Encrypting whole disk with Luks (instead of one big encrypted partition)

The cryptsetup FAQ mentions whole-disk encryption using LUKS. Basically, cryptsetup doesn’t care what the LUKS device is, partition, disk, or loop device, so you can use whichever is appropriate.

sudo cryptsetup -v -y luksFormat /dev/sda

will create a LUKS container using all of /dev/sda.

Section 2.2 of the FAQ recommends this for external disks:

Fully encrypted raw block device: For this, put LUKS on the raw device (e.g. /dev/sdb) and put a filesystem into the LUKS container, no partitioning whatsoever involved. This is very suitable for things like external USB disks used for backups or offline data-storage.

Note that cryptsetup doesn’t need /etc/crypttab.
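Because a whole-disk LUKS container puts its header in sector 0, the place an MBR or GPT would otherwise occupy, a disk formatted this way carries no partition table at all. The following probe is an added example (not part of this answer or of cryptsetup) that reads the first bytes of a device or image file and reports which of the three it finds, decoding the fixed-width fields of a LUKS1 header and the label/UUID of a LUKS2 header. The sample images it builds (`make_luks1_sample` and friends, with made-up UUIDs) are constructed for the demonstration and are not dumps of real devices; the field offsets follow the published LUKS1 and LUKS2 on-disk layouts.

```python
"""Classify what sits at offset 0 of a block device: a LUKS header (whole-disk
container), a GPT or MBR partition table, or nothing recognisable.
Added example; the sample images below are constructed, not real devices."""
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"        # primary header magic, LUKS1 and LUKS2
GPT_SIGNATURE = b"EFI PART"         # GPT header signature at LBA 1 (offset 512)
MBR_BOOT_SIGNATURE = b"\x55\xaa"    # last two bytes of sector 0


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def probe_bytes(head: bytes) -> dict:
    """Classify the first bytes of a device; needs at least sectors 0 and 1."""
    if len(head) < 1024:
        raise ValueError("need at least 1024 bytes (two 512-byte sectors)")
    info = {"kind": "unknown"}
    if head[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", head[6:8])[0]
        info.update(kind="luks", version=version)
        if version == 1:
            # LUKS1 layout: NUL-padded ASCII fields, then big-endian integers.
            info["cipher"] = _cstr(head[8:40])
            info["mode"] = _cstr(head[40:72])
            info["hash"] = _cstr(head[72:104])
            info["payload_offset_sectors"] = struct.unpack(">I", head[104:108])[0]
            info["key_bytes"] = struct.unpack(">I", head[108:112])[0]
            info["uuid"] = _cstr(head[168:208])
        elif version == 2:
            # LUKS2 binary header: hdr_size u64 at 8, label[48] at 24,
            # checksum alg[32] at 72, uuid[40] at 168.  Cipher parameters live
            # in the JSON area after the binary header and are not parsed here.
            info["hdr_size"] = struct.unpack(">Q", head[8:16])[0]
            info["label"] = _cstr(head[24:72])
            info["csum_alg"] = _cstr(head[72:104])
            info["uuid"] = _cstr(head[168:208])
        return info
    if head[512:520] == GPT_SIGNATURE:
        info["kind"] = "gpt"
    elif head[510:512] == MBR_BOOT_SIGNATURE:
        info["kind"] = "mbr"
    return info


def probe_device(path: str) -> dict:
    """Read the first 4 KiB of a device node or image file and classify it."""
    with open(path, "rb") as f:
        return probe_bytes(f.read(4096))


# --- constructed sample images (synthetic, for demonstration only) ----------
def _field(value: bytes, width: int) -> bytes:
    return value.ljust(width, b"\0")


def make_luks1_sample() -> bytes:
    """1 KiB image whose sector 0 carries a LUKS1 header (constructed values)."""
    hdr = (LUKS_MAGIC + struct.pack(">H", 1)
           + _field(b"aes", 32) + _field(b"xts-plain64", 32) + _field(b"sha256", 32)
           + struct.pack(">II", 4096, 64)          # payload offset, key bytes
           + b"\0" * 20 + b"\0" * 32               # mk digest, mk digest salt
           + struct.pack(">I", 100000)             # mk digest iterations
           + _field(b"11111111-2222-3333-4444-555555555555", 40))
    return hdr.ljust(1024, b"\0")


def make_luks2_sample() -> bytes:
    """1 KiB image whose sector 0 carries a LUKS2 binary header (constructed)."""
    hdr = (LUKS_MAGIC + struct.pack(">H", 2)
           + struct.pack(">QQ", 16384, 1)          # hdr_size, seqid
           + _field(b"backup", 48) + _field(b"sha256", 32) + b"\0" * 64
           + _field(b"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", 40))
    return hdr.ljust(1024, b"\0")


def make_gpt_sample() -> bytes:
    """Protective MBR in sector 0 followed by a GPT header signature in sector 1."""
    sector0 = bytearray(512)
    sector0[510:512] = MBR_BOOT_SIGNATURE
    return bytes(sector0) + GPT_SIGNATURE.ljust(512, b"\0")


def make_mbr_sample() -> bytes:
    """Plain MBR: boot signature only, nothing in sector 1."""
    return (b"\0" * 510 + MBR_BOOT_SIGNATURE).ljust(1024, b"\0")


if __name__ == "__main__":
    # Usage: python probe_luks.py /dev/sdX   (needs read access to the device)
    for path in sys.argv[1:]:
        print(path, probe_device(path))
```

Run it against the raw device (e.g. `/dev/sdb`, not `/dev/sdb1`) after a whole-disk `luksFormat` and it reports `kind: luks` with no partition table, which is also why partitioning tools show such a disk as blank. On a partitioned disk you would instead point it at the partition node to see the LUKS header.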

Author: Attilio

Updated on September 18, 2022

Comments

  • Attilio
    Attilio almost 2 years

    Context

    Encrypting a whole new external hard drive with LUKS. I.e. it is not a system drive (it will be used only to store data, not to boot the OS), and it is completely blank.

    Observation

    All descriptions that I found about how to achieve this go along the lines of:

    1. create a new partition, which is the same size as the whole disk
    2. encrypt that partition

    Some examples:

    From here:

    Creating a new encrypted partition:

    [...]

    Encrypting an existing partition

    Or here.

    Question

    Is it possible to encrypt the whole disk, instead of having one big encrypted partition?

    Probably the answer will be no, so the real question is why not?

    In other words

    What would happen if instead of typing

    sudo cryptsetup -v -y luksFormat /dev/sda1
    

    I would type

    sudo cryptsetup -v -y luksFormat /dev/sda
    

    (without having created sda1)?

    • Atul Vekariya
      Atul Vekariya over 4 years
      The module to decrypt this filesystem needs to read /etc/crypttab, which is impossible if you encrypt the entire disk (boot disk).
    • Attilio
      Attilio over 4 years
      @RomeoNinov: I said explicitly this is not a boot disk, but a data disk. Also, it is external (I don't know much about how crypttab works, but surely I can mount a new external encrypted HDD, even if it was not in crypttab before, right?)
  • Uwe Geuder
    Uwe Geuder over 4 years
    Yes, I do this for my external drives. Some desktop environments offer you an "Unlock" option automatically when the drive is plugged in. If yours doesn't do it you can use udisksctl unlock -b /dev/sda from the command line.