Disk Encryption: LUKS
Your security is only as good as the weakest link in the chain. Encrypt your disks.
I know a lot of folks who setup a root password on Linux or account password on Windows without encrypting their drives, anyone can easily bypass these password with something as simple as a live boot disk. The weakest link in the chain is TOO WEAK to be reasonably secure.
So, here I will discuss a simple tool called cryptsetup to encrypt drives on Linux.
We need to encrypt our internal HDD (root) and external HDD that contain your data.
1. Install-time root encryption
I was capturing screenshots for writing this blog when I found an easy to follow tutorial by CryptoDad:
2. Pendrive / External HDD encryption
NOTE: Remember to move device data elsewhere before starting with these steps. All data in the device will be deleted.
1. Let's install cryptsetup:
Debian & it’s derivatives:
sudo apt update
sudo apt cryptsetup
Fedora & it’s cousins:
sudo dnf install cryptsetup-luks
2. Find the partition:
Identify the path to the partition you want to encrypt:
3. Secure delete partition:
Before encryption, I would recommend you to shred everything from the device:
shred -vzn 2 /dev/sdb1
# v - Verbose
# z - Add a final overwrite of 0s to hide shredding
# n 2 - Make 2 passes
sudo cryptsetup -key-size 512 -hash sha512 -v luksFormat /dev/sdb1 --verify-passphrase
5. Open encrypted drive:
sudo cryptsetup luksOpen /dev/sdb1 <NAME>
6. Create ext4 filesystem:
sudo mkfs.ext4 /dev/mapper/<NAME>
Now you are good to go, enjoy your encrypted external HDD / pendrive.
Note: You can close LUKS partition when you are done:
sudo cryptsetup luksClose /dev/mapper/<NAME>
If you have any questions or you think I should clarify some step in more detail, please reach out to me on Twitter.
Hope this makes disk encryption more accessible for you.