===============
== bacardi55 ==
===============

Create an encrypted external hard drive


Introduction

Following the “incident”, I need to store important files outside of my laptop hard drive. I used to do that on one external drive, but now I’m going to do it on 2. This post isn’t about my new backup strategy (it doesn’t exist at this stage); that will come later.

In the meantime, I still need to think about a potential hard drive loss… In any case, even with borg backup in place, I need these files secured. So I started with the first step: saving files on external drives so that I don’t lose my new GPG key, SSH keys or password store before the full backup implementation.

To store those files, I don’t want to simply copy them onto an unencrypted drive, so here is a short post about encrypting an external drive with dm-crypt, cryptsetup and LUKS. I did this twice to save files on two external drives, but will explain it here only once of course.

Find and prepare disk

First, we need to find the right disk to use. Before plugging in the external drive, run lsblk to see the current state. In my case:

NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                                       259:0    0 931,5G  0 disk
├─nvme0n1p1                                   259:1    0  1000M  0 part  /efi
├─nvme0n1p2                                   259:2    0 861,8G  0 part
│ └─luks-a0a5cca0-61b9-4607-9ab8-3ab0ce5d78a6 254:0    0 861,7G  0 crypt /var/log
│                                                                        /var/cache
│                                                                        /home
│                                                                        /
└─nvme0n1p3                                   259:3    0  68,8G  0 part
  └─luks-aed569f1-9339-41aa-8daf-bf1aaddb5cf9 254:1    0  68,8G  0 crypt [SWAP]

Easy, I only have one drive in my laptop, called nvme0n1.

And after plugging the drive:

NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                             8:0    0 232,9G  0 disk
└─sda1                                          8:1    0 232,9G  0 part
nvme0n1                                       259:0    0 931,5G  0 disk
├─nvme0n1p1                                   259:1    0  1000M  0 part  /efi
├─nvme0n1p2                                   259:2    0 861,8G  0 part
│ └─luks-a0a5cca0-61b9-4607-9ab8-3ab0ce5d78a6 254:0    0 861,7G  0 crypt /var/log
│                                                                        /var/cache
│                                                                        /home
│                                                                        /
└─nvme0n1p3                                   259:3    0  68,8G  0 part
  └─luks-aed569f1-9339-41aa-8daf-bf1aaddb5cf9 254:1    0  68,8G  0 crypt [SWAP]

So in my case, the new external hard drive is sda, which of course can be found at /dev/sda.

Nota: Because sda is very often used as the primary disk, I’m going to use sdX instead to avoid any breaking copy/paste for you or my future self… Replace it with the name lsblk showed for your drive, and double-check it before every command below, since the commands that follow destroy whatever is on that disk.

If you need to erase the existing data first (this overwrites the whole device once):

shred -v -n 1 /dev/sdX

Now that we know the disk name, let’s start the encryption!

Hard drive encryption

Before starting, let’s find out the default options of cryptsetup with cryptsetup --help. The end of the response has the important part:

Paramètres de chiffrement compilés par défaut :
	loop-AES: aes, Clé 256 bits
	plain: aes-xts-plain64, Clé: 256 bits, Hachage mot de passe: sha256
	LUKS: aes-xts-plain64, Clé: 256 bits, Hachage en-tête LUKS: sha256, RNG: /dev/urandom
	LUKS: La taille de clé par défaut en mode XTS (deux clés internes) sera doublée.

My system is configured in French, so the response is in French, sorry if that hurts your eyes :D. Anyway, the default options are good enough for me: LUKS: aes-xts-plain64, Clé: 256 bits, Hachage en-tête LUKS: sha256, RNG: /dev/urandom (that is, AES in XTS mode with a 256-bit key, a sha256 header hash and /dev/urandom as the random source).

To create the LUKS container protected with a passphrase, use cryptsetup luksFormat /dev/sdX. Be careful: launching this command will erase the data on the drive (which is a warning from the command itself, as shown below… in French :D).

sudo cryptsetup luksFormat /dev/sdX
ATTENTION: Le périphérique /dev/sdX contient déjà une signature pour une partition « dos ».

ATTENTION !
===========
Cette action écrasera définitivement les données sur /dev/sda.

Êtes-vous sûr ? (Typez « yes » en majuscules) : YES
Saisissez la phrase secrète pour /dev/sda :
Vérifiez la phrase secrète :

Then, to open the new luks volume:

sudo cryptsetup open /dev/sdX poneglyph

The poneglyph part is totally up to you; One Piece fans will for sure understand :). What is important here is that it will add the volume as /dev/mapper/poneglyph. Of course, if you use something other than poneglyph, you will have to adapt the next commands.

To verify that it worked correctly, you can use:

sudo cryptsetup -v status poneglyph

Adapt poneglyph to the name you gave, of course.

The response should look like the following:

/dev/mapper/poneglyph is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sdX
  sector size:  512
  offset:  32768 sectors
  size:    488364400 sectors
  mode:    read/write
Commande réussie.

Then we need to create the filesystem on this drive. In my case I decided to use ext4.

sudo mkfs -t ext4 -V /dev/mapper/poneglyph

Then, let’s mount the drive:

sudo mkdir /run/media/bacardi55/poneglyph
sudo mount /dev/mapper/poneglyph /run/media/bacardi55/poneglyph

At this stage you can start copying files to the drive. Once you are done, you’ll need to unmount the drive and close the luks volume:

sudo umount /run/media/bacardi55/poneglyph
sudo cryptsetup luksClose /dev/mapper/poneglyph

To mount it again, you need to open the luks volume and then mount the drive:

sudo cryptsetup open /dev/sdX poneglyph
sudo mount /dev/mapper/poneglyph /run/media/bacardi55/poneglyph

If you are using a GUI file manager like Thunar, it can do both in one click (after typing your LUKS passphrase).
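The whole procedure above, as an added example that is not the post’s own code: a POSIX shell script that wraps the steps (luksFormat, open, status check, mkfs, mount, and the reverse) in functions, and adds the guard the sdX note is about: it refuses to format a disk that currently backs a mounted filesystem, which is exactly what distinguishes nvme0n1 from sda in the lsblk output. The function names, the mount directory and the check on the cryptsetup status output are my own choices; the check parses the same MOUNTPOINTS column of lsblk the post used to identify the disk.

```shell
#!/bin/sh
# Added example, not the post's own script. Wraps the steps from the post in
# functions and adds two checks: the target must not back any mounted
# filesystem (so you cannot luksFormat the laptop's nvme0n1 by mistake), and
# the opened volume must report the defaults the post relies on.

# Return 0 when an lsblk MOUNTPOINTS listing (the disk plus its partitions and
# mapped devices, one line per device) contains no mountpoint at all.
# Takes the listing text as an argument so it can be checked on sample input.
mountpoints_are_empty() {
    # Any non-blank line (a path or [SWAP]) means the disk is in use.
    if printf '%s\n' "$1" | grep -q '[^[:space:]]'; then
        return 1
    fi
    return 0
}

# Return 0 when "cryptsetup status" output shows an active mapping using the
# compiled-in defaults seen in the post: aes-xts-plain64 with a 512-bit key
# (two 256-bit XTS keys).
status_matches_defaults() {
    printf '%s\n' "$1" | grep -q ' is active\.$' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*cipher:[[:space:]]+aes-xts-plain64$' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*keysize:[[:space:]]+512 bits$' || return 1
    return 0
}

# Live wrapper around the listing check for a real device path.
# MOUNTPOINTS (plural) is the column name on the util-linux the post's
# output comes from.
device_is_free() {
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
    listing=$(lsblk -no MOUNTPOINTS "$1") || return 1
    mountpoints_are_empty "$listing"
}

# Format, open, verify, create ext4 and mount. Usage:
#   encrypt_external_drive /dev/sdX poneglyph /run/media/bacardi55/poneglyph
encrypt_external_drive() {
    dev="$1"; name="$2"; mnt="$3"
    device_is_free "$dev" || { echo "refusing: $dev backs a mounted filesystem" >&2; return 1; }
    sudo cryptsetup luksFormat "$dev" || return 1
    sudo cryptsetup open "$dev" "$name" || return 1
    status=$(sudo cryptsetup status "$name") || return 1
    if ! status_matches_defaults "$status"; then
        echo "unexpected cipher/keysize for $name, closing it" >&2
        sudo cryptsetup close "$name"
        return 1
    fi
    sudo mkfs -t ext4 "/dev/mapper/$name" || return 1
    sudo mkdir -p "$mnt" || return 1
    sudo mount "/dev/mapper/$name" "$mnt"
}

# Unmount and close again. Usage:
#   close_external_drive poneglyph /run/media/bacardi55/poneglyph
close_external_drive() {
    sudo umount "$2" && sudo cryptsetup close "$1"
}
```

The two parsing functions take text rather than a device so they can be exercised on the listing and status output shown in this post without touching a real disk; the wrappers are the only parts that need root and a plugged-in drive.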

Temporary copy script

To avoid doing all this manually, as well as the file transfer, I’ve created a small script. As said in the introduction, I use 2 external drives. On the first one, a 256GB SSD (poneglyph), I copy the vast majority of my home directory, with a few exceptions like my video or temporary folders. On the other one, a 4GB USB drive (mineglyph), I only copy the ~/.ssh, ~/.gnupg, ~/.password-store and ~/.config folders.

The script is:

#!/bin/bash
set -u

# Destination directories: Thunar mounts each drive under its filesystem UUID.
PONEGLYPH="/run/media/bacardi55/252eae21-bd78-41f7-8370-5f9bfd0b758e"
MINEGLYPH="/run/media/bacardi55/8d2df821-f902-453d-914c-06c14e8d4f53"

notify() {
    /usr/bin/notify-send "Backup" "$1" -u "$2"
}

# Run rsync with the given arguments and report the result. Refuse to run when
# the drive is not mounted, so --delete never acts on an empty mount directory.
backup() {
    name="$1"; mnt="$2"; shift 2
    if ! mountpoint -q "$mnt"; then
        notify "⚠ ${name} is not mounted, skipping" "critical"
        return 1
    fi
    notify "Starting copy to ${name}" "normal"
    if rsync -azvhP --delete "$@"; then
        notify "✓ Backup to external drive (${name}) was successful" "normal"
    else
        notify "⚠ Backup to external drive (${name}) failed" "critical"
    fi
}

# Most of the home directory, minus downloads, videos and scratch folders.
backup poneglyph "$PONEGLYPH" \
    --exclude 'Téléchargements/' --exclude 'test/' --exclude 'tmp/' --exclude 'Vidéos/' \
    /home/bacardi55/ "$PONEGLYPH/bacardi55"

# Only the key material and configuration on the small USB drive.
backup mineglyph "$MINEGLYPH" \
    /home/bacardi55/.config /home/bacardi55/.gnupg /home/bacardi55/.ssh /home/bacardi55/.password-store \
    "$MINEGLYPH/backup/"

Nota: As I’m mounting the drives with Thunar, disks are always mounted using their UUID, meaning they should always be opened in the same directory without any effort, which is nice and easy :).

Conclusion

Well that was fast and easy, and I feel better knowing that those new keys and passwords are now on 3 drives (including my laptop NVMe drive). Hopefully I won’t lose all 3 at the same time in the future!

Of course, while my GPG key won’t likely change, my password store evolves weekly, if not daily. New SSH keys may also be added from time to time, so I need to make sure I run the script often enough. For now, I’ve decided on once a week on Sunday (or Monday morning in case of a “laptop free weekend”). I’ve not put a reminder in my calendar but definitely will if I see I don’t follow this simple rule.

Now I can get back to finishing getting all my accesses back :).
