Disk encryption

Create an encrypted partition

Create a partition using gparted.

sudo cryptsetup luksFormat --type=luks1 /dev/nvme0n1p7

WARNING: Device /dev/nvme0n1p7 already contains a 'ext4' superblock signature.

WARNING!
========
This will overwrite data on /dev/nvme0n1p7 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p7:
Verify passphrase:

Open

sudo cryptsetup open /dev/nvme0n1p7 crypt
# sudo cryptsetup close crypt

Format the drive as ext4 using gparted.

Mount

sudo mount /dev/mapper/crypt /mnt

Set Crypttab

Use the UUID of the encrypted disk (and NOT the decrypted one). Modify /etc/crypttab as follows:

crypt UUID=de81b7a0-ef6e-4aba-b45e-0a21a08a09c0    none                    luks

Update the boot loader (UEFI setup)

Install grub2

apt install grub2

echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
update-grub

Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.10.0-18-amd64
Found initrd image: /boot/initrd.img-5.10.0-18-amd64
Warning: os-prober will be executed to detect other bootable partitions.
Its output will be used to detect bootable binaries on them and create new boot entries.
Found Windows Boot Manager on /dev/nvme0n1p1@/EFI/Microsoft/Boot/bootmgfw.efi
Found Arch Linux on /dev/nvme0n1p4
Adding boot menu entry for UEFI Firmware Settings ...
done

Crypt setup for initramfs?

apt install cryptsetup-initramfs

Update the init ramdisk (mkinitcpio for arch, update-initramfs for debian)

update-initramfs -u -k all # for Debian

Update the EFI boot directory:

apt install grub-efi
BOOTLOADER_ID=? # customize accordingly
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=${BOOTLOADER_ID}

---

• Tags: linux grub