Ever have a hard drive go bad, yet hesitate to RMA it? That’s understandable. Who knows what the people on the other end will do with your data once the drive is repaired. One simple solution is to encrypt the contents of the hard disk. This is made easy using cryptsetup.
For example, I just plugged in a 1TB external USB drive. Looking at my dmesg output, I see it is /dev/sde.
# dmesg
...
[710452.205068] sd 9:0:0:0: Attached scsi generic sg4 type 0
[710452.206899] sd 9:0:0:0: [sde] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
[710452.208131] sd 9:0:0:0: [sde] Write Protect is off
[710452.208361] sd 9:0:0:0: [sde] Mode Sense: 00 38 00 00
[710452.208364] sd 9:0:0:0: [sde] Assuming drive cache: write through
[710452.210121] sd 9:0:0:0: [sde] Assuming drive cache: write through
[710452.226260]  sde:
[710452.228245] sd 9:0:0:0: [sde] Assuming drive cache: write through
[710452.228472] sd 9:0:0:0: [sde] Attached SCSI disk
To set up encryption, I use the cryptsetup command:
# cryptsetup --verbose --verify-passphrase luksFormat /dev/sde
WARNING!
========
This will overwrite data on /dev/sde irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Now, I need to open the encrypted device and assign it a device-mapper name:
# cryptsetup luksOpen /dev/sde BACKUP
Enter passphrase for /dev/sde:
Finally, I’ll make a filesystem on it and mount it:
# mke2fs -j -m 0 -L BACKUP /dev/mapper/BACKUP
mke2fs 1.41.12 (17-May-2010)
Filesystem label=BACKUP
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
61054976 inodes, 244190134 blocks
0 blocks (0.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
7453 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
    102400000, 214990848
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 33 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
# mount /dev/mapper/BACKUP /mnt
# df -k /mnt
Filesystem          1K-blocks   Used Available Use% Mounted on
/dev/mapper/BACKUP  961432608 204568 961228040   1% /mnt
Before I can unplug this USB drive, I need to unmount the filesystem and close the encrypted mapping:
# umount /mnt
# cryptsetup luksClose /dev/mapper/BACKUP
There are many nice features in cryptsetup. One is that you can have multiple passphrases.
To add a passphrase to my USB drive, I first have to authenticate using an existing passphrase, then I can add a new one:
# cryptsetup luksAddKey /dev/sde
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:
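Before a drive leaves for RMA, it is worth confirming that it really carries a LUKS header and seeing how many passphrases (key slots) are set on it. The following is an added example, not part of the original post: a Python parser for the first 592 bytes of a device. It assumes the LUKS1 on-disk layout (LUKS2 headers carry version 2 and are rejected), and `parse_luks1_header`, `build_sample_header` and the sample values are constructed for illustration.

```python
import struct

# LUKS1 header layout (big-endian): 208-byte fixed part, then 8 key slots.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # state, iterations, salt, km offset, stripes
MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD


def _text(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Return cipher settings and active key slots, or raise ValueError."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("short read: need at least 592 bytes")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = PHDR.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("no LUKS magic: device is not LUKS-formatted")
    if version != 1:
        raise ValueError(f"LUKS version {version} is not handled here")
    active_slots = []
    for i in range(8):
        state = SLOT.unpack_from(blob, PHDR.size + i * SLOT.size)[0]
        if state not in (SLOT_ENABLED, SLOT_DISABLED):
            raise ValueError(f"key slot {i} has an invalid state marker")
        if state == SLOT_ENABLED:
            active_slots.append(i)
    return {"cipher": f"{_text(cipher)}-{_text(mode)}", "hash": _text(hash_spec),
            "key_bits": key_bytes * 8, "payload_sector": payload_off,
            "uuid": _text(uuid), "active_slots": active_slots}


def build_sample_header(active=(0, 1)):
    """Constructed sample: a header after luksFormat plus one luksAddKey."""
    hdr = PHDR.pack(MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32,
                    bytes(20), bytes(32), 10,
                    b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        state = SLOT_ENABLED if i in active else SLOT_DISABLED
        hdr += SLOT.pack(state, 1000, bytes(32), 8 + i * 256, 4000)
    return hdr


if __name__ == "__main__":
    # On a real system, as root: blob = open("/dev/sde", "rb").read(592)
    print(parse_luks1_header(build_sample_header()))
```

A `ValueError` on a drive you believed was encrypted means luksFormat was never run on it, or the header is damaged.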