Encrypting whole disk with Luks (instead of one big encrypted partition)
The cryptsetup
FAQ mentions whole-disk encryption using LUKS. Basically, cryptsetup
doesn’t care what the LUKS device is, partition, disk, or loop device, so you can use whichever is appropriate.
sudo cryptsetup -v -y luksFormat /dev/sda
will create a LUKS container using all of /dev/sda
.
Section 2.2 of the FAQ recommends this for external disks:
Fully encrypted raw block device: For this, put LUKS on the raw device (e.g.
/dev/sdb
) and put a filesystem into the LUKS container, no partitioning whatsoever involved. This is very suitable for things like external USB disks used for backups or offline data-storage.
Note that cryptsetup
doesn’t need /etc/crypttab
.
Related videos on Youtube
Attilio
Updated on September 18, 2022Comments
-
Attilio almost 2 years
Context
Encrypting whole new external hard drive with Luks. I.e. it is not a system drive (will be used only to store data, not to boot the OS), and it is completely blank.
Observation
All descriptions that I found about how to achieve this go along the lines of:
- create a new partition, which is the same size as the whole disk
- encrypt that partition
Some examples:
From here:
Creating a new encrypted partition:
[...]
Encrypting an existing partition
Or here.
Question
Is it possible to encrypt the whole disk, instead of having one big encrypted partition?
Probably the answer will be no, so the real question is why not?
In other words
What would happen if instead of typing
sudo cryptsetup -v -y luksFormat /dev/sda1
I would type
sudo cryptsetup -v -y luksFormat /dev/sda
(without having created
sda1
)?-
Atul Vekariya over 4 yearsThe module to decrypt this filesystem need to read
/etc/crypttab
which is impossible if you encrypt the entire disk (boot disk) -
Attilio over 4 years@RomeoNinov: I said explicitly this is not a boot disk, but a data disk. Also, it is external (I don't know much about how
crypttab
works, but surely I can mount a new external encrypted HDD, even if it was not incrypttab
before, right?)
-
Uwe Geuder over 4 yearsYes, I do this for my external drives. Some desktop environments offer you an "Unlock" option automatically when the drive is plugged in. If yours doesn't do it you can use
udisksctl unlock -b /dev/sda
from the command line.