I recently set up a Samba share on a Raspberry Pi on my home network. As part of that, I used a 5 TB Western Digital My Passport Ultra as the storage layer. I wanted to encrypt it since it’s going to store a lot of personal content. That way, I won’t have to worry about leaking any of that data if I lose the disk.
The following post lists the Linux commands I used to turn on that encryption. While I tried this on a Raspberry Pi, the commands are generic and should work on any Linux system.
Note: While you can also use LUKS to encrypt the Raspberry Pi’s boot disk, I haven’t tried that myself.
```
sudo modprobe dm-crypt sha256
# Supply a strong password for the following.
sudo cryptsetup --verify-passphrase luksFormat /dev/sda1
sudo cryptsetup luksOpen /dev/sda1 cryptdrive
# I used ext4 format (as opposed to NTFS or FAT) as that works better on Linux.
sudo mkfs -t ext4 -m 1 /dev/mapper/cryptdrive
sudo mkdir /media/unencrypted_drive
sudo mount /dev/mapper/cryptdrive /media/unencrypted_drive/
# Change to a non-root owner.
sudo chown pi:pi /media/unencrypted_drive/
```
- Defaults for `luksFormat` are listed here and are good enough.
- The device should be unmounted before running this.
This is how it should look now:
```
pi@raspberrypi:~ $ lsblk
NAME           MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda              8:0    0 14.9G  0 disk
└─sda1           8:1    0 14.9G  0 part
  └─cryptdrive 254:0    0 14.9G  0 crypt /media/unencrypted_drive
```
Auto-mount using a keyfile
The following will ensure that the encrypted partition is unlocked and auto-mounted on system startup.
```
sudo dd if=/dev/urandom of=/home/pi/cryptsetup.keyfile bs=1024 count=4
sudo chmod 400 /home/pi/cryptsetup.keyfile
sudo cryptsetup luksAddKey /dev/sda1 /home/pi/cryptsetup.keyfile
echo "cryptdrive /dev/sda1 /home/pi/cryptsetup.keyfile luks" | sudo tee -a /etc/crypttab
# One issue to keep in mind for the following is that, if the disk is absent at boot
# time (e.g., if it is unplugged), the system won't even come up. So, be careful!
echo "/dev/mapper/cryptdrive /media/unencrypted_drive/ ext4 defaults,rw 0 0" | sudo tee -a /etc/fstab
```
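An added example, not part of the original post: a POSIX shell function that audits crypttab entries like the one written above. It flags a keyfile that group or others can access, a `/dev/sdX` device path (which can change between boots, unlike `UUID=`), and a missing `nofail` option, which relates to the absent-disk boot problem noted above. It assumes GNU `stat` and a systemd-based system where crypttab honours `nofail`; the function name `audit_crypttab` is hypothetical.

```shell
# audit_crypttab [FILE]: print one finding per line for each crypttab entry;
# return 0 when there are no findings. FILE defaults to /etc/crypttab.
# Assumes GNU stat (Linux). Example: audit_crypttab /etc/crypttab
audit_crypttab() (
    tab="${1:-/etc/crypttab}"
    findings=0
    flag() { echo "$1"; findings=$((findings + 1)); }
    # Fields: mapper name, source device, keyfile, comma-separated options.
    while read -r name dev key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # blank line or comment
        case "$dev" in
            # sdX names follow enumeration order; a UUID stays fixed.
            /dev/sd*) flag "$name: $dev can change between boots; prefer UUID=<value from blkid>" ;;
        esac
        case "$key" in
            ''|none|-) ;;   # passphrase prompt, no keyfile to inspect
            *)
                if [ ! -f "$key" ]; then
                    flag "$name: keyfile $key is missing"
                else
                    mode=$(stat -c '%a' "$key")
                    # Any group/other bit exposes the key to non-owners.
                    if [ $(( 0$mode & 077 )) -ne 0 ]; then
                        flag "$name: keyfile $key has mode $mode, expected 400 or 600"
                    fi
                fi ;;
        esac
        case ",$opts," in
            *,nofail,*) ;;
            *) flag "$name: no nofail option; boot waits on this device if the disk is unplugged" ;;
        esac
    done < "$tab"
    [ "$findings" -eq 0 ]
)
```

The matching `/etc/fstab` line needs `nofail` in its options field as well, otherwise the mount itself still blocks boot when the disk is missing.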
Edit encryption secrets
LUKS has 8 slots in the header and the original passphrase and the keyfile will be present in slot 0 and 1 respectively. (Check that using the `sudo cryptsetup luksDump /dev/sda1` command.)
There are the following alternatives for editing the encryption secrets. (Check this Stack Exchange answer for some more details.)
- `cryptsetup luksChangeKey`: Change key for a particular slot.
- `cryptsetup luksAddKey`: Add a new key.
- `cryptsetup luksKillSlot`: Remove keys.
However, note that messing with this could brick the disk, so it might be better to test on a separate USB drive first.
```
sudo cryptsetup luksOpen /dev/sda1 cryptdrive
```
After that, just mount using the file explorer.
(The following should work but doesn’t for me for some reason.)
```
sudo umount -f /dev/mapper/cryptdrive
sudo cryptsetup close cryptdrive
```