Setup Encrypted Disk on Raspberry Pi


Identify Disk

sudo fdisk -l
Disk /dev/sda: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Disk model: M3 Portable     
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Clear Disk (Optional)

sudo dd if=/dev/zero of=/dev/sda bs=1M status=progress

Install CryptSetup

sudo apt install cryptsetup -y
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
python-colorzero
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
cryptsetup-bin cryptsetup-initramfs cryptsetup-run
The following NEW packages will be installed:
cryptsetup cryptsetup-bin cryptsetup-initramfs cryptsetup-run
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 609 kB of archives.
After this operation, 2,012 kB of additional disk space will be used.
Do you want to continue? [Y/n]

Format Device for LUKS

sudo cryptsetup luksFormat --type luks2 /dev/sda
WARNING: Device /dev/sda already contains a 'gpt' partition signature.

WARNING!
========
This will overwrite data on /dev/sda irrevocably.

Are you sure? (Type uppercase yes): YES

Enter passphrase for /dev/sda: 
Verify passphrase:

To skip the confirmation prompt, use -q (batch mode):

sudo cryptsetup -q luksFormat /dev/sda
Enter passphrase for /dev/sda:
************************************************************************************************

Open Encrypted Volume

sudo cryptsetup luksOpen /dev/sda mydata

The final argument (mydata) is the alias for the container.
The opened volume is then accessible through the device mapper at /dev/mapper/mydata.

************************************************************************************************

Format Volume with Filesystem

sudo mkfs.ext4 /dev/mapper/mydata

Mount Volume

sudo mkdir /mnt/mydata
sudo mount /dev/mapper/mydata /mnt/mydata

Label Disk

sudo cryptsetup config /dev/sda --label mylabel

See "Label a disk in Linux" to set an entry in /dev/disk/by-label/

GUI

If you have a GUI installed and this disk is plugged in, you should get a pop-up.

Enter a passphrase to unlock the volume
The passphrase is needed to access encrypted data
Password[ ]
(*) Forget password immediately
( ) Remember password until you log out
( ) Remember forever
[Cancel][Connect]

Testing

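Check whether the device is a LUKS disk

# Run as root. isLuks prints nothing; it reports the result through its exit status.
DEV_LUKS=/dev/sda
if /usr/sbin/cryptsetup isLuks "$DEV_LUKS"
then
    echo "LUKS Disk"
else
    echo "NOT LUKS Disk"
fi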

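Check whether the volume is opened/unlocked

# Run as root. An opened volume has a dm-uuid-* link containing the LUKS UUID without dashes.
DEV_LUKS=/dev/sda
if test -b /dev/disk/by-id/dm-uuid-*"$(cryptsetup luksUUID "$DEV_LUKS" | tr -d -)"*
then
    echo "opened"
else
    echo "closed"
fi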
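
The two checks above, combined into a helper that opens and mounts the disk only when those steps are still needed. This is an added example, not from the original page: the function names and the BY_ID_DIR override are hypothetical, and it assumes it runs as root.

```sh
#!/bin/sh
# Added example, not from the original page. Run as root on the Pi.
# Hypothetical names: luks_state, unlock_and_mount, BY_ID_DIR.

# udev directory holding the dm-uuid-* links; overridable (assumption, for testing).
BY_ID_DIR=${BY_ID_DIR:-/dev/disk/by-id}

# Print the state of device $1: not-luks | closed | opened | error
luks_state() {
    if ! cryptsetup isLuks "$1" 2>/dev/null; then
        echo not-luks
        return 0
    fi
    _uuid=$(cryptsetup luksUUID "$1" | tr -d -)
    # An empty UUID would turn the glob below into dm-uuid-** and match
    # every device-mapper volume, so report it as an error instead.
    if [ -z "$_uuid" ]; then
        echo error
        return 0
    fi
    # An opened LUKS2 mapping appears as dm-uuid-CRYPT-LUKS2-<uuid>-<name>.
    for _link in "$BY_ID_DIR"/dm-uuid-*"$_uuid"*; do
        if [ -b "$_link" ]; then
            echo opened
            return 0
        fi
    done
    echo closed
}

# Open $1 as /dev/mapper/$2 and mount it on $3, skipping steps already done.
unlock_and_mount() {
    case $(luks_state "$1") in
        not-luks|error)
            echo "$1: not a usable LUKS device" >&2
            return 1 ;;
        closed)
            cryptsetup luksOpen "$1" "$2" || return 1 ;;
    esac
    if mountpoint -q "$3"; then
        return 0    # already mounted, nothing to do
    fi
    mkdir -p "$3" && mount "/dev/mapper/$2" "$3"
}

# Usage with the names from this page:
#   unlock_and_mount /dev/sda mydata /mnt/mydata
```

If the desktop pop-up already unlocked the disk under a different mapper name, the mount step fails instead of opening the container a second time.
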
  • https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md