I am guilty of not having considered encrypting my hard drives for too long, I confess. As soon as I joined Telenor Digital (or, actually, early in the process but a bit too late…) I was commanded to encrypt my data and I couldn’t delay any more. To my utter surprise, the process was surprisingly simple in my Debian jessie! Here is a short checklist for your convenience.
Say you have an external hard drive with one partition attached to the system as /dev/sdb1. To encrypt the filesystem you will:
- ensure that the partition is not mounted;
- run
cryptsetup -y luksFormat /dev/sdb1
that will ask you for a passphrase (twice, to verify that you didn’t mistype) and initialize LUKS on the partition;
- if you now run
cryptsetup open /dev/sdb1 backupdisk
you will unlock the encrypted partition by creating a mapping between the device /dev/mapper/backupdisk and /dev/sdb1. You can think of the former as the interface to the latter: the system will read and write to /dev/mapper/backupdisk as if it were a plain drive while, behind the scenes, it is reading and writing data to /dev/sdb1 that is decrypted/encrypted on the fly;
- create a filesystem on the mapped drive:
- and the drive is now ready for use! You can mount it:
mount /dev/mapper/backupdisk /mnt
- and do operations on it:
ls -l /mnt
- and unmount it when you are done:
When you are doing operations on the command line you are also supposed to close the drive when you are done, that is (in this specific case): remove the association between /dev/mapper/backupdisk and /dev/sdb1. But there is a nice bonus: if you are running GNOME or any other desktop environment that supports a keyring, the desktop environment can save your passphrase and open/close the drive automatically for you!
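The whole checklist as one script, including the final close step; this is an added example, not code from the original post. The ext4 filesystem, the function names and the MOUNTS_FILE variable are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not from the original post. Run as root.
# Assumptions: ext4 as the filesystem, the function names, MOUNTS_FILE.

# Succeeds if device $1 is listed as a mount source. The table is read
# from $MOUNTS_FILE (default /proc/mounts) so the check can be exercised
# on a constructed file.
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' \
        "${MOUNTS_FILE:-/proc/mounts}"
}

# encrypt_and_use DEVICE NAME MOUNTPOINT
encrypt_and_use() {
    dev=$1; name=$2; mnt=$3

    # Step 1: the partition must not be mounted.
    if is_mounted "$dev"; then
        echo "refusing: $dev is mounted, unmount it first" >&2
        return 1
    fi

    # Step 2: initialise LUKS; -y asks for the passphrase twice.
    # Existing data on the partition is lost.
    cryptsetup -y luksFormat "$dev" || return 1

    # Step 3: unlock; the cleartext view appears as /dev/mapper/$name.
    cryptsetup open "$dev" "$name" || return 1

    # Create the filesystem (ext4 is an assumption), mount it, use it.
    status=0
    if mkfs.ext4 "/dev/mapper/$name" && mount "/dev/mapper/$name" "$mnt"; then
        ls -l "$mnt" || status=1
        # Unmount when done.
        umount "$mnt" || status=1
    else
        status=1
    fi

    # Close the mapping even if an earlier step failed, so the decrypted
    # view of the disk does not stay available.
    cryptsetup close "$name" || status=1
    return $status
}

# Usage, with the names used in the post:
#   encrypt_and_use /dev/sdb1 backupdisk /mnt
```
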
And that’s all for now. I hope to have some time shortly to write about how you can encrypt a partition on your system/laptop. Until then, enjoy!