LUKS Crypt

Aug 21, 2022

This is handy to encrypt a portable flash drive. Its also relevant for any linux install on with encryption. My Pop_OS! install was encrypted and I still have and access the boot disk. These instructions are the basics of LUKS setup and usage.

creating an encrypted partition

attach media and check its label:

sudo dmesg | tail 
sdd1: 14.3 GiB

sudo fdisk -l /dev/sdd1
Disk /dev/sdd1: 14.32 GiB, 15374221312 bytes, 30027776 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

write it with random data to prepare for encryption:

$ sudo dd if=/dev/urandom of=/dev/sdd1 bs=4M status=progress

erase and create a new partition table and partition

sudo fdisk /dev/sdd1

Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.

Command (m for help): o
Created a new DOS disklabel with disk identifier 0xd756b789.

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1):
First sector (2048-31116287, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-31116287, default 31116287):

Created a new partition 1 of type 'Linux'.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

if a specific partition size is desired, the Last sector command can be supplied an incremental value such as +25M or +2G instead of accepting the default.

use LUKS to encrypt the new partition

sudo cryptsetup luksFormat /dev/sdd1

This will overwrite data on /dev/mmcblk0p1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/mmcblk0p1:
Verify passphrase:

open the encrypted partition:

sudo cryptsetup open /dev/sdd1 secret
Enter passphrase for /dev/sdd1:

create a filesystem

sudo mkfs.ext2 /dev/mapper/secret -L filesystem-label
Creating filesystem with 9216 1k blocks and 2304 inodes
Superblock backups stored on blocks:

Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

close the partition

sudo cryptsetup close secret

using the encrypted device

# open the encrypted partition
sudo cryptsetup open /dev/sdd1 secret

# create mount dir
mkdir /mnt/encrypted-secret

# mount the open partition
sudo mount /dev/mapper/secret /mnt/encrypted-secret

# the device can now be accessed and used 

# unmount the open partition
sudo umount /mnt/encrypted-secret

# close the encrypted partiion
sudo cryptsetup close secret