Add A Drive to Linux and Encrypt It

We’re going to be featuring encrypted removable backups on Category5 Technology TV, and here’s a quick list of the steps we’ll be using to prepare the hard drive.

Everything we’re about to do requires running terminal as root.

In Debian, become root as follows:

In Ubuntu (and other “sudo”-based environments):

First things first:
Create a partition on your device, which we'll call /dev/whatever1. If you run luksFormat against the device itself (as opposed to a partition on the device) you will receive the error "no key available with this passphrase" when you try to run luksOpen, and will not be able to open the volume. If you accidentally do that, you can use a partition editor like gparted to change the drive to "unallocated" and try again.

Install cryptsetup:

Make the drive encrypted (destructive), 512-bit :

Show result:

Map the drive:

This will ask you for the passphrase and then creates a new mapper at /dev/mapper/backup

The reason I first go to /tmp is just in case there is a ./backup folder where I am currently situated within the filesystem. This could cause problems, so moving to /tmp removes the risk (unless there is a /tmp/backup, of course).

Create the filesystem (format):

You can now test mounting the drive if you like:

Create a key file so you can auto-mount the drive (without having to enter the keyphrase). Only root should have access to this file:

Add the keyfile to our LUKS drive:

Enter your passphrase when prompted.

Do another dump and you should now see Key Slot 1 has a key (from your key file):

Now we need to determine the UUID of your LUKS-encrypted partition. This will be different than the actual physical UUID, so we have to use cryptsetup to find it:


Setup a crypttab entry:

Add the following:

Start the crypto disk (replace backup with whatever you called it in the crypttab file):

Create your permanent mountpoint wherever you’d like and make it so you can’t write to it unless it’s mounted. For my example I’ll place it in /home/robbie/backup

Open your fstab file for editing:

Add your encrypted partition to the permanent mountpoint by adding this line:

nofail means if the drive is not present, keep booting. noatime means access times are not updated when a file is read (read operations are read only: don’t use resources or reduce the life of the drive with write operations when not necessary). Our x-systemd.device-timeout setting means the mount will skip the drive if it is not plugged in after 5 seconds. The default is 90 so this speeds up boot big time.

Test to make sure everything worked:

Do not reboot until you get a good result. ūüėÄ

Side note: If the drive is a USB drive, make sure you disable usbcore autosuspend, which will periodically turn off your USB, thereby breaking your mountpoint. On Debian I did this by editing /etc/default/grup and adding usbcore.autosuspend=-1 to GRUB_CMDLINE_LINUX_DEFAULT Рyou can confirm it worked by rebooting and then typing: cat /sys/module/usbcore/parameters/autosuspend РHere is some great info for other distros:

Leave a Reply

Be the First to Comment!

Notify of