With all of the scary and some what questionable things that have made it into the news lately we cannot stress enough, you need to use encryption. Encryption on everything network traffic, passwords and storage media to list a few. This article is going to tell you how to setup encryption on your storage media using linux.
Now one of the things that I have heard when I mention encrypting drives is
“I ticked the box to encrypt my hard drive when I did the install so I am protected”
While technically this is true on RHEL and most others, what about your backup location or perhaps your external hard disk? That is where this article comes in.
Cryptsetup is included out of the box in RHEL,Ubuntu,Mint,SuSe and more. On Gentoo you will likely need to merge it unless you included it in your install.
To install on Gentoo you can do the following:
emerge --ask -jv cryptsetup
From here we can start encrypting our drives, we can use lsblk to find our drive for this example we are using a 3TB external drive.
You should get an output similar to
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sdf 8:80 0 2.7T 0 disk
We can see here that my drive is on sdf and it is not mounted.
Now we need to format the drive (This will delete data on the disk) You will be asked for a password to encrypt the drive, the stronger better.
cryptsetup luksFormat /dev/sdf
Now we need to open the drive in order to put a file system on it, you will be asked for the password that you set earlier. For this command we need to tell it which drive and what we want it to be mapped to, in this case “EXT_DRIVE”
cryptsetup luksOpen /dev/sdf EXT_DRIVE mkfs.ext4 /dev/mapper/EXT_DRIVE
Now we can mount the drive to our system
mount -t ext4 /dev/mapper/EXT_DRIVE /mnt/test
Now the drive is just another disk in your system you can copy your data to it read from it whatever you need. When you are done and you want to unmount the drive or perhaps remove it from the system for an external hard drive you will just have to do the following.
umount /mnt/test cryptsetup luksClose EXT_DRIVE
For drives that you want to mount when the system boots, you can use a key file in place of a password this is specified at the time of the format as follows
cryptsetup luksFormat /dev/sdf /home/brad/Documents/key_file
If you want to change from using a password to using a key file you would do the following, this does not overwrite any data on the disk.
cryptsetup luksAddKey /dev/sdf /home/brad/Documents/key_file