Linux Unified Key Setup (LUKS) is a utility for disk encryption based on the DMCrypt kernel module.

It is not recommended to encrypt a partition that already contains data due to the risk of data loss.

The safer approach is to attach a new volume to the system, encrypt it, and then copy the files over.

Edit the partition table of the new volume:

sudo fdisk -l
sudo fdisk /dev/sdb

Press the following keys:

  • p
    • Prints the existing partitions (should have none yet).
  • n
    • Creates a new partition.
      • p
        • Primary
          • 1
            • Partition number.
              • <Enter>
              • <Enter>
  • p
    • Prints the partition table with the newly created partition.
  • w
    • Writes the changes to the disk.

Install cryptsetup:

sudo apt-get install cryptsetup -y

Encrypt the partition:

sudo cryptsetup luksFormat /dev/sdb1

Type YES, set a passphrase, and save it securely in a key vault or password manager.

Open (unlock) the partition and give it a meaningful name:

sudo cryptsetup luksOpen /dev/sdb1 partitionName

Inspect the partition:

lsblk

Format the new partition:

sudo mkfs.ext4 /dev/mapper/partitionName

Create a mount point and mount the partition:

sudo mkdir -p /encryptedVolume
sudo mount /dev/mapper/partitionName /encryptedVolume

MOUNTING ON BOOT

sudo nano /etc/crypttab

Find the UUID of the new partition:

sudo blkid

Add the following line:

# <target name> <source device> <key file> <options>
partitionName UUID=7769dc40-66f1-4028-9fc4-1ac0178a080e none luks

Note: For a passphrase, use none in the third column. If using a key file, add its path instead. luks is the mount option.

Now edit fstab:

sudo nano /etc/fstab

Append the following line:

UUID=7769dc40-66f1-4028-9fc4-1ac0178a080e /encryptedVolume ext4 defaults 0 0

Note: During boot you will be prompted for the passphrase. Not all distributions handle this well and may not prompt for it correctly.

Alternatively, create a key file for the volume:

sudo cryptsetup luksAddKey /dev/sdb1 /boot/volume.key

Verify the key was added correctly:

sudo cryptsetup luksDump /dev/sdb1

Then, in /etc/crypttab, enter the path to the key file:

# <target name> <source device> <key file> <options>
partitionName UUID=7769dc40-66f1-4028-9fc4-1ac0178a080e /boot/volume.key luks

BONUS

1 – If the drive header gets corrupted, the rest of the drive cannot be decrypted. Back it up with:

cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file LUKS-Header.bin

2 – To restore the header:

cryptsetup luksHeaderRestore /dev/sdb1 --header-backup-file LUKS-Header.bin

3 – Press TAB to see all available commands:

cryptsetup <TAB>

4 – Change the passphrase:

cryptsetup luksChangeKey /dev/sdb1

5 – Add multiple keys:

cryptsetup luksAddKey /dev/sdb1

BONUS

Encrypt drives, partitions, or create a container of encrypted files with VeraCrypt [Link]. This open-source app is compatible with Windows, Linux, and MacOS, and also runs on ARM devices such as Raspberry Pis.