Disk encryption

I recently set up a Samba share on a Raspberry Pi on my home network. As part of that, I used a 5 TB Western Digital My Passport Ultra as the storage layer. I wanted to encrypt it, since it is going to store a lot of personal content; that way I won’t have to worry about leaking any of that data if I lose the disk.

The following post lists the Linux commands I used to turn on that encryption. While I tried this on a Raspberry Pi, the commands are generic and should work on any Linux system.

Note: While you can also use LUKS to encrypt the Raspberry Pi’s boot partition, I haven’t tried that myself.

One-time setup

# Load the dm-crypt and SHA-256 kernel modules. Without -a, modprobe treats
# "sha256" as a parameter for dm-crypt rather than a second module to load.
sudo modprobe -a dm-crypt sha256

# Supply a strong password for the following.
sudo cryptsetup --verify-passphrase luksFormat /dev/sda1

sudo cryptsetup luksOpen /dev/sda1 cryptdrive

# I used ext4 (as opposed to NTFS or FAT) as that works better on Linux.
# -m 1 reserves 1% of the blocks for root instead of the default 5%.
sudo mkfs -t ext4 -m 1 /dev/mapper/cryptdrive

sudo mkdir /media/unencrypted_drive
sudo mount /dev/mapper/cryptdrive /media/unencrypted_drive/

# Change to a non-root owner.
sudo chown pi:pi /media/unencrypted_drive/

Note:

  • The defaults for luksFormat (listed in the cryptsetup man page) are good enough.
  • The device should be unmounted before running luksFormat.

This is how it should look now:

pi@raspberrypi:~ $ lsblk
NAME           MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda              8:0    0 14.9G  0 disk  
└─sda1           8:1    0 14.9G  0 part  
  └─cryptdrive 254:0    0 14.9G  0 crypt /media/unencrypted_drive

Auto-mount using a keyfile

The following will ensure that the encrypted partition is unlocked and auto-mounted on system startup.

sudo dd if=/dev/urandom of=/home/pi/cryptsetup.keyfile bs=1024 count=4
sudo chmod 400 /home/pi/cryptsetup.keyfile
sudo cryptsetup luksAddKey /dev/sda1 /home/pi/cryptsetup.keyfile
echo "cryptdrive /dev/sda1 /home/pi/cryptsetup.keyfile luks" | sudo tee -a /etc/crypttab

# One issue to keep in mind for the following is that, if the disk is absent at boot
# time (e.g. if it is unplugged), the system won't even come up. So, be careful!
# (Adding nofail to the fstab and crypttab options lets the boot continue without the disk.)
echo "/dev/mapper/cryptdrive /media/unencrypted_drive/ ext4 defaults,rw 0 0" | sudo tee -a /etc/fstab
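As an added example (not from the original post), here is the same keyfile/auto-mount procedure as a script that checks the target before touching it, references the partition by UUID instead of /dev/sda1, and adds nofail so an unplugged disk no longer stops the boot. DEVICE, MAPPER, KEYFILE and MOUNTPOINT are assumed values; adjust them to your system.

```shell
#!/bin/sh
# Added example, not from the original post: the keyfile/auto-mount steps as a
# script. It refuses to touch a mounted or non-LUKS partition, addresses the
# partition by UUID (USB device names can change between boots) and adds
# 'nofail'. DEVICE, MAPPER, KEYFILE and MOUNTPOINT are assumed values.
set -eu
DEVICE="${DEVICE:-/dev/sda1}"
MAPPER="${MAPPER:-cryptdrive}"
KEYFILE="${KEYFILE:-/home/pi/cryptsetup.keyfile}"
MOUNTPOINT="${MOUNTPOINT:-/media/unencrypted_drive}"

# True when $1 appears as a mounted source in the mounts table $2
# (default /proc/mounts; passing a file makes the check testable offline).
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# /etc/crypttab entry: mapper name, UUID= source, keyfile, options.
# 'nofail' lets the boot continue when the disk is absent.
crypttab_line() {
    printf '%s UUID=%s %s luks,nofail\n' "$1" "$2" "$3"
}

# /etc/fstab entry for the unlocked mapper device; 'nofail' again keeps an
# absent disk from dropping the Pi into emergency mode, '2' enables fsck.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

main() {
    # A raw partition that is mounted holds a plain filesystem: wrong disk.
    if is_mounted "$DEVICE"; then
        echo "refusing: $DEVICE is mounted" >&2; exit 1
    fi
    # Only proceed once luksFormat has been run on this partition.
    sudo cryptsetup isLuks "$DEVICE" || { echo "$DEVICE is not LUKS" >&2; exit 1; }
    uuid=$(sudo blkid -s UUID -o value "$DEVICE")
    # Keyfile: 4 KiB of random bytes, never world-readable (umask before dd).
    if [ ! -e "$KEYFILE" ]; then
        sudo sh -c "umask 077; dd if=/dev/urandom of='$KEYFILE' bs=1024 count=4"
    fi
    sudo chmod 400 "$KEYFILE"
    sudo cryptsetup luksAddKey "$DEVICE" "$KEYFILE"   # prompts for the passphrase
    crypttab_line "$MAPPER" "$uuid" "$KEYFILE" | sudo tee -a /etc/crypttab >/dev/null
    sudo mkdir -p "$MOUNTPOINT"
    fstab_line "$MAPPER" "$MOUNTPOINT" | sudo tee -a /etc/fstab >/dev/null
}
# Run only when explicitly requested, so the functions can be sourced and tested.
if [ "${RUN_SETUP:-0}" = 1 ]; then main; fi
```

Run it with RUN_SETUP=1. Because the keyfile lives on the unencrypted SD card, this setup only protects against losing the external disk on its own, not against losing the whole Pi.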

Edit encryption secrets

LUKS has 8 key slots in the header, and the original passphrase and the keyfile will be present in slots 0 and 1 respectively. (Check that using the sudo cryptsetup luksDump /dev/sda1 command.)

So there are the following alternatives for editing the encryption secrets. (Check this Stack Exchange answer for some more details.)

  • cryptsetup luksChangeKey: Change key for a particular slot.
  • cryptsetup luksAddKey: Add a new key.
  • cryptsetup luksRemoveKey or cryptsetup luksKillSlot: Remove keys.

However, note that a mistake here (for example, removing the last remaining key slot) could make the disk permanently unreadable, so it might be better to test on a separate USB drive first.

Open

sudo cryptsetup luksOpen /dev/sda1 cryptdrive

After that, just mount it using the file explorer.

Close

(The following should work but doesn’t for me for some reason.)

# umount fails with "target is busy" while any process still has a file open
# or its working directory inside the mount.
sudo umount -f /dev/mapper/cryptdrive
sudo cryptsetup close cryptdrive

Resources