Disk encryption
I recently set up a Samba share on a Raspberry Pi on my home network. As part of that, I used a 5 TB Western Digital My Passport Ultra as the storage layer. I wanted to encrypt it since it’s going to store a lot of personal content. That way, I won’t have to worry about leaking any of that data if I lose the disk.
The following post lists the Linux commands I used to turn on that encryption. And while I tried this on a Raspberry Pi, the commands are generic and should work on any Linux system.
Note: While you can also use LUKS to encrypt the Raspberry Pi’s boot disk, I haven’t tried that myself.
One-time setup
New hard drive
# Load the device-mapper crypto target and the sha256 hash module (-a loads several modules at once).
sudo modprobe -a dm-crypt sha256
# Supply a strong password for the following.
# See note below before using `/dev/sda1`.
sudo cryptsetup --verify-passphrase luksFormat /dev/sda1
# Unlock the container; it appears as /dev/mapper/cryptdrive.
sudo cryptsetup luksOpen /dev/sda1 cryptdrive
# I used ext4 format (as opposed to NTFS or FAT) as that works better on Linux.
sudo mkfs -t ext4 -m 1 /dev/mapper/cryptdrive
sudo mkdir /media/unencrypted_drive
sudo mount /dev/mapper/cryptdrive /media/unencrypted_drive/
# Change to a non-root owner.
sudo chown pi:pi /media/unencrypted_drive/
Old encrypted hard drive on a new computer
sudo modprobe -a dm-crypt sha256
# See note below before using `/dev/sda1`.
sudo cryptsetup luksOpen /dev/sda1 cryptdrive
sudo mkdir /media/unencrypted_drive
sudo mount /dev/mapper/cryptdrive /media/unencrypted_drive/
Note
- Check the following before using `/dev/sda1`: Run `lsblk`. If you see the hard drive at `/dev/sdb1` or something (instead of `/dev/sda1`), try rebooting once and check again.
- Defaults for `luksFormat` are listed here and are good enough.
- The device should be unmounted before running this.
This is how it should look now:
pi@raspberrypi:~ $ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 14.9G 0 disk
└─sda1 8:1 0 14.9G 0 part
└─cryptdrive 254:0 0 14.9G 0 crypt /media/unencrypted_drive
Auto-mount using a keyfile
The following will ensure that the encrypted partition is unlocked and auto-mounted on system startup.
# For a drive set up by Openmediavault, only the first 4 lines are needed. Also, replace "/dev/sda1" with something like "/dev/disk/by-uuid/xxx" where
# you'll find the right value of "xxx" by doing: "ls -alh /dev/disk/by-uuid/"
# 4 KiB of random bytes as the keyfile. It lives on the Pi's own (unencrypted) SD card, so this
# guards against losing the USB disk by itself, not against losing the whole Pi together with it.
sudo dd if=/dev/urandom of=/home/pi/cryptsetup.keyfile bs=1024 count=4
# Root-only, read-only: root reads it at boot; nobody else needs it.
sudo chmod 400 /home/pi/cryptsetup.keyfile
sudo cryptsetup luksAddKey /dev/sda1 /home/pi/cryptsetup.keyfile
# crypttab fields: <mapper name> <device> <keyfile> <options>
echo "cryptdrive /dev/sda1 /home/pi/cryptsetup.keyfile luks" | sudo tee -a /etc/crypttab
# The following should work even if the disk is absent at boot time but I haven't tested that yet.
echo "/dev/mapper/cryptdrive /media/unencrypted_drive/ ext4 defaults,nofail 0 0" | sudo tee -a /etc/fstab
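As an added example that is not part of the original post, the same auto-mount step as a small script: it resolves the stable `/dev/disk/by-uuid/...` path the comment above recommends (via `cryptsetup luksUUID`) instead of hard-coding `/dev/sda1`, and refuses a keyfile that anyone but its owner can read. The mapper name, keyfile path and mountpoint are the ones used in the post.

```shell
#!/bin/sh
# Added helper script (not from the original post). Builds the /etc/crypttab and
# /etc/fstab entries from the LUKS UUID so the entries survive the disk showing
# up as /dev/sdb1 instead of /dev/sda1 after a reboot.
set -eu

# Print the UUID of the LUKS container on a device (runs cryptsetup, needs root).
luks_uuid() {
    sudo cryptsetup luksUUID "$1"
}

# crypttab: <name> <device> <keyfile> <options>; $1 = mapper name, $2 = UUID, $3 = keyfile
crypttab_line() {
    printf '%s /dev/disk/by-uuid/%s %s luks\n' "$1" "$2" "$3"
}

# fstab: <mapper device> <mountpoint> <fstype> <options> <dump> <pass>
# nofail keeps the boot going when the external disk is unplugged.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 0\n' "$1" "$2"
}

# True only when the keyfile is readable by its owner alone (400 as in the post, or 600).
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# Usage: sudo sh luks-automount.sh /dev/sda1   (does nothing when run without arguments)
if [ "$#" -ge 1 ]; then
    dev=$1
    keyfile=/home/pi/cryptsetup.keyfile
    keyfile_mode_ok "$keyfile" || { echo "$keyfile must be mode 400" >&2; exit 1; }
    uuid=$(luks_uuid "$dev")
    crypttab_line cryptdrive "$uuid" "$keyfile" | sudo tee -a /etc/crypttab
    fstab_line cryptdrive /media/unencrypted_drive | sudo tee -a /etc/fstab
fi
```

Run it after `luksAddKey` has been done as above; the keyfile check is deliberately done before any `/etc` file is touched.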
Edit encryption secrets
LUKS has 8 slots in the header, and the original passphrase and the keyfile will be present in slot 0 and 1 respectively. (Check that using the `sudo cryptsetup luksDump /dev/sda1` command.)
So, there are the following alternatives for editing the encryption secrets. (Check this Stack Exchange answer for some more details.)
- `sudo cryptsetup luksKillSlot /dev/sda1 1`: This will remove the secret from the given slot. This may be useful if, for example, you want to remove a cryptsetup.keyfile which you had configured on an older computer.
- `cryptsetup luksChangeKey -S 1`: Change the key in a particular slot.
- `cryptsetup luksAddKey`: Add a new key.
- `cryptsetup luksRemoveKey -S 1`: Remove a key.
However, note that messing with this could brick the disk, so it might be better to test on a separate USB drive first.
Open
sudo cryptsetup luksOpen /dev/sda1 cryptdrive
After that, just mount it using the file explorer.
Close
(The following should work but doesn’t for me for some reason.)
sudo umount -f /dev/mapper/cryptdrive
sudo cryptsetup close cryptdrive
Backup LUKS header
# /dev/sdb here is whichever device holds the LUKS container (it was /dev/sda1 in the setup above); check with lsblk first.
# First, take a look at the header:
sudo cryptsetup luksDump /dev/sdb
# Then, backup and verify:
sudo cryptsetup luksHeaderBackup /dev/sdb --header-backup-file luks_backup_western_digital_hard_drive
sudo cryptsetup luksDump luks_backup_western_digital_hard_drive