
The Use Case: I want to use a hard disk for backups. It consists of two partitions, one NTFS for Windows compatibility and one encrypted ext3 partition. This short tutorial will show you what is required to encrypt a single partition.

Random Data

To make the encryption secure you need to fill the partition with random data beforehand. This ensures that no information about the encryption key can be gained from an analysis.

Find out the device path of your partition. Make sure it is really the correct path; you don’t want to overwrite the wrong partition. For me, it was /dev/sdb2, so I called

dd if=/dev/urandom of=/dev/sdb2

Be aware that depending on the size of the partition and the CPU speed this may take up to a couple of hours. In my case it took about 1.14 hours to write 12 gigabytes.
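
A pre-flight check for the warning above about overwriting the wrong partition, as an added example that is not part of the original tutorial: it refuses a target that is not a block device or that is listed in /proc/mounts or /proc/swaps. The function names are hypothetical, and the optional file arguments exist only so the check can be run against constructed sample tables.

```shell
#!/bin/sh
# Pre-flight check before "dd if=/dev/urandom of=<device>" (added example).
# MOUNTS and SWAPS default to the kernel's tables; they are parameters only
# so the check can be exercised against constructed sample files.

# device_in_use DEV [MOUNTS] [SWAPS]
# Returns 0 if DEV is listed as a mounted filesystem or an active swap area.
# Only the exact device path is matched (/dev/sdb does not match /dev/sdb1).
device_in_use() {
    dev=$1
    mounts=${2:-/proc/mounts}
    swaps=${3:-/proc/swaps}
    # /proc/mounts: the first field of every line is the device.
    if awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$mounts"; then
        return 0
    fi
    # /proc/swaps: line 1 is a header, the first field is the device.
    if [ -r "$swaps" ] &&
       awk -v d="$dev" 'NR > 1 && $1 == d { found = 1 } END { exit !found }' "$swaps"; then
        return 0
    fi
    return 1
}

# check_wipe_target DEV [MOUNTS] [SWAPS]
# Prints the reason and returns non-zero when DEV must not be overwritten:
#   2 = not a block device, 3 = mounted or in use as swap.
check_wipe_target() {
    dev=$1
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 2
    fi
    if device_in_use "$dev" "$2" "$3"; then
        echo "refusing: $dev is mounted or used as swap" >&2
        return 3
    fi
    return 0
}
```

After sourcing these functions, chain the check in front of the wipe: check_wipe_target /dev/sdb2 && dd if=/dev/urandom of=/dev/sdb2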

Create Encrypted Partition

Before you start creating the encrypted partition, ensure that the following modules are loaded.

modprobe aes
modprobe dm_mod
modprobe dm_crypt

1. Create the device mapping.

cryptsetup -v --key-size 256 luksFormat /dev/sdb2

It will ask you “Are you sure?(Type uppercase yes):” but I always got “Command failed.” Why? I did not read the question. This took me a while to figure out, but the trick is to “Type uppercase yes”. Duh!

2. View the details of the encrypted partition.

cryptsetup luksDump /dev/sdb2

3. Open the encrypted partition.

cryptsetup luksOpen /dev/sdb2 backup

This should have created an entry in /dev/mapper, called backup.

4. Create a file system on the new device.

/sbin/mkfs.ext3 -O dir_index,resize_inode /dev/mapper/backup

I used ext3, but you can use any file system you like.

5. Mount the encrypted partition.

mkdir /mnt/backup
mount /dev/mapper/backup /mnt/backup

Done. At least it worked for me.

Regular Mounting

Whenever I connect my backup drive, I have to call

cryptsetup luksOpen /dev/sdb2 backup
mount /dev/mapper/backup /mnt/backup

or use GNOME, which does it automatically.