I am guilty of not having considered encrypting my hard drives for too long, I confess. As soon as I joined Telenor Digital (or, actually, early in the process but a bit too late…) I was commanded to encrypt my data and I couldn’t delay any more. To my utter surprise, the process was surprisingly simple in my Debian jessie! Here is a short checklist for your convenience.
Say you have an external hard drive with one partition attached to the system as /dev/sdb1. To encrypt the filesystem you will:
- ensure that the partition is not mounted;
- install cryptsetup;
- run cryptsetup -y luksFormat /dev/sdb1 – that will ask you for a passphrase (twice, to verify that you didn’t mistype) and initialize LUKS on the partition;
- if you now run cryptsetup open /dev/sdb1 backupdisk you will unlock the encrypted partition by creating a mapping between the device /dev/mapper/backupdisk and /dev/sdb1. You can think of the former as the interface to the latter: the system will read and write to /dev/mapper/backupdisk as if it were a plain drive while, behind the scenes, it is reading and writing data to /dev/sdb1 that is decrypted/encrypted on the fly;
- create a filesystem on the mapped drive:
mkfs.ext4 /dev/mapper/backupdisk
- and the drive is now ready for use! You can mount it:
mount /dev/mapper/backupdisk /mnt
- and do operations on it:
ls -l /mnt
- and unmount it when you are done:
umount /mnt
When you are doing operations on the command line you are also supposed to close the drive when you are done, that is (in this specific case): remove the association between /dev/mapper/backupdisk and /dev/sdb1. But there is a nice bonus: if you are running GNOME or any other desktop environment that supports a keyring, the desktop environment can save your passphrase and open/close the drive automatically for you!
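The checklist above as a single script, with the not-mounted check enforced before luksFormat and the mapping removed with cryptsetup close at the end. This is an added example, not code from the original post; the function names and the optional mounts-file argument are assumptions made for illustration.

```shell
# Added example. Function names and the mounts-file argument are assumptions.

# Succeeds if the given source device appears in the mount table.
is_mounted() {
    awk -v dev="$1" '$1 == dev { hit = 1 } END { exit !hit }' "${2:-/proc/mounts}"
}

# Prints "ok", or the reason to refuse, before anything destructive runs.
preflight() {
    dev=$1 name=$2 mounts=${3:-/proc/mounts}
    for src in "$dev" "/dev/mapper/$name"; do
        if is_mounted "$src" "$mounts"; then
            echo "refuse: $src is mounted"; return 1
        fi
    done
    echo ok
}

# One-time setup. luksFormat overwrites the partition, so stop if it is already LUKS.
setup_luks() {
    dev=$1 name=$2
    preflight "$dev" "$name" || return 1
    if cryptsetup isLuks "$dev"; then echo "refuse: $dev is already LUKS"; return 1; fi
    cryptsetup -y luksFormat "$dev" || return 1
    cryptsetup open "$dev" "$name" || return 1
    mkfs.ext4 "/dev/mapper/$name"; status=$?
    cryptsetup close "$name"          # remove the mapping again
    return "$status"
}

# Every later session: unlock, mount, run a command, unmount, close.
with_unlocked() {
    dev=$1 name=$2 mnt=$3; shift 3
    status=1
    cryptsetup open "$dev" "$name" || return 1
    if mount "/dev/mapper/$name" "$mnt"; then
        "$@"; status=$?
        umount "$mnt"
    fi
    cryptsetup close "$name"
    return "$status"
}

# Usage (as root): script setup /dev/sdb1 backupdisk | script use /dev/sdb1 backupdisk /mnt
case "${1:-}" in
    setup) setup_luks "$2" "$3" ;;
    use)   with_unlocked "$2" "$3" "$4" ls -l "$4" ;;
esac
```

Run without arguments it does nothing, so the functions can also be sourced into an interactive shell.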
And that’s all for now. I hope to have some time shortly to write about how you can encrypt a partition on your system/laptop. Until then, enjoy!