Verifying if a Disk Is Encrypted in Linux

Last updated: June 4, 2023

Reviewed by: Saajan Nagendra

1. Overview

LUKS (Linux Unified Key Setup) is a de facto standard for disk encryption under Linux. It simplifies compatibility between Linux distributions by providing a secure and cross-platform way to encrypt data.

LUKS uses a master key to encrypt data and stores multiple copies of that key in different slots, each protected by a passphrase or key file. This allows us to access our encrypted data using various key acquisition mechanisms, such as passwords, smart cards, security chips, and others. LUKS also supports multiple encryption algorithms (ciphers).

In this tutorial, we’ll look at some tools to determine if a mounted partition is encrypted with LUKS. We’ll test the following examples on a Linux Mint 21 machine with three encrypted partitions.

2. lsblk

Block devices are storage devices that provide random access to data in blocks of fixed size, such as hard disks, CD-ROMs, flash drives, etc. We can use lsblk followed by optional arguments to display various attributes of block devices and partitions, such as their name, size, type, mount point, serial number, etc.

For example, let’s inspect the /dev/sda partitions:

$ lsblk /dev/sda -o NAME,KNAME,FSTYPE,TYPE,MOUNTPOINT,SIZE
NAME                KNAME FSTYPE      TYPE  MOUNTPOINT   SIZE
sda                 sda               disk             238,5G
├─sda1              sda1              part                 1M
├─sda2              sda2  vfat        part  /boot/efi    513M
├─sda3              sda3  ext4        part  /boot        1,7G
└─sda4              sda4  crypto_LUKS part             236,3G
  └─sda4_crypt      dm-0  LVM2_member crypt            236,3G
    ├─vgmint-root   dm-1  ext4        lvm   /          235,3G
    └─vgmint-swap_1 dm-2  swap        lvm   [SWAP]       976M

In this case, the physical partition /dev/sda4 has the crypto_LUKS file system and contains an encrypted LVM with two logical partitions.

By omitting the /dev/sda parameter, we can expand the output of lsblk to include all disks. Then we can use grep to filter the output of lsblk to show only encrypted partitions:

$ lsblk -o NAME,KNAME,FSTYPE,TYPE,MOUNTPOINT,SIZE | grep crypt
└─sda4                                        sda4   crypto_LUKS part                                                        236,3G
  └─sda4_crypt                                dm-0   LVM2_member crypt                                                       236,3G
└─sdb1                                        sdb1   crypto_LUKS part                                                        931,5G
  └─luks-cacb47e7-6f8d-4076-afac-625b58cf7c45 dm-4   ext4        crypt /media/francesco/5a0cb140-396f-4b01-869c-b8f17e476b14 931,5G
└─sdc1                                        sdc1   crypto_LUKS part                                                        931,5G
  └─luks-d99ee6e1-7262-4267-ac15-b93674b9f666 dm-3   ext4        crypt /media/francesco/106bfc11-23d5-49c1-8c10-953cbb082a14 931,5G

The result is as expected, namely sda4, sdb1, and sdc1 are our three encrypted partitions.

3. blkid

blkid can print the content type and attributes of a block device by reading its metadata. Sometimes it can work without root privileges, reading unverified cached information, and sometimes it doesn’t. Let’s use sudo to make sure it works properly:

$ sudo blkid /dev/sda
/dev/sda: PTUUID="d008925f-3a4f-4b87-90e5-5a881906bacf" PTTYPE="gpt"

To find all LUKS encrypted partitions on all disks attached to our test machine, we can omit the device name and use the -t option to filter the output:

$ sudo blkid -t TYPE=crypto_LUKS
/dev/sdb1: UUID="cacb47e7-6f8d-4076-afac-625b58cf7c45" TYPE="crypto_LUKS" PARTUUID="e359ee39-848e-481b-b4eb-a1aa3c6be27b"
/dev/sdc1: UUID="d99ee6e1-7262-4267-ac15-b93674b9f666" TYPE="crypto_LUKS" PARTUUID="907e99e6-01"
/dev/sda4: UUID="4c645812-7839-496e-bbb7-57101829c0b5" TYPE="crypto_LUKS" PARTUUID="2265c049-298a-4d8b-a3bb-6cef8e5c9215"

This output is consistent with what we saw earlier with lsblk.

4. /etc/crypttab

/etc/crypttab is a configuration file that contains information about encrypted partitions that are automatically mounted at boot time. For this reason, it only contains one encrypted partition in our case since the other two are on user-mounted external drives:

$ cat /etc/crypttab
sda4_crypt UUID=4c645812-7839-496e-bbb7-57101829c0b5 none luks,discard

Let’s examine these four values:

  • sda4_crypt → name of the encrypted device
  • UUID=[…]UUID of the partition
  • none → this means that the user has to enter the password interactively during boot
  • luks,discard → options to enable TRIM commands to improve SSD performance and lifespan

This file contains a line for each encrypted partition if more than one is mounted at boot time.

5. cryptsetup

cryptsetup uses dm-crypt to create and manage encrypted devices. It supports plain dm-crypt volumes, LUKS volumes, and other compatible formats. cryptsetup can also use the Linux kernel device mapper and crypto API to perform encryption and decryption operations. It requires root privileges.

With the isLuks option followed by a device file, it returns true if this device is a LUKS encrypted partition and false otherwise. This makes it easy to use the && operator to make any command, e.g., echo, run only if the boolean value of isLuks is true:

$ sudo cryptsetup isLuks /dev/sda4 && echo "sda4 is LUKS Encrypted"
sda4 is LUKS Encrypted

So, with the help of find, we can check all partitions:

$ find /dev/sd* -type b -exec bash -c "sudo cryptsetup isLuks {} && echo \"{} is LUKS Encrypted\"" \;
/dev/sda4 is LUKS Encrypted
/dev/sdb1 is LUKS Encrypted
/dev/sdc1 is LUKS Encrypted

This result is consistent with previous findings.

6. dmsetup

dmsetup allows us to manage logical devices that use the device mapper driver. It requires root privileges. We can use it to create, remove, suspend, resume, load, reload, rename, and display information about these devices.

To find all LUKS partitions on our system, we can use the following command:

$ sudo dmsetup table --target crypt
luks-cacb47e7-6f8d-4076-afac-625b58cf7c45: 0 1953517568 crypt aes-xts-plain64 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0 8:17 4096
luks-d99ee6e1-7262-4267-ac15-b93674b9f666: 0 1953517568 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:33 4096
sda4_crypt: 0 495529984 crypt aes-xts-plain64 :64:logon:cryptsetup:4c645812-7839-496e-bbb7-57101829c0b5-d0 0 8:4 32768 1 allow_discards

This table format is very long and hard to read. One way to make it more readable is to filter it with awk:

$ sudo dmsetup table --target crypt | awk '{print $1 " " $4}'
luks-cacb47e7-6f8d-4076-afac-625b58cf7c45: crypt
luks-d99ee6e1-7262-4267-ac15-b93674b9f666: crypt
sda4_crypt: crypt

This output shows three devices. It’s intuitive that sda4_crypt refers to /dev/sda. It’s less clear, however, what the first two UUIDs refer to. If we need to convert them to device file names, we can use blkid:

$ blkid -U cacb47e7-6f8d-4076-afac-625b58cf7c45
/dev/sdb1
$ blkid -U d99ee6e1-7262-4267-ac15-b93674b9f666
/dev/sdc1

Again, the result is consistent with what we saw earlier.

7. Conclusion

In this article, we’ve looked at some ways to determine which partitions mounted on Linux are encrypted with LUKS. In particular, we focused on the following tools:

  • lsblk
  • blkid
  • /etc/crypttab
  • cryptsetup
  • dmsetup

But knowing that a particular partition uses encryption doesn’t mean our data is safe. Encryption is only one layer of protection, and we can compromise it with weak passwords, malware infections, unmonitored access to a mounted device, or other mistakes.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.