If you’re like me, you’ve set up full-disk encryption during your installation. But what if you want to encrypt your backups and USB sticks too?
In this post I’ll share how I did it.
So you want to encrypt your disk. Please note that formatting or encrypting the wrong partition may ruin your system. This is why I recommend installing GParted so you are absolutely sure you’re using the right disk.
sudo apt install gparted
In GParted you should be able to recognise the partition you would like to encrypt. In my case this was
At the time of writing, LUKS encryption drives are not supported by GParted. Therefore we will do it manually, very similar to how it’s done if you would enable full-disk encryption during your Debian installation.
We will be using
cryptsetup for this. First, check if it exists on your system.
This should show the cryptsetup manual. If not, please install
cryptsetup before proceeding (
sudo apt install cryptsetup).
DO NOT PROCEED if you don’t know what formatting means or if you’re uncomfortable with using the command line.
Enter this command to format your partition:
cryptsetup -y -v luksFormat [your partition here]
[your partition here] with your partition, e.g.
If this doesn’t work, but you have successfully passed step 1, try this command with
This should output something like this:
WARNING! ======== This will overwrite data on /dev/sda irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful.
OK so you have formatted your partition, but it doesn’t appear anywhere before you mount it. You can do this with the following command:
# Prefix with sudo if needed cryptsetup luksOpen /dev/sda backup2
This should output something like:
[sudo] password for [username]: Enter passphrase for /dev/sda:
To check if it’s mounted correctly, run:
ls -l /dev/mapper/backup2
Which should output:
lrwxrwxrwx 1 root root 7 Dec 21 11:55 /dev/mapper/backup2 -> ../dm-6
And if you want to double-check it:
# Prefix with sudo if needed cryptsetup -v status backup2
Which gives you some information about the partition:
/dev/mapper/backup2 is active. type: LUKS1 cipher: aes-xts-plain64 keysize: 256 bits device: /dev/sda offset: 4096 sectors size: 3907025072 sectors mode: read/write Command successful.
Now, if you’re using an existing harddisk, chances are there is still some old, unencrypted data on the disk. To clean this up, we can use
/dev/zero to fill the hard drive with zeros. This is exactly what Debian does during it’s installation process. Normally zeroing wouldn’t be enough, but since we’ve encrypted the disk, the disk is now filled with “random” data.
sudo dd if=/dev/zero of=/dev/mapper/backup2 bs=1M status=progress
27105309184 bytes (27 GB, 25 GiB) copied, 457 s, 59.3 MB/s
This will take some time (in my case: 10493 seconds (~ 3 hours) for a 1TB SATA disk)
Now the disk is encrypted and clean and it can be put to use. So let’s create a partition:
sudo mkfs.ext4 /dev/mapper/backup2
mke2fs 1.43.4 (31-Jan-2017) Creating filesystem with 244190134 4k blocks and 61054976 inodes Filesystem UUID: c35fc753-363a-4b19-be6a-818b8c1e000c Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 102400000, 214990848 Allocating group tables: done Writing inode tables: done Creating journal (262144 blocks): done Writing superblocks and filesystem accounting information: done
Now you should see the drive on your desktop or in the file manager.
Instead of showing “1.0 TB Encrypted” it would be nice to set a name for your harddisk - especially if you have multiple encrypted disks of the same size. You can set a label with this command to make it a bit prettier:
sudo e2label /dev/mapper/backup2 backup-two
One thing though.. because we might have used
sudo (for access to cryptsetup) the drive is not yet accessible for our user account.
We will change the access to all ‘administrative’ users.
Navigate to the partition in your file manager. The location should look like
/media/[your-username-here]/[some-complicated-dashed-string]/ in the location bar.
Now, open a Terminal:
cd /media/[your-username-here]/ sudo chgrp adm [some-complicated-dashed-string] sudo chmod g+w [some-complicated-dashed-string]
This will change the partition’s group to
adm and give this group write access.