Store employee information in an encrypted Linux partition (1)

Source: Internet
Author: User
Tags: gparted

From time to time we see headlines like: "Company X has lost the social security numbers, other sensitive personal information and financial data of over 10 million customers! Shouldn't we be angry?" Usually it is a "contractor" (notice that it never seems to be an employee) who appears to have stored all of this information on his or her laptop with its gigabyte-sized hard drive, and the laptop was lost or stolen, but nobody knows exactly when or where. Or a supplier was responsible for transporting a large box of backup tapes, and apparently the supplier was "too poor" to afford even a car with an anti-theft lock. To me, these explanations are nonsense, even absurd. How did a contractor get hold of all the sensitive data in the first place? Why did they need to put all of it on their laptop? Why does someone who cannot afford a secure vehicle need to transport a large box of sensitive backup tapes? How do they know which data was lost, and whether it was encrypted or otherwise properly protected?
Many questions remain unanswered. The topic of this article is how to use an encrypted file system to protect sensitive data on a hard disk. The solution suits mobile users as well as anyone who needs to protect data on servers and workstations. We will use the simple and powerful cryptsetup-luks. We will create an encrypted partition for which a passphrase has to be supplied only when it is mounted; after that, the partition can be used just like any other.
cryptsetup-luks is available for Debian, Ubuntu and Fedora. You do not need to patch the kernel or change anything else; just install the package.
On Debian and Ubuntu:
# aptitude install cryptsetup
On Fedora:
# yum install cryptsetup-luks
Prepare the system
Unfortunately, cryptsetup cannot encrypt data that already exists on your system in place. You must therefore create an encrypted partition and move the data onto it. GParted (the GNOME Partition Editor) makes partition management convenient. It is available in all mainstream Linux distributions and lets you resize, move, delete or create partitions and choose the file system to format them with. It supports every partition type and file system that your kernel supports, so on a dual-boot machine you can even use it on Windows partitions. To partition a new hard disk you can use the GParted live CD.
This article only covers encrypting a data partition. I know there are also ways to encrypt partitions holding other file systems that store potentially sensitive information, such as /var and /etc, but those methods are complex and fragile, and they cannot be encrypted at startup. I will therefore only discuss the mature existing method here, because in my own tests the other approaches did not work reliably.
You can format the encrypted partition with whichever file system you like: everything on it is rewritten anyway, and the file system inside the encrypted container is your choice as well.
Your encrypted partition is protected by a passphrase. If you lose the passphrase, unfortunately the data cannot be recovered.
Encrypt partitions
With a new, blank partition ready, use the cryptsetup command to encrypt it. Double-check that you are pointing it at the partition you actually intend to encrypt:

# cryptsetup --verbose --verify-passphrase -c aes-cbc-plain luksFormat /dev/sda2

Be careful!
This will irreversibly overwrite the data on /dev/sda2.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
The preceding command has created an encrypted partition. Now we need to create a mapped (logical) device that can be mounted, and give it a name. In this example we name it sda2; you could just as well name it test, fred, my secret partition, or anything else you like:
# cryptsetup luksOpen /dev/sda2 sda2
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
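As an added example (not part of the original article, which covers only the two commands above), here is a small POSIX shell wrapper that runs the same luksFormat and luksOpen steps but refuses the common mistakes first: a whole disk instead of a partition, a partition that is still mounted, a device that already carries a LUKS header, and a mapper name with spaces. The device patterns, the mapper-name rule and the DRY_RUN switch are assumptions; note that current cryptsetup releases default to aes-xts-plain64 rather than the aes-cbc-plain used above, so the wrapper uses that unless a cipher is given.

```sh
#!/bin/sh
# Added example, not from the original article. Wraps the luksFormat and
# luksOpen steps shown above with checks that run before any irreversible
# write. Device patterns, the mapper-name rule and DRY_RUN are assumptions.

# Mapper names with spaces (e.g. "my secret partition") are legal for
# cryptsetup but break unquoted mount/fstab lines later, so require a token.
valid_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Only accept partition nodes, never a whole disk such as /dev/sda.
valid_device() {
    case "$1" in
        /dev/sd[a-z][0-9]*|/dev/vd[a-z][0-9]*|/dev/nvme[0-9]n[0-9]p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# The two commands from the article, returned as text so they can be reviewed.
# Current cryptsetup releases default to aes-xts-plain64; aes-cbc-plain as used
# above is an older mode, so the cipher is an explicit parameter here.
luks_format_cmd() { printf 'cryptsetup --verbose --verify-passphrase -c %s luksFormat %s\n' "$2" "$1"; }
luks_open_cmd()   { printf 'cryptsetup luksOpen %s %s\n' "$1" "$2"; }

# encrypt_partition DEVICE NAME [CIPHER]; set DRY_RUN=1 to print instead of run.
encrypt_partition() {
    dev=$1; name=$2; cipher=${3:-aes-xts-plain64}
    valid_device "$dev" || { echo "refusing: '$dev' is not a partition node" >&2; return 2; }
    valid_name "$name"  || { echo "refusing: unsafe mapper name '$name'" >&2; return 2; }
    # A mounted partition would lose live data; /proc/mounts lists it by path.
    if [ -r /proc/mounts ] && grep -q "^$dev " /proc/mounts; then
        echo "refusing: $dev is currently mounted" >&2; return 3
    fi
    # Do not silently reformat a container that already has a LUKS header.
    if [ -z "$DRY_RUN" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "refusing: $dev already holds a LUKS header" >&2; return 3
    fi
    fmt=$(luks_format_cmd "$dev" "$cipher"); open=$(luks_open_cmd "$dev" "$name")
    if [ -n "$DRY_RUN" ]; then printf '%s\n%s\n' "$fmt" "$open"; return 0; fi
    $fmt && $open   # intentionally unquoted: the strings hold no shell metacharacters
}
```

Run it as root on the real system (for example `encrypt_partition /dev/sda2 sda2`), or with `DRY_RUN=1` first to see exactly which commands would be executed.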