By fsmithred; I only copied it here so I have it at hand.
This guide assumes that you have some familiarity with using the command line, know how to become root, and know how to partition a drive. (You might not need to partition the drive, but it's better if you know how.)
Preparation
Install cryptsetup with your favorite package manager.
If you're using cryptsetup immediately after installing it (without rebooting first) then also do:
- Code:
modprobe -v dm-mod
I'll assume that the external drive is /dev/sdb, and you're going to encrypt the first partition on the drive (/dev/sdb1). You'll need to replace that with the correct name for your drive. To find out the correct device name for your drive, run one or both of these commands after you plug the drive into your computer. You should check this right before you do the encryption, in case the drive does not get the same name every time you plug it in. (I've seen that happen.)
(as normal user)
- Code:
dmesg
(as root)
- Code:
fdisk -l
IMPORTANT: The next commands will erase any data on the drive. Do not err.
If there's already data on the drive that you want to keep, you'll need to copy it to another drive first.
You need a linux partition on the drive. If you don't have one already, you can partition the drive with gparted (graphical) or cfdisk (in a terminal) or your favorite partitioning tool. If you've never partitioned a drive, search the web for gparted instructions, and you'll find nice pictures for all the steps. Don't worry about which filesystem format to use now. That'll get done with a command in a later step.
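A guard to run before the destructive commands below, as an added example that is not part of fsmithred's guide: it refuses a device that is mounted or has a mounted partition, according to /proc/mounts. The function name safe_to_wipe, the script name and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide); all names are hypothetical.

# Constructed sample in /proc/mounts format, for trying the check offline.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb2 /media/usb vfat rw,nosuid 0 0
/dev/sdc10 /data ext4 rw 0 0
/dev/nvme0n1p1 /boot/efi vfat rw 0 0
tmpfs /tmp tmpfs rw 0 0
EOF
}

# safe_to_wipe DEVICE [MOUNTS_FILE]
# Returns 0 if neither DEVICE nor any of its partitions is a mount source,
# 1 if something is mounted, 2 if DEVICE is not a /dev path.
# Limitation: an opened LUKS volume is mounted as /dev/mapper/<name>,
# so close it (cryptsetup luksClose <name>) before relying on this check.
safe_to_wipe() {
    stw_dev=$1
    stw_mounts=${2:-/proc/mounts}
    case $stw_dev in
        /dev/?*) ;;
        *) echo "refusing: '$stw_dev' is not a /dev path" >&2; return 2 ;;
    esac
    # Partitions of sdb are sdb1, sdb2, ...; of nvme0n1 they are nvme0n1p1, ...
    # Matching this way keeps /dev/sdb1 from being confused with /dev/sdb10.
    case $stw_dev in
        *[0-9]) stw_parts="${stw_dev}p[0-9]*" ;;
        *)      stw_parts="${stw_dev}[0-9]*" ;;
    esac
    # The first field of each line is the mounted device, the second its mountpoint.
    while read -r stw_src stw_mnt stw_rest; do
        case $stw_src in
            "$stw_dev"|$stw_parts)
                echo "refusing: $stw_src is mounted on $stw_mnt" >&2
                return 1 ;;
        esac
    done < "$stw_mounts"
    return 0
}

# Stand-alone use: sh wipe_guard.sh /dev/sdb1
[ "$#" -eq 0 ] || safe_to_wipe "$1"
```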
Wipe the drive
There are a couple of considerations here. If you previously had sensitive data on the drive, you need to do something to obscure that data. Deleting it is not enough. You need to overwrite it with something. The fast and easy way is to write zeros to the drive, and the more secure way is to write random data. Using random data will make it so that nobody can tell where the files are on the drive. If you don't do this, your data will still be encrypted, but anyone trying to decrypt the data will have less work to do. And if you have more than one partition, moving the data from the unencrypted partition to the encrypted one is not good enough. You'd still need to wipe the data that was on the unencrypted part.
You can just overwrite a partition, or you could overwrite the entire drive. If you do the latter, you'll need to repartition the drive afterward. To overwrite an entire drive, leave the partition number off of the device name in one of the following dd commands (e.g. /dev/sdb instead of /dev/sdb1).
Writing zeros to a partition (faster, less secure):
- Code:
dd if=/dev/zero of=/dev/sdb1
Writing random data (slower, more secure):
- Code:
dd if=/dev/urandom of=/dev/sdb1
This will take a while. If the partition is measured in hundreds of gigabytes, find something else to do until tomorrow, or maybe longer. (Not kidding.)
Create an encrypted volume (as root):
- Code:
cryptsetup luksFormat /dev/sdb1
You'll be asked for a pass phrase at this point. Make sure you remember it. There's no way to retrieve or change a lost pass phrase.
Open the encrypted volume:
- Code:
cryptsetup luksOpen /dev/sdb1 <name>
<name> is a temporary name you give to the partition. It only exists until you close the volume. Avoid special characters and spaces.
Create a filesystem:
- Code:
mke2fs -t ext4 /dev/mapper/<name>
You can use ext3 if you prefer, or even ext2 if it's a small thumb drive.
Mount the filesystem:
- Code:
mount /dev/mapper/<name> /mnt
/mnt could be any mountpoint you want.
Give yourself ownership of the filesystem:
- Code:
chown -R user:user /mnt
where "user" is your user name.
You can now copy files to the encrypted drive.
When you're finished, unmount the drive and close the encrypted volume.
- Code:
umount /mnt
cryptsetup luksClose <name>
You're done.
Using it
Next time you want to use the drive, plug it in. If you're lucky, your desktop environment will pop up a window asking for the pass phrase. Then you can mount/unmount it with a file manager. (Usually by right-clicking on the icon for the drive.)
If you need to do it from command line, you already know the commands (as root):
- Code:
cryptsetup luksOpen /dev/sdb1 <name>
mount /dev/mapper/<name> /mnt
- Code:
umount /mnt
cryptsetup luksClose <name>