Linux Unified Key Setup (LUKS) is the standard on-disk format for block-device encryption on Linux. It is managed with the cryptsetup utility and built on the dm-crypt kernel module.

Do not run luksFormat on a partition that already holds data: it writes a LUKS header over the start of the device and the existing filesystem is lost, not converted.

The safer way is to attach a new volume to the system, encrypt the new volume and then copy the files over.

Edit the partition table of the new volume. Check the output of fdisk -l first and be certain that /dev/sdb is the new, empty disk; fdisk writes to whatever device you name:

sudo fdisk -l
sudo fdisk /dev/sdb

Press the following keys:

  • p
    • Prints the existing partitions (there should be none yet).
  • n
    • Creates a new partition.
    • p: primary partition.
    • 1: partition number.
    • <Enter>: accept the default first sector.
    • <Enter>: accept the default last sector (the partition spans the whole disk).
  • p
    • Prints the partition table with the newly created partition.
  • w
    • Writes the changes to the disk.

Install cryptsetup:

sudo apt-get install cryptsetup -y

Encrypt the partition (this writes the LUKS header and creates the first key slot):

sudo cryptsetup luksFormat /dev/sdb1

Type YES in capital letters to confirm, then choose a strong passphrase and store it securely in a key vault or password manager. There is no recovery path: without a valid passphrase or key file the data is gone.

Open (unlock) the partition and give the mapping a meaningful name. luksOpen is the older spelling of cryptsetup open --type luks; both work:

sudo cryptsetup luksOpen /dev/sdb1 partitionName

Inspect the result. /dev/sdb1 should now show a child device of type crypt named partitionName:

lsblk

Create the filesystem on the opened mapping, not on /dev/sdb1 itself (that would overwrite the LUKS header):

sudo mkfs.ext4 /dev/mapper/partitionName

Create a mounting point and mount the partition on it:

sudo mkdir -p /encryptedVolume
sudo mount /dev/mapper/partitionName /encryptedVolume

MOUNTING ON BOOT

Find out the UUID of the LUKS container. In the blkid output it is the entry for /dev/sdb1 with TYPE="crypto_LUKS". The opened mapping /dev/mapper/partitionName shows a different UUID, that of the ext4 filesystem inside it; that one is for fstab, not for crypttab:

sudo blkid

Then edit the crypttab:

sudo nano /etc/crypttab

Add the following line:

# <target name> <source device> <key file> <options>
partitionName UUID=7769dc40-66f1-4028-9fc4-1ac0178a080e none luks

Note: with a passphrase, the third column is none (with a key file, put the path to the key file there instead). The fourth column holds crypttab options: luks selects the LUKS device type and is not a mount option.

Now edit the fstab:

sudo nano /etc/fstab

Append a line that mounts the filesystem inside the opened mapping. Refer to it by its mapper name, or by the UUID that blkid reports for /dev/mapper/partitionName (the ext4 entry). The container UUID used in crypttab does not work here: mount would resolve it to the raw /dev/sdb1 and fail with a wrong-fs-type error, because no filesystem carries that UUID:

/dev/mapper/partitionName /encryptedVolume ext4 defaults,nofail 0 2

Note: during boot the init system (systemd-cryptsetup on systemd distributions) prompts for the passphrase on the console before the filesystem is mounted. Not all distributions handle a non-root LUKS volume in crypttab well, and some never show the prompt. The nofail option keeps a failed or skipped unlock from dropping the machine into emergency mode; the price is that the volume is then silently absent, so check with lsblk after boot.
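The following script is an added example and not part of the original page. It derives the crypttab and fstab lines from blkid output and refuses to produce them from the wrong device, which is the mistake that is easiest to make in this section: crypttab must carry the UUID of the LUKS container (TYPE="crypto_LUKS"), fstab the UUID of the ext4 filesystem inside the opened mapping. The blkid sample is constructed (the container UUID is the one used on this page, the two ext4 UUIDs are made up), and the function names are hypothetical helpers written for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: derive the /etc/crypttab and
# /etc/fstab lines from `sudo blkid` output, using the right UUID in each.
# crypttab names the LUKS container (TYPE="crypto_LUKS", here /dev/sdb1);
# fstab names the ext4 filesystem inside the opened mapping
# (/dev/mapper/<name>), which has its own, different UUID.
# Function names are hypothetical helpers written for this example.
set -euo pipefail

# Constructed sample of `sudo blkid` output (not captured from a real host).
# The container UUID is the one used on this page; the ext4 UUIDs are made up.
SAMPLE_BLKID='/dev/sda1: UUID="0a1b2c3d-1111-4222-8333-000000000001" TYPE="ext4"
/dev/sdb1: UUID="7769dc40-66f1-4028-9fc4-1ac0178a080e" TYPE="crypto_LUKS"
/dev/mapper/partitionName: UUID="0a1b2c3d-1111-4222-8333-000000000002" TYPE="ext4"'

# blkid_field <blkid-output> <device> <KEY>: print the KEY="..." value for
# that device line, or nothing if absent. (Values containing spaces, such as
# LABEL="my disk", are not handled; UUID and TYPE never contain them.)
blkid_field() {
  printf '%s\n' "$1" | awk -v dev="$2:" -v key="$3" '
    $1 == dev {
      for (i = 2; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == key) { gsub(/"/, "", kv[2]); print kv[2]; exit }
      }
    }'
}

# crypttab_line <mapping-name> <luks-device> <blkid-output>
# Refuses anything that blkid does not report as a LUKS container.
crypttab_line() {
  local name=$1 dev=$2 out=$3 type uuid
  type=$(blkid_field "$out" "$dev" TYPE)
  if [ "$type" != "crypto_LUKS" ]; then
    echo "crypttab_line: $dev is '${type:-unknown}', not crypto_LUKS" >&2
    return 1
  fi
  uuid=$(blkid_field "$out" "$dev" UUID)
  printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# fstab_line <mapping-name> <mountpoint> <blkid-output>
# Uses the filesystem UUID of /dev/mapper/<name>. nofail keeps a failed or
# declined unlock at boot from dropping the host into emergency mode.
fstab_line() {
  local name=$1 mnt=$2 out=$3 dev type uuid
  dev="/dev/mapper/$name"
  type=$(blkid_field "$out" "$dev" TYPE)
  if [ "$type" != "ext4" ]; then
    echo "fstab_line: $dev is '${type:-unknown}', not ext4 (is it opened?)" >&2
    return 1
  fi
  uuid=$(blkid_field "$out" "$dev" UUID)
  printf 'UUID=%s %s ext4 defaults,nofail 0 2\n' "$uuid" "$mnt"
}

# uuids_differ <crypttab-line> <fstab-line>: succeed only if the two lines do
# not share a UUID; sharing one is the mistake that makes the mount fail at boot.
uuids_differ() {
  local a b
  a=$(printf '%s\n' "$1" | sed -n 's/.*UUID=\([^ ]*\).*/\1/p')
  b=$(printf '%s\n' "$2" | sed -n 's/.*UUID=\([^ ]*\).*/\1/p')
  [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Demonstration on the constructed sample (on a real host: OUT=$(sudo blkid)).
CT=$(crypttab_line partitionName /dev/sdb1 "$SAMPLE_BLKID")
FT=$(fstab_line partitionName /encryptedVolume "$SAMPLE_BLKID")
uuids_differ "$CT" "$FT"
printf '/etc/crypttab: %s\n/etc/fstab:    %s\n' "$CT" "$FT"
```

On a real host, replace the constructed sample with the captured output of sudo blkid and run the two generators with the mapping name you chose at luksOpen; each refuses to emit a line when the device it was pointed at has the wrong type, so a copy-paste of the container UUID into fstab cannot slip through.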

Alternatively, unlock with a key file so that nobody has to type a passphrase at boot. The key file must exist before it is added: it is just a file of random bytes (a few KiB from /dev/urandom) readable by root only. Keep it on a filesystem that is itself encrypted, typically the LUKS root, for example under /etc/luks-keys/. Do not put it on /boot: that partition is normally unencrypted, so anyone who images or steals the disk gets the key together with the data and the encryption buys nothing. Add the key file as an extra key slot (you are asked for the existing passphrase):

sudo cryptsetup luksAddKey /dev/sdb1 /etc/luks-keys/volume.key

Check that the key was added correctly; a second key slot should now be listed:

sudo cryptsetup luksDump /dev/sdb1

Then, in /etc/crypttab, enter the path to the key in the third column:

# <target name> <source device> <key file> <options>
partitionName UUID=7769dc40-66f1-4028-9fc4-1ac0178a080e /etc/luks-keys/volume.key luks
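The following script is an added example, not code from the original page. It covers the key-file step above and the luksDump check: it creates a key file with restrictive permissions, counts populated key slots in luksDump output (both the LUKS1 and the LUKS2 layout) so that "was the key added?" becomes a yes/no answer rather than eyeballing, and adds a key file while authenticating with a passphrase read from a file instead of the terminal. The luksDump excerpts are constructed, the function names are hypothetical, and add_keyfile needs root and a real LUKS device; everything else runs as an ordinary user.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: create a key file with safe
# permissions, count the key slots in `cryptsetup luksDump` output, and add
# the key file to a volume with an automatic before/after slot check.
# Function names are hypothetical helpers written for this example.
set -euo pipefail

# make_keyfile <path>: 4096 random bytes, mode 0400, created under a
# restrictive umask so the file is never group- or world-readable, not even
# for an instant. Keep it on a filesystem that is itself encrypted: whoever
# can read this file can unlock the volume without any passphrase.
make_keyfile() {
  local path=$1
  ( umask 077 && head -c 4096 /dev/urandom > "$path" )
  chmod 0400 "$path"
}

# keyfile_ok <path>: non-empty and readable by its owner only.
keyfile_ok() {
  local path=$1 mode
  [ -s "$path" ] || return 1
  mode=$(stat -c '%a' "$path")
  [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# count_keyslots: read luksDump output on stdin and print the number of
# populated key slots. LUKS1 prints "Key Slot N: ENABLED/DISABLED" lines;
# LUKS2 prints "  N: luks2" entries under a "Keyslots:" heading, with the
# slot details indented by a tab until the next top-level heading.
count_keyslots() {
  awk '
    /^Key Slot [0-9]+: ENABLED/ { n++ }
    /^Keyslots:/ { in_ks = 1; next }
    /^[A-Za-z]/ { in_ks = 0 }
    in_ks && /^  [0-9]+: luks2/ { n++ }
    END { print n + 0 }'
}

# add_keyfile <luks-device> <new-keyfile> <passphrase-file>: add the key file
# as a new slot, authenticating with the existing passphrase stored in
# <passphrase-file>. cryptsetup uses the whole file as the passphrase, so
# write it without a trailing newline (printf '%s' "$pass" > file). Needs root.
add_keyfile() {
  local dev=$1 keyfile=$2 passfile=$3 before after
  keyfile_ok "$keyfile" || { echo "refusing: $keyfile is empty or too permissive" >&2; return 1; }
  before=$(cryptsetup luksDump "$dev" | count_keyslots)
  cryptsetup luksAddKey --key-file "$passfile" "$dev" "$keyfile"
  after=$(cryptsetup luksDump "$dev" | count_keyslots)
  [ "$after" -eq $((before + 1)) ]
}

# Constructed luksDump excerpts (not taken from a real device).
SAMPLE_DUMP_LUKS2='LUKS header information
Version:       	2
Keyslots:
  0: luks2
	Key:        512 bits
	PBKDF:      argon2id
  1: luks2
	Key:        512 bits
	PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256'
SAMPLE_DUMP_LUKS1='LUKS header information for /dev/sdb1
Version:       	1
Key Slot 0: ENABLED
	Iterations:         	1000000
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

# Demonstration on the constructed dumps (no root needed). On a real host:
#   sudo cryptsetup luksDump /dev/sdb1 | count_keyslots
printf 'LUKS2 sample: %s key slot(s)\n' "$(printf '%s\n' "$SAMPLE_DUMP_LUKS2" | count_keyslots)"
printf 'LUKS1 sample: %s key slot(s)\n' "$(printf '%s\n' "$SAMPLE_DUMP_LUKS1" | count_keyslots)"
```

Source the script as root and call make_keyfile /etc/luks-keys/volume.key followed by add_keyfile /dev/sdb1 /etc/luks-keys/volume.key /path/to/passphrase-file; add_keyfile fails rather than succeeding silently when the key file is readable by others or when the slot count did not grow by exactly one.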

BONUS

1 – The LUKS header at the start of the partition holds the encrypted master key and every key slot. If it is damaged or overwritten, nothing on the rest of the device can be decrypted, whatever passphrase you know. So back it up:

sudo cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file LUKS-Header.bin

Guard the backup like the passphrase itself: together with any passphrase that was valid when it was taken it unlocks the volume, and restoring it also brings back key slots that were removed afterwards.

2 – To restore use:

sudo cryptsetup luksHeaderRestore /dev/sdb1 --header-backup-file LUKS-Header.bin

3 – Press the Tab key after cryptsetup to list the available commands (needs bash completion for cryptsetup installed):

cryptsetup <TAB>

4 – Change the passphrase of an existing key slot (asks for the current passphrase, then the new one):

sudo cryptsetup luksChangeKey /dev/sdb1

5 – Add another passphrase or key file to a free key slot, for example one per administrator, so that losing a single secret does not lock everyone out:

sudo cryptsetup luksAddKey /dev/sdb1