Skip to main content
UmmIt

Encrypting External Drives with LUKS: A Beginner's Guide (LVM Not Included)

·869 words·5 mins
LUKS Encryption Security GNU/Linux External Drive
UmmIt
Author
UmmIt
Loves to write about technology, and cybersecurity related topics :)
Table of Contents

Introduction
#

Encrypting your external drive is a great way to protect your data from unauthorized access in case the drive is lost or stolen. LUKS (Linux Unified Key Setup) is a popular disk encryption method that allows you to encrypt your drives with ease. This article will guide you through the process of encrypting an external drive with LUKS and mounting it on your GNU/Linux system.

Prerequisites
#

Before you begin, make sure you have the following:

  • An external drive that you want to encrypt.
  • A GNU/Linux system with the cryptsetup package installed.

Step 1: Identify the External Drive
#

First, you need to identify the device identifier of your external drive. You can do this by plugging in the drive and running the following command:

lsblk

Step 2: Create a filesystem on the External drive
#

Before encrypting the drive, you need to using tool like gdisk or fdisk to initialize the disk and create a partition. For example, to create a partition on /dev/sdb, you can use the following command:

sudo gdisk /dev/sdb
o # Create a new empty GUID partition table (GPT)
n # Create a new partition
<Enter> # Use the default partition number
<Enter> # Use the default first sector
<Enter> # Use the default last sector
t # Change the partition type
L # List known partition types
<Enter> # Choose the Linux filesystem type (e.g., 8309 for LUKS)
w # Write changes to disk

In case you lsblk again don’t show the new partition, you can run the following commands for the system to recognize the new partition:

sudo sync
sudo partprobe /dev/sdb

And now lsblk should show the new partition, for example /dev/sdb1.

Step 3: Encrypt the External Drive
#

To encrypt the external drive, use the cryptsetup command with the luksFormat option. Replace /dev/sdb1 with the actual device identifier of your external drive:

cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha256 --iter-time 10000 --key-size 256 --pbkdf argon2id --use-urandom --verify-passphrase /dev/sdb1

YES

You will be prompted to enter a passphrase for the encryption.

Step 4: Open the Encrypted drive
#

After encrypting the drive, you need to open it using the cryptsetup open command. Replace /dev/sdb1 with the actual device identifier of your encrypted drive and yourdrive with a name you want to assign to the mapped device:

sudo cryptsetup open /dev/sdb1 yourdrive

You will be prompted to enter the passphrase you set during encryption.

Step 5: Create a Filesystem on the Mapped device
#

Now that the encrypted drive is open, you can create a filesystem on the mapped device. For example, to create an btrfs filesystem on the mapped device /dev/mapper/yourdrive, you can use the following command:

sudo mkfs.btrfs /dev/mapper/yourdrive

Step 6: Mount the Encrypted Drive
#

Finally, you can mount the encrypted drive to a directory of your choice. For example, to mount the mapped device /dev/mapper/yourdrive to the /mnt/encrypted directory, you can use the following command:

mount --mkdir /dev/sdb1 /mnt/yourdrive

You can now access the encrypted drive at the specified mount point. To ensure that the drive is mounted you can type ’lsblk’ and see if the drive is mounted.

Close the Encrypted drive
#

To close the encrypted drive, you can use the cryptsetup close command. Replace yourdrive with the name you assigned to the mapped device:

sudo cryptsetup close yourdrive

Cannot Unmount the Drive
#

If you are unable to unmount a drive, it is likely that the drive is still in use. You can follow these steps to identify and resolve the issue:

Step 1: Check for Open Files
#

Use the lsof command to check for any open files on the mount point:

sudo lsof +D /mnt/yourdrive

Step 2: Identify Processes Using the Mount Point
#

You can also use the fuser command to identify which processes are using the mount point:

sudo fuser -m /mnt/yourdrive

Step 3: Terminate Specific Processes
#

If you need to terminate a specific process using the mount point, you can use the following command:

sudo kill -9 PID

Step 4: Kill Processes Using the Mount Point
#

If you don’t sure which process is using the mount point and don’t care about those processes, you can kill all processes using the mount point, which is all processes using the drive, all the using files will be closed.

sudo fuser -k /mnt/yourdrive

Step 5: Unmount the Encrypted Drive
#

Once you have closed all processes using the mount point, you can unmount the encrypted drive using the following command:

sudo umount /mnt/yourdrive

Step 6: Close the Encrypted Drive
#

Finally, you can close the encrypted drive using the cryptsetup close command:

sudo cryptsetup close yourdrive

Don’t Force Unplugging the Drive
#

Gernerally, many people forget to unmount the drive before closing the encrypted drive, which will cause the drive to be still in use. And just foce to unplugging the drive will cause the drive to be corrupted. So, it is important to unmount the drive before closing the encrypted drive.

Conclusion
#

That’s all! You have successfully encrypted an external drive with LUKS and mounted it on your GNU/Linux system. Remember to safely unmount and close the encrypted drive before disconnecting it to avoid data corruption.

Related

How to Add More Keys and Verify Keys on LUKS
·319 words·2 mins
LUKS Encryption Security GNU/Linux
How to Set Up 2FA on Linux for Enhanced Security
·532 words·3 mins
GNU/Linux 2FA Security
Complete Guide to setting up LUKS on LVM encryption in Arch Linux (Minimal System)
··1839 words·9 mins
Arch Linux LUKS LVM Encryption
How to Build Your Own WireGuard VPN Server and Connect from Anywhere!
·1032 words·5 mins
Wireguard VPN Server GNU/Linux Android
How to Backup Your GPG Key: A Step-by-Step Guide
·390 words·2 mins
GPG GNU/Linux