My Profile Photo

Sheogorath's Blog


Depending on the time of the day a friend, a colleague, a wise guy. The beauty of the world is its sense of humor to show humans their way by letting them search their own.


Cover image for this blog post

How to create an LUKS-encrypted external device on Linux

Nowadays you shouldn’t leave any data on a disk unencrypted. Therefore creating an encrypted external hard drive is considered good practice to store your data, system backups and more.

Please notice that this entire tutorial requires root privileges. Done wrong, this might destroys your data, please make sure you understand each step, before executing the commands.

Initial setup

Install cryptsetup, a tool that simplifies the whole tooling around LUKS, just in case you use a very minimal setup. On Fedora Workstation, it should be around already.

dnf install cryptsetup-luks

Next step is to determine your external device. Run this before you plug in the device.

BEFORE=$(mktemp)
lsblk > "$BEFORE"

And once more after you plugged it in. Notice the different variable.

AFTER=$(mktemp)
lsblk > "$AFTER"

With the following command you can safely determinate the device you want to encrypt:

diff "$BEFORE" "$AFTER"
rm "$BEFORE" "$AFTER"

Create a LUKS partition on /dev/sdX. This will be your encrypted volume and make sure no unencrypted data hits the physical disk.

cryptsetup luksFormat /dev/sdX

Now you need to unlock (open) the encrypted volume that was just created and give it a name (in this example backup).

cryptsetup luksOpen /dev/sdX backup

And finally add a filesystem to it, to be able to mount it later. I use xfs but if you prefer ext4 or something else, go ahead.

mkfs.xfs /dev/mapper/backup

The device is set up now. When this is done once, you can just start from the next section and never have to do it again.

Mount the encrypted volume

When you just plugged the external device in, you should determine which device it is. It often stays the same /dev/sdX, but doesn’t have to.

The following command will unlock the encrypted volume as you did before. You don’t need to run this command if you already unlocked the volume.

cryptsetup luksOpen /dev/sdX backup

Mount the volume to /mnt, a standard path for temporary mounts.

mount /dev/mapper/backup /mnt

Hint: When you use a graphical desktop environment like Gnome, it may take care of all steps described in this section and you don’t need to do it in the terminal. But please notice that in this case, the paths won’t be the identical and the disk is mounted as user.

Copy your files

Now you can copy files, or do your regular backup tasks.

rsync -av ~/mystuff /mnt/$(hostname)/mystuff/$(date --iso-8601)

Remove the device safely

It’s important to make sure your files are written properly to disk to prevent data corruption.

The first command will make sure all write operations to disk are actually finished, since your OS usually keeps a cache around to speed up writing and finishes actual writing to disk later on.

sync

Then you can unmount the filesystem from /mnt.

umount /mnt

And as you opened the encrypted volume before, you lock (close) it again.

cryptsetup luksClose backup

One final step to removing the disk safely. In theory eject should do all the steps above for you, but I prefer to be safe than sorry.

eject /dev/sdX

Final words

This tutorial is just a summary for myself, that I explained a bit. There is a lot more you could do and even various graphical tools that can do this job for you, with just a few clicks.

When you use this tutorial, make sure you understand what you are doing and inform yourself about other cryptsetup commands you might need for proper management.

Comments can be sent by email or simply reach out to me on social media. But don’t blame me when you mess up your setup.

Photo by Patrick Lindenberg on Unsplash