DEV Community

Víctor Adrián

Originally published at lobotuerto.com

How to setup Full Disk Encryption on a secondary HDD in Linux

Let’s say that you get a brand new 2TB/4TB/8TB/XXTB HDD, and you want to use it as a safe backup device.

That means you want to encrypt everything you put in it.

So, assuming you’ve already installed the drive on your computer; let’s prepare it for FDE (Full Disk Encryption).

Correctly identify the drive name

Open a terminal and type:

sudo fdisk -l

You’ll see a list of storage devices connected to your computer and their partitions —if any.

You need to identify the one you just connected. It’s very easy if your devices are of different sizes, since the size accurately pinpoints the drive you want to work with.


PLEASE MAKE SURE you identify the drive correctly, as the following procedure will wipe EVERYTHING on it with NO RECOVERY chance. You’ve been warned!

I don’t have a brand new drive, but an old 2TB one.

For me, the data for this device using sudo fdisk -l looks like this:

Disk /dev/sda: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes

So, my drive is /dev/sda. Yours could be /dev/sdb, /dev/sdX or something else entirely.

It depends on your drive’s connection interface: Is it a SATA, IDE or an NVMe drive?

Pay careful attention.


You can also use the lsblk command to see a list of all block devices and their partitions:

lsblk

Example output:

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 1.8T 0 disk
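Before running the destructive steps that follow, a practitioner usually wants a scripted sanity check on the device name rather than a visual one. The following is an added example, not code from the original post: a small POSIX sh guard that refuses the target unless lsblk reports it as a whole disk with no mounted partitions. The function name and the sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): guard to run before the dd /
# fdisk / cryptsetup steps. Refuses a target unless it is a whole disk with
# nothing mounted from it. The check takes the lsblk listing as an argument
# so it can be exercised on constructed text; check_device feeds it real output.

# wipe_target_is_safe DEV LISTING
#   LISTING is the output of: lsblk -lno NAME,TYPE,MOUNTPOINT DEV
#   Returns 0 when DEV is a whole disk with no mounted partitions, else 1.
wipe_target_is_safe() {
    dev=$1
    listing=$2
    name=${dev#/dev/}
    # The first line describes the device itself; it must be of type 'disk',
    # not a partition such as /dev/sda1.
    set -- $(printf '%s\n' "$listing" | head -n 1)
    if [ "${1:-}" != "$name" ] || [ "${2:-}" != "disk" ]; then
        echo "refusing $dev: not a whole disk (type: ${2:-unknown})" >&2
        return 1
    fi
    # Any line with a third column is a filesystem mounted from this disk.
    printf '%s\n' "$listing" | while read -r n t mp; do
        if [ -n "$mp" ]; then
            echo "refusing $dev: /dev/$n is mounted at $mp" >&2
            exit 1
        fi
    done || return 1
}

# Live check against the running system, e.g.: check_device /dev/sda
check_device() {
    wipe_target_is_safe "$1" "$(lsblk -lno NAME,TYPE,MOUNTPOINT "$1")"
}

# Constructed listings in lsblk's format (not real output), for demonstration.
SAFE_LISTING='sda disk
sda1 part'
BUSY_LISTING='nvme0n1 disk
nvme0n1p1 part /boot/efi
nvme0n1p2 part /'

if [ -n "${1:-}" ]; then
    check_device "$1" && echo "$1 looks safe to wipe"
fi
```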

Write zeros to the drive

For security reasons, and to verify that there are no outstanding problems with your drive, it’s recommended to first write zeros all over it.

We’ll use the venerable dd command for that:

sudo dd if=/dev/zero of=/dev/sda bs=100M status=progress conv=fdatasync

When finished, you’ll see something like this:

2000368435200 bytes (2.0 TB, 1.8 TiB) copied, 12140 s, 165 MB/s
dd: error writing '/dev/sda': No space left on device
19078+0 records in
19077+0 records out
2000398934016 bytes (2.0 TB, 1.8 TiB) copied, 12259.6 s, 163 MB/s

The write speed varies a lot depending on the type of drive you have.

For me it’s an old 2TB drive connected through SATA.

It took 12259.6 seconds == 204.32 minutes == 3.4 hours to be filled with 0s.

Create the partition table

Let’s open the disk with fdisk.

sudo fdisk /dev/sda

You’ll see something along these lines:

Welcome to fdisk (util-linux 2.31.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xed42f188.

Command (m for help):

As you can see, it automatically created a DOS partition table for us.

Let’s change that to a GPT partition table. If you want to see the available options, enter m for help:

Command (m for help): m

Help:

  DOS (MBR)
   a toggle a bootable flag
   b edit nested BSD disklabel
   c toggle the dos compatibility flag

  Generic
   d delete a partition
   F list free unpartitioned space
   l list known partition types
   n add a new partition
   p print the partition table
   t change a partition type
   v verify the partition table
   i print information about a partition

  Misc
   m print this menu
   u change display/entry units
   x extra functionality (experts only)

  Script
   I load disk layout from sfdisk script file
   O dump disk layout to sfdisk script file

  Save & Exit
   w write table to disk and exit
   q quit without saving changes

  Create a new label
   g create a new empty GPT partition table
   G create a new empty SGI (IRIX) partition table
   o create a new empty DOS partition table
   s create a new empty Sun partition table

We can see we need to enter g for a GPT partition table.

Let’s do that, and then w to write the partition table to the /dev/sda disk:

Command (m for help): g
Created a new GPT disklabel (GUID: D12345B9-D963-44A4-448812B7...).

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

After the operation takes place, it’ll exit automatically.

Re-open the drive, and enter the following sequence of commands:

sudo fdisk /dev/sda
n
p
w
  1. n => New partition —accept all defaults, so it takes all the space available on the device
  2. p => Show partition info
  3. w => Write changes and exit

This is the output from the commands above:

Welcome to fdisk (util-linux 2.31.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): n
Partition number (1-128, default 1):
First sector (2048-3907029134, default 2048):
Last sector (2048-3907029134, default 3907029134):

Created a new partition 1 of type 'Linux filesystem' of size 1.8 TiB.

Command (m for help): p
Disk /dev/sda: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: D12345B9-D963-44A4-448812B7...

Device Start End Sectors Size Type
/dev/sda1 2048 3907029134 3907027087 1.8T Linux filesystem

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Now, if you look at your drive info with sudo fdisk -l you’ll see something like this:

Disk /dev/sda: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: D12345B9-D963-44A4-448812B7...

Device Start End Sectors Size Type
/dev/sda1 2048 3907029134 3907027087 1.8T Linux filesystem

All right! You can already use the drive as is if you don’t want it encrypted.

But I guess you are here for the cookies, so read on!

Encrypt the drive

It’s encryption time for the /dev/sda1 partition:

sudo cryptsetup -v -y luksFormat /dev/sda1

Type in a passphrase and confirm it.

Please take note and make sure you DO NOT forget this, or else you’ll never have access to your data again. You’ve been warned —again, I know. It’s that important.

Output from command above:

WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sda1:
Verify passphrase:
Command successful.

Create a new ext4 filesystem

Let’s unlock the partition:

sudo cryptsetup luksOpen /dev/sda1 encrypteddrive

You can change encrypteddrive to whatever name you fancy.

It’ll ask you for your passphrase —you have it handy, don’t you?


If everything is OK, you’ll see the drive listed under /dev/mapper, like this:

total 0
lrwxrwxrwx 1 root root 7 Jan 25 15:01 encrypteddrive -> ../dm-2

Now, let’s create an ext4 filesystem on it:

sudo mkfs.ext4 /dev/mapper/encrypteddrive

Output is like:

mke2fs 1.43.8 (1-Jan-2018)
Creating filesystem with 488377873 4k blocks and 122101760 inodes
Filesystem UUID: e227bc87-b2e4-44f4-bf8f-240e4d16bcc1
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736...

Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done

Mount the partition

Create the directory that you are going to use to interact with the drive:

mkdir ~/mynewdrive
sudo mount /dev/mapper/encrypteddrive ~/mynewdrive/
sudo chown -R $USER:$USER ~/mynewdrive/

That’s it!

Whatever you copy to ~/mynewdrive will be encrypted and safe once you unmount and close the drive.


Which leads us to…

Unmount and secure your data

To cleanly close the drive and secure your data, do this:

cd # make sure you are not inside the drive
sudo umount /dev/mapper/encrypteddrive
sudo cryptsetup luksClose /dev/mapper/encrypteddrive

Cannot unmount

umount: /home/yolo/mynewdrive: target is busy.

If you cannot unmount the drive, make sure you aren’t inside it, whether in a terminal or in a file browser.

You should also make sure you don’t have any running operations on it —like unfinished file copying, etc.

Remount the encrypted partition

How do you remount your drive at a later time?

sudo cryptsetup luksOpen /dev/sda1 encrypteddrive
sudo mount /dev/mapper/encrypteddrive ~/mynewdrive

Don’t forget to unmount and close it after you are finished with your backups!
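As an added example (not part of the original post), here are the unmount and remount steps above as a pair of shell helpers: the drive is opened by its LUKS UUID instead of /dev/sda1, since kernel device names can change between boots, and the close step reads /proc/mounts to find where the mapper device is mounted before unmounting. LUKS_UUID, the mapper name and the mount directory are assumptions you adjust to your setup.

```shell
#!/bin/sh
# Added example (not from the original post): open/close helpers for the LUKS
# backup drive. LUKS_UUID is a placeholder for the value printed by
#   sudo cryptsetup luksUUID /dev/sda1
# Opening via /dev/disk/by-uuid keeps working even if the kernel names the
# disk /dev/sdb instead of /dev/sda after a reboot or when a drive is added.
LUKS_UUID="00000000-0000-0000-0000-000000000000"   # placeholder, replace
MAPPER_NAME="encrypteddrive"
MOUNT_DIR="$HOME/mynewdrive"

# mountpoint_of DEVICE MOUNTS_TEXT
#   Prints where DEVICE is mounted according to MOUNTS_TEXT (/proc/mounts
#   format). /proc/mounts escapes spaces in paths as \040, so the path is
#   decoded with printf %b. Returns 1 when DEVICE is not mounted.
mountpoint_of() {
    dev=$1
    printf '%s\n' "$2" | {
        while read -r src target rest; do
            if [ "$src" = "$dev" ]; then
                printf '%b\n' "$target"
                exit 0
            fi
        done
        exit 1
    }
}

open_backup() {
    dev="/dev/disk/by-uuid/$LUKS_UUID"
    [ -e "$dev" ] || { echo "$dev not present" >&2; return 1; }
    sudo cryptsetup isLuks "$dev" || { echo "$dev is not LUKS" >&2; return 1; }
    mkdir -p "$MOUNT_DIR"
    sudo cryptsetup luksOpen "$dev" "$MAPPER_NAME" &&
        sudo mount "/dev/mapper/$MAPPER_NAME" "$MOUNT_DIR"
}

close_backup() {
    mapper="/dev/mapper/$MAPPER_NAME"
    if target=$(mountpoint_of "$mapper" "$(cat /proc/mounts)"); then
        # List what still holds the filesystem, so a "target is busy" failure
        # from umount points at the culprit (shell, file manager, copy job).
        sudo fuser -vm "$target" || true
        sudo umount "$target" || return 1
    fi
    sudo cryptsetup luksClose "$MAPPER_NAME"
}

# Constructed /proc/mounts excerpt (not real output); the backup mount
# directory here contains spaces, which /proc/mounts encodes as \040.
SAMPLE_MOUNTS='/dev/nvme0n1p2 / ext4 rw,relatime 0 0
/dev/mapper/encrypteddrive /home/yolo/my\040new\040drive ext4 rw,relatime 0 0'
```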

Discussion (10)

dsanchezseco

For security it's better to write the disk with /dev/urandom, as with zeroing it can be recoverable, at least on HDDs in which the bit partially retains the orientation.

Víctor Adrián Author

You are right, but I wanted to provide a compromise between security and time spent formatting the drive.

You can use /dev/urandom, but you need to be prepared to spend ~3 days waiting for the drive to be filled with random bits.

dsanchezseco

That's true, but it's always worth leaving a brick when resigning hahahahaha

Lazarus Lazaridis

Very useful, thanks!

Jochem Stoel

A little off topic, I know but how did you set a fb:image meta for your post?

Víctor Adrián Author

Er... I don't know? I just uploaded it and then set it as cover_image in the front matter list for this article.

Does that answer your question?

Jochem Stoel

It actually does, thank you. I was unaware of this variable.

Víctor Adrián Author

No problem, glad to be of help! :)

Can Nuhlar

Any tips on choosing a secure passphrase?

Víctor Adrián Author

Yes, of course, there is a XKCD for that!

xkcd.com/936/

Basically, don't trouble yourself with something hard to remember like this:

tH15-iz_my_pa55phras0rz

You should pick something easy to remember with multiple words like:

hey, you won't be able to guess this one even if you try, don't you agree?

... or something like that. :)