Download Article
Download Article
Encrypting your internal or external hard drive can help prevent unauthorized access to your personal data. Hard drive encryption in Linux can be tricky, so we'll walk you through the commands, step-by-step.
Steps
-
1Check whether
cryptsetup
is present: Type sudo cryptsetup --version into the terminal. If, instead of printing a version number, that results in "command not found", you need to installcryptsetup
.- Note that you need to use
sudo
. Attempting to runcryptsetup
withoutsudo
will result in "command not found" even if the program is installed.
- Note that you need to use
-
2Check which devices are connected: sudo fdisk -l .Advertisement
-
Connect the external hard drive.
-
4Check which devices are connected again. Run sudo fdisk -l again and look for a part that is different. That is the hard drive you connected. Remember its device name (e.g.
/dev/sdb
). In this article, it will be referred to as/dev/sdX
; make sure to replace it with the actual path in all instances. -
5Back up any data that you want to keep. The next steps will erase all the data from the hard drive.
-
6Unmount the external hard drive. Do not disconnect it — only unmount it. You can do so through your file manager, or with: sudo umount /dev/sdX
-
7Wipe all file systems and data from the hard drive. While this is not required for setting up the encryption, it is recommended. [1] X Research source
- To quickly wipe only the file system headers, use: sudo wipefs -a /dev/sdX
- To overwrite all the data on the hard drive, use: sudo dd if=/dev/urandom of=/dev/sdX bs=1M
. You will not see a progress bar or any other output, but if your external hard drive has a lamp that blinks when the drive is written to, it should start blinking.
- If the external hard drive is big, expect that you will need to wait a long time. While it depends on the device and the hard drive, a possible speed is 30 MB per second, taking about 2½ hours for 256 GB.
- If you want to see the progress, find out the process ID of the
dd
, then open another terminal and use sudo kill -USR1 pid ( pid being your process ID). This will not terminate the process (askill
without the-USR1
parameter would do), but just tells it to print how many bytes it has copied. - Using sudo dd if=/dev/zero of=/dev/sdX bs=1M to overwrite with zeroes instead may be faster, but is somewhat less secure than overwriting with random data [2] X Research source .
-
8Run
cryptsetup
: sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdX-
cryptsetup
will warn you that data will be overwritten irrevocably. TypeYES
to confirm that you want to do this and continue. You will be prompted to choose a passphrase. After you chose one, it will take some time to set up the encryption.cryptsetup
should finish with "Command successful." - If
cryptsetup
warns you about existing partitions (with a message of the formWARNING: Device /dev/sdX already contains ...... partition signature
), you haven't properly erased the existing file systems. You should refer to the step about wiping file systems and data, but it is also possible to ignore the warning and continue.
-
-
9Open the encrypted partition: sudo cryptsetup luksOpen /dev/sdX sdX (replace both
sdX
with the encrypted partition you just set up.)- You will be prompted for a passphrase. Enter the passphrase that you chose in the previous step.
-
10Check where the encrypted partition has been mapped to. It is usually
/dev/mapper/sdX
, but you should double-check using sudo fdisk -l . -
11Create a new filesystem on the encrypted partition. Setting up the encryption has wiped any that previously existed. Use the command: sudo mkfs.ext4 /dev/mapper/sdX
- It is important that you specify
/dev/mapper/sdX
. If you specify/dev/sdX
instead, you will format the disk as an unencrypted EXT4 partition. - You can give your filesystem a label with the -L option, for example: sudo mkfs.ext4 -L MyEncryptedDisk /dev/mapper/sdX
- It is important that you specify
-
12Remove the reserved space. By default, some space has been reserved, but if you don't intend to run a system from the hard drive, you can remove it to have slightly more space on the hard drive. [3] X Research source Use the command: sudo tune2fs -m 0 /dev/mapper/sdX
-
13Close the encrypted device: sudo cryptsetup luksClose sdX
- You can safely disconnect the external hard drive now. For instructions on opening it again and using it, refer to the "Opening an Encrypted External Hard Drive" method.
Advertisement
-
Connect the external hard drive.
-
2Wait and see whether a prompt opens. Some systems will automatically ask for the passphrase, and if you enter it correctly, mount the device.
-
3Mount the drive manually if the prompt doesn't open.
- Find the device name: lsblk
- If this is the first time you are mounting it, create a directory to mount it in, for example: sudo mkdir /mnt/encrypted . Otherwise, use the directory you previously created.
- Open the encrypted partition: sudo cryptsetup luksOpen /dev/sdX sdX
- Mount the encrypted partition: sudo mount /dev/mapper/sdX /mnt/encrypted
-
4Adjust the permissions if this is the first time you're mounting the drive. When you mount the drive for the first time, writing to the drive requires
sudo
. To change that, transfer ownership of the folder to the current user: sudo chown -R `whoami`:users /mnt/encrypted- If your hard drive was mounted automatically, you can find out where it was mounted using lsblk . Often, it is at a path similar to: /media/your_username/drive_label
-
5Use the hard drive. You may now use your encrypted hard drive like you would any other hard drive, reading files from it and transferring files onto it.
-
6Unmount the encrypted hard drive. This is necessary so that you may safely disconnect it. You can do so through a file manager, or over the terminal:
- Unmount the encrypted partition: sudo umount /mnt/encrypted
- Close the encrypted partition: sudo cryptsetup luksClose sdX
- If that gives the error message "Device sdX is not active.", the encrypted partition had been opened under a different name (that can happen, for example, if you entered the passphrase in the prompt instead of mounting manually). You can find it with the lsblk
command. Look for an entry of type
crypt
.
- If that gives the error message "Device sdX is not active.", the encrypted partition had been opened under a different name (that can happen, for example, if you entered the passphrase in the prompt instead of mounting manually). You can find it with the lsblk
command. Look for an entry of type
Advertisement
Expert Q&A
Ask a Question
200 characters left
Include your email address to get a message when this question is answered.
Submit
Advertisement
Tips
- If you disconnect the hard drive before finishing the steps, it is likely that it will not mount if you connect it again. In that case, find it using sudo fdisk -l , then either finish the steps or format it to have an unencrypted hard drive.Thanks
-
cryptsetup
has a Frequently Asked Questions document with more detailed information about its use: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestionsThanks
Submit a Tip
All tip submissions are carefully reviewed before being published
Name
Please provide your name and last initial
Thanks for submitting a tip for review!
Advertisement
Warnings
- Read the warnings that come with
cryptsetup
. You can read these in the manual with the command man cryptsetup .Thanks - Encryption protects the data on your hard drive while the encrypted partition isn't mounted and opened. While it is open, it may still be unauthorizedly accessed if you aren't careful.Thanks
Advertisement
References
About This Article
Thanks to all authors for creating a page that has been read 30,938 times.
Advertisement