Debian GNU/Linux
Data Hard Drive Encryption with LUKS (2021)
To encrypt my Debian GNU/Linux system, I use the Debian installer.
These notes are only about an additional data hard drive.
Introduction
For this task, I use a desktop, for the following reason.
It is 'better' to do this task in a desktop. In mine it is possible to hot-plug
the SATA hard drive. If the task is done with the hard drive in an external
hard drive enclosure, we get this error with the fdisk -l command:
GPT PMBR size mismatch (1953525167 != 1953525166) will be corrected by write.
The backup GPT table is corrupt, but the primary appears OK, so that will be used.
But, at least, it works!
I found this link to fix the issue (even with data on the drive), but I did not try it.
To encrypt the hard drive, we use cryptsetup.
I found most commands here.
Create a GPT Table, an Unformatted Partition and Encrypt It
With gparted:
- Device, Create Partition Table... : choose gpt
- Partition, New... : choose unformatted as filesystem / give a name
- Edit, Apply All Operations
Encrypt the partition with the following command (with root access)
(replace /dev/sdXN by the device file of your partition):
cryptsetup luksFormat -c aes -h sha256 /dev/sdXN
Open Encryption and Format the Partition
For this step, we can use the command line or gparted.
With the Command Line
In these commands (with root access), replace /dev/sdXN by the device file of
your partition and replace LABEL by the label of your choice:
cryptsetup luksOpen /dev/sdXN LABEL
mkfs.ext4 /dev/mapper/LABEL
e2label /dev/mapper/LABEL LABEL
cryptsetup luksClose LABEL
With gparted
- GParted, Refresh Devices
- Partition, Open Encryption
- Partition, Format to, ext4
- Edit, Apply All Operations
- Partition, Label File System
- Edit, Apply All Operations
Save and Restore Header
If the hard drive has an issue, you cannot use regular tools (like testdisk
or photorec) without a good header. You have to make a backup of the header.
You can use this command (with root access) (replace /dev/sdXN by the device
file of your partition and replace LABEL by the label):
cryptsetup luksHeaderBackup /dev/sdXN --header-backup-file luksHeaderBackup_LABEL_`date +%Y.%m.%d_%Hh%Mm%Ss`
and this one to restore it:
cryptsetup luksHeaderRestore /dev/sdXN --header-backup-file luksHeaderBackup_LABEL_DATE
Use the Hard Drive
I usually open the encryption and mount the partition using Dolphin on KDE.
You can open the encrypted partition with this command (with root access)
(replace /dev/sdXN by the device file of your partition and replace LABEL
by the label of your choice; it can differ from the previous label):
cryptsetup luksOpen /dev/sdXN LABEL
Mount the partition (with root access):
mount /dev/mapper/LABEL /mnt/
Unmount the partition and close the encryption (with root access):
umount /mnt/
cryptsetup luksClose LABEL
Automount the Hard Drive
Edit the file /etc/crypttab to add this line (replace LABEL by the label of
your choice, it can differ from the previous labels, and replace
HARD_DRIVE_UUID by the UUID of your partition):
LABEL UUID=HARD_DRIVE_UUID none luks,discard
Edit the file /etc/fstab to add this line (replace LABEL by the label,
the same as the previous one):
/dev/mapper/LABEL /media/LABEL ext4 defaults 0 2
Create the directory /media/LABEL (with root access) (replace LABEL by the
label, the same as the previous one):
mkdir /media/LABEL
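As an added example (not part of these notes), here is a small POSIX sh helper that builds the crypttab and fstab lines of this section and the header backup file name of the earlier section, checking the label first. The add_automount function and the label rules are my own assumptions; only that function needs root and a real device.

```shell
#!/bin/sh
# Added helper (not from the original notes): builds the crypttab/fstab
# lines and the header-backup file name used above, after checking the
# label. add_automount() and the label rules are assumptions.

# A label is used as the mapper name, the ext4 label and a mount point,
# so keep it to [A-Za-z0-9_-] and to ext4's 16-character limit.
valid_label() {
    label=$1
    case "$label" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#label}" -le 16 ]
}

# /etc/crypttab entry. 'discard' passes TRIM through to the SSD, which
# reveals which blocks are unused; drop it if that matters to you.
crypttab_line() {                      # $1 label, $2 LUKS container UUID
    printf '%s UUID=%s none luks,discard\n' "$1" "$2"
}

# /etc/fstab entry for the opened mapping.
fstab_line() {                         # $1 label
    printf '/dev/mapper/%s /media/%s ext4 defaults 0 2\n' "$1" "$1"
}

# Same naming scheme as the luksHeaderBackup command above. The backup
# holds the key slots, so store it off the disk and as safely as the
# passphrase: an old backup still opens the volume with an old passphrase.
header_backup_name() {                 # $1 label, $2 timestamp (optional)
    printf 'luksHeaderBackup_%s_%s\n' "$1" "${2:-$(date +%Y.%m.%d_%Hh%Mm%Ss)}"
}

# Wire a partition into crypttab/fstab (needs root). Refuses bad labels,
# non-LUKS devices and a UUID that is already configured, so running it
# twice cannot create duplicate entries.
add_automount() {                      # $1 /dev/sdXN, $2 label
    dev=$1; label=$2
    valid_label "$label" || { echo "invalid label: $label" >&2; return 1; }
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    uuid=$(blkid -s UUID -o value "$dev") || return 1
    if grep -q "UUID=$uuid" /etc/crypttab 2>/dev/null; then
        echo "$dev already in /etc/crypttab" >&2; return 1
    fi
    crypttab_line "$label" "$uuid" >> /etc/crypttab
    fstab_line "$label" >> /etc/fstab
    mkdir -p "/media/$label"
}
```

blkid is run on the partition itself, not on /dev/mapper/LABEL, so the UUID it returns is the LUKS container UUID that crypttab expects.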