
encrypt a partition with luks

partition your device like you would normally

sudo fdisk /dev/sdx
...

format the partition as luks and add the first key (from stdin); this destroys existing data on the partition

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdxN

create & add a second key from file (optional); keep the key file readable by root only

sudo dd if=/dev/urandom of=/path/XYZ.key bs=1024 count=8
sudo cryptsetup luksAddKey /dev/sdxN /path/XYZ.key

check keys for a given partition

sudo cryptsetup luksDump /dev/sdxN

open the encrypted partition and map it to /dev/mapper/XXXXX

sudo cryptsetup luksOpen /dev/sdxN XXXXX

create a file system like you would on any normal block device

sudo mkfs.ext4 /dev/mapper/XXXXX

mount like any normal block device

sudo mkdir /mnt/my_encrypted_partition
sudo mount /dev/mapper/XXXXX /mnt/my_encrypted_partition

add your stuff to the encrypted partition

sudo mv /path/my_secret_file /mnt/my_encrypted_partition/

umount like any normal block device

sudo umount /mnt/my_encrypted_partition

close the encrypted partition

sudo cryptsetup luksClose /dev/mapper/XXXXX

how to mount at boot (with a key file)

# get the UUID of the encrypted block device.
sudo cryptsetup luksUUID /dev/sdxN

# edit /etc/crypttab to add the following entry.
XXXXX /dev/disk/by-uuid/[UUID] /path/XYZ.key luks

# edit /etc/fstab and add it as a normal block device
# (mount options, dump and fsck-order fields written out explicitly)
/dev/mapper/XXXXX /mnt/my_encrypted_partition ext4 defaults 0 2
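
check a crypttab before relying on it at boot (added example, not part of the original notes): the function below flags key files that are missing or readable by group/other, and devices referenced by kernel names such as /dev/sdb2 that can change between boots. the function name audit_crypttab is hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the key files and device names used in a crypttab.
# Assumptions: GNU stat (Linux); audit_crypttab is a made-up helper name.
# usage: audit_crypttab /etc/crypttab

# Prints one line per problem. Returns 0 if nothing was found, 1 otherwise.
audit_crypttab() {
    tab=$1
    bad=0
    # "|| [ -n "$name" ]" keeps a last line that has no trailing newline
    while read -r name dev key opts || [ -n "$name" ]; do
        # skip blank lines and comments
        case $name in ''|\#*) continue ;; esac

        # kernel device names are not stable across boots or hot-plugging
        case $dev in
            /dev/sd*|/dev/hd*|/dev/vd*|/dev/nvme*|/dev/mmcblk*)
                echo "$name: $dev is a kernel name, use /dev/disk/by-uuid/ or UUID="
                bad=1 ;;
        esac

        # "none" or "-" means a passphrase prompt, so there is no file to check
        case $key in ''|none|-) continue ;; esac

        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing"
            bad=1
            continue
        fi

        # octal mode must end in 00: no permission bits for group or other
        mode=$(stat -c %a "$key")
        case $mode in
            0|*00) ;;
            *) echo "$name: $key has mode $mode, expected 400 or 600"
               bad=1 ;;
        esac
    done < "$tab"
    return $bad
}
```

a key file flagged here can be fixed with sudo chmod 0400 /path/XYZ.key.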