Disclaimer
It is not easily possible to use most of the methods described here to encrypt existing drives without having to make and restore a backup.
Preparation: Making a backup
It is necessary to create a backup of your drive as encrypting will erase your data.
SquashFS
I like to use SquashFS as I don't have much backup space:
apt update
apt install squashfs-tools
mksquashfs /media/drive/mountpoint /media/backup/mountpoint/drive.sqsh
The above commands all need to be run as root.
A major disadvantage of SquashFS is its slowness. It uses all CPU cores but still takes a long time to complete depending on how much data is being squashed.
tar
If you can afford to store a raw copy, you can create it with tar. The tar command is faster than cp or rsync for copying many large files. Here's how to use it:
tar -c -C /media/drive/mountpoint . | \
tar --same-owner -xp -C /media/backup/location
Make sure you run this as root.
This is much faster compared to squashing but it requires much more storage space.
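Before the drive is wiped it pays to confirm that the copy is actually complete. The following is an added example, not part of the original post: a small POSIX shell check that compares the path listing and the SHA-256 of every regular file in the source and backup trees, plus a constructed demo tree copied with the same tar pipe (without --same-owner so it runs unprivileged). Paths and function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: check that a tar-style copy
# is complete before the source drive is wiped and encrypted.
# verify_copy SRC DST compares the relative path listing of both trees and
# the SHA-256 of every regular file. Returns 0 only on an exact match.
# Ownership and permission bits are not compared here.
verify_copy() {
    src=$1
    dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || { echo "missing directory" >&2; return 2; }

    # Same set of entries (files, directories, symlinks) relative to each root
    src_list=$(cd "$src" && find . | LC_ALL=C sort)
    dst_list=$(cd "$dst" && find . | LC_ALL=C sort)
    if [ "$src_list" != "$dst_list" ]; then
        echo "path listing differs between $src and $dst" >&2
        return 1
    fi

    # Same content for every regular file
    src_sums=$(cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort)
    dst_sums=$(cd "$dst" && find . -type f -exec sha256sum {} + | LC_ALL=C sort)
    if [ "$src_sums" != "$dst_sums" ]; then
        echo "file contents differ between $src and $dst" >&2
        return 1
    fi
    return 0
}

# Constructed demo: build a small tree in a temporary directory, copy it with
# the tar pipe from the post (minus --same-owner, which needs root), and print
# the temporary directory so the caller can verify and then remove it.
make_demo_copy() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/drive/docs" "$tmp/backup"
    printf 'report draft\n' > "$tmp/drive/docs/notes.txt"
    dd if=/dev/urandom of="$tmp/drive/image.bin" bs=1024 count=4 2>/dev/null
    tar -c -C "$tmp/drive" . | tar -xp -C "$tmp/backup"
    echo "$tmp"
}

# Run as "sh verify_copy.sh demo" to see the check pass on the demo tree.
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo_copy)
    verify_copy "$d/drive" "$d/backup" && echo "backup verified in $d"
    rm -rf "$d"
fi
```

For a real drive, call verify_copy with the source mountpoint and the backup location before running the wipe; a non-zero exit means the copy is not safe to rely on.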
Wiping
This is optional but it's highly recommended to do if unencrypted data used to be stored on the drive. Some encryption tools such as OS installers do this automatically, but pure cryptsetup does not. To be safe, wipe manually:
dd bs=1M if=/dev/urandom of=/dev/sdX
Once again only root can do this.
Replace /dev/sdX with the device file of the drive you want to encrypt. You can specify a partition number if you only want to wipe a single partition.
If you're still using an old kernel (<4.8) this is going to be slow. Replace /dev/urandom with /dev/zero to counter this; the old data is still overwritten, but the drive is then no longer filled with random-looking bytes, so the extent of the encrypted data written later can be told apart from the untouched remainder.
Encrypting
There are three methods I have used.
LVM + LUKS
This is recommended for drives with an operating system.
Do a complete reinstall and select the "encrypted LVM" option when partitioning. Make sure to use a secure passphrase that you can still remember.
This sets up LVM and LUKS.
LUKS
Use this for external drives that are always connected to the same machine.
Run the following commands as root:
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 -y /dev/sdXY
cryptsetup luksOpen /dev/sdXY sdXY-crypt
mkfs.ext4 /dev/mapper/sdXY-crypt
cryptsetup luksClose sdXY-crypt
where sdXY is the name of the device file of the partition.
VeraCrypt volume
This is useful if you want to use your drive in other places or on other platforms. Follow the VeraCrypt instructions for this.
Restoring the backup
No matter how you made your backup, tar is the way to restore it. Before you do that you have to take care of some other things.
SquashFS
Mount the SquashFS image:
mount /media/squashfs/location/drive.sqsh /media/backup/mountpoint
You now need to mount the encrypted device. This is quite easy to do with VeraCrypt volumes. When you mount one the mountpoint is usually /media/veracryptX. For LUKS it works like this:
cryptsetup luksOpen /dev/sdXY sdXY-crypt
mount /dev/mapper/sdXY-crypt /media/drive/mountpoint
LVM + LUKS is slightly different:
cryptsetup luksOpen /dev/sdXY sdXY-crypt
lvchange -ay hostname-vg/partitionname
mount /dev/hostname-vg/partitionname /media/drive/mountpoint
Now restore the backup:
tar -c -C /media/backup/mountpoint . | \
tar --same-owner -xp -C /media/drive/mountpoint
Cleaning up
Now unmount the encrypted volume (if you don't want to use it yet) and delete the SquashFS. Unmounting VeraCrypt volumes is easy enough to not be documented here.
Unmounting LUKS
umount /media/drive/mountpoint
cryptsetup luksClose sdXY-crypt
Unmounting LVM + LUKS
umount /media/drive/mountpoint
lvchange -an hostname-vg/partitionname
cryptsetup luksClose sdXY-crypt
WARNING: Store the SquashFS image on an encrypted drive or wipe it securely! A simple rm won't do, especially with solid state storage!