16

Context

Encrypting whole new external hard drive with Luks. I.e. it is not a system drive (will be used only to store data, not to boot the OS), and it is completely blank.

Observation

All descriptions that I found about how to achieve this go along the lines of:

  1. create a new partition, which is the same size as the whole disk
  2. encrypt that partition

Some examples:

From here:

Creating a new encrypted partition:

[...]

Encrypting an existing partition

Or here.

Question

Is it possible to encrypt the whole disk, instead of having one big encrypted partition?

Probably the answer will be no, so the real question is why not?

In other words

What would happen if instead of typing

sudo cryptsetup -v -y luksFormat /dev/sda1

I would type

sudo cryptsetup -v -y luksFormat /dev/sda

(without having created sda1)?

Improve this question
2
  • The module to decrypt this filesystem need to read /etc/crypttab which is impossible if you encrypt the entire disk (boot disk)
    – Romeo Ninov
    Commented Dec 22, 2019 at 12:43
  • 2
    @RomeoNinov: I said explicitly this is not a boot disk, but a data disk. Also, it is external (I don't know much about how crypttab works, but surely I can mount a new external encrypted HDD, even if it was not in crypttab before, right?)
    – Attilio
    Commented Dec 22, 2019 at 13:01

1 Answer 1

Reset to default
22

The cryptsetup FAQ mentions whole-disk encryption using LUKS. Basically, cryptsetup doesn’t care what the LUKS device is, partition, disk, or loop device, so you can use whichever is appropriate.

sudo cryptsetup -v -y luksFormat /dev/sda

will create a LUKS container using all of /dev/sda.

Section 2.2 of the FAQ recommends this for external disks:

Fully encrypted raw block device: For this, put LUKS on the raw device (e.g. /dev/sdb) and put a filesystem into the LUKS container, no partitioning whatsoever involved. This is very suitable for things like external USB disks used for backups or offline data-storage.

Note that cryptsetup doesn’t need /etc/crypttab.

Improve this answer
1
  • Yes, I do this for my external drives. Some desktop environments offer you an "Unlock" option automatically when the drive is plugged in. If yours doesn't do it you can use udisksctl unlock -b /dev/sda from the command line.
    – Uwe Geuder
    Commented Dec 22, 2019 at 14:13

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .