1. Find your drive
To find the correct drive to encrypt, run lsblk, then plug in your external storage device and run lsblk again. Comparing the two outputs identifies the device that newly appeared.
The /dev/sdX drive referenced in this article is a placeholder; be sure to replace it with your real device. The wipe and luksFormat steps below destroy all data on the chosen device, so double-check it before proceeding.
2. Erase the drive [Optional]
Destroy the drive's partition table by overwriting the drive's head with zeros:
sudo dd if=/dev/zero of=/dev/sdX count=4096
We can also overwrite the previously stored data to delete it permanently, though this is not strictly necessary:
sudo shred -v --iterations=1 /dev/sdX
3. Create a LUKS-Encrypted Partition on the Drive
Install the cryptsetup utility used to manage LUKS encrypted volumes:
sudo pacman -S cryptsetup
3.1 Encryption and Decryption with Passphrase
Initialize the device as a LUKS partition and set the passphrase with the luksFormat subcommand:
sudo cryptsetup luksFormat /dev/sdX
This warns you that all data on the device will be overwritten and then prompts for a passphrase for the partition. Finally, verify the LUKS header and the populated key slot with the command sudo cryptsetup luksDump /dev/sdX.
In order to use the encrypted partition we need to decrypt and open it:
sudo cryptsetup open /dev/sdX luks_part
luks_part: an arbitrary name identifying the opened (mapped) volume.
Opened LUKS volumes appear under /dev/mapper (here as /dev/mapper/luks_part). Closing the volume with the following command removes that mapping again:
sudo cryptsetup close luks_part
3.2 Encryption and Decryption with Key File
We can also use a key file instead of a passphrase to unlock the partition, which allows it to be mounted automatically at boot. To do so, first create the key file (the directory holding it must exist):
sudo mkdir -p /root/.luks_keys
sudo dd if=/dev/random of=/root/.luks_keys/luks_part bs=512 count=1
Note: The bs and count options instruct dd to read and write exactly one 512-byte block of random data, so the key is 512 bytes long.
We can also check the content of the key using the command sudo xxd /root/.luks_keys/luks_part.
Restrict access to the key file to enhance security. Set the permissions so that only the root user has read access:
sudo chmod 0400 /root/.luks_keys/luks_part
Once the key file is created, assign it to the LUKS partition:
sudo cryptsetup luksFormat --key-file /root/.luks_keys/luks_part /dev/sdX
Note that luksFormat writes a fresh LUKS header, so this destroys whatever is currently on /dev/sdX, including a volume set up with a passphrase in the previous section. Confirm the assignment of the key file with the command sudo cryptsetup luksDump /dev/sdX.
Note: A key file can also be added to a pre-existing LUKS-encrypted partition with the command cryptsetup luksAddKey <device> <path-to-new-key-file> --key-file <path-to-existing-key-file>; if --key-file is omitted, cryptsetup prompts for an existing passphrase instead.
Now we can unlock the partition using the key file:
sudo cryptsetup luksOpen /dev/sdX luks_part --key-file /root/.luks_keys/luks_part
If the partition is already open, close it first with the command sudo cryptsetup -v luksClose luks_part.
4. Create a Filesystem
Once the LUKS volume is decrypted and opened, we must create a filesystem to store the data on it. Here I use btrfs, but you can use ext4 or any other:
sudo mkfs.btrfs /dev/mapper/luks_part
Note: Make sure btrfs-progs is installed to use the btrfs filesystem.
5. Mount and unmount a LUKS volume
Now we are ready to mount the LUKS volume. Assuming a mount point directory /mnt/data exists, open the volume and mount it there:
sudo cryptsetup open /dev/sdX luks_part
sudo mount /dev/mapper/luks_part /mnt/data
5.1 Auto-Mount Partition at Startup
If we chose the 'Encryption and Decryption with Key File' method, the LUKS volume can be unlocked automatically at system startup by adding an entry describing it to /etc/crypttab:
# <target name> <source device> <key-file> <options>
luks_part UUID=4a3ca3d5-f1e9-4eb4-8fe0-29af8e079f69 /root/.luks_keys/luks_part luks
Here we use the UUID of the device instead of the device name /dev/sdX, since device names can change between boots. The UUID can be obtained with:
sudo cryptsetup luksUUID /dev/sdX
Then, as usual, the opened volume can be mounted automatically via /etc/fstab:
# Mount the encrypted external drive
/dev/mapper/luks_part /mnt/data btrfs defaults 0 0
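As an added example (not part of the original article), the following POSIX shell check validates the key-file, crypttab and fstab wiring described above before you reboot: it confirms each referenced key file is present, non-empty and mode 0400, that the source is given as a UUID, and that every target has a matching /dev/mapper line in fstab. The file paths are parameters, so it can be run against copies of /etc/crypttab and /etc/fstab in a scratch directory.

```sh
#!/bin/sh
# Added example, not part of the original article: a pre-reboot sanity check
# for the key-file auto-mount setup. It parses a crypttab file, verifies that
# each referenced key file exists, is non-empty and is mode 0400, that the
# source is a UUID=... reference, and that every target has a matching
# /dev/mapper/<target> line in fstab. Paths are parameters so the check can
# run against copies of /etc/crypttab and /etc/fstab. Root ownership of the
# key file is not verified here; confirm it separately with ls -l.

# keyfile_ok FILE -> 0 when FILE is a regular, non-empty file with mode 0400
keyfile_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    # "ls -l" renders mode 0400 as "-r--------" in its first ten characters
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# check_crypt_setup CRYPTTAB FSTAB -> 0 when consistent; otherwise prints one
# diagnostic per problem and returns 1
check_crypt_setup() {
    problems=$(
        # drop comments and blank lines; fields: target source key-file options
        grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        while read -r target source keyfile options; do
            case $keyfile in
                ''|none|-) echo "$target: no key file, unlock would prompt at boot" ;;
                *) keyfile_ok "$keyfile" ||
                       echo "$target: key file $keyfile missing, empty or not mode 0400" ;;
            esac
            printf '%s\n' "$source" |
                grep -Eq '^UUID=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
                echo "$target: source '$source' is not a UUID= reference"
            grep -q "^/dev/mapper/$target[[:space:]]" "$2" ||
                echo "$target: no /dev/mapper/$target entry in fstab"
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}
```

Run it as check_crypt_setup /etc/crypttab /etc/fstab (as root, so the key file is readable) and fix every diagnostic it prints before rebooting.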