LUKS (Linux Unified Key Setup) is the standard for Linux hard disk encryption.
apt-get install cryptsetup
Note
- This example uses an external device "/dev/sdb" with one partition "/dev/sdb1", formatted as "ext4"
- The directory used as the mount point is "/mnt/folder-crypt/"
Encrypt the volume with 'cryptsetup', which formats it as a LUKS device. This erases any data already on the partition.
sudo cryptsetup luksFormat /dev/sdb1
At this point you will be asked to enter the passphrase for the encrypted volume.
When opening the volume, you must assign it a name (here, "secret")
sudo cryptsetup luksOpen /dev/sdb1 secret
Format this volume with ext4 (or any other filesystem), and it will be ready to be mounted
sudo mkfs.ext4 /dev/mapper/secret
sudo mount /dev/mapper/secret /mnt/folder-crypt
From this point on, the folder "/mnt/folder-crypt/" is ready to be used
First unmount the volume, then close the encrypted device
sudo umount /mnt/folder-crypt
sudo cryptsetup luksClose secret
Cryptsetup allows a volume to have up to 8 passwords (passphrases and/or keyfiles)
Checking how many passwords the LUKS volume has:
sudo cryptsetup luksDump /dev/sdb1
8 key slots (0 to 7) will be listed
LUKS header information for /dev/sdb1
...
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
...
In this example, only key slot "0" is in use
To add another passphrase in a "DISABLED" slot
sudo cryptsetup luksAddKey --key-slot 1 /dev/sdb1
Then enter the passphrase
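Every enabled key slot is a credential that unlocks the volume, so it is worth checking the slot list against what you expect after any change. The script below is an added example, not part of the original page: it parses the "Key Slot N: ENABLED/DISABLED" lines of the luksDump output shown above. The function names and the embedded sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit LUKS key slots.
# Assumes the "Key Slot N: ENABLED|DISABLED" dump format shown above.

# Constructed sample input mirroring the dump above (only slot 0 in use).
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sdb1
...
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
...
EOF
}

# Read dump text on stdin; print the enabled slot numbers, space separated.
enabled_slots() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" {
             sub(":", "", $3); printf "%s%s", sep, $3; sep = " " }
         END { print "" }'
}

# Print the first DISABLED slot (a value for --key-slot); fail if all are used.
first_free_slot() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "DISABLED" {
             sub(":", "", $3); print $3; found = 1; exit }
         END { exit !found }'
}

# Succeed only if the enabled slots match the expected list exactly, e.g.
# check_slots "0 1". An extra slot is a credential nobody accounted for.
check_slots() {
    expected=$1
    actual=$(enabled_slots)
    if [ "$actual" = "$expected" ]; then
        echo "OK: enabled slots: ${actual:-none}"
    else
        echo "MISMATCH: expected [$expected], found [$actual]" >&2
        return 1
    fi
}

sample_dump | check_slots "0"
```

On a real device, pipe the live header into the check instead of the sample: sudo cryptsetup luksDump /dev/sdb1 | check_slots "0 1"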
Note: In this example, the keyfile used was created with the command:
dd if=/dev/urandom of=/path/to/keyfile bs=1024 count=4
sudo cryptsetup luksAddKey /dev/sdb1 /path/to/keyfile
To open the encrypted volume with a keyfile
sudo cryptsetup --key-file=/path/to/keyfile luksOpen /dev/sdb1 secret
