In this post, I will briefly cover encryption of SSD drives, removable hard drives and USB drives. Depending on your objectives, you may need to tweak certain options to achieve stronger protection.
Before starting the process, it is necessary to connect the drive of your choice to your Linux system. If the drive is already connected, first identify the drive that is to be encrypted. The following command will provide the details you need:
sudo fdisk -l
Assuming that the drive to be encrypted is /dev/sdb and no encryption is present, you can set it up using the command below. This command will also wipe your drive, so make sure that the correct drive is selected:
sudo cryptsetup -y -v luksFormat /dev/sdb
Then select “YES” and enter the credentials you would like to use for encryption.
To unlock (decrypt) the drive, the following command is used. “drive-label” is any label you would like to use when mounting the drive, e.g. mydrive2; the unlocked drive then appears as /dev/mapper/drive-label:
sudo cryptsetup luksOpen /dev/sdb drive-label
You can also wipe the drive to remove any unwanted data. Note that “/dev/zero” is not random; another option is /dev/urandom, which is better when wiping LUKS keyslots.
sudo dd if=/dev/zero of=/dev/mapper/mydrive2 status=progress
The next step is creating the filesystem on the drive:
sudo mkfs.ext4 /dev/mapper/mydrive2
To close the drive:
sudo cryptsetup luksClose /dev/mapper/mydrive2
To open and mount the drive (the mount point /mnt/mydrive2 must already exist):
sudo cryptsetup luksOpen /dev/sdb mydrive2
sudo mount /dev/mapper/mydrive2 /mnt/mydrive2
To unmount and close the drive:
sudo umount /mnt/mydrive2
sudo cryptsetup luksClose /dev/mapper/mydrive2
For more information, please refer to the LUKS manual available on any Linux system. One important thing to remember is creating a suitable backup of LUKS headers for encrypted drives. In case these headers get damaged either accidentally or when updating the operating system, the encrypted data may become unrecoverable.
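The header backup mentioned above can be scripted as follows. This is an added example, not part of the original post: the function names and the backup path in the usage comment are assumptions, and the script relies on cryptsetup's luksHeaderBackup and luksDump actions. It also checks for the LUKS magic bytes first, which shows whether a device already carries a LUKS header before you run luksFormat on it.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print 1 or 2 if the file/device starts with a LUKS1/LUKS2 header, else "none".
# Both versions begin with the magic bytes "LUKS" 0xba 0xbe followed by a
# 16-bit big-endian version number.
luks_version() {
    [ -r "$1" ] || { echo none; return 0; }
    hex=$(od -An -tx1 -N8 < "$1" | tr -d ' \n')
    case "$hex" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none ;;
    esac
}

# Back up the LUKS header of DEVICE into a new file BACKUP (run as root).
backup_luks_header() {
    dev=$1
    out=$2
    if [ "$(luks_version "$dev")" = none ]; then
        echo "no LUKS header found on $dev" >&2
        return 1
    fi
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing file $out" >&2
        return 1
    fi
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out" || return 1
    # Sanity-check the result: it must start with a LUKS header and be
    # readable by cryptsetup itself.
    [ "$(luks_version "$out")" != none ] && cryptsetup luksDump "$out" > /dev/null
}

# Usage (placeholder backup path; store it off the encrypted drive):
#   backup_luks_header /dev/sdb /root/sdb-luks-header.img
```

Keep the backup file somewhere other than the encrypted drive. It contains the keyslots, so protect it as carefully as the drive itself.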