When it comes to protecting digital information, encryption is not optional; likewise, when it comes to preserving digital information, making backups is not optional. Happily, it is a breeze to do both with free software. Here are the steps I followed to set up an external hard drive with full-disk encryption (dm-crypt/LUKS) on my Debian GNU/Linux system.
Before You Begin
Doing this irrecoverably destroys all the data on the chosen drive, so proceed with care. Read the man pages to learn more about each command and how to modify them to suit your needs. Note that although it would be silly to make encrypted backups of unencrypted data, this process works whether or not the data on the machine is itself encrypted.
0: Overwrite External Drive
Make sure you have backed up everything you want to keep, because after overwriting the drive you won’t be getting it back.
Once your external HDD is plugged in, use fdisk and mount to see what it is called and whether or not it is mounted. You should see something like this:
$ sudo fdisk -l
...
Disk /dev/sdc: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x5c74ae42

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1       30401   244196001    c  W95 FAT32 (LBA)
My 250GB external drive is /dev/sdc, so I will use this path throughout the post. Modify the path in your commands as necessary. Make sure any filesystems on the device are unmounted, and then we're ready to nuke it.
Filling the disk with random data accomplishes two things: First, it irrecoverably deletes any data on the drive. Second, it helps hide the fact that encryption is being used and makes it more difficult for an attacker to determine where the encrypted data ends and where the random data begins. There are many tools to choose from, in particular shred, wipe, dd, and badblocks. Consult the Internet and the man pages for specifics on these commands. I chose to use badblocks:
# badblocks -c 10240 -swt random -v /dev/sdc
I’m sure this made the drive reasonably random, but the other three commands (shred, wipe and dd) are better suited to higher-security erasure. The trade-off is that they may take a lot more time. badblocks itself took several hours to overwrite my 250GB HDD. Use your best judgment.
1: Partition the Disk
Now that there is nothing but noise on the drive, we can create a new partition. Use fdisk as root to set up the partition table (use gparted if you prefer a GUI).
# fdisk /dev/sdc
The commands you will need in fdisk include:
p – print partition table
n – create new partition
q – quit without saving
w – write new partition table and exit
You should now have a partition called something like /dev/sdc1. Once you have partitioned the disk, it is time to set up encryption.
2: Encrypt the Disk
Initialize the LUKS partition and set its password:
# cryptsetup --verbose --verify-passphrase luksFormat /dev/sdc1
This will ask for a password and set up the encrypted volume.
Now you may use your password to open the device:
# cryptsetup luksOpen /dev/sdc1 sdc
3: Create Filesystem
At this point the unlocked volume is available as /dev/mapper/sdc and behaves like any other block device. You need to create a filesystem on it before you can use it. I chose ext4, but there are naturally other options:
# mkfs.ext4 -j /dev/mapper/sdc
If all went well, you may mount the new filesystem and use it like any other:
# mount /dev/mapper/sdc /media/mountpoint
To close the disk, unmount the filesystem and disconnect from LUKS:
# umount /media/mountpoint
# cryptsetup luksClose sdc
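A guarded wrapper for steps 0 to 3, added here as an example and not taken from the post or the infectedtech.org wiki. It assumes a whole-disk path such as /dev/sdc whose first partition is /dev/sdc1 and a /proc/mounts-style table (MOUNTS overrides it for testing); it defaults to a dry run that only prints the commands, and refuses to proceed when the target still has mounted filesystems or holds the root filesystem.

```shell
#!/bin/sh
# Added example, not from the original post: a guarded wrapper around the
# badblocks / fdisk / luksFormat / luksOpen / mkfs steps. Assumes a whole-disk
# path such as /dev/sdc whose first partition is /dev/sdc1 (sdX naming only)
# and a /proc/mounts-style table; MOUNTS overrides the table for testing.
set -eu
MOUNTS=${MOUNTS:-/proc/mounts}

# True (exit 0) when DEV or one of its partitions is currently mounted.
device_is_mounted() {
    grep -Eq "^$1[0-9]* " "$MOUNTS"
}

# True (exit 0) when DEV or one of its partitions is mounted on / (never wipe it).
holds_root() {
    grep -Eq "^$1[0-9]* / " "$MOUNTS"
}

# Print the command in dry-run mode (the default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Refuse unsafe targets, then replay the post's sequence for DEV.
encrypt_external_disk() {
    dev=$1
    part="${dev}1"             # /dev/sdc -> /dev/sdc1
    name=$(basename "$dev")    # /dev/sdc -> mapper name "sdc", as in the post
    if holds_root "$dev"; then
        echo "refusing: $dev holds the root filesystem" >&2; return 2
    fi
    if device_is_mounted "$dev"; then
        echo "refusing: $dev still has mounted filesystems" >&2; return 1
    fi
    run badblocks -c 10240 -swt random -v "$dev"
    run fdisk "$dev"
    run cryptsetup --verbose --verify-passphrase luksFormat "$part"
    run cryptsetup isLuks "$part"          # confirm the LUKS header was written
    run cryptsetup luksOpen "$part" "$name"
    run mkfs.ext4 -j "/dev/mapper/$name"
}

# Usage (as root, once the dry run looks right): DRY_RUN=0 sh encrypt-external.sh /dev/sdc
if [ "$#" -gt 0 ]; then
    encrypt_external_disk "$1"
fi
```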
Using the Encrypted Drive
Disconnect the USB plug and then plug it back in. I was pleasantly surprised by a user-friendly password prompt from GNOME that takes care of the rest.
Now you may back up data to your external drive knowing that your files are secure. I used rsync to back up my /home directory, but the possibilities are endless.
References
I collected most of these steps from the wiki at infectedtech.org.
