Let’s say that you get a brand new 2TB/4TB/8TB/XXTB HDD, and you want to use it as a safe backup device.
That means you want to encrypt everything you put in it.
So, assuming you’ve already installed the drive on your computer; let’s prepare it for FDE (Full Disk Encryption).
Correctly identify the drive name
Open a terminal and type:
sudo fdisk -l
You’ll see a list of storage devices connected to your computer and their partitions —if any.
You need to identify the one you just connected. It’s very easy if your devices are of different sizes, since that accurately pinpoint the drive you want to work with.
PLEASE MAKE SURE you identify the drive correctly, as the following procedure will wipe EVERYTHING on it with NO RECOVERY chance. You’ve been warned!
I don’t have a brand new drive, but an old 2TB one.
For me, the data for this device using sudo fdisk -l looks like this:
Disk /dev/sda: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
So, my drive is /dev/sda. Yours could be /dev/sdb, /dev/sdX or something else entirely.
It depends on your drive’s connection interface: Is it a SATA, IDE or an NVMe drive?
Pay careful attention.
You can also use the lsblk command to see a list of all block devices and their partitions:
lsblk
Example output:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 1.8T 0 disk
Write zeros to the drive
For security reasons, and to verify that there are no outstanding problems with your drive, first, it’s recommended to write zeros all over it.
We’ll use the venerable dd command for that:
sudo dd if=/dev/zero of=/dev/sda bs=100M status=progress conv=fdatasync
When finished, you’ll see something like this:
2000368435200 bytes (2.0 TB, 1.8 TiB) copied, 12140 s, 165 MB/s
dd: error writing '/dev/sda': No space left on device
19078+0 records in
19077+0 records out
2000398934016 bytes (2.0 TB, 1.8 TiB) copied, 12259.6 s, 163 MB/s
The write speed varies a lot depending on the type of drive you have.
For me it’s an old 2TB drive connected through SATA.
It took 12259.6 seconds == 204.32 minutes == 3.4 hours to be filled with 0s.
Create the partition table
Let’s open the disk with fdisk.
sudo fdisk /dev/sda
You’ll see something along these lines:
Welcome to fdisk (util-linux 2.31.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xed42f188.
Command (m for help):
As you can see, it automatically created a DOS partition table for us.
Let’s change that to a GPT partition table, if you want to see the available options enter m for help:
Command (m for help): m
Help:
DOS (MBR)
a toggle a bootable flag
b edit nested BSD disklabel
c toggle the dos compatibility flag
Generic
d delete a partition
F list free unpartitioned space
l list known partition types
n add a new partition
p print the partition table
t change a partition type
v verify the partition table
i print information about a partition
Misc
m print this menu
u change display/entry units
x extra functionality (experts only)
Script
I load disk layout from sfdisk script file
O dump disk layout to sfdisk script file
Save & Exit
w write table to disk and exit
q quit without saving changes
Create a new label
g create a new empty GPT partition table
G create a new empty SGI (IRIX) partition table
o create a new empty DOS partition table
s create a new empty Sun partition table
We can see we need to enter g for a GPT partition.
Let’s do that and then wto write the partition table to the /dev/sda disk:
Command (m for help): g
Created a new GPT disklabel (GUID: D12345B9-D963-44A4-448812B7...).
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
After the operation takes place, it’ll exit automatically.
Re-open the drive, and enter the following sequence of commands:
sudo fdisk /dev/sda
n
p
w
- n => New partition —accept all defaults, so it takes all the space available on the device
- p => Show partition info
- w => Write changes and exit
This is the output from the commands above:
Welcome to fdisk (util-linux 2.31.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): n
Partition number (1-128, default 1):
First sector (2048-3907029134, default 2048):
Last sector (2048-3907029134, default 3907029134):
Created a new partition 1 of type 'Linux filesystem' of size 1.8 TiB.
Command (m for help): p
Disk /dev/sda: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: D12345B9-D963-44A4-448812B7...
Device Start End Sectors Size Type
/dev/sda1 2048 3907029134 3907027087 1.8T Linux filesystem
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
Now, if you look at your drive info with sudo fdisk -l you’ll see something like this:
Disk /dev/sda: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: D12345B9-D963-44A4-448812B7...
Device Start End Sectors Size Type
/dev/sda1 2048 3907029134 3907027087 1.8T Linux filesystem
All right! You can already use the drive as is if you don’t want it encrypted.
But I guess you are here for the cookies, so read on!
Encrypt the drive
It’s encryption time for the /dev/sda1 partition:
sudo cryptsetup -v -y luksFormat /dev/sda1
Type in a passphrase and confirm it.
Please take-note/make-sure you DO NOT forget this, else you’ll never have access to your data again. You’ve been warned —again, I know. It’s that important.
Output from command above:
WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sda1:
Verify passphrase:
Command successful.
Create a new ext4 filesystem
Let’s unlock the partition:
sudo cryptsetup luksOpen /dev/sda1 encrypteddrive
You can change
encrypteddriveto whatever name you fancy.
It’ll ask you for your passphrase —you have it handy, don’t you?
If everything is OK, you’ll see the drive listed at /dev/mapper, like this:
total 0
lrwxrwxrwx 1 root root 7 Jan 25 15:01 encrypteddrive -> ../dm-2
Now, let’s create an ext4 filesystem on it:
sudo mkfs.ext4 /dev/mapper/encrypteddrive
Output is like:
mke2fs 1.43.8 (1-Jan-2018)
Creating filesystem with 488377873 4k blocks and 122101760 inodes
Filesystem UUID: e227bc87-b2e4-44f4-bf8f-240e4d16bcc1
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736...
Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done
Mount the partition
Create the directory that you are going to use to interact with the drive:
mkdir ~/mynewdrive
sudo mount /dev/mapper/encrypteddrive ~/mynewdrive/
sudo chown -R $USER:$USER ~/mynewdrive/
That’s it!
Whatever you copy to ~/mynewdrive will be encrypted and safe once you close and unmount the drive.
Which leads us to…
Unmount and secure your data
To cleanly close and secure your data you do this:
cd # make sure you are not inside the drive
sudo umount /dev/mapper/encrypteddrive
sudo cryptsetup luksClose /dev/mapper/encrypteddrive
Cannot unmount
umount: /home/yolo/mynewdrive: target is busy.
If you cannot unmount the drive make sure you aren’t inside it whether on a terminal or a file browser.
Should also make sure you don’t have any running operations on it —like unfinished file copying, etc.
Remount the encrypted partition
How do you remount your drive at a later time?
sudo cryptsetup luksOpen /dev/sda1 encrypteddrive
sudo mount /dev/mapper/encrypteddrive ~/mynewdrive
Don’t forget to unmount and close it after you are finished with your backups!
Top comments (10)
For security it's better to write the disk with
/dev/urandomas with zeroing it can be recoverable, at least HDDs in which the bit retains partially the orientation.You are right, but I wanted to provide a compromise between security and time spent formatting the drive.
You can use
/dev/urandombut need to be prepared to spent ~3 days waiting for the drive to be filled with random bits.That's true, but its always worthy leaving a brick when resigning hahahahaha
Very useful, thanks!
A little off topic, I know but how did you set a fb:image meta for your post?
Er... I don't know? I just uploaded it and then set it as cover_image in the front matter list for this article.
Does that answer your question?
It actually does, thank you. I was unaware of this variable.
No problem, glad to be of help! :)
Any tips on choosing a secure passphrase?
Yes, of course, there is a XKCD for that!
xkcd.com/936/
Basically, don't trouble yourself with something hard to remember like this:
tH15-iz_my_pa55phras0rzYou should pick something easy to remember with multiple words like:
hey, you won't be able to guess this one even if you try, don't you agree?... or something like that. :)