harddisk encryption is important to protect critical data when the disk gets physically stolen

(can’t do much about data that gets stolen while DEcrypted)

(except: to not have any physical network connection while the data is in DEcrypted state?)

hostnamectl; # tested on
  Operating System: Debian GNU/Linux 10 (buster)
            Kernel: Linux 4.19.0-17-amd64
      Architecture: x86-64

su - root
apt install lvm2 cryptsetup gparted
  • hardware requirements: some empty disk space
  • start gparted and create an ext4 partition in the empty disk space
    • (using fdisk is fine too)

how to mount/open/decrypt encrypted harddisk/partition:

# decrypt it
cryptsetup --type luks open /dev/sda3 encrypted

# or simply
cryptsetup open /dev/sda3 encrypted

# if there are two volume groups with the same name, it might be required to rename one of them
blkid
/dev/sda1: UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="cb9eee44-01"
/dev/sda2: LABEL="swap" UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" TYPE="swap" PARTUUID="cb9eee44-02"
/dev/sdb1: UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" BLOCK_SIZE="1024" TYPE="ext2" PARTUUID="d610e74e-01"
/dev/sdb5: UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" TYPE="crypto_LUKS" PARTUUID="d610e74e-05"

vgdisplay

vgrename [VG UUID] new_name

modprobe dm-mod

# activate volume groups and their logical volumes
vgchange -ay
  2 logical volume(s) in volume group "old-top-lap" now active

lvscan
  ACTIVE            '/dev/old-top-lap/root' [<475.49 GiB] inherit <-that's the one the user wants to mount
  ACTIVE            '/dev/old-top-lap/swap_1' [980.00 MiB] inherit

mkdir /media/user/old-top-lap
mount /dev/old-top-lap/root /media/user/old-top-lap/

# if the LUKS container holds ext4 directly (no LVM): make mount point
mkdir -p /media/user/encrypted

# mount it
mount -t ext4 /dev/mapper/encrypted /media/user/encrypted

how to create a new encrypted partition/harddisk (ext4)

lsblk 
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda             8:0    0 232.9G  0 disk  
├─sda1          8:1    0    59G  0 part  /
├─sda2          8:2    0     1K  0 part  
├─sda3          8:3    0 172.9G  0 part  <- the newly created partition
└─sda5          8:5    0   975M  0 part  [SWAP]
sr0            11:0    1  1024M  0 rom   

# now let's turn sda3 into an encrypted partition
# (it is also possible to target a whole harddisk like /dev/sdb)
cryptsetup luksFormat /dev/sda3
# it will ask to confirm by typing YES (in capital letters)
# and for the encryption passphrase: (twice)
Enter passphrase for /dev/sda3:
# then it reformats sda3 as an encrypted partition (existing data on sda3 is overwritten)

# let's open this partition for writing
cryptsetup open /dev/sda3 encrypted

# now the partition is unlocked and can be written to
# format it as ext4 partition
mkfs.ext4 -L LABEL /dev/mapper/encrypted

# create a mount point
mkdir -p /media/user/encrypted

# how to open and mount it (the open step is only needed if it is not already open)
cryptsetup --type luks open /dev/sda3 encrypted
mount -t ext4 /dev/mapper/encrypted /media/user/encrypted

# give non-root user write access
chown -R user: /media/user/encrypted

# now the user can copy important data on the encrypted partition

# show where it is mounted
lsblk 
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda             8:0    0 232.9G  0 disk  
├─sda1          8:1    0    59G  0 part  /
├─sda2          8:2    0     1K  0 part  
├─sda3          8:3    0 172.9G  0 part  
│ └─encrypted 254:0    0 172.9G  0 crypt /media/user/encrypted
└─sda5          8:5    0   975M  0 part  [SWAP]
sr0            11:0    1  1024M  0 rom   

# how to close it
umount /media/user/encrypted
cryptsetup close encrypted
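
if the open or mount step was skipped or failed, /media/user/encrypted is just a directory on the unencrypted root partition and anything copied there lands in plaintext. the check below is an added example (not from the original article): it reads lsblk output and confirms the mount point sits on a crypt device, directly or via LVM. the function name crypt_backed and the sample lsblk lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# stdin: output of  lsblk -P -n -o KNAME,PKNAME,TYPE,MOUNTPOINT

# crypt_backed MOUNTPOINT
# Exit 0 only if the device mounted at MOUNTPOINT is a dm-crypt mapping or is
# stacked on one (e.g. LVM inside LUKS). Exit 1 otherwise, including when
# nothing is mounted there and the path is only a directory on another disk.
crypt_backed() {
    [ -n "$1" ] || return 2
    mp=${1%/}                  # tolerate a trailing slash
    [ -n "$mp" ] || mp=/
    awk -F'"' -v mp="$mp" '
        # split on double quotes: $2=KNAME $4=PKNAME $6=TYPE $8=MOUNTPOINT
        { parent[$2] = $4; type[$2] = $6; if ($8 == mp) dev = $2 }
        END {
            # walk from the mounted device up through its parents
            for (n = 0; dev != "" && n < 16; n++) {
                if (type[dev] == "crypt") exit 0
                dev = parent[dev]
            }
            exit 1
        }'
}

# Constructed sample: container opened and mounted, as in the article
SAMPLE_OPEN='KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT="/media/user/encrypted"'

# Constructed sample: container closed, mount point is a plain directory on /
SAMPLE_CLOSED='KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""'

# Constructed sample: LVM volume inside LUKS
SAMPLE_LVM='KNAME="sdb5" PKNAME="sdb" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sdb5" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/media/user/old-top-lap"'

printf '%s\n' "$SAMPLE_OPEN" | crypt_backed /media/user/encrypted \
    && echo "open: safe to copy"
printf '%s\n' "$SAMPLE_CLOSED" | crypt_backed /media/user/encrypted \
    || echo "closed: copy would land unencrypted on /"

# Live use:
#   lsblk -P -n -o KNAME,PKNAME,TYPE,MOUNTPOINT | crypt_backed /media/user/encrypted
```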

creditz:

https://linuxconfig.org/partition-encryption
