Encrypt non-root devices (LUKS)
If you have more than one hard disk that you need to encrypt (e.g. an SSD as the main disk and an HDD as a data disk), there are a few things to keep in mind to ensure continued smooth operation without any loss of convenience.
The layout is as follows:
| Type | File System | Description | 
|---|---|---|
| Home File System | LUKS2 | Stores user home directories and personal files | 
Preparing the disk
Determine the disks that are installed on your system. This can easily be done with fdisk:
```
fdisk -l
```
Start partitioning the disk with cfdisk:
WARNING: Make sure you are modifying the correct device, else you will lose data!
```
cfdisk /dev/sda
```
If the disk has no partition table yet, cfdisk will ask you to specify one. The default partition table format for UEFI systems is gpt. Create a layout with at least 3 partitions:
| Size | FS Type | 
|---|---|
| (disk size) | Linux home | 
NOTE: Specifying the correct file system type allows some software to automatically detect and assign appropriate mount points to partitions. See Discoverable Partitions Specification for more details.
Formatting partitions
Before writing a file system to the disk, a LUKS container needs to be created with the cryptsetup utility:
WARNING: Do NOT forget your passphrase! In case of loss you won't be able to access the data inside the container anymore!
NOTE: Using /dev/sda as an example of a SATA HDD that is intended to be mounted at /home.
```
cryptsetup luksFormat /dev/sda1
```
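The two WARNINGs above reduce to one check: the target partition must be unmounted and must not already carry a file system or a LUKS header. The following Python pre-flight, added here and not part of the original guide, reads the JSON output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (util-linux) and lists every reason a partition is unsafe to luksFormat; the embedded lsblk sample, the device names nvme0n1/sda1/cryptroot and the function names are constructed for this example.

```python
import json
import subprocess
# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output (not real data):
# nvme0n1 holds the running system, /dev/sda1 is the empty partition meant for /home.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [{"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]},
    ]},
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": None, "mountpoint": None},
    ]},
]})

def _find(devices, name):
    # Depth-first search of the lsblk tree for a device by its short name (e.g. "sda1").
    for dev in devices:
        if dev["name"] == name:
            return dev
        hit = _find(dev.get("children", []), name)
        if hit:
            return hit

def _in_use(dev):
    # Mounted itself, or something stacked on it (an opened crypt mapping, LVM) is mounted.
    return bool(dev.get("mountpoint")) or any(_in_use(c) for c in dev.get("children", []))

def preflight(device, lsblk_json):
    """Reasons why `device` (e.g. /dev/sda1) must NOT be luksFormat'ed; [] means clear."""
    name = device.rsplit("/", 1)[-1]
    dev = _find(json.loads(lsblk_json)["blockdevices"], name)
    if dev is None:
        return [f"{device} is not present in lsblk output"]
    reasons = []
    if dev["type"] != "part":
        reasons.append(f"{device} is a {dev['type']}, not a partition")
    if _in_use(dev):
        reasons.append(f"{device} (or a mapping on top of it) is mounted")
    if dev.get("fstype") == "crypto_LUKS":
        reasons.append(f"{device} already holds a LUKS header; luksFormat would destroy it")
    elif dev.get("fstype"):
        reasons.append(f"{device} already carries a {dev['fstype']} file system")
    return reasons

def preflight_live(device):
    # Same check against the running system; needs lsblk (util-linux), no root required.
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return preflight(device, out)
```

Run `preflight_live("/dev/sda1")` right before the luksFormat step and proceed only when it returns an empty list.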
Open the newly created LUKS container and supply the passphrase you just set:
NOTE: crypthome is used as an example here. It is the "mapper name" under which the opened LUKS container will be available, in this example /dev/mapper/crypthome. You may use whatever name you like.
```
cryptsetup open /dev/sda1 crypthome
```
Formatting and mounting partitions
Create a file system for the home file system:
```
mkfs.ext4 /dev/mapper/crypthome
```
Mount the file systems:
```
mount --mkdir -o noatime /dev/mapper/crypthome /mnt/home
```
