Encrypting your data is pretty much a must for anyone who is privacy- or security-conscious. I find it handy not only for protecting my data at rest, but also as the simplest way to make recycling old disks secure: without the passphrase, the contents are unreadable. I keep local backups on an external hard drive, which I keep encrypted. Encrypting a drive is pretty easy on Linux, especially with applications like GNOME Disks, which go so far as to make this possible without requiring superuser privileges. It’s even pretty straightforward on the command line, and that’s what I demonstrate here.
This tutorial describes the steps necessary to encrypt an external disk, such as a hard drive or flash drive, from the command-line using Cryptsetup. Instructions for unlocking, mounting, unmounting, and locking the filesystem are provided for Cryptsetup, udisks2, and GIO. udisks2 allows users to access encrypted filesystems without superuser privileges. GIO builds on top of udisks2 to simplify mounting and utilize encryption passphrases from the user’s keyring for convenience. The encrypted filesystem will use Btrfs. The reference operating system is Ubuntu 18.04. Root access on the machine is required. Knowledge of Linux, filesystems, and the command-line is assumed.
Install the Cryptsetup package.
sudo apt -y install cryptsetup
Locate the disk’s device path.
lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                8:0    0   1.8T  0 disk
├─sda1             8:1    0   976M  0 part  /boot
└─sda2             8:2    0   1.8T  0 part
  └─sda2_crypt   253:0    0   1.8T  0 crypt /var
sdb                8:16   0 931.5G  0 disk
└─sdb1             8:17   0 931.5G  0 part
sr0               11:0    1  1024M  0 rom
Here sdb is the 1 TB external drive I’m going to encrypt. If your device appears under a different name, use that name instead of sdb in the following commands.
Overwrite any existing partition tables on the disk with a new one.
The following command destroys the partition tables, which makes the old data hard to find but does not erase it: file contents stay on the disk until something overwrites them. If the disk previously held unencrypted sensitive data, wipe it first (for example with dd or shred, or blkdiscard on an SSD), or zero-fill the opened LUKS volume later so the old blocks are replaced with ciphertext.
Here, I instruct sgdisk(8) to completely destroy any existing partition tables and create a new GPT partition table. The partition table contains a single partition spanning the entire disk. A descriptive label, BlackWDExtHDD, is attached to the partition.
sudo sgdisk -Z -n 0:0:0 -c 0:"BlackWDExtHDD" /dev/sdb
GPT data structures destroyed! You may now partition the disk using fdisk or
other utilities.
Setting name!
partNum is 0
The operation has completed successfully.
Encrypt the partition.
sudo cryptsetup luksFormat --type luks2 --label "Black WD easystore" /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:
Cryptsetup 2.1.0 and later create LUKS2 volumes by default, so --type luks2 only has to be given explicitly on older releases such as the 2.0.x shipped with Ubuntu 18.04; passing it anyway is harmless and keeps the command unambiguous. The --label option requires LUKS2. Pick a long passphrase: it is the only thing standing between the disk and anyone who picks it up. Before putting data on the volume, save a copy of the LUKS header somewhere other than this disk with the luksHeaderBackup subcommand; the header holds the key slots, and a damaged header makes the volume permanently unreadable.
Open the encrypted volume.
udisksctl unlock -b /dev/sdb1
Passphrase:
Unlocked /dev/sdb1 as /dev/dm-1.
udisks2’s unlock subcommand creates a new device in the device tree under /dev/mapper using the prefix luks- followed by the volume’s UUID. The device here appears at /dev/mapper/luks-0cbab673-2b14-40c0-a1f2-522bc7ff7e18. As the command’s output shows, the kernel device node itself is /dev/dm-1; the /dev/mapper entry is a udev-managed symlink to it.
sudo cryptsetup open /dev/sdb1 MyUSB
Enter passphrase for /dev/sdb1:
Cryptsetup’s open subcommand creates a new device in the device tree under /dev/mapper using the name provided. In this case, the device appears at /dev/mapper/MyUSB.
Create a Btrfs filesystem on top of the encrypted volume. Use whichever mapping you created in the previous step: udisks2’s /dev/mapper/luks-<UUID> (or its /dev/dm-1 node) or Cryptsetup’s /dev/mapper/MyUSB. Prefer the /dev/mapper name in scripts; dm-N numbers are handed out in the order mappings are created and can differ next time.
sudo mkfs -t btrfs -L "My Backups" /dev/dm-1
btrfs-progs v4.15.1
See http://btrfs.wiki.kernel.org for more information.
Label: My Backups
UUID: 2eb01d94-9aa1-4bd1-8c99-950be806f449
Node size: 16384
Sector size: 4096
Filesystem size: 931.48GiB
Block group profiles:
Data: single 8.00MiB
Metadata: DUP 1.00GiB
System: DUP 8.00MiB
SSD detected: no
Incompat features: extref, skinny-metadata
Number of devices: 1
Devices:
ID SIZE PATH
1 931.48GiB /dev/dm-1
With the Cryptsetup mapping the command is the same apart from the device path, and so is the output:
sudo mkfs -t btrfs -L "My Backups" /dev/mapper/MyUSB
Now mount the Btrfs volume.
udisksctl mount -b /dev/mapper/MyUSB -o noatime
Mounted /dev/dm-1 at /run/media/jordan/My_Backups
To mount with additional Btrfs mount options, such as autodefrag and compress=zstd, use systemd-mount. It performs the mount as root, so it is not limited to the options udisks2 permits unprivileged users.
sudo systemd-mount -o noatime,autodefrag,compress=zstd /dev/mapper/MyUSB
Started unit run-media-system-My_Backups.mount for mount point: /run/media/system/My_Backups
For more information on mounting, see the post Adjust Mount Options.
Unmount the Btrfs volume.
udisksctl unmount -b /dev/dm-1
Unmounted /dev/dm-1.
sudo systemd-umount /run/media/system/My_Backups
Stopped unit run-media-system-My_Backups.mount for mount point: /run/media/system/My_Backups
Remove the device mapping to lock the encrypted device again: udisks2’s lock subcommand or Cryptsetup’s close subcommand. Both fail while the filesystem is still mounted, so unmount first.
udisksctl lock -b /dev/sdb1
Locked /dev/sdb1.
sudo cryptsetup close MyUSB
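The steps above (partition, luksFormat, open, mkfs, close) as one script, with the checks I would want before running commands that destroy data. This is an added example, not code from the original post: it refuses to touch a disk with anything mounted, makes you retype the device name, passes an explicit cipher and key size instead of whatever the installed version defaults to, writes a LUKS header backup off the disk, and can optionally zero-fill the opened volume so old plaintext is overwritten with ciphertext. The script name, the WIPE variable, the backup path under /root and the cipher choice are my assumptions; it assumes Ubuntu 18.04’s cryptsetup 2.0.x, sgdisk, btrfs-progs and util-linux, and must run as root.

```shell
#!/bin/sh
# Added example, not part of the original post. Usage (as root):
#   sudo ./encrypt-external.sh sdb MyUSB "Black WD easystore"
# Arguments: disk name, mapping name, partition/filesystem label.
set -eu

# Map a disk name to its first partition node: sdb -> /dev/sdb1, but
# nvme0n1 -> /dev/nvme0n1p1 and mmcblk0 -> /dev/mmcblk0p1 (names ending
# in a digit get a "p" separator).
first_partition_node() {
    case $1 in
        *[0-9]) printf '/dev/%sp1\n' "$1" ;;
        *)      printf '/dev/%s1\n' "$1" ;;
    esac
}

# Return 0 when nothing under the disk is mounted. $1 is the output of
# `lsblk -Pno NAME,MOUNTPOINT /dev/<disk>`, passed in as text so the check
# can be exercised without the device. Active swap shows up as
# MOUNTPOINT="[SWAP]" and is refused as well.
disk_is_unmounted() {
    if printf '%s\n' "$1" | grep -q 'MOUNTPOINT="[^"]'; then
        return 1
    fi
    return 0
}

# Return 0 when this cryptsetup version formats LUKS2 by default (2.1.0+).
# $1 is the bare version string, e.g. "2.0.2" from `cryptsetup --version`.
luks2_is_default() {
    maj=${1%%.*}
    rest=${1#*.}
    min=${rest%%.*}
    if [ "$maj" -gt 2 ]; then return 0; fi
    if [ "$maj" -eq 2 ] && [ "$min" -ge 1 ]; then return 0; fi
    return 1
}

encrypt_disk() {
    disk=$1 name=$2 label=$3
    dev=/dev/$disk
    part=$(first_partition_node "$disk")
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if ! disk_is_unmounted "$(lsblk -Pno NAME,MOUNTPOINT "$dev")"; then
        echo "$dev has a mounted filesystem or active swap; refusing" >&2
        return 1
    fi
    # Show what is about to be destroyed and require the name to be retyped.
    lsblk -o NAME,SIZE,MODEL,SERIAL,MOUNTPOINT "$dev"
    printf 'Type "%s" to wipe this disk: ' "$disk"
    read -r answer
    [ "$answer" = "$disk" ] || { echo "aborted" >&2; return 1; }

    # New GPT with a single partition spanning the disk (same call as above).
    sgdisk -Z -n 0:0:0 -c 0:"$label" "$dev"
    udevadm settle   # wait for the partition node to appear

    ver=$(cryptsetup --version | awk '{print $2}')
    luks2_is_default "$ver" || echo "cryptsetup $ver defaults to LUKS1; forcing --type luks2"
    # Explicit cipher and key size (AES-256 in XTS mode) rather than the
    # installed version's default. Assumption: this is the policy you want.
    cryptsetup luksFormat --type luks2 --label "$label" \
        --cipher aes-xts-plain64 --key-size 512 "$part"
    # The header holds the key slots; a copy off this disk is the only
    # recovery path if the header is ever damaged.
    cryptsetup luksHeaderBackup "$part" --header-backup-file "/root/$name.luksheader"
    chmod 600 "/root/$name.luksheader"

    cryptsetup open "$part" "$name"
    mapped=/dev/mapper/$name
    # Optional: overwrite old plaintext with ciphertext by writing zeros
    # through the mapping. Slow on a large disk; dd exits non-zero when the
    # device fills up, which is the expected end here.
    if [ "${WIPE:-0}" = 1 ]; then
        dd if=/dev/zero of="$mapped" bs=1M status=progress || true
    fi
    mkfs -t btrfs -L "$label" "$mapped"
    cryptsetup luksDump "$part"   # verify version, cipher and key slots
    cryptsetup close "$name"
    echo "$part is ready; unlock it with: udisksctl unlock -b $part"
}

if [ "$#" -eq 3 ]; then
    encrypt_disk "$@"
fi
```

Run it with WIPE=1 the first time an old, previously unencrypted disk is repurposed; for a new disk the zero-fill can be skipped.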
GIO makes accessing encrypted volumes easier. It handles both unlocking and mounting the encrypted volume in one command. Plus, it can use an encryption passphrase from the user’s keyring so that the user doesn’t have to enter the passphrase again. The following instructions demonstrate how to use GIO to access your newly encrypted volume.
Unlock and mount the volume by passing the device to GIO’s mount subcommand via the -d flag.
gio mount -d /dev/sdb1
Enter a passphrase to unlock the volume
The passphrase is needed to access encrypted data on WD easystore 25FC (1.0 TB Hard Disk).
Password:
Mounted /dev/sdb1 at /run/media/jordan/My_Backups
Unmount and lock the volume with the mount command, the -u flag, and the mount point.
gio mount -u /run/media/jordan/My_Backups
To store the volume’s passphrase in your keyring, the easiest method is to open the device in the Files application. This will prompt for a password. Enter the password and select the desired option for how long to save the password, and that’s it. GIO will no longer prompt for a password when opening this drive from the command line. Keep in mind what this trades away: the disk is then only as well protected as your login keyring, so anyone who can use your unlocked session can mount it, and the saved passphrase helps only on this machine.
You can now create, open, and close an encrypted partition on Linux.