vda1) and eMMC (mmcblk0p1) partitions need another pattern, or a device list taken from lsblk.
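As an added example (not code from the original article), the following script does what cryptsetup isLuks and lsblk’s FSTYPE column rely on under the hood: it reads the 8-byte LUKS magic at offset 0 of a device or image file, and it extends the find loop above to every disk and partition lsblk knows about, whatever the naming scheme. Unlike a silent isLuks failure, it distinguishes a device it cannot read (the usual result of running unprivileged) from one that simply is not LUKS. The header layout is that of the LUKS1 and LUKS2 specifications, the lsblk options are util-linux’s, and the image probed at the end is constructed.

```shell
#!/bin/sh
# Added example: probe for the LUKS on-disk magic without cryptsetup.
# Both LUKS1 and LUKS2 primary headers start with the 6-byte magic
# "LUKS\xba\xbe" followed by a 16-bit big-endian version number (1 or 2).

# luks_version DEVICE_OR_FILE
#   prints "1" or "2" and returns 0 if a LUKS primary header is present,
#   returns 1 silently if not, returns 2 if the target cannot be read.
luks_version() {
    if [ ! -r "$1" ]; then
        echo "luks_version: cannot read $1 (not root?)" >&2
        return 2
    fi
    # First 8 bytes as one lower-case hex string, e.g. 4c554b53babe0002.
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 -v | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# scan_luks_devices
#   checks every disk and partition lsblk reports (sd*, nvme*, vd*, mmcblk*,
#   loop devices, ...). Device-mapper nodes (TYPE crypt/lvm) are skipped:
#   they are the opened side of a container and carry no LUKS header.
#   Run as root; otherwise every device is reported as unreadable on stderr.
scan_luks_devices() {
    lsblk -pnlo NAME,TYPE | while read -r dev type; do
        case "$type" in
            disk|part) ;;
            *) continue ;;
        esac
        if v=$(luks_version "$dev"); then
            echo "$dev is LUKS$v"
        fi
    done
}

# Demo on a constructed image holding just the 8 header bytes of a
# LUKS2-style container (enough for the magic check; a real header is
# far larger). No root needed, and cryptsetup isLuks would accept the
# same file-backed container.
demo_image=$(mktemp)
printf 'LUKS\272\276\000\002' > "$demo_image"
luks_version "$demo_image"      # prints 2
rm -f "$demo_image"
```

Call scan_luks_devices as root to list the containers; on the test machine it would report /dev/sda4, /dev/sdb1 and /dev/sdc1 with their header versions. A LUKS volume with a detached header is still invisible to this check, as it is to blkid and lsblk, because the magic lives in the header file rather than on the data device.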
6. dmsetup
dmsetup allows us to manage logical devices that use the device mapper driver. It requires root privileges. We can use it to create, remove, suspend, resume, load, reload, rename, and display information about these devices.
To list all active dm-crypt mappings, which include opened LUKS volumes as well as plain dm-crypt volumes, we can print the device-mapper tables and keep only crypt targets:
$ sudo dmsetup table --target crypt
luks-cacb47e7-6f8d-4076-afac-625b58cf7c45: 0 1953517568 crypt aes-xts-plain64 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0 8:17 4096
luks-d99ee6e1-7262-4267-ac15-b93674b9f666: 0 1953517568 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:33 4096
sda4_crypt: 0 495529984 crypt aes-xts-plain64 :64:logon:cryptsetup:4c645812-7839-496e-bbb7-57101829c0b5-d0 0 8:4 32768 1 allow_discards
Each line reads: name, start sector, length in sectors, target type, cipher specification, key, IV offset, backing device as major:minor, data offset, and optional parameters. The key field is masked with zeros unless --showkeys is passed, which would print the actual volume key, so treat this output as sensitive. For sda4_crypt the field is instead a kernel keyring reference (:64:logon:…), because a recent cryptsetup typically loads the volume key of a LUKS2 device into the keyring rather than passing it in the table. This format is long and hard to read. One way to make it more readable is to filter it with awk, here printing only the name and the target type:
$ sudo dmsetup table --target crypt | awk '{print $1 " " $4}'
luks-cacb47e7-6f8d-4076-afac-625b58cf7c45: crypt
luks-d99ee6e1-7262-4267-ac15-b93674b9f666: crypt
sda4_crypt: crypt
This output shows three active crypt mappings. The name sda4_crypt comes from /etc/crypttab and refers to /dev/sda4 (the 8:4 in its table line is that partition’s major:minor number). The first two names were assigned by the desktop’s automounter (udisks) in the form luks-<UUID>, where the UUID is the LUKS header UUID, so we can resolve them to device files with blkid:
$ blkid -U cacb47e7-6f8d-4076-afac-625b58cf7c45
/dev/sdb1
$ blkid -U d99ee6e1-7262-4267-ac15-b93674b9f666
/dev/sdc1
Again, the result is consistent with what we saw earlier.
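The same table can be summarised automatically. The following script is an added example, not from the original article: it parses crypt target lines according to the dm-crypt table layout described above, derives the key size from the key field, flags whether the key sits in the kernel keyring or in the table (where --showkeys would expose it), and reports allow_discards. A second function resolves major:minor numbers through the /sys/dev/block symlinks instead of blkid. The sample input is the article’s three table lines, reconstructed with the masked key fields at their exact lengths.

```shell
#!/bin/sh
# Added example: summarise `dmsetup table --target crypt` output.
# Crypt target line layout (dm-crypt table format):
#   name: start length crypt cipher key iv_offset device offset [nopt opt ...]
# "key" is hex (masked with zeros unless --showkeys is given) or a kernel
# keyring reference ":<bytes>:<type>:<description>".

# summarize_crypt_table < dmsetup-table-text
#   prints one line per crypt target; non-crypt targets are ignored
summarize_crypt_table() {
    awk '
    $4 == "crypt" {
        name = $1; sub(/:$/, "", name)
        key = $6
        if (key ~ /^:/) {
            split(key, k, ":")          # k[2] is the key size in bytes
            bits = k[2] * 8
            where = "keyring"
        } else {
            bits = length(key) * 4      # two hex digits per byte
            where = (key ~ /^0+$/) ? "table(masked)" : "table(EXPOSED)"
        }
        discards = "no"
        for (i = 10; i <= NF; i++)      # optional parameters start at $10
            if ($i == "allow_discards") discards = "yes"
        printf "%s cipher=%s keybits=%d key=%s backing=%s discards=%s\n",
               name, $5, bits, where, $8, discards
    }'
}

# devname_for_majmin MAJ:MIN
#   resolves a backing-device number via sysfs (no root needed),
#   e.g. 8:17 -> sdb1; fails if no such block device exists
devname_for_majmin() {
    link=$(readlink "/sys/dev/block/$1") || return 1
    basename "$link"
}

# Constructed sample: the three lines from the article's own dmsetup output,
# with the masked key fields regenerated at their exact lengths.
KEY512=$(printf '%0128d' 0)   # 64-byte key shown as 128 zeros
KEY256=$(printf '%064d' 0)    # 32-byte key shown as 64 zeros
SAMPLE_TABLE="luks-cacb47e7-6f8d-4076-afac-625b58cf7c45: 0 1953517568 crypt aes-xts-plain64 $KEY512 0 8:17 4096
luks-d99ee6e1-7262-4267-ac15-b93674b9f666: 0 1953517568 crypt aes-xts-plain64 $KEY256 0 8:33 4096
sda4_crypt: 0 495529984 crypt aes-xts-plain64 :64:logon:cryptsetup:4c645812-7839-496e-bbb7-57101829c0b5-d0 0 8:4 32768 1 allow_discards"

# demo_summary: run the summary over the sample. On a real system use
#   sudo dmsetup table --target crypt | summarize_crypt_table
demo_summary() {
    printf '%s\n' "$SAMPLE_TABLE" | summarize_crypt_table
}
demo_summary
```

Two things the summary makes visible that the raw table hides: keybits=256 with an XTS cipher means AES-128, since XTS splits the key into two halves, so the two external drives use a smaller key than the root volume’s 512-bit (AES-256) key, which is the current cryptsetup default; and because the sd driver numbers sdb1 as 8:17, devname_for_majmin 8:17 prints sdb1 on the test machine, agreeing with blkid -U above without needing the mapper name at all.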
7. Conclusion
In this article, we’ve looked at some ways to determine which partitions mounted on Linux are encrypted with LUKS. In particular, we focused on the following tools:
- lsblk
- blkid
- /etc/crypttab
- cryptsetup
- dmsetup
But knowing that a particular partition is encrypted doesn’t mean our data is safe. Encryption at rest protects data only while the volume is locked, and it is undermined by weak passphrases, malware running while the volume is open, unmonitored access to a mounted device, key material left on an unencrypted medium, or other mistakes.