Encrypting an external hard drive on Debian (Squeeze)

Post by fsmithred » March 7th, 2011, 2:59 pm

This guide assumes that you have some familiarity with using the command line, know how to become root, and know how to partition a drive. (You might not need to partition the drive, but it's better if you know how.)


Install cryptsetup with your favorite package manager.
If you're using cryptsetup immediately after installing it (without rebooting first) then also do:
Code:
modprobe -v dm-mod

I'll assume that the external drive is /dev/sdb, and you're going to encrypt the first partition on the drive (/dev/sdb1). You'll need to replace that with the correct name for your drive. To find out the correct device name for your drive, run one or both of these commands after you plug the drive into your computer. You should check this right before you do the encryption, in case the drive does not get the same name every time you plug it in. (I've seen that happen.)
(as normal user)
Code:

(as root)
Code:
fdisk -l

IMPORTANT: The next commands will erase any data on the drive. Do not err.

If there's already data on the drive that you want to keep, you'll need to copy it to another drive first.

You need a Linux partition on the drive. If you don't have one already, you can partition the drive with gparted (graphical) or cfdisk (in a terminal) or your favorite partitioning tool. If you've never partitioned a drive, search the web for gparted instructions, and you'll find nice pictures for all the steps. Don't worry about which filesystem format to use now. That'll get done with a command in a later step.

Wipe the drive

There are a couple of considerations here. If you previously had sensitive data on the drive, you need to do something to obscure that data. Deleting it is not enough. You need to overwrite it with something. The fast and easy way is to write zeros to the drive, and the more secure way is to write random data. Using random data will make it so that nobody can tell where the files are on the drive. If you don't do this, your data will still be encrypted, but anyone trying to decrypt the data will have less work to do. And if you have more than one partition, moving the data from the unencrypted partition to the encrypted one is not good enough. You'd still need to wipe the data that was on the unencrypted part.

You can just overwrite a partition, or you could overwrite the entire drive. If you do the latter, you'll need to repartition the drive afterward. To overwrite an entire drive, leave the partition number off of the device name in one of the following dd commands (e.g. /dev/sdb instead of /dev/sdb1).

Writing zeros to a partition (faster, less secure):
Code:
dd if=/dev/zero of=/dev/sdb1

Writing random data (slower, more secure):
Code:
dd if=/dev/urandom of=/dev/sdb1

This will take a while. If the partition is measured in hundreds of gigabytes, find something else to do until tomorrow, or maybe longer. (Not kidding.)

Create an encrypted volume

(as root):
Code:
cryptsetup luksFormat /dev/sdb1

You'll be asked for a pass phrase at this point. Make sure you remember it. There's no way to retrieve or change a lost pass phrase.

Open the encrypted volume:
Code:
cryptsetup luksOpen /dev/sdb1 <name>

<name> is a temporary name you give to the partition. It only exists until you close the volume. Avoid special characters and spaces.

Create a filesystem:
Code:
mke2fs -t ext4 /dev/mapper/<name>

You can use ext3 if you prefer, or even ext2 if it's a small thumb drive.

Mount the filesystem:
Code:
mount /dev/mapper/<name> /mnt

/mnt could be any mountpoint you want.

Give yourself ownership of the filesystem:
Code:
chown -R user:user /mnt

where "user" is your user name.

You can now copy files to the encrypted drive.

When you're finished, unmount the drive and close the encrypted volume.
Code:
umount /mnt
cryptsetup luksClose <name>

You're done.

Using it

Next time you want to use the drive, plug it in. If you're lucky, your desktop environment will pop up a window asking for the pass phrase. Then you can mount/unmount it with a file manager. (Usually by right-clicking on the icon for the drive.)

If you need to do it from the command line, you already know the commands (as root):
Code:
cryptsetup luksOpen /dev/sdb1 <name>
mount /dev/mapper/<name> /mnt

umount /mnt
cryptsetup luksClose <name>
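
The guide says to check the device name right before the destructive steps. The following is an added example, not part of the original post, of a pre-flight check to run against the target before dd or luksFormat. The function names and the optional mounts-file argument are assumptions of this example; it refuses a target that is unreadable, mounted, or already carries the LUKS header magic.

```shell
#!/bin/sh
# Added example: checks to run against the target right before dd / luksFormat.
# Function names and the optional mounts-file argument are this example's own.

# Print the first 6 bytes of a device or image file as lowercase hex.
header_magic() {
    head -c 6 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeed if the target starts with the LUKS magic: "LUKS" 0xBA 0xBE.
is_luks() {
    [ "$(header_magic "$1")" = "4c554b53babe" ]
}

# Succeed if the target, or a partition of it, is a mounted source.
# Prefix match is deliberately conservative: /dev/sdb also matches /dev/sdb1.
# $2 defaults to /proc/mounts; another file can be passed for testing.
is_mounted() {
    awk -v dev="$1" 'index($1, dev) == 1 { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# Print a verdict; return 0 only if nothing argues against overwriting.
preflight() {
    if [ ! -b "$1" ] && [ ! -f "$1" ]; then
        echo "REFUSE: $1 is not a block device or image file"; return 1
    fi
    if [ ! -r "$1" ]; then
        echo "REFUSE: cannot read $1 (run as root)"; return 1
    fi
    if is_mounted "$1" "${2:-/proc/mounts}"; then
        echo "REFUSE: $1 (or a partition on it) is mounted"; return 1
    fi
    if is_luks "$1"; then
        echo "REFUSE: $1 already holds a LUKS header"; return 1
    fi
    echo "OK: $1 is not mounted and has no LUKS header"
}

# Run as root, e.g.: sh preflight.sh /dev/sdb1
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

An "OK" verdict only rules out these three conditions; it does not confirm that the device name belongs to the drive you intend to erase.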