Encrypting a drive in Linux used to be an extremely cryptic (I’m not sorry) process. Now, while it still is not entirely straightforward, there are tools to make it less painful. Even better, most desktop environments will handle mounting and unmounting encrypted volumes automatically with a simple password prompt once you get the drive set up.
For this tutorial, I assume you want to encrypt an external USB drive and that you don’t mind wiping it first. I assume you’re comfortable working with the command line.
Prepare the drive
First, you need to plug the drive in and find its location. You can use lsblk to print out the block devices, including physical drives, and their sizes. Find the entry that corresponds to your drive; it will probably be sdb or sdc. For the sake of this tutorial, I’ll assume it’s sdb as it was on my machine, so replace as needed.
Next, you’ll want to overwrite the drive with zeroes:
sudo dd if=/dev/zero of=/dev/sdb status=progress
If you’re encrypting a very large drive, this will take hours or even days. You can skip this step if you like, but then whatever was on the drive before you encrypted it stays recoverable from the raw device. This may or may not be a problem for you, but the best bet is to write zeroes if you have the time. If you have a lot of time, you can overwrite with random junk data instead by replacing /dev/zero with /dev/urandom; that also hides how much of the encrypted volume has actually been written to, since encrypted blocks are indistinguishable from the random background.
With the drive overwritten, you need to partition it with sudo fdisk /dev/sdb:
$ sudo fdisk /dev/sdb
Welcome to fdisk (util-linux 2.31.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x17371803.
Command (m for help): n
Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p):
Using default response p.
Partition number (1-4, default 1):
First sector (2048-30883839, default 2048):
Last sector, +sectors or +size{K,M,G,T,P} (2048-30883839, default 30883839):
Created a new partition 1 of type 'Linux' and of size 14.7 GiB.
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
At this point, you have a drive with a partition table set and a single partition. You can verify this by running lsblk and observing that there is now a /dev/sdb1 entry with no mountpoint:
sdb 8:16 1 14.7G 0 disk
└─sdb1 8:17 1 14.7G 0 part
You can further see that the new partition is unformatted by running sudo file -sL /dev/sdb1 (-s is used for special “files” like block devices, and -L follows symbolic links) and seeing that it simply reports “data”.
If you weren’t going to encrypt the drive, you would normally go ahead and format the partition you just created. In this case, though, we’re going to introduce a layer of encryption first.
Set up and use LUKS on the new partition
LUKS (Linux Unified Key Setup) is the de facto standard in Linux drive encryption, and cryptsetup is the tool we use to set up LUKS on partitions. It’s like formatting a drive not with a filesystem, but with an encryption system. Then, with the encryption layer in place, you can format the empty space “in” that encryption layer with the filesystem of your choice.
If you don’t have cryptsetup on your machine, install it with sudo apt install -y cryptsetup.
Encrypt the partition:
$ sudo cryptsetup luksFormat /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:
The longer the passphrase, the better; aim for 20 or so characters. Sentences that are nonsensical, but memorable and easy to type, are good. If you run file -sL /dev/sdb1 now, you should see something like /dev/sdb1: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] (a newer cryptsetup defaults to LUKS2, in which case it will report ver 2).
Unlock (open) the encrypted partition with sudo cryptsetup luksOpen /dev/sdb1 usb. Enter the passphrase you just set up. The decrypted block device will appear at /dev/mapper/usb. Again, run lsblk to see the change:
sdb 8:16 1 14.7G 0 disk
└─sdb1 8:17 1 14.7G 0 part
└─usb 253:0 0 14.7G 0 crypt
Then run sudo file -sL /dev/mapper/usb to see that the content of the partition is simply “data”, like you saw before encrypting. This shows that the “stuff” beyond the encryption layer right now is just that: stuff.
Create a usable filesystem
To make that useless stuff useful, create a filesystem out of it with: sudo mkfs.ext4 /dev/mapper/usb -L usb. (If you don’t have mkfs.ext4, install it with sudo apt install e2fsprogs.) Run sudo file -sL /dev/mapper/usb to see that, indeed, there is an ext4 filesystem where there was just “data” a moment ago.
Now the encrypted partition is open, and there’s a usable ext4 filesystem on that partition, but that ext4 filesystem is not mounted. To mount it, create a place on your machine to mount it at and use the mount command:
sudo mkdir /mnt/encrypted-usb && \
sudo mount /dev/mapper/usb /mnt/encrypted-usb
Run lsblk one last time to see that there is a block device of type crypt with a mountpoint of /mnt/encrypted-usb:
sdb 8:16 1 14.7G 0 disk
└─sdb1 8:17 1 14.7G 0 part
└─usb 253:0 0 14.7G 0 crypt /mnt/encrypted-usb
At this point, you can access files (as root) at /mnt/encrypted-usb. This is inconvenient, and it is possible to mount with user-level permissions via the command line, but you’ll probably want to just unmount everything, close the LUKS device, and use your system’s GUI for actually moving files around:
sudo umount /mnt/encrypted-usb && sudo cryptsetup luksClose usb
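The whole sequence above, from wiping the disk to mounting the ext4 filesystem, is easy to get wrong in the one way that matters: pointing dd or fdisk at the wrong disk. As an added example (not part of the original post), here is a small POSIX sh script that wraps the post’s commands with the checks a practitioner would want first: it only accepts a whole-disk name, refuses any disk that has a mounted filesystem (which always includes the running root disk), and defaults to printing the plan rather than running it. The interface (encrypt_usb <disk> [mapper-name], the DRY_RUN and MOUNTS_FILE variables) is an assumption of this example, not anything the post or cryptsetup defines; the fdisk answers are scripted with printf instead of typed interactively.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the post's command
# sequence (dd, fdisk, luksFormat, luksOpen, mkfs.ext4, mount) in a script
# that refuses unsafe targets and, by default, prints the plan instead of
# running it. Assumed interface: encrypt_usb <disk> [mapper-name], e.g.
# "encrypt_usb sdb usb". DRY_RUN=0 executes the steps (as root); any other
# value prints them. MOUNTS_FILE overrides /proc/mounts for testing.

# Whole-disk names only (sdb, nvme0n1). Partition names, paths and anything
# carrying shell metacharacters are rejected before they reach dd or fdisk.
is_disk_name() {
    case "$1" in
        sd[a-z] | nvme[0-9]n[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# The mapper name becomes /dev/mapper/<name> and a mount point, so keep it
# to a conservative character set.
is_mapper_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# First partition of a disk: sdb -> sdb1, nvme0n1 -> nvme0n1p1.
first_partition() {
    case "$1" in
        nvme*) printf '%sp1' "$1" ;;
        *)     printf '%s1' "$1" ;;
    esac
}

# True if any filesystem on the disk is mounted, judged from a table in
# /proc/mounts format. The root disk of the running system always appears
# there, so it can never be selected as the target.
disk_is_mounted() {
    grep -q "^/dev/$1[0-9p]* " "${MOUNTS_FILE:-/proc/mounts}"
}

# Recognise the "LUKS encrypted file" signature that `file -sL` prints for a
# LUKS header, so the script can confirm luksFormat worked before luksOpen.
is_luks_header() {
    case "$1" in
        *"LUKS encrypted file"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a step (dry run) or run it; a failing step stops the sequence.
run_step() {
    if [ "${DRY_RUN:-1}" != 0 ]; then
        printf '%s\n' "$1"
    else
        printf '+ %s\n' "$1" >&2
        sh -c "$1"
    fi
}

encrypt_usb() {
    disk="$1"; name="${2:-usb}"
    is_disk_name "$disk"   || { echo "refusing: '$disk' is not a whole-disk name" >&2; return 2; }
    is_mapper_name "$name" || { echo "refusing: bad mapper name '$name'" >&2; return 2; }
    if disk_is_mounted "$disk"; then
        echo "refusing: /dev/$disk has a mounted filesystem" >&2; return 2
    fi
    part=$(first_partition "$disk")
    mnt="/mnt/encrypted-$name"

    # dd exits non-zero when it reaches the end of the device; here that is
    # the expected outcome, so it is not treated as a failure.
    run_step "dd if=/dev/zero of=/dev/$disk status=progress || true" || return 1
    # The same answers the post gives fdisk interactively: new, primary,
    # partition 1, default first and last sector, write.
    run_step "printf 'n\\np\\n1\\n\\n\\nw\\n' | fdisk /dev/$disk" || return 1
    run_step "cryptsetup luksFormat /dev/$part" || return 1
    if [ "${DRY_RUN:-1}" = 0 ]; then
        is_luks_header "$(file -sL "/dev/$part")" || { echo "no LUKS header on /dev/$part" >&2; return 1; }
    fi
    run_step "cryptsetup luksOpen /dev/$part $name" || return 1
    run_step "mkfs.ext4 -L $name /dev/mapper/$name" || return 1
    run_step "mkdir -p $mnt && mount /dev/mapper/$name $mnt" || return 1
}
```

Run it once with the default dry run (encrypt_usb sdb usb) and read the printed plan; only when every device path in it is the one you expect, re-run with DRY_RUN=0 under sudo. The mounted-filesystem check is deliberately conservative: a USB stick that the desktop auto-mounted on insertion will be refused until you eject it, which is the same state the post’s own steps require.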
The payoff
Now you can unplug the USB drive if you want. When you plug it back in, depending on your desktop environment, you’ll probably see a device in the file browser with a lock icon on it in the “Devices” section. You can click that device, and you’ll be prompted for the password. Everything else (mounting the encryption layer and mounting the actual filesystem within) will happen automagically, and you’ll be able to transfer files and click the eject button just like you would with any other normal drive. While it’s mounted this way, you can check the mount location with lsblk as usual.
Conclusion
While there are other encryption options out there, such as VeraCrypt (or TrueCrypt 7.1a) for cross-platform support or good old-fashioned gpg -c symmetric file encryption for raw simplicity, LUKS is a relatively seamless method to use an entire encrypted partition in a Linux-native way. It integrates nicely with most Linux desktop environments.
The setup can be a bit of a hassle if you’re just trying to get something working, but going through the setup process will help you understand the layers involved and troubleshoot filesystem-related errors more methodically and efficiently in the future.