harddisk encryption is important to protect critical data from getting physically stolen

(can’t do much about data that gets stolen while DEcrypted)

(except: to not have any physical network connection while the data is in DEcrypted state?)

hostnamectl; # tested on
  Operating System: Debian GNU/Linux 10 (buster)
            Kernel: Linux 4.19.0-17-amd64
      Architecture: x86-64

su - root
apt install cryptsetup gparted
  • hardware requirements: some empty disk space
  • start gparted and create an ext4 partition in the empty disk space
    • (using fdisk is fine too)

how to mount/open/decrypt encrypted harddisk/partition:

# decrypt it
cryptsetup --type luks open /dev/sda3 encrypted
# make mount point
mkdir -p /media/user/encrypted
# mount it
mount -t ext4 /dev/mapper/encrypted /media/user/encrypted

how to create a new encrypted partition/harddisk (ext4)

lsblk 
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda             8:0    0 232.9G  0 disk  
├─sda1          8:1    0    59G  0 part  /
├─sda2          8:2    0     1K  0 part  
├─sda3          8:3    0 172.9G  0 part  <- the newly created partition
└─sda5          8:5    0   975M  0 part  [SWAP]
sr0            11:0    1  1024M  0 rom   

# now let's turn sda3 into an encrypted partition
# (it is also possible to target a whole harddisk like /dev/sdb)
cryptsetup luksFormat /dev/sda3
# it will ask you to confirm with YES (all existing data on the partition is overwritten)
# and for the encryption password: (twice)
Enter passphrase for /dev/sda3:
# and then reformat it as an encrypted (LUKS) partition

# let's open this partition for writing
cryptsetup open /dev/sda3 encrypted

# now the partition is unlocked and can be written to
# format it as ext4 partition
mkfs.ext4 -L LABEL /dev/mapper/encrypted

# create a mount point
mkdir -p /media/user/encrypted

# how to open it
# (skip the cryptsetup line if the partition is still open from the step above)
cryptsetup --type luks open /dev/sda3 encrypted
mount -t ext4 /dev/mapper/encrypted /media/user/encrypted

# give non-root user write access
chown -R user: /media/user/encrypted

# now the user can copy important data onto the encrypted partition

# show where it is mounted
lsblk 
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda             8:0    0 232.9G  0 disk  
├─sda1          8:1    0    59G  0 part  /
├─sda2          8:2    0     1K  0 part  
├─sda3          8:3    0 172.9G  0 part  
│ └─encrypted 254:0    0 172.9G  0 crypt /media/user/encrypted
└─sda5          8:5    0   975M  0 part  [SWAP]
sr0            11:0    1  1024M  0 rom   

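# how to close it
# (unmount the same path it was mounted on, otherwise cryptsetup close fails because the device is busy)
umount /media/user/encrypted
cryptsetup close encrypted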
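
Added example (not part of the original post): a small check that the volume is really locked again after the close step, since the data is only protected while the mapping is gone. The function names crypt_state and is_locked are made up for this example, and the sample inputs are constructed in the format printed by `lsblk -rno NAME,TYPE,MOUNTPOINT`.

```shell
#!/bin/sh
# Report whether a dm-crypt mapping (here: "encrypted") is still unlocked.
# Input on stdin: output of `lsblk -rno NAME,TYPE,MOUNTPOINT` (raw, no header).

# crypt_state NAME -> prints: closed | open-unmounted | mounted <path>
crypt_state() {
    awk -v name="$1" '
        $1 == name && $2 == "crypt" { found = 1; mp = $3 }
        END {
            if (!found)        print "closed"          # no mapping: data is locked
            else if (mp == "") print "open-unmounted"  # umount done, key still loaded
            else               print "mounted " mp     # decrypted and in use
        }'
}

# is_locked NAME -> exit status 0 only when the mapping no longer exists
is_locked() {
    [ "$(crypt_state "$1")" = "closed" ]
}

# Constructed sample inputs (not captured from a real machine)
SAMPLE_MOUNTED='sda disk
sda1 part /
sda3 part
encrypted crypt /media/user/encrypted
sda5 part [SWAP]'

SAMPLE_UNMOUNTED='sda disk
sda1 part /
sda3 part
encrypted crypt
sda5 part [SWAP]'

SAMPLE_CLOSED='sda disk
sda1 part /
sda3 part
sda5 part [SWAP]'

# Live use: sh check-locked.sh --live [mapping-name]
if [ "${1:-}" = "--live" ]; then
    state=$(lsblk -rno NAME,TYPE,MOUNTPOINT | crypt_state "${2:-encrypted}")
    echo "${2:-encrypted}: $state"
    [ "$state" = "closed" ]   # exit status 0 only when locked
fi
```

"open-unmounted" is the state after umount but before cryptsetup close: the filesystem is gone from the tree, but /dev/mapper/encrypted is still readable.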

creditz:

https://linuxconfig.org/partition-encryption

admin