skip to main content.

posts about external hard disk.

since i’m always forgetting what to do to encrypt a harddisk, and have to rely on other sites (which might go offline once), i decided to sum everything up in a post. parts can already be found here in this blog.
note that the disk device name can differ from computer to computer, so i used /dev/sdx in this description which you have to change to the right name.


first, connect the disk and unmount it. then, delete all existing partitions and create a linux primary partition (or do whatever else you want):

$ sudo fdisk /dev/sdx

then it is recommended to clear the partition with random data:

$ sudo dd if=/dev/urandom of=/dev/sdx1

note that this step takes a lot of time.
then, make luks aware of the drive, open it with luks and format it:

$ sudo cryptsetup –verbose –cipher aes-xts-plain64 –key-size 512 –verify-passphrase luksFormat /dev/sdx1
$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo mke2fs -v /dev/mapper/encrdisk
$ sudo cryptsetup luksClose encrdisk

this creates an ext2 file system. now you should be able to unplug the drive and reconnect it, and ubuntu should ask you for a passphrase to unlock the disk. feel free to add -L “label” (at most 16 characters; see the man page for more details); ubuntu will try to mount the disk as /media/label then.

(edit: since there is now a successful attack on the aes-cbc-essiv encryption mentioned here earlier, i changed it to aes-xts-plain64, using a different approach.)

mounting and unmounting.

to mount:

$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo mount /dev/mapper/encrdisk /mnt

to unmount:

$ sudo unmount /mnt
$ sudo cryptsetup luksClose encrdisk

note that for example newer ubuntu versions automatically ask for a passphrase and performs luksOpen / mount / unmount / luksClose for you.


basically, you just have to open the partition, run the usual file system check, and close it:

$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo fsck -v -C -n /dev/mapper/encrdisk
$ sudo cryptsetup luksClose encrdisk

passphrase management.

note that luks has a storage of several passphrases, which can all be used to open the partition. one can add and remove phrases to/from this list.
to add a passphrase:

$ cryptsetup luksAddKey /dev/sdx1

to remove a passphrase (you have to enter the passphrase to be removed):

$ cryptsetup luksRemoveKey /dev/sdx1

to remove the passphrase from a slot (useful if you forgot one of the passphrases and want to remove it):

$ cryptsetup luksKillSlot /dev/sdx1 0

i got another external hard drive today. the main reason is that i want to encrypt my (current) backup harddisk, which requires reformatting the disk. but if i do so, i’m left with nothing but the original data on the laptop, and no backup. in case something goes terribly wrong, i’m screwed. i just created an encrypted partition on the disk; this is really pretty easy and not much command line typing is required, in particular if everything is set up: then linux will ask me for the password as soon as i plug the usb cable in, and automatically mount it using that password. that’s how it should be. and so far, it works perfect.
currently, rsync is mirroring my home directory onto the disk. as soon as it is done, i will copy some stuff from the other backup disk over (like my server’s backups) which i don’t have on the laptop’s harddisk (which is 180 gb smaller than each of the backup disks), and after that, my old backup disk will be reformatted as well and also filled.
after that, i will deposit one of the backup drives somewhere outside my apartment: in case something goes wrong (like house burns down, someone decides to break in, …), i still have a backup somewhere. and, as it is encrypted, nobody but me can read it. (even if someone breaks in here, and steals both laptop and backup, they can’t access the data without my password. and yes, i am aware of xkcd.)