
How to create an encrypted external drive using LUKS

After some experiences of re-partitioning my laptop, breaking my partition table and subsequently spending sleepless night(s) trying to recover as many files as possible, I became more conscientious about backups.

Best practice is to use multiple media and locations. I am using a combination of cloud backups, archive BluRays (Verbatim M-Disc) and external hard disks.

Naturally, my laptop’s hard drive is encrypted, so it does not make much sense to store an unencrypted backup of the hard disc side by side with my laptop. Therefore, I decided to also encrypt the external hard discs which I use for backups.

Windows users use BitLocker, Linux users use LUKS (and I have more trust in open source software when it comes to security). So here is how I encrypt my external hard disc:

1. Identify the correct device: First I connect my brand new hard disc to the computer. For the next steps it is very important to identify the correct device and not accidentally wipe the wrong hard disc. This command can help:

root@server:~# lsblk -Sfo +size

Here is an example output:

root@server:~# lsblk -Sfo +size
NAME HCTL       TYPE VENDOR MODEL  REV SERIAL TRAN   FSTYPE FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS  SIZE
sda  4:0:0:0    disk ATA    ST800 SC61 ZA14VC sata                                                                                       7,3T
sdb  5:0:0:0    disk ATA    ST800 SC61 ZA14TM sata                                                                                       7,3T
sdc  6:0:0:0    disk WD     WDC W 1031 8LHNGP usb    crypto 2           db3180e3-ed9b-4113-8051-42af5e4d8cc3                            16,4T

You can see that I have four HDDs connected to my computer. The first two (sda and sdb) are my internal RAID 1 drives. sdc and sdd are two external USB drives which I already encrypted with LUKS.
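Before the destructive commands in the next step I like a scripted sanity check that refuses to proceed unless the device really is the external drive. This is an added example, not part of the original post: the function names (safe_target, field), the SAMPLE_LSBLK table and its serial numbers are constructed for the example, and it reads the real `lsblk -P` output when run without a sample.

```shell
#!/bin/sh
# Pre-flight check before fdisk / dd / cryptsetup luksFormat touch a device.
# Refuses unless the named device is a whole disk, attached over USB, carries
# the serial number printed on the drive's label, and neither it nor any of
# its partitions is mounted. All names here are chosen for this example.

# Constructed sample in the shape of `lsblk -P -o NAME,TYPE,TRAN,SERIAL,MOUNTPOINTS`
# (one KEY="value" pair per column; serials and layout are made up).
SAMPLE_LSBLK='NAME="sda" TYPE="disk" TRAN="sata" SERIAL="ZA14VC" MOUNTPOINTS=""
NAME="sda1" TYPE="part" TRAN="" SERIAL="" MOUNTPOINTS="/"
NAME="sdc" TYPE="disk" TRAN="usb" SERIAL="8LHNGP" MOUNTPOINTS=""
NAME="sdd" TYPE="disk" TRAN="usb" SERIAL="8LHNGQ" MOUNTPOINTS="/mnt"'

# field LINE KEY: print the value of KEY from one `lsblk -P` line.
field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# safe_target DEV EXPECTED_SERIAL [LSBLK_OUTPUT]
# Exit status 0 when every check passes, 1 otherwise; the reason is printed.
# Without a third argument the live lsblk table is queried.
safe_target() {
    dev=$1; want=$2
    table=${3:-$(lsblk -P -o NAME,TYPE,TRAN,SERIAL,MOUNTPOINTS)}
    line=$(printf '%s\n' "$table" | grep "^NAME=\"$dev\" " || true)
    [ -n "$line" ] || { echo "$dev: no such block device"; return 1; }
    [ "$(field "$line" TYPE)" = disk ] || { echo "$dev: not a whole disk"; return 1; }
    [ "$(field "$line" TRAN)" = usb ] || { echo "$dev: not attached over USB"; return 1; }
    [ "$(field "$line" SERIAL)" = "$want" ] || { echo "$dev: serial mismatch"; return 1; }
    # The disk itself and its partitions (sdc1, sdc2, ...) must all be unmounted.
    mounted=$(printf '%s\n' "$table" | grep "^NAME=\"$dev[0-9]*\" " \
        | sed -n 's/.*MOUNTPOINTS="\([^"][^"]*\)".*/\1/p')
    [ -z "$mounted" ] || { echo "$dev: mounted at $mounted"; return 1; }
    echo "$dev: ok to wipe (USB disk, serial $want, nothing mounted)"
}

# Stand-alone use: `sh check.sh sdc 8LHNGP` checks the live table;
# without arguments the constructed sample is checked instead.
if [ $# -eq 2 ]; then
    safe_target "$1" "$2"
else
    safe_target sdc 8LHNGP "$SAMPLE_LSBLK"
fi
```

Only a zero exit status should let the wipe proceed, e.g. `safe_target sdc 8LHNGP && cryptsetup luksFormat ... /dev/sdc`.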

2. Wipe it: For the following we will work with the external drive sdc. If it is a brand new drive, it is typically formatted by the vendor and has some files like manuals or software provided by the vendor on it. I don’t use this and want to start with a blank drive so let’s wipe all content first.
To delete existing partitions you can use fdisk:

root@server:~# fdisk /dev/sdc

Once in the fdisk console you can display all existing partitions with “p” and delete partitions with “d”. Once finished with the changes, they have to be written to the disc by using the “w” command.

If the disc has already been used (unencrypted) before, it contains some old data. You can overwrite all old data with random data before proceeding, but this can take hours:

root@server:~# dd bs=2M if=/dev/urandom of=/dev/sdc

Since I started with a new drive, I skipped this step.

3. Encrypt it: Next we can encrypt the drive:

root@server:~# cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 -y /dev/sdc

Since cryptsetup ≥ 2.1.0, LUKS2 is used by default. You can check this:

root@server:~# cryptsetup luksDump /dev/sdc
LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	db3180e3-ed9b-4113-8051-42af5e4d8cc3
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2i
	Time cost:  5
	Memory:     1048576
	Threads:    4
	Salt:       11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 
	            11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 
	AF stripes: 4000
	AF hash:    sha512
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha512
	Iterations: 202584
	Salt:       11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 
	            11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 
	Digest:     11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 
	            11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 
	            11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 
	            11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11

As you can see, I created a LUKS2 volume.

4. Backup: Just in case the LUKS header gets broken, it’s a good idea to back up the header and store it separately. The backup contains the key slots, so it must be stored as carefully as the passphrase itself, and if you later change the passphrase, an old header backup still accepts the old one:

root@server:~# cryptsetup luksHeaderBackup /dev/sdc --header-backup-file LUKS_header_sdc_WDElements.bak

5. Create a file system: First we need to open the newly created LUKS device:

root@server:~# cryptsetup luksOpen /dev/sdc luks_wdelements

The device is now accessible as a virtual device under /dev/mapper/luks_wdelements and can be treated as a “normal” unencrypted device.

I am using a standard ext4 file system so let’s create one:

root@server:~# mkfs.ext4 /dev/mapper/luks_wdelements

Now we can mount it:

root@server:~# mount /dev/mapper/luks_wdelements /mnt

6. Use the drive: Now you can use it and e.g. copy files to the drive. It is accessible under /mnt.

7. Close and unmount: Once done, you can unmount the filesystem and close the LUKS device:

root@server:~# umount /dev/mapper/luks_wdelements
root@server:~# cryptsetup luksClose /dev/mapper/luks_wdelements