Encrypt a Hard Drive - Lazy Guide

This is a lazy guide (mostly for me to refer to) on how to encrypt a hard drive on Debian GNU/Linux. What this lazy guide does not cover is how to make your machine bootable, so if you want to encrypt your whole system (very good practice), you should probably do it via your OS installer.

Important note: The following contains examples of commands that may totally destroy data that you didn't want to destroy. Please be careful and don't stupidly copy-paste and expect Jesus to show up at your door with the original 10 commandments. Also note I am a human being, so it is totally possible for me to make mistakes and/or typos.

Create a partition

Okay, so let's break things now. First, create the partition that we will encrypt, using your favourite disk partitioner: fdisk, cfdisk, gdisk or whatever you find.

Let's assume we will be working with /dev/sdb and we created the new partition /dev/sdb1. No need to format it or anything; that is done later.

Encrypt the Partition

We'll need cryptsetup to do this. If you don't already have it installed:

apt-get install cryptsetup

Now encrypt it! (careful, this wipes whatever is currently on the partition):

cryptsetup -y -s 256 -c aes-cbc-essiv:sha256 luksFormat /dev/sdb1

The options used mean the following:

  • -y: confirm the passphrase (ask for it twice)
  • -s 256: key size in bits
  • -c aes-cbc-essiv:sha256: cipher specification, in the form cipher-mode-ivmode:hash (here AES in CBC mode with ESSIV, using SHA-256 for the IV generator)

Decrypt the Partition

Now we will want to format it, or use it for LVM, etc. First, though, we must decrypt (unlock) it as follows:

cryptsetup luksOpen /dev/sdb1 encryptedcrap

Note: You can replace encryptedcrap with whatever you want. All this means is that the decrypted disk will be available at /dev/mapper/encryptedcrap.

Once decrypted you can format it using /dev/mapper/encryptedcrap, for example:

mkfs.ext3 /dev/mapper/encryptedcrap

You could also create volumes with LVM etc.; just do it on /dev/mapper/encryptedcrap.

Now you can mount your partition as usual:

mount /dev/mapper/encryptedcrap /mnt/somewhere

Undecrypt it

You can re-encrypt it and make it unreadable at any time; all you need to do is unmount it (if it's mounted) and "luksClose" it:

cryptsetup luksClose /dev/mapper/encryptedcrap

Basic Key Management

So far you should have one key. There are 8 key slots on this lock (numbered 0 to 7), so you can have up to eight passphrases (keys). You can check the status with:

cryptsetup luksDump /dev/sdb1

This shows a bunch of stuff; for now you should mostly be interested in the line "Key Slot 0: ENABLED". So far all other key slots should be DISABLED. These slot numbers will come in handy later.

Add a Key

When adding a new key you will, of course, be asked to provide an existing key first; then you will be prompted for the new passphrase:

cryptsetup luksAddKey /dev/sdb1

Note: By default keys are added to the first available slot. If you are using slots 0, 1 and 3, the next key would be added to slot 2. However, you can specify which slot to use when adding a key with the --key-slot option. Example:

cryptsetup luksAddKey /dev/sdb1 --key-slot 6

Deleting a Key

You can delete a key either by providing the actual passphrase you want to delete OR by specifying its key slot. This is why it's important to keep track of who's using which slot.

To delete a key by its passphrase, run the following; it will ask you to enter the passphrase to delete and then a remaining valid key:

cryptsetup luksRemoveKey /dev/sdb1

To delete a key by slot, in this case slot 1, run the following; it will simply ask for a valid key (not the one being deleted, of course):

cryptsetup luksKillSlot /dev/sdb1 1
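Since keeping track of slots is the whole game here, below is a small added helper script (mine, not part of the guide above) that parses the "Key Slot N: ENABLED/DISABLED" lines from luksDump to list the slots in use and the slot the next luksAddKey would land in, plus a guard that refuses to run luksFormat while the target disk is mounted. It assumes a LUKS1 header (8 slots, as described above) and a constructed luksDump sample; on a real machine you would pipe the live luksDump output instead.

```shell
#!/bin/sh
# Added example, not from the original guide. Helpers around the cryptsetup
# commands above: a mounted-device guard for the destructive luksFormat step
# and parsers for the key-slot lines that `cryptsetup luksDump` prints.

# assert_not_mounted DEV [MOUNTS]: fail if DEV or any partition on it
# (e.g. /dev/sdb1 for /dev/sdb) appears in MOUNTS (default /proc/mounts).
assert_not_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    if grep -q "^$dev" "$mounts"; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2
        return 1
    fi
    return 0
}

# enabled_slots: read luksDump output on stdin, print the ENABLED slot
# numbers on one line, e.g. "0 1 3".
enabled_slots() {
    awk '$1=="Key" && $2=="Slot" && $4=="ENABLED" {
             sub(":", "", $3); printf "%s%s", sep, $3; sep=" " }
         END { print "" }'
}

# next_free_slot: first DISABLED slot, i.e. where `luksAddKey` without
# --key-slot would put a new passphrase. Prints nothing if all are in use.
next_free_slot() {
    awk '$1=="Key" && $2=="Slot" && $4=="DISABLED" {
             sub(":", "", $3); print $3; exit }'
}

# Constructed sample of the slot lines luksDump prints for a LUKS1 header
# with slots 0, 1 and 3 in use (real output has more fields; only the
# "Key Slot" lines matter here).
SAMPLE_DUMP='Version:        1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: ENABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# On a real device (as root) you would run, for example:
#   assert_not_mounted /dev/sdb && cryptsetup -y -s 256 -c aes-cbc-essiv:sha256 luksFormat /dev/sdb1
#   cryptsetup luksDump /dev/sdb1 | enabled_slots
printf '%s\n' "$SAMPLE_DUMP" | enabled_slots     # prints: 0 1 3
printf '%s\n' "$SAMPLE_DUMP" | next_free_slot    # prints: 2
```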

And... that's it for today.