Full Drive Encryption with Debian 9.4 or Ubuntu 18.04 LTS

This tutorial will show you step by step how to encrypt a full drive with Cryptsetup on Debian 9.4 or Ubuntu 18.04 LTS (Bionic Beaver). The drive that gets encrypted must not be part of an LVM volume.

Assumptions

1. The drive to be encrypted is not part of LVM.

2. cryptsetup has already been installed.

3. You already know the device you wish to encrypt (I will be using /dev/sdb1 in this example).

4. You have already saved any and all data on the drive you wish to encrypt, otherwise you will lose it all.

5. You need to know how to use sudo or su -

Notes & WARNINGS

You have already saved any and all data on the drive you wish to encrypt otherwise you will lose it all

The process I am presenting worked for me – YMMV

Please see the referring links at the end for a complete overview of other options and processes, as this tutorial is a compilation from these links to suit my needs.

… and finally, You have already saved any and all data on the drive you wish to encrypt otherwise you will lose it all

And now, for something completely different… The process:

Create a key-file for authentication – you will want this if you intend to use auto mount on boot:

dd if=/dev/urandom of=/root/drive_key bs=1024 count=4

Protect the key-file to be read only by root:

chmod 0400 /root/drive_key

Initialize the LUKS file system and use the key-file to authenticate instead of a password:

cryptsetup -d=/root/drive_key -v luksFormat /dev/sdb1

Create the LUKS mapping using the key-file:

cryptsetup -d=/root/drive_key luksOpen /dev/sdb1 data

Create your file system (I use ext4):

mkfs.ext4 /dev/mapper/data

Create your mount point on the system (some folks use /media):

mkdir /mnt/data

Mount the new file system at the mount point:

mount /dev/mapper/data /mnt/data

Create the mapper for fstab to use by adding the following line to /etc/crypttab:

data /dev/sdb1 /root/drive_key luks

Add the mount point to /etc/fstab:

/dev/mapper/data /mnt/data ext4 defaults 0 2

At this point all you need to do is either reboot or use mount -a. I myself find it’s much cleaner to simply reboot the system.
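
Before that reboot, it is worth confirming that the /etc/crypttab entry, the key-file permissions and the /etc/fstab line agree with each other. The following is an added example, not part of the original tutorial: audit_luks_entry is a hypothetical helper name, and the demo at the bottom runs on constructed files in a temporary directory instead of the real /etc and /root.

```sh
#!/bin/sh
# Added example (not from the tutorial). audit_luks_entry is a hypothetical helper.
# Usage: audit_luks_entry NAME [CRYPTTAB] [FSTAB]; returns 0 when the entry is clean.
audit_luks_entry() {
    name=$1 crypttab=${2:-/etc/crypttab} fstab=${3:-/etc/fstab} rc=0

    # crypttab fields: <target name> <source device> <key file> <options>
    entry=$(awk -v n="$name" '$1 == n { print $2, $3, $4; exit }' "$crypttab")
    if [ -z "$entry" ]; then
        echo "FAIL: no crypttab entry named '$name'"; return 1
    fi
    read -r device keyfile options <<EOF
$entry
EOF
    # The key-file must exist and be closed to group and others (0400 in the tutorial).
    if [ ! -f "$keyfile" ]; then
        echo "FAIL: key-file '$keyfile' is missing"; rc=1
    else
        perms=$(ls -ld "$keyfile" | cut -c5-10)   # group + other permission bits
        if [ "$perms" != "------" ]; then
            echo "FAIL: key-file '$keyfile' is accessible beyond its owner"; rc=1
        fi
    fi
    # The tutorial's crypttab entry carries the "luks" option.
    case ",$options," in
        *,luks,*) ;;
        *) echo "FAIL: crypttab entry lacks the 'luks' option"; rc=1 ;;
    esac
    # fstab must mount the mapper device that this crypttab entry creates.
    if ! awk -v m="/dev/mapper/$name" '$1 == m { f = 1 } END { exit !f }' "$fstab"; then
        echo "FAIL: no fstab line for /dev/mapper/$name"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: '$name' ($device) is consistent"
    return "$rc"
}

# Demo on constructed files; nothing under /etc or /root is read or changed.
d=$(mktemp -d)
dd if=/dev/urandom of="$d/drive_key" bs=1024 count=4 2>/dev/null
chmod 0644 "$d/drive_key"                      # deliberately too open
echo "data /dev/sdb1 $d/drive_key luks" > "$d/crypttab"
echo "/dev/mapper/data /mnt/data ext4 defaults 0 2" > "$d/fstab"
audit_luks_entry data "$d/crypttab" "$d/fstab" || echo "-> fix before rebooting"
chmod 0400 "$d/drive_key"                      # as in the tutorial
audit_luks_entry data "$d/crypttab" "$d/fstab"
rm -rf "$d"
```

On the real system, run the function as root with only the mapping name (audit_luks_entry data) so that it reads /etc/crypttab and /etc/fstab.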

This setup works very well with either Debian or Ubuntu. I have also interchanged this setup between the two.

What this means is, if you create an encrypted drive as outlined above in Debian (as I have done with 9.4), you can mount the same drive under Ubuntu 18.04 as long as you use the same process and key file outlined above.

The key to that is to ensure you have at least tarballed your root directory (or at least the keyfile) and moved it to the same location with the same rights as under the previous operating system.

  1. Linux Hard Disk Encryption With LUKS

  2. Automatically Unlock LUKS Encrypted Drives With A Keyfile

  3. How to Recover a LUKS Encrypted Disk
