Encrypting an External Storage Device
published onIt’s a good idea to keep backups of important data, it’s an even better idea to make sure only you can access them.
This is a guide on how to encrypt an external storage device for use on a Linux system.
Storage Devices
This guide should be relatively universal for most external storage devices.
For this example I am assuming you know what kind of storage device is best for your use case and that you are using a NEW device.
Important Notice: If you are using a device that you have used previously you may wish to securely wipe all data on it first. I do not have a guide for this at this time. I will update this post in the future if that changes.
Requirements:
You will need the following to follow this guide along:
- A computer running a GNU/Linux operating system.
- An external storage device.
- The
cryptsetup
package installed.- Name may vary based on distro.
Encrypting The Device
1. Find your device’s path.
You can do so with the following command:
sudo fdisk -l
The output of this command will list information about each storage device connected to your computer. Such as it’s total capacity in GiB units and the model number. You can use this information to determine which disk is the one you intend to write to.
From this point forward I will be referring to this device as /dev/sdx.
2. Set up partition table.
Most drives when purchased will come with the msdos partition table, you don’t need this for a Linux machine. The following command will change it to use the GPT partition table.
sudo parted /dev/sdx mklabel gpt
The drive now has the GPT partition table format.
3. Creating a LUKS device.
We will now create the LUKS device. Using the following command.
sudo cryptsetup luksFormat /dev/sdx
Now it will ask you for a password and to confirm it. I assume you know how to choose a strong one.
4. Mapping the device.
We will now mount the device to the mapper. This allows us to use it like a normal storage device.
You will want to name the device at this stage, we will refer to your given name as DevName from here on.
sudo cryptsetup luksOpen /dev/sdx DevName
The device is now available for usage as a normal storage device would be if it were unmounted.
5. Formatting the device.
At this stage we will be formatting the device as the ext4 Linux format. To do that we run the following command:
sudo mkfs.ext4 /dev/mapper/DevName
The device now has the ext4 format and can be mounted.
Mounting The Device
At this stage you can mount the device the way you normally would an external device.
You can use your GUI file manager such as pcmanfam
or dolphin
to open it.
You can also do the following to open it using the terminal:
1. Repeat step 4 above. (Mapping the device)
You can skip this if it is still mapped from earlier.
2. Mount the drive.
You can now mount the device as you would normally do so for an external device via the terminal.
sudo mount /dev/mapper/DevName </path/to/mount/point/>
Unmounting the device
1. Unmounting the drive.
You can unmount the drive using the following command.
sudo umount </path/to/mount/point>
2. Unmapping the device.
You can unmap the device using the following command.
sudo cryptsetup luksClose DevName
You can now safely remove the device from the computer.
Tips:
- If you prefer to use a graphical file manager then you should use one.
- In fact for external devices I recommend doing so.
- You can use other formats for the disk if you wish.