If you’re like me, you’ve set up full-disk encryption during your installation. But what if you want to encrypt your backups and USB sticks too?

In this post I’ll share how I did it.

Check your disks

So you want to encrypt your disk. Please note that formatting or encrypting the wrong partition may ruin your system. This is why I recommend installing GParted so you are absolutely sure you’re using the right disk.

sudo apt install gparted

In GParted you should be able to recognise the partition you would like to encrypt. In my case this was /dev/sda.

At the time of writing, LUKS encryption drives are not supported by GParted. Therefore we will do it manually, very similar to how it’s done if you would enable full-disk encryption during your Debian installation.

Check if cryptsetup is installed

We will be using cryptsetup for this. First, check if it exists on your system.

man cryptsetup

This should show the cryptsetup manual. If not, please install cryptsetup before proceeding (sudo apt install cryptsetup).

Format your disk

DO NOT PROCEED if you don’t know what formatting means or if you’re uncomfortable with using the command line.

Enter this command to format your partition:

cryptsetup -y -v luksFormat [your partition here]

Replace [your partition here] with your partition, e.g. /dev/sda.

If this doesn’t work, but you have successfully passed step 1, try this command with sudo.

This should output something like this:

WARNING!
========
This will overwrite data on /dev/sda irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.

Mount the disk

OK so you have formatted your partition, but it doesn’t appear anywhere before you mount it. You can do this with the following command:

# Prefix with sudo if needed
cryptsetup luksOpen /dev/sda backup2

This should output something like:

[sudo] password for [username]: 
Enter passphrase for /dev/sda: 

To check if it’s mounted correctly, run:

ls -l /dev/mapper/backup2

Which should output:

lrwxrwxrwx 1 root root 7 Dec 21 11:55 /dev/mapper/backup2 -> ../dm-6

And if you want to double-check it:

# Prefix with sudo if needed
cryptsetup -v status backup2

Which gives you some information about the partition:

/dev/mapper/backup2 is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sda
  offset:  4096 sectors
  size:    3907025072 sectors
  mode:    read/write
Command successful.

Zeroing the disk

Now, if you’re using an existing harddisk, chances are there is still some old, unencrypted data on the disk. To clean this up, we can use /dev/zero to fill the hard drive with zeros. This is exactly what Debian does during it’s installation process. Normally zeroing wouldn’t be enough, but since we’ve encrypted the disk, the disk is now filled with “random” data.

sudo dd if=/dev/zero of=/dev/mapper/backup2 bs=1M status=progress

Outputs:

27105309184 bytes (27 GB, 25 GiB) copied, 457 s, 59.3 MB/s

This will take some time (in my case: 10493 seconds (~ 3 hours) for a 1TB SATA disk)

Creating the partition

Now the disk is encrypted and clean and it can be put to use. So let’s create a partition:

sudo mkfs.ext4 /dev/mapper/backup2

Outputs:

mke2fs 1.43.4 (31-Jan-2017)
Creating filesystem with 244190134 4k blocks and 61054976 inodes
Filesystem UUID: c35fc753-363a-4b19-be6a-818b8c1e000c
Superblock backups stored on blocks: 
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
    4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 
    102400000, 214990848

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done

Now you should see the drive on your desktop or in the file manager.

Optional: Setting a label

Instead of showing “1.0 TB Encrypted” it would be nice to set a name for your harddisk - especially if you have multiple encrypted disks of the same size. You can set a label with this command to make it a bit prettier:

sudo e2label /dev/mapper/backup2 backup-two

Getting access to the partition

One thing though.. because we might have used sudo (for access to cryptsetup) the drive is not yet accessible for our user account.
We will change the access to all ‘administrative’ users.

Navigate to the partition in your file manager. The location should look like /media/[your-username-here]/[some-complicated-dashed-string]/ in the location bar.

Now, open a Terminal:

cd /media/[your-username-here]/
sudo chgrp adm [some-complicated-dashed-string]
sudo chmod g+w [some-complicated-dashed-string]

This will change the partition’s group to adm and give this group write access.


Sources