Disk Encryption: LUKS

Your security is only as good as the weakest link in the chain. Encrypt your disks.

I know a lot of folks who set up a root password on Linux or an account password on Windows without encrypting their drives. Anyone can easily bypass these passwords with something as simple as a live boot disk. The weakest link in the chain is TOO WEAK to be reasonably secure.

So, here I will discuss a simple tool called cryptsetup to encrypt drives on Linux.

We need to encrypt both the internal HDD (root) and any external HDD that contains our data.

I was capturing screenshots for writing this blog when I found an easy-to-follow tutorial by CryptoDad:

- Part 1: https://www.youtube.com/watch?v=etzJAG_H5F8
- Part 2: https://www.youtube.com/watch?v=yJdBIigQcVw
- Part 3: https://www.youtube.com/watch?v=JyA4owRVUls

NOTE: Remember to move the device's data elsewhere before starting with these steps. All data on the device will be deleted.

1. Let's install cryptsetup:

Debian & its derivatives:

sudo apt update
sudo apt install cryptsetup

Fedora & its cousins:

sudo dnf install cryptsetup-luks

2. Find the partition:

Identify the path to the partition you want to encrypt:

sudo blkid

Say I want to encrypt the device labelled “ATFS”; then I’ll note its path, “/dev/sdb1”, from the blkid output.

3. Secure delete partition:

Before encryption, I recommend shredding everything on the device:

sudo shred -vzn 2 /dev/sdb1
# v - Verbose
# z - Add a final overwrite of 0s to hide shredding
# n 2 - Make 2 passes

4. Encrypt!

sudo cryptsetup --key-size 512 --hash sha512 -v luksFormat /dev/sdb1 --verify-passphrase

5. Open encrypted drive:

sudo cryptsetup luksOpen /dev/sdb1 <NAME>

6. Create ext4 filesystem:

sudo mkfs.ext4 /dev/mapper/<NAME>

Now you are good to go, enjoy your encrypted external HDD / pendrive.

Note: You can close the LUKS partition when you are done:

sudo cryptsetup luksClose /dev/mapper/<NAME>
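
Since steps 3 and 4 destroy whatever is on the path you type, here is an added example (not part of the original post) that wraps steps 3 to 6 in a preflight check: it refuses a path that is not a block device, is mounted, or already carries a LUKS header. The function names, the MOUNTS_FILE variable and the mapper name in the usage comment are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: guard rails for the destructive steps (shred, luksFormat).
# MOUNTS_FILE can be overridden to exercise the check on constructed data.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Succeeds if the device is listed as a mount source in MOUNTS_FILE.
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# Returns 0 only for an unmounted block device without a LUKS header.
preflight() {
    dev="$1"
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    if is_mounted "$dev"; then
        echo "refusing: $dev is mounted, unmount it first" >&2
        return 2
    fi
    if sudo cryptsetup isLuks "$dev"; then
        echo "refusing: $dev already has a LUKS header" >&2
        return 3
    fi
    return 0
}

# Steps 3 to 6 of the post, run only after preflight and a typed confirmation.
encrypt_device() {
    dev="$1"
    name="$2"   # hypothetical mapper name, the post's <NAME>
    preflight "$dev" || return $?
    printf 'Retype the device path to confirm wiping %s: ' "$dev"
    read -r answer
    if [ "$answer" != "$dev" ]; then
        echo "aborted" >&2
        return 4
    fi
    sudo shred -vzn 2 "$dev" &&
    sudo cryptsetup --key-size 512 --hash sha512 -v luksFormat "$dev" --verify-passphrase &&
    sudo cryptsetup luksOpen "$dev" "$name" &&
    sudo mkfs.ext4 "/dev/mapper/$name" &&
    sudo cryptsetup luksDump "$dev"   # print the header so cipher and key size can be checked
}

# Usage (run as your normal user, sudo is called inside):
#   encrypt_device /dev/sdb1 backup
```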

If you have any questions or you think I should clarify some step in more detail, please reach out to me on Twitter.

Hope this makes disk encryption more accessible for you.
