How to encrypt your Hard Drive

Posted on 2021-04-09
Tags: Linux, Encryption

Table of Contents

Why should I use Encryption?

Nowadays, in a world where there are industries centered around data mining and malicious actors are willing to spend time and money to get access to data, handling your data well is becoming more and more important, specially if it’s sensitive data like emails, credit cards, passwords, personal files and personal infomation in general. Encrypting your devices can prevent unathorized people to access your data, whether they are non-trusted people, a burgler who stole your laptop or the guy from the repair shop.

Types of Encryption

Data-at-rest encryption stores all the files on disk in an encrypted form. The files are only avaiable when the system is running and unlocked by a trusted party. There are two different types of methods to perform data-at-rest encryption, Filesystem-level encryption which works on a File system level and the Block device encryption ( a.k.a. Full disk encryption) which operates below the file-system layer and ensures that all the data is encrypted inside a block device, like a Hard Drive, SSD, partition or USB flash drive. All the data stored in a encrypted block device is only accessible after mounting the device properly and having the necessary password/key to access it. We are going to use the later method.

What is Cryptsetup?

To perform the block device encryption, we are going to use dm-crypt, Linux kernel’s device-mapper encryption subsystem. The management of dm-crypt is done by the cryptsetup utility. We are going to perform the LUKS Design since it supports multiple keys, secure and the standard among Linux systems.


Since we are going to perform a simple full disk encryption to protect user data, we won’t encrypt the root partition, nor the /boot partition. If you pretend to use a separate drive for your /home directory, then there isn’t much to do. But if you are going to use only one drive then you must do some partitioning, make sure to create at least a root and a /home partition. Obviously we are going to encrypt the home partition to secure our files at /home.

Secure erasure of the drive (optional)

Before encrypting a drive it’s recommended to perform a secure erasure of the disk by overwriting the entire drive with random data or with zeros. That prevents recovery of previously stored data and cryptographic attacks. To do that first we need to create a temporary encrypted container on the desired partition (in our case the home partition) or complete device.

# cryptsetup open --type plain -d /dev/urandom /dev/<block-device> to_be_wiped

where the <block-device> is the name of your block device, it’s something like sda, sdb, sdc if it’s a entire drive, or sda1, sda2, sda3 , if it’s a partition. You can verify if the partition/device by typing # lsblk. A container inside the partition/device with the name to_be_wiped will show up. To wipe the container with zeros, just type:

# dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress

You could use if=/dev/urandom instead, but it’s not necessary. The process can take some time to complete, it depends on the size of the partition/device, if you are wiping 1TB or more of disk space it could take a couple of hours. After the process is completed you will get the following output: dd: writing to ‘/dev/mapper/to_be_wiped’: No space left on device.


Now to create a LUKS header, you must type:

# cryptsetup options luksFormat device

where the options field is entirely optional, to know more look the manpages for cryptsetup man cryptsetup. If you don’t know what options to use I recommend you to leave the options field empty, since the default options are good enough. Replace the device field with the previously wiped partition. After choosing a password for your device, you can accesses it by typing:

# cryptsetup open device name

The name field is a temporary name, so you can choose whatever you want. After unlocking the partition, it will be available under the /dev/mapper/name path. Now you can create a file system of your choice, if you want to use the device as a /home partition, type:

# mkfs.ext4 /dev/mapper/name

Again, the name field is the temporary name you gave it when you opened the device/partition. If you are encrypting a USB flash drive, you might want to use mkfs.vfat instead. Now you can mount the device to /home. If you are encrypting a USB flash drive you can just close the device. To close the device, you should unmount it and:

# cryptsetup close name

If you are encrypting a USB flash drive, there’s nothing left to do, you can just enjoy your newly encrypted device. But if you are encrypting your /home partition you might want to mount it at boot time. To do that you must add the UUID of the device to /etc/crypttab, to check the UUID:

# lsblk -f

Add it to /etc/crypttab in the form:

name         UUID=<UUID-number>        none    luks,timeout=180

The timeout option defines a timeout in seconds for entering the decrypting password during boot.

We are done!