GNU Linux howto – create LUKS2 encrypted harddisk drive or usb stick + label

19.Aug.2022

How to create an encrypted USB stick

Creating an encrypted USB stick under GNU/Linux is fairly easy. First, let's install the required packages and erase everything on the stick.

The following gives a good overview of which device is which (lsblk prints it as a tree):

hostnamectl; # tested on
Operating System: Debian GNU/Linux 12 (bookworm)  
          Kernel: Linux 6.1.0-13-amd64
    Architecture: x86-64

su - root

# study carefully where is what
lsblk -o 'NAME,MAJ:MIN,RM,SIZE,RO,FSTYPE,MOUNTPOINT,UUID'

# alternatively: before connecting the new disk
while true; do dmesg; sleep 3; clear; done;
# connect the new disk; dmesg should show information about the drive and the device name it was given


this used to work well, but failed once for an NVMe USB drive 🙁

so for an NVMe USB drive it is better to use gparted to create an UNFORMATTED partition and then continue with the LUKS commands below.

# Warning! DOUBLE, TRIPLE CHECK THAT YOU HAVE THE RIGHT DRIVE LETTER!
export USB_STICK="/dev/sdX"

apt-get install parted cryptsetup-bin

# optional if it is a new disk
shred -n 10 -v -z "${USB_STICK}"

This process can take some time depending on the stick’s size. After it has finished, we can create a partition table:

parted -s -a optimal "${USB_STICK}" -- mklabel msdos mkpart primary ext2 1 -1

# if the disk is larger than an msdos partition table supports (here a 4TB disk), parted throws an error:
Error: partition length of 7814033408 sectors exceeds the msdos-partition-table-imposed maximum of 4294967295

# use gpt partition table then
parted -s -a optimal "${USB_STICK}" -- mklabel gpt mkpart primary ext2 1 -1

Finally, create an AES-encrypted partition.

It might be necessary to 1) sync, 2) disconnect and 3) reconnect the stick now, so the kernel picks up the new partition table.

export ENCRYPTED_PART="${USB_STICK}1"

# double, triple check this worked
echo "will create new encrypted partition as: ${ENCRYPTED_PART}"

# how to label the new drive
export ENCRYPTED_PART_NAME="CryptStick"

# NOTE: cryptsetup expands a bare "--cipher aes" to aes-cbc-plain, so the three explicit
# options below give a weaker setup than the LUKS2 defaults (aes-xts-plain64, 512-bit key,
# argon2id); simply omitting them is the safer choice. "--type luks2" is already the default
# on Debian 12 but makes the LUKS2 intent explicit.
cryptsetup --verify-passphrase --type luks2 luksFormat "${ENCRYPTED_PART}" --cipher aes --key-size 256 --hash sha256

WARNING!
========
This will overwrite data on /dev/sdX1 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES

Enter passphrase for /dev/sdX1:
verify:

cryptsetup luksOpen "${ENCRYPTED_PART}" "${ENCRYPTED_PART_NAME}"

Enter passphrase for /dev/sdX1: # enter the password just used for encryption

mkfs.ext4 -L "${ENCRYPTED_PART_NAME}" "/dev/mapper/${ENCRYPTED_PART_NAME}"

cryptsetup close "${ENCRYPTED_PART_NAME}"

sync
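A check worth running before trusting the new stick, as an added example that is not part of the original post: pipe the output of `cryptsetup luksDump` for the partition into this shell function, which confirms the header is LUKS2 and flags a legacy cipher mode, a short key or a non-Argon2 KDF. It assumes the cryptsetup 2.x luksDump layout (Version:, Cipher:, Key:, PBKDF: lines); the two dumps embedded at the bottom are constructed sample data so it runs without root or a device.

```shell
#!/bin/sh
# Added example, not from the original post: audit "cryptsetup luksDump" output
# before trusting a freshly formatted stick. Real use (as root):
#   cryptsetup luksDump "${ENCRYPTED_PART}" | audit_luks_dump

# Reads a luksDump report on stdin, prints one line per finding and
# returns 0 when the header passes every check, 1 otherwise.
audit_luks_dump() {
    local dump version cipher keybits pbkdf rc=0
    dump=$(cat)
    # "Version:" is top-level; Cipher/Key/PBKDF are read from the first
    # keyslot (tab-indented in real output, hence the [[:space:]]* prefix).
    version=$(printf '%s\n' "$dump" | awk '/^Version:/ {print $2; exit}')
    cipher=$(printf '%s\n' "$dump" | awk '/^[[:space:]]*Cipher:/ {print $2; exit}')
    keybits=$(printf '%s\n' "$dump" | awk '/^[[:space:]]*Key:/ {print $2; exit}')
    pbkdf=$(printf '%s\n' "$dump" | awk '/^[[:space:]]*PBKDF:/ {print $2; exit}')
    [ "$version" = "2" ] || { echo "FAIL version: '$version' (expected a LUKS2 header)"; rc=1; }
    case "$cipher" in
        aes-xts-plain64) ;;  # cryptsetup default: two 256-bit AES keys, 64-bit IV
        *-plain) echo "FAIL cipher: $cipher (legacy 32-bit 'plain' IV; use xts-plain64)"; rc=1 ;;
        *)       echo "WARN cipher: '$cipher' (not the aes-xts-plain64 default)"; rc=1 ;;
    esac
    case "$keybits" in
        ''|*[!0-9]*) echo "FAIL key size: '$keybits' (no key size found)"; rc=1 ;;
        *) [ "$keybits" -ge 256 ] || { echo "FAIL key size: $keybits bits (want >= 256)"; rc=1; }
           [ "${cipher#*-}" != "xts-plain64" ] || [ "$keybits" -ge 512 ] ||
               { echo "WARN key size: $keybits bits (XTS uses two keys; 512 is the default)"; rc=1; } ;;
    esac
    case "$pbkdf" in
        argon2id|argon2i) ;;  # memory-hard KDFs, the LUKS2 default
        *) echo "FAIL pbkdf: '$pbkdf' (want argon2id; pbkdf2 is the LUKS1 legacy KDF)"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample headers, not real dumps. WEAK_DUMP mirrors what a bare
# "--cipher aes --key-size 256 --pbkdf pbkdf2" produces (aes -> aes-cbc-plain).
GOOD_DUMP='Version:        2
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id'
WEAK_DUMP='Version:        2
  0: luks2
        Key:        256 bits
        Cipher:     aes-cbc-plain
        PBKDF:      pbkdf2'

echo "== good header =="; printf '%s\n' "$GOOD_DUMP" | audit_luks_dump && echo "all checks passed"
echo "== weak header =="; printf '%s\n' "$WEAK_DUMP" | audit_luks_dump || echo "header rejected"
```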

Now the encrypted stick is ready to use!
Simply unplug and re-attach it; the desktop should prompt for the passphrase, decrypt the partition and mount it.

Or mount the drive manually:

export USERNAME=user;

echo "will mount the drive for: ${USERNAME}"

export MOUNTPOINT="/media/${USERNAME}/${ENCRYPTED_PART_NAME}"
# double check
echo "mountpoint: ${MOUNTPOINT}"
mkdir -p "${MOUNTPOINT}"

cryptsetup luksOpen "${ENCRYPTED_PART}" "${ENCRYPTED_PART_NAME}"

mount "/dev/mapper/${ENCRYPTED_PART_NAME}" "${MOUNTPOINT}"

# check that it was mounted correctly
mount|grep "${ENCRYPTED_PART_NAME}"

# should show something like this (this output is from a stick labelled EncryptedBackup2):
/dev/mapper/EncryptedBackup2 on /media/user/EncryptedBackup2 type ext4 (rw,relatime)

# alternatively:
lsblk|less

# test write to the newly created encrypted disk
echo "testfile was successfully written to encrypted drive :D" > "${MOUNTPOINT}/file.txt"

# read from testfile
# to verify it is working :D
cat "${MOUNTPOINT}/file.txt"
sync
umount "${MOUNTPOINT}"

cryptsetup close "${ENCRYPTED_PART_NAME}"

congratz! 😀

celebrate at least 3 min to this electronic music (or this analogue music) or other music 😀

How to run a filesystem check on the device?

# find out what device-mapper calls the device; a stick unlocked by the desktop
# shows up as luks-<UUID> rather than under the name chosen above
lsblk -o 'NAME,MAJ:MIN,RM,SIZE,RO,FSTYPE,MOUNTPOINT,UUID'
# the filesystem must be unmounted (but still unlocked) before checking it
umount /dev/mapper/luks-e2889390-8542-4a07-a59c-123123123123
fsck -y -v -f /dev/mapper/luks-e2889390-8542-4a07-a59c-123123123123

creditz: https://www.wyb.cz/2016/02/21/creating-encrypted-usb-stick/

admin