Ubuntu - external hard disk encryption

Do I need encryption?

The first question you should ask yourself: do I need an encrypted hard disk? If it's portable you might lose it at some point, and if the drive contains sensitive information, let's say project data from your customers, in my opinion the answer should be yes. Also, computers are sometimes stolen from office buildings!

With encryption you should keep in mind that it's harder to recover the data from the disk if something breaks and you need data recovery, or if you forget your password. Therefore it is always good to have a backup concept in the first place and a way to keep the backup updated (e.g. unison).

Also, I tend to encrypt only the hard disk with my data. I don't encrypt the SSD where my operating system is installed, for performance reasons. This is kind of a security problem, since some of your files will be accessible from the unencrypted SSD, e.g. as temporary files or from swap space. I take this risk, but you might want to consider it.

Any Windows machines involved?

The next question is whether you want to connect your external hard disk to Linux machines only, or to Windows machines as well. This article deals mostly with the Linux-only variant, but I will give you some pointers for a mixed environment.

TrueCrypt used to be the way to go. They support(ed) Linux, Windows and Mac OS. Unfortunately, since version 7.2 they stopped development and, in order to encourage users to move to other software, removed the "create new volume" functionality. "Fortunately", if you can live with the reduced security (my guess: yes), heise.de still offers version 7.1a for download. So off you go!

There are also some other software solutions, so you might want to have a look at them.

Linux encryption with LUKS

For all of you wanting just the Linux option: cryptsetup and LUKS are a way to go. In the following I will describe how to create an encrypted hard disk container via the Ubuntu GUI, and how to mount it via the GUI and via a command line script.

In Ubuntu, creating an encrypted external hard disk is actually surprisingly simple. Just search in the application lens for "disks" (or in German "Laufwerke").

[image: disks]

After starting the application you can select the disk you want to format.

  • Make sure to pick the right disk
  • You will lose all the data on this disk

Of course you can also encrypt only partitions, but for these details it is better to check the LUKS help page of the distribution of your choice.

[image: select device]

Anyway, select "format disk" from the menu hidden behind the little wheel icon at the bottom of the picture above. When asked for the format of the file system, just select the one with encryption (LUKS+Ext4). That's it.

[image: format device]

In Ubuntu, whenever you plug in the device you are asked for your password, and that's it. Pretty easy.

Connecting your disk from command line

Let's say you want to connect your hard disk to a machine without a graphical user interface, e.g. a server, or a machine where the Unity Desktop won't help you, since there is only a strange tiling window manager (e.g. qtile) installed.

There are probably many options: I ended up making two custom scripts (see also my post about custom scripts) using udisksctl:

Script for mounting:

#!/bin/sh
# script for mounting my encrypted usb-disk
# stop if unlocking fails, so we never try to mount a locked device
set -e
# -b for block devices like my disk
udisksctl unlock -b /dev/sdb1
udisksctl mount -b /dev/mapper/luks*

Script for unmounting:

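#!/bin/sh
# script for unmounting my encrypted usb-disk
# stop at the first failing step, so the final message is only printed on success
set -e
# -b for block devices like my disk
udisksctl unmount -b /dev/mapper/luks*
udisksctl lock -b /dev/sdb1
udisksctl power-off -b /dev/sdb1
echo "Disk sdb1 removed, locked and powered off"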

The -b option is for block devices, since I encrypted a whole hard disk. Please also note that I picked sdb1 as the external device; you might want to adapt this to your actual setup. You will find the existing names of your hard disks in /dev:

ls -l /dev/sd*

Note to self: I really might want to change the mount command to volume LABEL or UUID instead of sdb...

Another thing to be aware of: luks* works for me since I only mount one encrypted volume. If you are mounting several, this won't work for you.

/dev/mapper/luks*
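One way to address both caveats above (the hard-coded sdb1 and the luks* glob) is to refer to the disk by its LUKS UUID. This is an added example, not the author's script: the UUID is a constructed placeholder, the function names are hypothetical, and the luks-<UUID> mapper name is an assumption about how udisks names the unlocked device.

```shell
#!/bin/sh
# Added example: unlock/mount by LUKS UUID instead of /dev/sdb1 and luks*.
# The UUID below is a constructed placeholder; read yours with:
#   lsblk -o NAME,FSTYPE,UUID     (the row with FSTYPE crypto_LUKS)
LUKS_UUID="${LUKS_UUID:-00000000-0000-4000-8000-000000000000}"
DEV_ROOT="${DEV_ROOT:-/dev}"    # overridable so the helpers can be tested

# Accept only one canonical lowercase UUID, so no glob or "../" reaches a path.
valid_uuid() {
    [ "${#1}" -eq 36 ] && printf '%s\n' "$1" | grep -Eq \
        '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Stable path of the encrypted partition, independent of sdb/sdc ordering.
luks_device() {
    valid_uuid "$1" || return 2
    dev="$DEV_ROOT/disk/by-uuid/$1"
    [ -e "$dev" ] || return 1      # disk not plugged in
    printf '%s\n' "$dev"
}

# Assumption: udisks names the unlocked mapping luks-<UUID>, which is the
# pattern the luks* glob matches; naming it exactly selects one volume.
mapper_device() {
    valid_uuid "$1" || return 2
    printf '%s\n' "$DEV_ROOT/mapper/luks-$1"
}

mount_disk() {
    dev=$(luks_device "$LUKS_UUID") || { echo "disk not found" >&2; return 1; }
    udisksctl unlock -b "$dev" || return 1
    udisksctl mount -b "$(mapper_device "$LUKS_UUID")"
}

unmount_disk() {
    dev=$(luks_device "$LUKS_UUID") || { echo "disk not found" >&2; return 1; }
    udisksctl unmount -b "$(mapper_device "$LUKS_UUID")" || return 1
    udisksctl lock -b "$dev" || return 1
    udisksctl power-off -b "$dev" && echo "Disk locked and powered off"
}

case "${1:-}" in
    mount)   mount_disk ;;
    unmount) unmount_disk ;;
esac
```

Saved under a name of your choice, the script is called with mount or unmount as its only argument; with several encrypted disks, set LUKS_UUID per call to pick the volume.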

PS: The script is work in progress, so if you come up with a better solution, please let me know ed.rutkafunamnetadoeg@tkatnok