Btrfs does not yet offer filesystem-level encryption. You can, however, use a third-party block-level encryption tool such as dm-crypt to encrypt the whole storage devices that make up your Btrfs filesystem.

In this article, I am going to show you how to encrypt the storage devices added to a Btrfs filesystem with dm-crypt. So, let’s get started.

Abbreviations

  • LUKS – Linux Unified Key Setup
  • HDD – Hard Disk Drive
  • SSD – Solid-State Drive

Prerequisites

To follow this article:

  • You must be running either Fedora 33 Workstation or Ubuntu 20.04 LTS Linux distribution on your computer.
  • You must have a free HDD/SSD on your computer.

As you can see, I have an HDD sdb on my Ubuntu 20.04 LTS machine. I will encrypt it and format it with the Btrfs filesystem.


Installing Required Packages on Ubuntu 20.04 LTS

To encrypt storage devices and format them with the Btrfs filesystem, you need to have the btrfs-progs and cryptsetup packages installed on your Ubuntu 20.04 LTS machine. Luckily, these packages are available in the official package repository of Ubuntu 20.04 LTS.

First, update the APT package repository cache with the following command:

$ sudo apt update

To install btrfs-progs and cryptsetup, run the following command:

$ sudo apt install btrfs-progs cryptsetup --install-suggests


To confirm the installation, press Y and then press <Enter>.


The btrfs-progs and cryptsetup packages and their dependencies are being installed.


The btrfs-progs and cryptsetup packages should be installed at this point.


Installing Required Packages on Fedora 33

To encrypt storage devices and format them with the Btrfs filesystem, you need to have the btrfs-progs and cryptsetup packages installed on your Fedora 33 Workstation machine. Luckily, these packages are available in the official package repository of Fedora 33 Workstation.

First, update the DNF package repository cache with the following command:

$ sudo dnf makecache

To install btrfs-progs and cryptsetup, run the following command:

$ sudo dnf install btrfs-progs cryptsetup -y


Fedora 33 Workstation uses the Btrfs filesystem by default, so it is likely that these packages are already installed, as you can see in the screenshot below. If for some reason they are not, the command above installs them.


Generating an Encryption Key

Before you can encrypt your storage devices with cryptsetup, you need to generate a 64-byte random key.

You can generate your encryption key and store it in the /etc/cryptkey file with the following command:

$ sudo dd if=/dev/urandom of=/etc/cryptkey bs=64 count=1


A new encryption key should be generated and stored in the /etc/cryptkey file.


The encryption key file /etc/cryptkey is readable by everyone by default, as you can see in the screenshot below. This is a security risk: anyone who can read the key can unlock the device. We want only the root user to be able to read and write the /etc/cryptkey file. Keep in mind, too, that the key file lives unencrypted on the root filesystem, so the encrypted device is only as well protected as the root filesystem that holds the key.


To allow only the root user to read/write to the /etc/cryptkey file, change the file permissions as follows:

$ sudo chmod -v 600 /etc/cryptkey


As you can see, only the root user has read/write (rw) permission to the /etc/cryptkey file. So, no one else can see what’s in the /etc/cryptkey file.

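The dd-then-chmod sequence above leaves a short window in which the fresh key is world-readable. As an added example (not from the original article), the following POSIX shell function creates the key file with owner-only permissions from the start by setting the umask in a subshell, refuses to overwrite an existing file, and verifies the result. It assumes a GNU/Linux userland (dd, stat, wc); the path is a parameter so it can be exercised on a temporary file, while the article's real path is /etc/cryptkey.

```shell
#!/bin/sh
# Added example: create a LUKS key file that is 0600 from the moment it exists.
# Assumes GNU coreutils (stat -c). Run as root for the real /etc/cryptkey.

# Returns 0 only if the key file is exactly 64 bytes long and mode 0600.
check_keyfile() {
    keyfile="$1"
    [ "$(wc -c < "$keyfile" | tr -d ' ')" -eq 64 ] || return 1
    [ "$(stat -c %a "$keyfile")" = "600" ] || return 1
}

# Generate a 64-byte random key at the given path with owner-only permissions.
make_keyfile() {
    keyfile="$1"
    # Never silently overwrite a key that may already unlock a device.
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing $keyfile" >&2
        return 1
    fi
    # umask 077 inside a subshell: the file is created 0600 and the caller's
    # umask is left untouched. The same dd invocation as in the article.
    (
        umask 077
        dd if=/dev/urandom of="$keyfile" bs=64 count=1 2>/dev/null
    ) || return 1
    check_keyfile "$keyfile"
}

# Stand-alone use (as root): make_keyfile /etc/cryptkey
```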

Encrypting the Storage Devices with dm-crypt

Now that you have generated an encryption key, you can encrypt your storage device, let's say sdb, with LUKS v2 (version 2) disk encryption as follows:

$ sudo cryptsetup -v --type luks2 luksFormat /dev/sdb /etc/cryptkey


cryptsetup will prompt you to confirm the encryption operation.

NOTE: All data on the HDD/SSD will be erased. So, make sure to move all of your important data elsewhere before you attempt to encrypt the HDD/SSD.


To confirm the disk encryption operation, type in YES (in uppercase) and press <Enter>. It may take a while to complete.


At this point, the storage device /dev/sdb should be encrypted with the encryption key /etc/cryptkey.


Opening Encrypted Storage Devices

Once you’ve encrypted a storage device with cryptsetup, you need to open it with the cryptsetup tool to be able to use it.

You can open the encrypted storage device sdb and map it to your computer as a data storage device as follows:

$ sudo cryptsetup open --key-file=/etc/cryptkey --type luks2 /dev/sdb data


Now, the decrypted storage device will be available in the path /dev/mapper/data. You have to create your desired filesystem in the /dev/mapper/data device and mount the /dev/mapper/data device instead of /dev/sdb from now on.

Creating Btrfs Filesystem on Encrypted Devices

To create a Btrfs filesystem on the decrypted storage device /dev/mapper/data with the label data, run the following command:

$ sudo mkfs.btrfs -L data /dev/mapper/data


A Btrfs filesystem should be created on the /dev/mapper/data storage device, which is decrypted from the storage device /dev/sdb (encrypted with LUKS 2).


Mounting Encrypted Btrfs Filesystem

You can mount the Btrfs filesystem you have created earlier as well.

Let’s say, you want to mount the Btrfs filesystem you’ve created earlier in the /data directory.

So, create the /data directory as follows:

$ sudo mkdir -v /data

To mount the Btrfs filesystem created on the /dev/mapper/data storage device in the /data directory, run the following command:

$ sudo mount /dev/mapper/data /data


As you can see, the Btrfs filesystem created on the encrypted storage device sdb is mounted in the /data directory:

$ sudo btrfs filesystem show /data


Automatically Mounting Encrypted Btrfs Filesystem at Boot-Time

You can mount the encrypted Btrfs filesystem at boot time as well.

To mount the encrypted Btrfs filesystem at boot time, you need to:

  • decrypt the storage device /dev/sdb at boot time using the /etc/cryptkey encryption key file
  • mount the decrypted storage device /dev/mapper/data to the /data directory

First, find the UUID of the sdb encrypted storage device with the following command:

$ sudo blkid /dev/sdb

As you can see, the UUID of the sdb encrypted storage device is 1c66b0de-b2a3-4d28-81c5-81950434f972. It will be different for you, so make sure to replace it with yours from now on.


To automatically decrypt the sdb storage device at boot time, you have to add an entry for it on the /etc/crypttab file.

Open the /etc/crypttab file with the nano text editor as follows:

$ sudo nano /etc/crypttab


Add the following line at the end of the /etc/crypttab file if you’re using an HDD.

data UUID=1c66b0de-b2a3-4d28-81c5-81950434f972 /etc/cryptkey luks,noearly

Add the following line at the end of the /etc/crypttab file if you’re using an SSD.

data UUID=1c66b0de-b2a3-4d28-81c5-81950434f972 /etc/cryptkey luks,noearly,discard

Once you’re done, press <Ctrl> X, followed by Y, and <Enter> to save the /etc/crypttab file.


Now, find the UUID of the decrypted /dev/mapper/data storage device with the following command:

$ sudo blkid /dev/mapper/data


As you can see, the UUID of the /dev/mapper/data decrypted storage device is dafd9d61-bdc9-446a-8b0c-aa209bfab98d. It will be different for you, so make sure to replace it with yours from now on.


To automatically mount the decrypted storage device /dev/mapper/data in the /data directory at boot time, you have to add an entry for it on the /etc/fstab file.

Open the /etc/fstab file with the nano text editor as follows:

$ sudo nano /etc/fstab

Now, add the following line at the end of the /etc/fstab file:

UUID=dafd9d61-bdc9-446a-8b0c-aa209bfab98d /data btrfs defaults 0 0

Once you’re done, press <Ctrl> X, followed by Y, and <Enter> to save the /etc/fstab file.

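A mistyped or stale UUID in /etc/crypttab or /etc/fstab means the device is not unlocked or mounted at boot, so it is worth checking both files against blkid before rebooting. As an added example (not from the original article), the following POSIX shell helpers parse the crypttab and fstab entries for a given mapping name and mount point; the hypothetical verify_boot_config wrapper feeds them the real files, blkid output and the key file permissions, and must be run as root.

```shell
#!/bin/sh
# Added example: pre-reboot consistency check for the crypttab/fstab entries
# described in the article. Parsing helpers take file paths as parameters so
# they can be exercised on constructed sample files.

# Print the UUID of the crypttab entry whose mapping name is $1, from file $2.
crypttab_uuid() {
    awk -v name="$1" '$1 == name && $2 ~ /^UUID=/ {
        sub(/^UUID=/, "", $2); print $2; exit }' "$2"
}

# Print the UUID of the fstab entry mounted at $1, from file $2.
fstab_uuid() {
    awk -v mnt="$1" '$2 == mnt && $1 ~ /^UUID=/ {
        sub(/^UUID=/, "", $1); print $1; exit }' "$2"
}

# Return 0 if the crypttab entry for name $1 in file $2 uses key file $3
# and carries the luks option (comments starting with # never match).
crypttab_uses_keyfile() {
    awk -v name="$1" -v key="$3" \
        '$1 == name && $3 == key && $4 ~ /(^|,)luks(,|$)/ { found = 1 }
         END { exit !found }' "$2"
}

# Hypothetical wrapper: verify_boot_config DEVICE NAME MOUNTPOINT KEYFILE
# e.g. verify_boot_config /dev/sdb data /data /etc/cryptkey (as root).
verify_boot_config() {
    dev="$1"; name="$2"; mnt="$3"; key="$4"
    luks_uuid=$(blkid -s UUID -o value "$dev")
    fs_uuid=$(blkid -s UUID -o value "/dev/mapper/$name")
    [ "$(crypttab_uuid "$name" /etc/crypttab)" = "$luks_uuid" ] ||
        { echo "crypttab UUID for $name does not match $dev" >&2; return 1; }
    crypttab_uses_keyfile "$name" /etc/crypttab "$key" ||
        { echo "crypttab entry $name does not use $key with luks" >&2; return 1; }
    [ "$(fstab_uuid "$mnt" /etc/fstab)" = "$fs_uuid" ] ||
        { echo "fstab UUID for $mnt does not match /dev/mapper/$name" >&2; return 1; }
    [ "$(stat -c %a "$key")" = "600" ] ||
        { echo "$key must be mode 0600" >&2; return 1; }
    echo "boot configuration for $name at $mnt looks consistent"
}
```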

Finally, reboot your computer for the changes to take effect.


The encrypted storage device sdb is decrypted into a data storage device, and the data storage device is mounted in the /data directory.


As you can see, the Btrfs filesystem that was created on the decrypted /dev/mapper/data storage device is mounted in the /data directory:

$ sudo btrfs filesystem show /data


Conclusion

In this article, I have shown you how to encrypt a storage device using LUKS 2 with cryptsetup. You have also learned how to open the encrypted storage device, format it with the Btrfs filesystem, and automatically unlock and mount it at boot time. This article should help you get started with Btrfs filesystem encryption.

About the author


Shahriar Shovon

Freelancer & Linux System Administrator. Also loves Web API development with Node.js and JavaScript. I was born in Bangladesh. I am currently studying Electronics and Communication Engineering at Khulna University of Engineering & Technology (KUET), one of the demanding public engineering universities of Bangladesh.