Add A Drive to Linux and Encrypt It

Do you use an external hard drive, USB Flash drive or other removable media for your personal or company backups? Let’s encrypt it!

My biggest concern with this scenario is this: what if someone steals it? What if you lose it and someone else picks it up? Your data is a free-for-all and the finder (or thief) can access anything on the drive.

In this post, I’ll teach you how to use the Linux terminal to encrypt the entire partition. We’ll learn to encrypt your drive in such a way that it requires a password to mount and access, plus we’ll learn how to use a key file to set up trusted systems, so when you plug it into your own machine or server, the drive auto-mounts without a password (just like normal).

To be clear, this tutorial is for Linux. macOS and Windows users can upgrade to Linux for free! :p

Video Companion

Part 1: Encrypt Your Removable Backup Drive in the Linux Terminal

Part 2: Auto Mount Your Encrypted Backup Drive Linux With or Without a GUI

Step-By-Step Instructions

Everything we’re about to do requires running the terminal as root.

In Debian, become root as follows:

In Ubuntu (and other “sudo”-based environments):

First things first:
Create a partition on your device, which we'll call /dev/whatever1. If you run luksFormat against the device itself (as opposed to a partition on the device) you will receive the error "no key available with this passphrase" when you try to run luksOpen, and will not be able to open the volume. If you accidentally do that, you can use a partition editor like gparted to change the drive to "unallocated" and try again.

Install cryptsetup:

Make the drive encrypted (destructive), 512-bit:

Show result:

Map the drive:

This will ask you for the passphrase and then create a new mapper at /dev/mapper/backup.

The reason I first go to /tmp is just in case there is a ./backup folder where I am currently situated within the filesystem. This could cause problems, so moving to /tmp removes the risk (unless there is a /tmp/backup, of course).

Create the filesystem (format):

You can now test mounting the drive if you like:

Create a key file so you can auto-mount the drive (without having to enter the passphrase). Only root should have access to this file:

Add the keyfile to our LUKS drive:

Enter your passphrase when prompted.

Do another dump and you should now see Key Slot 1 has a key (from your key file):

Now we need to determine the UUID of your LUKS-encrypted partition. This will be different than the actual physical UUID, so we have to use cryptsetup to find it:


Set up a crypttab entry:

Add the following:

Start the crypto disk (replace backup with whatever you called it in the crypttab file):

Create your permanent mountpoint wherever you’d like and make it so you can’t write to it unless it’s mounted. For my example I’ll place it in /home/robbie/backup.

Open your fstab file for editing:

Add your encrypted partition to the permanent mountpoint by adding this line:

nofail means if the drive is not present, keep booting. noatime means access times are not updated when a file is read (read operations are read only: don’t use resources or reduce the life of the drive with write operations when not necessary). Our x-systemd.device-timeout setting means the mount will skip the drive if it is not plugged in after 5 seconds. The default is 90 so this speeds up boot big time.

Test to make sure everything worked:

Do not reboot until you get a good result. 😀
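Before rebooting, the key file, the crypttab entry and the fstab line from the steps above can be checked together. The script below is an added example, not part of the original post: the function names are hypothetical, and it assumes GNU stat, the standard crypttab field order (name, source, key file, options) and an fstab entry that refers to the volume as /dev/mapper/NAME.

```shell
#!/bin/sh
# Added example (not from the original post): audit the auto-mount setup.
# File paths are arguments so copies can be checked; defaults are the real files.

# key_file_private FILE [UID]: owned by UID (default 0, root), no group/other bits.
key_file_private() (
    [ -f "$1" ] || exit 1
    [ "$(stat -c '%u' "$1")" = "${2:-0}" ] || exit 1
    case "$(stat -c '%a' "$1")" in
        0|*00) exit 0 ;;
        *) exit 1 ;;
    esac
)

# crypttab_field NAME N [FILE]: print field N of NAME's entry.
crypttab_field() {
    awk -v n="$1" -v f="$2" '$1 == n { print $f; exit }' "${3:-/etc/crypttab}"
}

# fstab_opts DEVICE [FILE]: print the mount options (4th field) for DEVICE.
fstab_opts() {
    awk -v d="$1" '$1 == d { print $4; exit }' "${2:-/etc/fstab}"
}

# has_opt OPTS NAME: true if comma-separated OPTS holds NAME or NAME=value.
has_opt() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_backup_mount NAME [CRYPTTAB] [FSTAB] [UID]: one line per problem, 0 if clean.
audit_backup_mount() (
    name=$1; ctab=${2:-/etc/crypttab}; ftab=${3:-/etc/fstab}; uid=${4:-0}; rc=0
    src=$(crypttab_field "$name" 2 "$ctab")
    key=$(crypttab_field "$name" 3 "$ctab")
    opts=$(fstab_opts "/dev/mapper/$name" "$ftab")
    case "$src" in UUID=?*) ;; *) echo "crypttab: '$name' missing or not UUID="; rc=1 ;; esac
    key_file_private "$key" "$uid" || { echo "key file '$key' missing or not owner-only"; rc=1; }
    [ -n "$opts" ] || { echo "fstab: no entry for /dev/mapper/$name"; rc=1; }
    has_opt "$opts" nofail || { echo "fstab: nofail missing"; rc=1; }
    has_opt "$opts" x-systemd.device-timeout || { echo "fstab: device timeout unset"; rc=1; }
    exit "$rc"
)

# Usage: sh audit.sh backup   (run as root against the live files)
if [ "$#" -gt 0 ]; then audit_backup_mount "$@"; fi
```

A non-zero exit status means at least one of the checks printed a problem; fix it and re-run before rebooting.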

Side note: If the drive is a USB drive, make sure you disable usbcore autosuspend, which will periodically turn off your USB, thereby breaking your mountpoint. On Debian I did this by editing /etc/default/grub and adding usbcore.autosuspend=-1 to GRUB_CMDLINE_LINUX_DEFAULT - you can confirm it worked by rebooting and then typing: cat /sys/module/usbcore/parameters/autosuspend - Here is some great info for other distros:
