Encrypting an External Partition

This is one of several blog entries that follow on my recent post on backups. For more, see the backups tag.


Warning: This process will eat some or all of the data on your external drive alive. Be sure you back up anything you want to preserve!


Any data that might fall into hostile hands should be encrypted, and that includes off-site backups and your laptop's USB thumb drive (you do have a way to back up your laptop in the field, don't you?). The partitions on most of my computers are encrypted, but I do that during installation, and that's another article. Because of that, the tools we need for LUKS (Linux Unified Key Setup) should already be installed. If not:

apt-get install cryptsetup

I usually leave a spare partition for sneakernet file transfers on my external drives, so any external drive has multiple partitions on it. Normally, I start preparing an external drive by shrinking the existing partition to a suitable size.

The exception here is exFAT, a fairly new file system from Microsoft for USB solid state drives. Debian 10, Buster, has support for creating an exFAT partition, but not growing or shrinking one. So I delete the partition and create a new one of suitable size. gparted is an excellent GUI tool for the purpose.

Then we identify the partition that will hold the encrypted data. Assume that the external drive is device M, or /dev/sdM, and the partition to be encrypted is partition X, or /dev/sdMX.

Creating the Partition

First, we use cryptsetup to set up our partition as a LUKS partition.

cryptsetup -y -v luksFormat /dev/sdMX

That done, we open the LUKS partition so we can access it. This creates the device file /dev/mapper/offsite, which we can then examine.

cryptsetup luksOpen /dev/sdMX offsite
ls -l /dev/mapper/

You can also examine the mapping and the partition. The status output tells you, among other things, the underlying partition to pass to the luksDump command, which is useful later when you go to mount the partition.

cryptsetup -v status offsite
cryptsetup luksDump /dev/sdMX

If you wish, you can zero out the partition, using one of these two commands. This can take a while.

pv -tpreb /dev/zero | dd of=/dev/mapper/offsite bs=1024M # zero out the partition.
dd if=/dev/zero of=/dev/mapper/offsite status=progress

Or you can write random values instead by substituting /dev/random for /dev/zero, if you have enough entropy built up. Random values are preferable: your encrypted, and apparently random, data will hide among a bunch of truly random data.

Once you have the partition encrypted to suit, lay down a file system with mkfs.ext4. The second command forces an fsck every three months or every 15 mounts, whichever comes first. I highly recommend you do this so you catch the occasional file system error.

mkfs.ext4 /dev/mapper/offsite
tune2fs -i 3m -c 15 /dev/mapper/offsite

Then save the header (substituting for M and X in the file name) so you can restore it if necessary.

cryptsetup luksHeaderBackup /dev/sdMX --header-backup-file ~/$(date +%F).${HOSTNAME}.offsite.MX.luks.header

Mounting the Encrypted Partition

In future articles, I'll show scripts I use to mount and unmount these encrypted partitions. For now, here's how to do it manually.

mkdir -p /media/offsite
cryptsetup luksOpen /dev/sdMX offsite
fsck /dev/mapper/offsite
mount /dev/mapper/offsite /media/offsite

Unmounting the Encrypted Partition

Again, I have a script to do this, coming soon to a blog near you.

umount /dev/mapper/offsite
cryptsetup luksClose offsite
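Until those scripts appear, here is an added example of my own (not the author's script) that wraps the manual mount and unmount steps above in shell functions, with the checks I would want before touching a LUKS device: refuse to open a mapping that is already open, and close the mapping again if fsck or mount fails. It assumes the mapper name offsite, the mount point /media/offsite, and running as root; set DRY_RUN=1 to print the commands instead of running them, and header_backup_name takes the date, host and directory as parameters so it can be checked without a real drive.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes root and the
# naming used in the post (mapper name "offsite", /media/offsite).
# DRY_RUN=1 prints each privileged command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the header backup file name in the post's convention,
# deriving "MX" from /dev/sdMX. Date, host and directory are
# parameters (instead of date +%F, $HOSTNAME, ~) so this is testable.
header_backup_name() {
    dev=$1; day=$2; host=$3; dir=$4
    suffix=${dev#/dev/sd}
    printf '%s/%s.%s.offsite.%s.luks.header\n' "$dir" "$day" "$host" "$suffix"
}

# Open, fsck and mount. Never leaves a half-done state: if fsck or
# mount fails, the mapping is closed again before returning failure.
luks_mount() {
    dev=$1; name=$2; mnt=$3
    if [ -e "/dev/mapper/$name" ]; then
        echo "mapping $name is already open" >&2
        return 1
    fi
    run mkdir -p "$mnt" || return 1
    run cryptsetup luksOpen "$dev" "$name" || return 1
    if ! run fsck "/dev/mapper/$name" || ! run mount "/dev/mapper/$name" "$mnt"; then
        run cryptsetup luksClose "$name"
        return 1
    fi
}

# Unmount and close. Closing only after a successful umount avoids
# the "device busy" error from luksClose on a still-mounted mapping.
luks_umount() {
    name=$1
    run umount "/dev/mapper/$name" || return 1
    run cryptsetup luksClose "$name"
}
```

A real run is `luks_mount /dev/sdMX offsite /media/offsite` followed later by `luks_umount offsite`, with M and X filled in for your drive.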
