Full (external) disk encryption


#1

Hey all -

I wrote this up when I was running Debian. It also translates to Ubuntu and I just finished up replicating this for ArchLabs. In short, it ought to work with any Linux distro as long as your drive is encrypted and you have the key file mentioned in the write-up, OR you are simply creating this from the beginning. I have interchanged a set of encrypted drives with a few Linux distros without issue.

The small print stuff:

Assumptions -
1. The drive to be encrypted is not part of LVM.
2. cryptsetup has already been installed
3. You already know the device you wish to encrypt (I will be using /dev/sdb1 as an example)
4. You have already saved off any and all data on the drive you wish to encrypt - otherwise you will lose it all
5. You need to know how to use sudo or su -

Notes & WARNINGS -
You have already saved off any and all data on the drive you wish to encrypt - otherwise you will lose it all
This process I am presenting worked for me - YMMV
Please see the referring links at the end for a more complete overview of other options and processes
as mine is a compilation from these links to suit my needs.
... and finally, You have already saved off any and all data on the drive you wish to encrypt - otherwise you will lose it all


And now, for something completely different... The process:

Create a key-file for authentication - you will want this if you intend to use auto mount on boot:
dd if=/dev/urandom of=/root/drive_key bs=1024 count=4

Protect the key-file to be read only by root:
chmod 0400 /root/drive_key

Initialize the LUKS file system and use the key-file to authenticate instead of a password:
cryptsetup -d=/root/drive_key -v luksFormat /dev/sdb1

Create the LUKS mapping using the key-file:
cryptsetup -d=/root/drive_key luksOpen /dev/sdb1 data

Create your file system (I use ext4):
mkfs.ext4 /dev/mapper/data

Create your mount point on the system (some folks use /media):
mkdir /mnt/data

Mount the new file system at the mount point:
mount /dev/mapper/data /mnt/data

Create the mapper for fstab to use - edit /etc/crypttab:
# <target name> <source device> <key file> <options>
data /dev/sdb1 /root/drive_key luks

Add the mount point to fstab:
/dev/mapper/data /mnt/data ext4 defaults 0 2

Reboot or use mount -a


Referencing links for further reading:
1. Linux Hard Disk Encryption With LUKS - https://www.cyberciti.biz/hardware/h...setup-command/
2. Automatically Unlock LUKS Encrypted Drives With A Keyfile - https://www.howtoforge.com/automatic...with-a-keyfile
3. How to Recover a LUKS Encrypted Disk - https://alvinabad.wordpress.com/2012.../#comment-3634
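
An added example, not part of the original post: a shell function that audits the key files named in a crypttab and confirms what the chmod 0400 step above is meant to guarantee (no group/other permission bits, owned by root). The function name audit_crypttab and its two arguments are assumptions made for this example, and it relies on GNU stat as shipped on Linux.

```shell
#!/bin/sh
# Added example: audit the key files named in a crypttab-style file.
# Usage: audit_crypttab [crypttab_path] [expected_owner_uid]
# Defaults: /etc/crypttab and uid 0 (root). Uses GNU stat (Linux).
# Prints one finding per line; exit status 0 = clean, 1 = findings.
audit_crypttab() (
    tab="${1:-/etc/crypttab}"
    want_uid="${2:-0}"
    rc=0
    # Fields: <target name> <source device> <key file> <options>
    while read -r target source key opts || [ -n "$target" ]; do
        # Skip blank lines and comments.
        case "$target" in ''|'#'*) continue ;; esac
        # "none" or "-" means a passphrase prompt, so no key file exists.
        case "$key" in ''|none|-) continue ;; esac
        if [ ! -f "$key" ]; then
            echo "$target: key file $key not found"
            rc=1
            continue
        fi
        # %a = octal permission bits (e.g. 400), %u = numeric owner.
        set -- $(stat -c '%a %u' "$key")
        mode="$1"; uid="$2"
        # Any group/other bit lets non-root accounts read or alter the key.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$target: $key is mode $mode, want 0400 (chmod 0400 $key)"
            rc=1
        fi
        if [ "$uid" != "$want_uid" ]; then
            echo "$target: $key is owned by uid $uid, want uid $want_uid"
            rc=1
        fi
    done < "$tab"
    [ "$rc" -eq 0 ]
)
```

Source the file and run audit_crypttab as root after editing /etc/crypttab; a clean run prints nothing and returns 0.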

#2

Nice one! Thank you for sharing!


#3

Top job @chris60601