since i’m always forgetting what to do to encrypt a harddisk, and have to rely on other sites (which might go offline once), i decided to sum everything up in a post. parts can already be found here in this blog.
note that the disk device name can differ from computer to computer, so i used /dev/sdx in this description, which you have to change to the right name.
creation.
first, connect the disk and unmount it. then, delete all existing partitions and create a linux primary partition (or do whatever else you want):
$ sudo fdisk /dev/sdx
then it is recommended to clear the partition with random data:
$ sudo dd if=/dev/urandom of=/dev/sdx1
note that this step takes a lot of time.
then, make luks aware of the drive, open it with luks and format it:
$ sudo cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --verify-passphrase luksFormat /dev/sdx1
$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo mke2fs -v /dev/mapper/encrdisk
$ sudo cryptsetup luksClose encrdisk
this creates an ext2 file system. now you should be able to unplug the drive and reconnect it, and ubuntu should ask you for a passphrase to unlock the disk. feel free to add -L "label" (at most 16 characters; see the man page for more details); ubuntu will then try to mount the disk as /media/label.
(edit: since there is now a successful attack on the aes-cbc-essiv encryption mentioned here earlier, i changed it to aes-xts-plain64, using a different approach.)
mounting and unmounting.
to mount:
$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo mount /dev/mapper/encrdisk /mnt
to unmount:
$ sudo umount /mnt
$ sudo cryptsetup luksClose encrdisk
note that, for example, newer ubuntu versions automatically ask for a passphrase and perform luksOpen / mount / unmount / luksClose for you.
checking.
basically, you just have to open the partition, run the usual file system check, and close it:
$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo fsck -v -C -n /dev/mapper/encrdisk
$ sudo cryptsetup luksClose encrdisk
passphrase management.
note that luks stores several passphrases in key slots, any of which can be used to open the partition. one can add passphrases to and remove passphrases from this list.
to add a passphrase:
$ sudo cryptsetup luksAddKey /dev/sdx1
to remove a passphrase (you have to enter the passphrase to be removed):
$ sudo cryptsetup luksRemoveKey /dev/sdx1
to remove the passphrase from a slot (useful if you forgot one of the passphrases and want to remove it):
$ sudo cryptsetup luksKillSlot /dev/sdx1 0
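before killing a slot it helps to know which slots are actually in use, and killing the last enabled slot makes the disk unopenable for good. the following is an added example (not part of the original post) that reads the output of sudo cryptsetup luksDump /dev/sdx1 from stdin, lists the enabled key slots, and refuses a luksKillSlot if the slot is not enabled or is the only one left. it handles both the luks1 layout ("Key Slot 0: ENABLED") and the luks2 layout (a "Keyslots:" section with "0: luks2" entries); the two dump texts embedded below are constructed samples, not real header data.

```shell
#!/bin/sh
# added example: inspect luks key slots before luksKillSlot.

# print the numbers of enabled key slots, one per line, from a luksDump
# text on stdin; understands the luks1 and luks2 layouts
enabled_slots() {
  awk '
    /^Key Slot [0-9]+: ENABLED/     { s = $3; sub(/:$/, "", s); print s; next }
    /^Keyslots:/                    { in_slots = 1; next }
    in_slots && /^[A-Za-z]/         { in_slots = 0 }
    in_slots && /^ +[0-9]+: luks2/  { s = $1; sub(/:$/, "", s); print s }
  '
}

# usage: can_kill_slot N < dump
# returns 0 only if slot N is enabled and at least one other slot remains
can_kill_slot() {
  want=$1
  slots=$(enabled_slots)
  total=$(printf '%s\n' "$slots" | grep -c . || true)
  if ! printf '%s\n' "$slots" | grep -qx "$want"; then
    echo "slot $want is not enabled" >&2
    return 1
  fi
  if [ "$total" -le 1 ]; then
    echo "slot $want is the last enabled slot; killing it would lose the disk" >&2
    return 1
  fi
  return 0
}

# constructed sample in the luks1 layout (slots 0 and 2 enabled)
SAMPLE_LUKS1='LUKS header information for /dev/sdx1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512

Key Slot 0: ENABLED
        Iterations:             100000
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: ENABLED
        Iterations:             100000
        Key material offset:    512
        AF stripes:             4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# constructed sample in the luks2 layout (only slot 1 enabled)
SAMPLE_LUKS2='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# on a real disk (placeholder device name):
#   sudo cryptsetup luksDump /dev/sdx1 | enabled_slots
#   sudo cryptsetup luksDump /dev/sdx1 | can_kill_slot 0 \
#     && sudo cryptsetup luksKillSlot /dev/sdx1 0
```

for the luks1 sample, enabled_slots prints 0 and 2, and can_kill_slot allows either of them; for the luks2 sample it prints only 1 and refuses to kill it, since nothing would be left to open the disk with.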
comments.
sometimes one also wants encrypted container files. here's documentation on how to create such a container; it can be mounted and unmounted using mount.crypt and umount.crypt. for easy reference, here's what you have to do (this version also contains fewer bugs and does a more thorough job):