harddisk encryption is important to protect critical data from being physically stolen
(can’t do much about data that gets stolen while DEcrypted)
(except: to not have any physical network connection while the data is in DEcrypted state?)
```bash
hostnamectl; # tested on
#   Operating System: Debian GNU/Linux 10 (buster)
#   Kernel: Linux 4.19.0-17-amd64
#   Architecture: x86-64

su - root
apt install lvm2 cryptsetup gparted
```
- hardware requirements: some empty disk space
- start gparted and create an ext4 partition in the empty disk space
- (using fdisk is fine too)
how to mount/open/decrypt encrypted harddisk/partition:
```bash
# decrypt it
cryptsetup --type luks open /dev/sda3 encrypted
# or simply
cryptsetup open /dev/sda3 encrypted

# if there are two volume groups with the same name, it might be required to rename one of em
blkid
/dev/sda1: UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="cb9eee44-01"
/dev/sda2: LABEL="swap" UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" TYPE="swap" PARTUUID="cb9eee44-02"
/dev/sdb1: UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" BLOCK_SIZE="1024" TYPE="ext2" PARTUUID="d610e74e-01"
/dev/sdb5: UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" TYPE="crypto_LUKS" PARTUUID="d610e74e-05"

vgdisplay
vgrename [VG UUID] new_name

modprobe dm-mod

# activate volume groups and their logical volumes
vgchange -ay
  2 logical volume(s) in volume group "old-top-lap" now active

lvscan
  ACTIVE '/dev/old-top-lap/root' [<475.49 GiB] inherit    <- that's the one the user wants to mount
  ACTIVE '/dev/old-top-lap/swap_1' [980.00 MiB] inherit

mkdir /media/user/old-top-lap
mount /dev/old-top-lap/root /media/user/old-top-lap/

# make mount point
mkdir -p /media/user/encrypted
# mount it
mount -t ext4 /dev/mapper/encrypted /media/user/encrypted
```
how to create a new encrypted partition/harddisk (ext4)
```bash
lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 232.9G  0 disk
├─sda1   8:1    0    59G  0 part /
├─sda2   8:2    0     1K  0 part
├─sda3   8:3    0 172.9G  0 part    <- the newly created partition
└─sda5   8:5    0   975M  0 part [SWAP]
sr0     11:0    1  1024M  0 rom

# now let's turn sda3 into an encrypted partition
# (it is also possible to target a whole harddisk like /dev/sdb)
cryptsetup luksFormat /dev/sda3
# it will ask you for YES
# and for encryption password: (twice)
Enter passphrase for /dev/sda3:
# and reformat it as encrypted partition

# let's open this partition for writing
cryptsetup open /dev/sda3 encrypted
# now the partition is unlocked and can be written to

# format it as ext4 partition
mkfs.ext4 -L LABEL /dev/mapper/encrypted

# create a mount point
mkdir -p /media/user/encrypted

# how to open it (only needed if it is not already open, e.g. after a reboot)
cryptsetup --type luks open /dev/sda3 encrypted
mount -t ext4 /dev/mapper/encrypted /media/user/encrypted

# give non-root user write access
chown -R user: /media/user/encrypted
# now the user can copy important data on the encrypted partition

# show where it is mounted
lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda             8:0    0 232.9G  0 disk
├─sda1          8:1    0    59G  0 part  /
├─sda2          8:2    0     1K  0 part
├─sda3          8:3    0 172.9G  0 part
│ └─encrypted 254:0    0 172.9G  0 crypt /media/user/encrypted
└─sda5          8:5    0   975M  0 part  [SWAP]
sr0            11:0    1  1024M  0 rom

# how to close it (unmount the same path it was mounted on)
umount /media/user/encrypted
cryptsetup close encrypted
```
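`cryptsetup luksFormat` overwrites whatever is on the target, so it is worth checking the device before running it. The following is an added example (not from the original article): a small pre-flight check that reads `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` output and says whether a device should be formatted, opened, or left alone. The function names `field` and `classify` and the sample table are made up for this example; the "has partitions" test assumes child devices are named with the parent's name as prefix (sda -> sda1).

```shell
#!/bin/sh
# Added example: pre-flight check before `cryptsetup luksFormat`.
# Real use: lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | classify sda3

# Constructed sample table, modelled on the device layout shown in this article.
SAMPLE='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sda3" TYPE="part" FSTYPE="" MOUNTPOINT=""
NAME="sda5" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]"
NAME="sdb1" TYPE="part" FSTYPE="ext2" MOUNTPOINT=""
NAME="sdb5" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""'

# field LINE KEY -> value of KEY="..." in LINE.
# The leading space keeps TYPE from matching inside FSTYPE.
field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# classify NAME (lsblk -P output on stdin)
# prints one of: format | open | refuse:<reason>
classify() {
    target=$1
    table=$(cat)
    line=$(printf '%s\n' "$table" | grep "^NAME=\"$target\" ") \
        || { echo "refuse:not-found"; return 0; }
    # a whole disk that still carries partitions has no FSTYPE itself
    if printf '%s\n' "$table" | grep -q "^NAME=\"$target[^\"]"; then
        echo "refuse:has-partitions"; return 0
    fi
    fstype=$(field "$line" FSTYPE)
    mnt=$(field "$line" MOUNTPOINT)
    if [ -n "$mnt" ]; then
        echo "refuse:mounted"              # in use right now (includes [SWAP])
    elif [ "$fstype" = "crypto_LUKS" ]; then
        echo "open"                        # already LUKS: cryptsetup open, not luksFormat
    elif [ -n "$fstype" ]; then
        echo "refuse:has-$fstype"          # existing filesystem would be destroyed
    else
        echo "format"                      # empty partition: luksFormat is reasonable
    fi
}

# demo on the constructed table
for d in sda sda1 sda3 sdb1 sdb5; do
    printf '%s -> %s\n' "$d" "$(printf '%s\n' "$SAMPLE" | classify "$d")"
done
```

Only a result of `format` means the `luksFormat` step above should go ahead; `open` means the device belongs in the mount/open section instead.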
creditz:
https://linuxconfig.org/partition-encryption