After some experiences of re-partitioning my laptop, breaking my partition table and subsequently spending sleepless night(s) trying to recover as many files as possible, I became more conscientious in doing backups.
Best practice is to use multiple media and locations. I am using a combination of cloud backups, archive BluRays (Verbatim M-Disc) and external hard disks.
Naturally, my laptop’s hard drive is encrypted, so it does not make much sense to store an unencrypted backup of the hard disc side by side with my laptop. Therefore, I decided to also encrypt the external hard discs which I use for backups.
Windows users use BitLocker, Linux users use LUKS (and I have more trust in open source software when it comes to security). So here is how I encrypt my external hard disc:
1. Identify the correct device: First I connect my brand new hard disc to the computer. For the next steps it is very important to identify the correct device and not accidentally wipe the wrong hard disc. This command can help:
root@server:~# lsblk -Sfo +size
Here is an example output:
root@server:~# lsblk -Sfo +size
NAME HCTL TYPE VENDOR MODEL REV SERIAL TRAN FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS SIZE
sda 4:0:0:0 disk ATA ST800 SC61 ZA14VC sata 7,3T
sdb 5:0:0:0 disk ATA ST800 SC61 ZA14TM sata 7,3T
sdc 6:0:0:0 disk WD WDC W 1031 8LHNGP usb crypto 2 db3180e3-ed9b-4113-8051-42af5e4d8cc3 16,4T
You can see that I have four HDDs connected to my computer (the listing above is cut off after sdc). The first two (sda and sdb) are my internal RAID 1 drives; sdc and sdd are two external USB drives which I have already encrypted with LUKS.
2. Wipe it: For the following we will work with the external drive sdc. If it is a brand new drive, it is typically formatted by the vendor and contains some files such as manuals or software provided by the vendor. I don’t use these and want to start with a blank drive, so let’s wipe all content first.
To delete existing partitions you can use fdisk:
root@server:~# fdisk /dev/sdc
Once in the fdisk console, you can display all existing partitions with “p” and delete partitions with “d”. Once you are finished, the changes have to be written to the disc with the “w” command.
If the disc has already been used (unencrypted) before, it contains some old data. You can overwrite all old data with random data before proceeding, but this can take hours:
root@server:~# dd bs=2M if=/dev/urandom of=/dev/sdc
Since I started with a new drive, I skipped this step.
3. Encrypt it: Next we can encrypt the drive:
root@server:~# cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 -y /dev/sdc
Since cryptsetup ≥ 2.1.0, LUKS2 is used by default. You can check this:
root@server:~# cryptsetup luksDump /dev/sdc
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           db3180e3-ed9b-4113-8051-42af5e4d8cc3
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  5
        Memory:     1048576
        Threads:    4
        Salt:       11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
                    11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
        AF stripes: 4000
        AF hash:    sha512
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha512
        Iterations: 202584
        Salt:       11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
                    11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
        Digest:     11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
                    11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
                    11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
                    11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
As you can see, I created a LUKS2 volume.
4. Backup: Just in case the LUKS header gets damaged, it’s a good idea to back up the header and store it separately:
root@server:~# cryptsetup luksHeaderBackup /dev/sdc --header-backup-file LUKS_header_sdc_WDElements.bak
5. Create a file system: First we need to open the newly created LUKS device:
root@server:~# cryptsetup luksOpen /dev/sdc luks_wdelements
The device is now accessible as a virtual device under /dev/mapper/luks_wdelements and can be treated like a “normal” unencrypted device.
I am using a standard ext4 file system, so let’s create one:
root@server:~# mkfs.ext4 /dev/mapper/luks_wdelements
Now we can mount it:
root@server:~# mount /dev/mapper/luks_wdelements /mnt
6. Use the drive: Now you can use it, e.g. copy files to the drive. It is accessible under /mnt.
7. Close and unmount: Once done, you can unmount the filesystem and close the LUKS device:
root@server:~# umount /dev/mapper/luks_wdelements
root@server:~# cryptsetup luksClose /dev/mapper/luks_wdelements
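As an added example (my own script, not from the original post), here is a small Bash wrapper around steps 1 and 3 to 5: before it formats anything, it cross-checks the device name against the serial printed on the drive, refuses disks that are not attached via USB, and refuses disks that still have a mounted filesystem. The function names, the serial/mount checks and the DRY_RUN switch are my additions; the cryptsetup and mkfs commands are the ones used above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a guarded wrapper around steps 1
# and 3 to 5. It refuses to touch a disk unless the serial printed on the drive
# matches what lsblk reports, the disk hangs off USB, and nothing from it is
# mounted. DRY_RUN=1 prints the commands instead of running them.
set -eu

# Is anything mounted from /dev/$1 or one of its partitions? $2 is the content
# of /proc/mounts (read from the running system when omitted).
is_mounted() {
    local dev=$1 mounts=${2:-}
    [ -n "$mounts" ] || mounts=$(cat /proc/mounts)
    printf '%s\n' "$mounts" | grep "^/dev/${dev}[0-9p]* " >/dev/null
}

# Decide whether $1 (e.g. sdc) is the disk we mean. $2 is the expected serial,
# $3 the output of "lsblk -Sno NAME,SERIAL,TRAN" and $4 /proc/mounts content
# (both captured live when omitted). Prints a reason and returns 1 on refusal.
check_target() {
    local dev=$1 serial=$2 listing=${3:-} mounts=${4:-} line
    [ -n "$listing" ] || listing=$(lsblk -Sno NAME,SERIAL,TRAN)
    line=$(printf '%s\n' "$listing" | awk -v d="$dev" '$1 == d')
    [ -n "$line" ] || { echo "refuse: $dev not found"; return 1; }
    set -- $line                       # $1=NAME $2=SERIAL $3=TRAN
    [ "${2:-}" = "$serial" ] || { echo "refuse: $dev has serial ${2:-?}, expected $serial"; return 1; }
    [ "${3:-}" = "usb" ] || { echo "refuse: $dev is attached via ${3:-?}, not usb"; return 1; }
    ! is_mounted "$dev" "$mounts" || { echo "refuse: $dev has a mounted filesystem"; return 1; }
    echo "ok: $dev ($serial, usb)"
}

# Execute a command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Steps 3 to 5 from the post on /dev/$1, with the LUKS mapping named $2.
encrypt_disk() {
    local dev=$1 name=$2
    run cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 -y "/dev/$dev"
    run cryptsetup luksHeaderBackup "/dev/$dev" --header-backup-file "LUKS_header_${dev}_${name}.bak"
    run cryptsetup luksOpen "/dev/$dev" "$name"
    run mkfs.ext4 "/dev/mapper/$name"
    run mount "/dev/mapper/$name" /mnt
}

# Usage: sudo ./luks-external.sh sdc 8LHNGP luks_wdelements
if [ $# -eq 3 ]; then
    check_target "$1" "$2"
    encrypt_disk "$1" "$3"
fi
```

Run it once with DRY_RUN=1 to see exactly which device the commands would hit before letting it format anything.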