Lately I bought new backup HDDs and wanted to store data on them in encrypted form (as always). Although I did that several times before, I had again problems with recalling how it was, so... I decided to write it here, so it is easy to find it again. And maybe can be useful for someone else too.
Encrypted backups: dm-crypt vs loop-aes
No need to convince anyone that backups are important. I have them on external usb HDD and push data on HDD using rsync.
And the HDD is encrypted using
dm-crypt to protect data in case I lost the HDD.
I used to use
loop-aes, but resigned from it in favor of
dm-crypt because of the following reasons:
- Loop-eas required compiling an additional kernel module. It is not a problem (
module-assistentin Debian did the job well), but it was just one more thing to remember... Support for
dm-cryptis a part of the kernel, so it works out of the box.
dm-crypthave very similar performance.
Loop-aesallows storing the key on a separate medium - like usb stick. That is great, but I don't need that feature.
How to encrypt a HDD in few steps
All below is about debian system.
Install cryptsetup and cryptsetup-bin.
After connecting the new disk check which dev it is. It is /dev/sdb in my case. To create encrypted partition I use this:
cryptsetup luksFormat /dev/sdb
I could have done it differently: making partition first (e.g. using
cfdisk making /dev/sdb1) and then encrypting only
this one. But I prefer to make the whole HDD for my own reasons :)
- Open it
cryptsetup luksOpen /dev/sdb backup
You will need to enter the same password here as you provided in the previous step. If you succeed you will get /dev/mapper/backup block device which you can use in next step.
- Format it, like so:
mkfs.ext4 -m 0 -L backup /dev/mapper/backup
As you can see - using ext4, nothing reserved for root and with some label.
- Once that is done - I just mount it:
mount /dev/mapper/backup /mnt/backup
- ...and use it :-) To make it easier I have a simple mount script doing this:
cryptsetup luksOpen /dev/sdb backup && mount /dev/mapper/backup /mnt/backup
umount /mnt/backup && cryptsetup luksClose backup
I hope you can find this description useful. If not - no problem, it will be surely good for refreshing my memory next time I need it :)