FULL DISK ENCRYPTION # 1. installing cryptsetup & dm-crypt apt install cryptsetup # 2. Idenfity the name of the disk or partition to encrypt: fdisk -l # for this example it will be /dev/sdc or dmesg # for usb sticks # 3. Filling the disk or partition to encrypt with random data (optional) dd if=/dev/urandom of=/dev/sdc status=progress # 4. Initialize the LUKS partition and set the initial passphrase cryptsetup -y -v luksFormat /dev/sdc WARNING! ======== This will overwrite data on /dev/sdc irrevocably. Are you sure? (Type uppercase yes): YES Enter passphrase for /dev/sdc: Verify passphrase: Command successful. #5. Open the encrypted device and set up a mapping name cryptsetup luksOpen /dev/sdc secretdata ls -l /dev/mapper # display the status of the mapping file cryptsetup status secretdata # 6. Format the filesystem mkfs.ext4 /dev/mapper/secretdata # 7. Mount the encrypted file system into the main file tree. mount /dev/mapper/secretdata /mnn # -> you can mount it to any existing directory like /mnt # 8. Unmount the encrypted disk umount /mnt cryptsetup luksClose secretdata # 9. Accesing the encrypted disk after a restart or unmounting: cryptsetup luksOpen /dev/hdc secretdata mount /dev/mapper/secretdata /root/secret #10. Unlocking LUKS Encrypted Drives With A Keyfile # generating a random keyfile dd if=/dev/urandom of=/root/keyfile bs=1024 count=4 # set the permissions (only root can read it) chmod 400 /root/keyfile # add the keyfile as an additional authorization method cryptsetup luksAddKey /dev/sdc /root/keyfile # unlock the drive using the keyfile cryptsetup luksOpen /dev/hdc secret --key-file /root/keyfile