Data drive encryption

Encryption on Debian 9

  1. Install cryptsetup, the userspace tool for dm-crypt
    apt-get install cryptsetup
  2. If you encrypted data drives during initial system setup, your swap space will be encrypted as well. First remove the swap encryption.
    sudo mkswap -f /dev/sda6
    sudo swapon /dev/sda6
  3. Add the swap space to /etc/fstab. If you have swap on multiple drives, where the remaining space is allocated to a software RAID, add the swap partitions with the same priority.
    /dev/sda6	none	swap	sw,pri=1	0	0
  4. Remove the fstab entry for mounting the encrypted volume
  5. Add the following commands to rc.local, which is executed as root
    echo "volume password" | sudo cryptsetup luksOpen /dev/mapper/vg-lv my_encrypted_volume
    mount /dev/mapper/my_encrypted_volume /mount/point
  6. To lock the container again, unmount it first
    sudo umount /mount/point
    sudo cryptsetup luksClose my_encrypted_volume
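
Step 5 keeps the passphrase in plaintext in rc.local, so anyone who can read that file can open the volume. The following added example (not part of the original page) unlocks with a key file instead and refuses to use it unless it is a regular file owned by root with mode 0400 or 0600; the key file path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: unlock a LUKS volume from rc.local with a key file
# instead of an inline passphrase.
DEVICE="/dev/mapper/vg-lv"        # LUKS device, as in step 5
NAME="my_encrypted_volume"        # mapping name, as in step 5
MOUNTPOINT="/mount/point"         # mount point, as in step 5
KEYFILE="/root/keys/my_encrypted_volume.key"   # hypothetical path

# One-time setup, run by hand as root (not from rc.local):
#   dd if=/dev/urandom of="$KEYFILE" bs=512 count=4
#   chmod 0400 "$KEYFILE"
#   cryptsetup luksAddKey "$DEVICE" "$KEYFILE"

# keyfile_is_safe FILE [EXPECTED_UID]
# Succeeds only if FILE is a regular file (not a symlink), owned by
# EXPECTED_UID (default 0 = root) and inaccessible to group and others.
keyfile_is_safe() {
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    owner=$(stat -c '%u' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    [ "$owner" = "$want_uid" ] || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Open the mapping with the key file and mount it; stop at the first failure.
unlock_volume() {
    if ! keyfile_is_safe "$KEYFILE"; then
        echo "refusing to use $KEYFILE: wrong type, owner or mode" >&2
        return 1
    fi
    cryptsetup luksOpen "$DEVICE" "$NAME" --key-file "$KEYFILE" || return 1
    mount "/dev/mapper/$NAME" "$MOUNTPOINT"
}

# From rc.local, run this script with the argument "unlock".
if [ "${1:-}" = "unlock" ]; then
    unlock_volume
fi
```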

Encrypt volume

  1. Find the Block Device Name of Your Partition
    lsblk
  2. Set Up LUKS Header
    sudo cryptsetup luksFormat /dev/mapper/<vg name>-<lv name>
  3. Create a Filesystem on the Partition. First map the physical device to a virtual device. Whatever is written to the virtual device is encrypted before being stored on the physical device.
    sudo cryptsetup luksOpen /dev/mapper/<vg name>-<lv name> <vg name>-<lv name>_crypt
    sudo mkfs.ext4 /dev/mapper/<vg name>-<lv name>_crypt
  4. Mount Encrypted Partition
    sudo mount /dev/mapper/<vg name>-<lv name>_crypt /mountpoint
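  5. If you need a directory tree to be copied from a backup location back to the newly encrypted drive, do it with rsync. An exclude pattern with a leading slash is anchored at the root of the transfer, which is /home when the source is /home/user.
    rsync -av --progress --exclude '/user/VirtualBox VMs' /home/user /mountpoint/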