J.Christensen
Oct-2023
This document describes how to create an encrypted volume using the Linux Unified Key Setup (LUKS) facility. We will create a single encrypted partition that takes up the entire device. The main aim is to create an encrypted external disk or USB stick, for backup purposes or just general offline, secure storage.
Always be very careful when executing low-level device commands. Be sure to use the correct device or partition. Mistakes can, and most likely will, result in unrecoverable data loss.
In this document, I use device /dev/sdx and partition /dev/sdx1 in the examples, hoping that these are unlikely to exist on your machine. That way, if an example command is mistakenly entered verbatim, then it will probably fail. Wherever sdx appears, substitute the device you are working with, e.g. sda, sdb, nvme0n1, etc.
Connect your device to the system. Ensure there is nothing on it that you want as all existing data will be destroyed!
If the device has been previously used, and you have requirements for high security, you may want to erase the device first to eliminate residual data. The best way to do that depends on the device, and is beyond the scope of this document. If you just want to wipe the partition table, to make the device appear unused, use this command:
$ sudo dd bs=4M count=10 if=/dev/zero of=/dev/sdx
Using the fdisk command, create a new partition table and a partition that takes up the entire device:
$ sudo fdisk /dev/sdx
Command: g # create a new empty GPT partition table
Command: n # add a new partition
Partition number: # Press Enter to accept default of 1
First sector: # Press Enter to accept default
Last sector: # Press Enter to accept default
Command: w # write the partition table and exit
Initialize the LUKS partition and set the passphrase. Choose a strong passphrase and do not lose it, as data on the partition cannot be retrieved without it.
$ sudo cryptsetup luksFormat -v --type luks2 --verify-passphrase /dev/sdx1
Open the LUKS partition and map it to the name mydisk.
$ sudo cryptsetup open -v --type luks2 /dev/sdx1 mydisk
Create an ext4 filesystem on the LUKS partition. The -L argument gives the filesystem a name (label). I chose secret as an example, but use whatever you like. Many systems will use the label as the mount point name when automatically mounting the device. (Other filesystems should be possible, but we use ext4 here as it is probably the most common Linux filesystem.)
$ sudo mkfs.ext4 -L secret /dev/mapper/mydisk
Remove the mapping to mydisk.
$ sudo cryptsetup close mydisk
At this point, the encrypted volume should be visible in your system's file manager, and you should be able to mount and open it like any other device. Typically it will be mounted at a path such as /media/jack/secret. However, the mounted filesystem is owned by root at this point, so you will probably want to change its ownership so that your user can create directories and files. Substitute your own user name and mount point:
$ sudo chown jack:jack /media/jack/secret
Eject the device. Now it can be used on any machine, and should behave like any other external disk or USB stick, except entering the passphrase is required to use it.
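The whole procedure above, collected into one script as an added example (this is not part of the original document) with the checks a practitioner would want before running destructive device commands: it refuses anything that is not a whole, currently unmounted block device, derives the partition name correctly for devices whose kernel name ends in a digit (the first partition of nvme0n1 is nvme0n1p1 and of mmcblk0 is mmcblk0p1, not nvme0n11), requires the device name to be typed back before wiping, and verifies afterwards that the header reports LUKS2. The script name luks-usb.sh and the default label secret are assumptions; the mapper name mydisk is the one used in the text. It must be run as root and needs the same tools the text uses (dd, fdisk, cryptsetup, mkfs.ext4) plus lsblk and blockdev from util-linux.

```shell
#!/bin/sh
# Added example, not from the original document: the document's steps wrapped
# in safety checks. Assumed script name: luks-usb.sh. Run as root, e.g.:
#   sudo ./luks-usb.sh /dev/sdx secret
set -eu

# Partition naming depends on the device name: /dev/sda -> /dev/sda1, but a
# device whose name ends in a digit gets a "p" separator, so
# /dev/nvme0n1 -> /dev/nvme0n1p1 and /dev/mmcblk0 -> /dev/mmcblk0p1.
# Expects plain kernel names under /dev, not /dev/disk/by-id/... links.
first_partition() {
    case "$1" in
        *[0-9]) printf '%sp1\n' "$1" ;;
        *)      printf '%s1\n' "$1" ;;
    esac
}

# Refuse to touch anything that is not a whole, currently unmounted block
# device. This is the guard against typing the system disk by mistake.
check_device() {
    dev=$1
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    case "$(lsblk -dno TYPE "$dev")" in
        disk) ;;
        *) echo "not a whole disk (give /dev/sdx, not /dev/sdx1): $dev" >&2; return 1 ;;
    esac
    # lsblk without -d also lists the device's partitions, so this catches
    # a mounted /dev/sdx1 as well as /dev/sdx itself.
    if lsblk -no MOUNTPOINT "$dev" | grep -q .; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2
        return 1
    fi
}

# Type the device name back as confirmation; anything else aborts.
confirm_wipe() {
    printf 'ALL DATA ON %s WILL BE DESTROYED. Type the device name to continue: ' "$1"
    read -r answer
    [ "$answer" = "$1" ]
}

main() {
    [ $# -ge 1 ] || { echo "usage: $0 /dev/sdX [label]" >&2; exit 2; }
    dev=$1
    label=${2:-secret}      # filesystem label, as in the text
    mapper=mydisk           # device-mapper name, as in the text
    part=$(first_partition "$dev")

    check_device "$dev"
    confirm_wipe "$dev" || { echo "aborted" >&2; exit 1; }

    # Wipe the old partition table, then create a GPT with one partition that
    # spans the device: the same fdisk answers as in the text, fed on stdin
    # (g, n, three Enters to accept the defaults, w).
    dd bs=4M count=10 if=/dev/zero of="$dev" status=none
    printf 'g\nn\n\n\n\nw\n' | fdisk "$dev" >/dev/null
    blockdev --rereadpt "$dev"          # make sure the kernel sees the new table
    udevadm settle 2>/dev/null || true  # wait for the /dev node if udev is present
    [ -b "$part" ] || { echo "partition $part did not appear" >&2; exit 1; }

    cryptsetup luksFormat -v --type luks2 --verify-passphrase "$part"
    cryptsetup open -v --type luks2 "$part" "$mapper"
    mkfs.ext4 -L "$label" "/dev/mapper/$mapper"
    cryptsetup close "$mapper"

    # Verify the result: the header of a LUKS2 volume reports "Version: 2".
    if cryptsetup luksDump "$part" | grep -q '^Version:[[:space:]]*2'; then
        echo "LUKS2 volume with label '$label' created on $part"
    else
        echo "header check failed on $part" >&2
        exit 1
    fi
}

# Only run the procedure when a device argument is given, so the helper
# functions can be sourced or tested without touching any disk.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The device checks use lsblk rather than parsing /proc/mounts by hand so that partitions of the target are covered too; the confirmation step deliberately asks for the device name rather than a "y", because a stray Enter or "y" is exactly the mistake the document warns about.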
This procedure was developed and tested on Linux Mint and Raspberry Pi OS. It should be usable on Debian and derivatives.
On the Raspberry Pi, the cryptsetup command was not installed by default; I installed it with sudo apt install cryptsetup.