
Disk encryption


I recently set up a Samba share on a Raspberry Pi on my home network. As part of that, I used a 5 TB Western Digital My Passport Ultra as the storage layer. I wanted to encrypt it since it’s going to store a lot of personal content. That way, I won’t have to worry about leaking any of that data if I lose the disk.

The following post lists the Linux commands I used to set up that encryption (LUKS via cryptsetup). And while I tried this on a Raspberry Pi, the commands are generic and should work on any Linux system.

Note: While LUKS can also be used to encrypt the Raspberry Pi’s own root filesystem (so the Pi itself, not just the external drive, is protected), I haven’t tried that myself.

One-time setup #

New hard drive #

# Usually unnecessary: cryptsetup loads dm-crypt and the hash modules on demand.
# If you load them by hand, use -a so both names are treated as modules (without it,
# "sha256" is passed to dm-crypt as a module parameter, not loaded).
sudo modprobe -a dm-crypt sha256

# Supply a strong password for the following.
# See note below before using `/dev/sda1`.
sudo cryptsetup --verify-passphrase luksFormat /dev/sda1

sudo cryptsetup luksOpen /dev/sda1 cryptdrive

# I used ext4 format (as opposed to NTFS or FAT) as that works better on Linux.
sudo mkfs -t ext4 -m 1 /dev/mapper/cryptdrive

sudo mkdir /media/unencrypted_drive
sudo mount /dev/mapper/cryptdrive /media/unencrypted_drive/

# Change to a non-root owner.
sudo chown pi:pi /media/unencrypted_drive/

Old encrypted hard drive on a new computer #

# Optional (cryptsetup loads these on demand); -a loads both modules by name.
sudo modprobe -a dm-crypt sha256

# See note below before using `/dev/sda1`.
sudo cryptsetup luksOpen /dev/sda1 cryptdrive

sudo mkdir /media/unencrypted_drive
sudo mount /dev/mapper/cryptdrive /media/unencrypted_drive/

Note #

  • Check the following before using /dev/sda1: run lsblk and use whatever name it shows for the drive. It may show up as /dev/sdb1 (or similar) instead, because /dev/sdX names are handed out in detection order and can change between boots. For anything permanent, such as /etc/crypttab, refer to the partition by its stable path under /dev/disk/by-uuid/ or /dev/disk/by-id/ instead.
  • The defaults for luksFormat (printed by cryptsetup --help and documented in cryptsetup(8)) are good enough; on cryptsetup 2.1 and later that means a LUKS2 header.
  • Run luksFormat only on an unmounted partition; it destroys whatever is on it.

This is how it should look now:

pi@raspberrypi:~ $ lsblk
NAME           MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda              8:0    0 14.9G  0 disk  
└─sda1           8:1    0 14.9G  0 part  
  └─cryptdrive 254:0    0 14.9G  0 crypt /media/unencrypted_drive

Auto-mount using a keyfile #

The following will ensure that the encrypted partition is unlocked and auto-mounted on system startup.

# For a drive set up by OpenMediaVault, only the first 4 lines are needed. Also, replace "/dev/sda1" with
# "/dev/disk/by-uuid/xxx", where you'll find the right value of "xxx" with: "ls -alh /dev/disk/by-uuid/"
# (or "sudo cryptsetup luksUUID /dev/sda1").
# Caveat: the keyfile sits unencrypted on the Pi's SD card, so anyone holding both the card and the drive
# can unlock it. This setup protects against the drive alone going missing, not against losing the whole Pi.
sudo dd if=/dev/urandom of=/home/pi/cryptsetup.keyfile bs=1024 count=4
sudo chmod 400 /home/pi/cryptsetup.keyfile   # already root-owned because dd ran under sudo
sudo cryptsetup luksAddKey /dev/sda1 /home/pi/cryptsetup.keyfile
echo "cryptdrive /dev/sda1 /home/pi/cryptsetup.keyfile luks" | sudo tee -a /etc/crypttab

# The following should work even if the disk is absent at boot time but I haven't tested that yet.
echo "/dev/mapper/cryptdrive /media/unencrypted_drive/ ext4 defaults,nofail 0 0" | sudo tee -a /etc/fstab

Edit encryption secrets #

A LUKS1 header has 8 key slots; LUKS2 (the default header type in cryptsetup 2.1 and later) allows up to 32. After the steps above, the original passphrase occupies slot 0 and the keyfile slot 1. (Check that using the sudo cryptsetup luksDump /dev/sda1 command.)

So, the following are the alternatives for editing the encryption secrets. (Check this Stack Exchange answer for some more details.) Each of them prompts for an existing passphrase, or takes one via --key-file.

  • sudo cryptsetup luksKillSlot /dev/sda1 1: Wipe the given slot after supplying a passphrase from another slot. This may be useful if, for example, you want to revoke a cryptsetup.keyfile which you had configured on an older computer.
  • sudo cryptsetup luksChangeKey /dev/sda1 -S 1: Change the secret in a particular slot (you supply the old secret for that slot, then the new one).
  • sudo cryptsetup luksAddKey /dev/sda1: Add a new passphrase (or a keyfile, given as a second argument) in the next free slot.
  • sudo cryptsetup luksRemoveKey /dev/sda1: Remove a secret by supplying it; cryptsetup finds the matching slot itself, so there is no slot number to pass (use luksKillSlot when you know the slot but not its secret).

However, note that wiping the last slot you can still unlock makes the data unrecoverable (there is no recovery path other than a header backup), so it might be better to rehearse on a separate USB drive first and to back up the header before touching the slots.
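As an added example (not code from the original post), the following script collects the keyfile setup above and the key-slot editing described in this section into something you can run: crypttab and fstab lines built from the LUKS UUID rather than /dev/sda1, a permission check for the keyfile, and a luks_lab function that rehearses luksAddKey, luksHeaderBackup, luksKillSlot and luksHeaderRestore on a 64 MiB file-backed container instead of a real drive. The function and file names (crypttab_line, fstab_line, keyfile_check, luks_lab, the /tmp/luks-lab.* temp files, the "labcrypt" passphrase) are this example's own. The helpers need only bash and stat; the lab runs only as root with cryptsetup installed and only when LUKS_LAB=1 is set.

```shell
#!/bin/bash
# Added example, not from the original post. Helpers for the crypttab/keyfile setup
# and a throwaway "lab" to rehearse key-slot changes on a file instead of a real drive.
# Paths and names passed in are illustrative. Assumes bash, stat, and cryptsetup 2.x (lab only).
set -u

# /etc/crypttab entry keyed on the LUKS header UUID (from `sudo cryptsetup luksUUID DEV`)
# instead of /dev/sdX, which can change between boots. nofail: boot continues if the
# drive is unplugged.
crypttab_line() {
    local name=$1 luks_uuid=$2 keyfile=$3
    printf '%s UUID=%s %s luks,nofail\n' "$name" "$luks_uuid" "$keyfile"
}

# Matching /etc/fstab entry for the opened mapping.
fstab_line() {
    local name=$1 mountpoint=$2
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 0\n' "$name" "$mountpoint"
}

# A keyfile unlocks the disk without a passphrase, so insist on mode 0400 and the
# expected owner (root by default). Prints "ok" or the problem; non-zero on a problem.
keyfile_check() {
    local f=$1 want_owner=${2:-root} mode owner
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
    owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
    [ "$mode" = 400 ] || { echo "mode is $mode, want 400"; return 1; }
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, want $want_owner"; return 1; }
    echo ok
}

# Rehearsal on a 64 MiB file-backed LUKS container (needs root + cryptsetup; touches
# no real disk). Adds a keyfile slot, backs up the header, kills the keyfile slot,
# proves the keyfile is rejected, restores the header, proves it unlocks again.
luks_lab() {
    [ "$(id -u)" = 0 ] || { echo "luks_lab: run as root" >&2; return 1; }
    command -v cryptsetup >/dev/null || { echo "luks_lab: cryptsetup missing" >&2; return 1; }
    local img pass key
    img=$(mktemp /tmp/luks-lab.img.XXXXXX)
    pass=$(mktemp /tmp/luks-lab.pass.XXXXXX)
    key=$(mktemp /tmp/luks-lab.key.XXXXXX)
    truncate -s 64M "$img"
    printf 'labcrypt' > "$pass"                               # stands in for the typed passphrase (slot 0)
    head -c 4096 /dev/urandom > "$key" && chmod 400 "$key"   # the keyfile (slot 1)
    # cryptsetup attaches a loop device to a plain file by itself; no losetup needed.
    cryptsetup luksFormat --batch-mode --key-file "$pass" "$img"
    cryptsetup luksAddKey --key-file "$pass" "$img" "$key"
    cryptsetup luksHeaderBackup "$img" --header-backup-file "$img.hdr"
    echo "slots after luksAddKey:"
    cryptsetup luksDump "$img" | grep -E '^(Key Slot|  [0-9]+:)' || true
    # Revoke the keyfile slot using the slot-0 passphrase, then check it no longer unlocks.
    cryptsetup luksKillSlot --key-file "$pass" "$img" 1
    if cryptsetup open --test-passphrase --key-file "$key" "$img" 2>/dev/null; then
        echo "keyfile still unlocks after luksKillSlot?!" >&2; return 1
    fi
    echo "keyfile rejected after luksKillSlot (expected)"
    # Restoring the old header resurrects slot 1: a header backup is as sensitive as the keys in it.
    cryptsetup luksHeaderRestore --batch-mode "$img" --header-backup-file "$img.hdr"
    cryptsetup open --test-passphrase --key-file "$key" "$img" \
        && echo "keyfile unlocks again after luksHeaderRestore"
    rm -f "$img" "$img.hdr" "$pass" "$key"
}

# Run the lab only when asked: LUKS_LAB=1 sudo bash this_script.sh
if [ "${LUKS_LAB:-0}" = 1 ]; then
    luks_lab
fi
```

Running it with LUKS_LAB=1 as root prints the slot table, shows the keyfile being rejected after luksKillSlot, and then accepted again after luksHeaderRestore, which is why the header backup discussed below has to be stored as carefully as the keyfile itself.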

Open #

sudo cryptsetup luksOpen /dev/sda1 cryptdrive

After that, just mount using file explorer.

Close #

(The following should work but doesn’t for me for some reason.)

# Unmount by mount point. If this reports "target is busy", find what is holding it with
# "sudo fuser -vm /media/unencrypted_drive" and stop that first; -f forcing is meant for
# unreachable network mounts and does not help with a local filesystem.
sudo umount /media/unencrypted_drive
sudo cryptsetup close cryptdrive

Backup LUKS header #

# First, take a look at the header (use the same device you ran luksFormat on, e.g. /dev/sda1):
sudo cryptsetup luksDump /dev/sdb

# Then, back up and verify:
sudo cryptsetup luksHeaderBackup /dev/sdb --header-backup-file luks_backup_western_digital_hard_drive
sudo cryptsetup luksDump luks_backup_western_digital_hard_drive

# The backup contains the key slots as they were when it was taken: anyone who has it plus a
# passphrase or keyfile that was valid then can unlock the disk (cryptsetup open --header ...),
# even if that slot was killed later. Keep it off the Pi and off the drive, and treat it like the keyfile.

Resources #