A question in regards to encrypting external Hard Drives

I chose to encrypt my HDD with LUKe at the time of install and I am thinking about doing the same with my backup HDDs as I have the same data on them. Is it a good idea? How safe or reliable is it? I read that I have to wipe out all the data on my drive to do such a thing Protect external storage with this Linux encryption system | Opensource.com. Is there a better option? I use restic too for back up but that is for larger hard drives with multiple version, some drives are small and can only keep one version of the data so I want to back up to them via rsync -auv --delete. What should I do?

Very much depends on what you’re defending against.

If your main system is a(n actually ported) portable device that you can lose or that can get stolen fairly easily then encryption makes some sense for that at least – and if it isn’t it tends to by and large do not. As to your externals pretty much the same: if they leave the house, sure, if not, meh.

You do take some additional risk: an encrypted volume can through physical or other block-level damage become in a practical sense fully undecryptable whereas with unencrypoted data you have way more chances of recovering at least some even if not all. Yet if they are actual backups then the same things holds as for backups generally, i.e., both sources needing to experience an issue at the same time for the data to be in fact gone. So, meh…

What it boils down to is that only you can decide whether or not it makes sense (but I would watch out for leaning towards “makes sense” just because it sounds all cool and stufff).

LUKS enctryption would still count as more or less best and the article you link to seems good. Other options would be e.g. fscrypt to encrypt on the filesystem rather than block-device level. My personal advise would be to not bother with that until you’re confident enough around Linux to deal with potential disasters; LUKS is the well-tested (and fastest) method. Yes, in-place encryption won’t work.

I personally use self-written shell scripts to backup with rsync. The graphical shell grsync around rsync as available from the repositories is slightly higher level and something you may like.

1 Like

Thanks, those were very useful info for me.

Very interesting. I like to know what happens when we encrypt a filesystem. Like how it is going to look like.

In the case of LUKS an entire filesystem is encrypted, in the case of fscrypt the granularity is directories. This will probably help:


But note then that my preference would for the time being be good ol’ LUKS.

1 Like

So I tried it and I think I blow out my HDD. I used dd count=4096 to wipe out the partition table but now I can’t use cryptsetup luksFormat command to encrypt it, I can’t even open it up with fdisk anymore. I just shows up on lsblk command. What should I do? Did I mess something up?

sudo fdisk /dev/sdb

Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

fdisk: cannot open /dev/sdb: Input/output error

This wouldn’t be intrinsically to do with that dd (more completely as per your own original link with if=/dev/zero and of=/dev/sdb I take it) which should be fine. Have you tried simply eject sdb and unplugging/plugging the drive? How is it connected in any case? USB?

Be very sure by the way to make sure it’s on re-plugging still /dev/sdb.

I did unplug and replug it, still no change. I tried gparted and it says I need to create a partition table. I am looking into these stuff and have not seen before.


Ok looks like that fdisk command only is for creating partitions not partition table itself. and there is another cli command by the name of gpart for this. What type Should I choose? Is ms-dos is the same as MBR? What are all those other options? I thought there is only GPT and MBR for this.

Your originally linked article operates in the context of a USB-stick and doesn’t partition it but, yes, normally you’d partition a harddrive.

However, that’s unrelated here: the I/O error you got from fdisk earlier is not going to be other for gparted and it’ll no doubt bum out in the same way once you’d apply. Also would have nothing to do with any of this. No, fdisk is for creation of a partition table indeed.

Yes, “msdos” is MBR but don’t for now concern yourself with this. If fdisk is still giving you an I/O error that needs solving first; I’d reboot and see again.

Ok let me reboot then. I thought since this drive has nothing to do with my OS and is external it is not going to be related to booting. I will try it anyway.

Point is that I’d want a clean slate both as to drive and as to system. But assuming you after reboot still have that I/O error: how is the drive connected? USB? (or eSATA, or …). Does sudo hdparm -I /dev/sdb work? Does it at the end of its output have a Security section? Could you paste that back?

still not working, same I/o error

Also the command you said is not there, should I install it?

❯ sudo hdparm -I /dev/sdb
sudo: hdparm: command not found

Oh, yes, sudo pacman -Syu hdparm

Here is the whole out put, there is security stuff in it too, I hope I have not bricked my HDD using dd :frowning:

❯ sudo hdparm -I /dev/sdb


ATA device, with non-removable media
        Model Number:       WDC WD10JPVX-22JC3T0
        Serial Number:      WD-WXD1EB3JCR79
        Firmware Revision:  01.01A01
        Transport:          Serial, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
        Supported: 9 8 7 6 5
        Likely used: 9
        Logical         max     current
        cylinders       16383   16383
        heads           16      16
        sectors/track   63      63
        CHS current addressable sectors:    16514064
        LBA    user addressable sectors:   268435455
        LBA48  user addressable sectors:  1953525168
        Logical  Sector size:                   512 bytes
        Physical Sector size:                  4096 bytes
        Logical Sector-0 offset:                  0 bytes
        device size with M = 1024*1024:      953869 MBytes
        device size with M = 1000*1000:     1000204 MBytes (1000 GB)
        cache/buffer size  = 8192 KBytes
        Nominal Media Rotation Rate: 5400
        LBA, IORDY(can be disabled)
        Queue depth: 32
        Standby timer values: spec'd by Standard, with device specific minimum
        R/W multiple sector transfer: Max = 16  Current = 0
        Advanced power management level: 96
        DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
             Cycle time: min=120ns recommended=120ns
        PIO: pio0 pio1 pio2 pio3 pio4
             Cycle time: no flow control=120ns  IORDY flow control=120ns
        Enabled Supported:
           *    SMART feature set
                Security Mode feature set
           *    Power Management feature set
           *    Write cache
           *    Look-ahead
           *    Host Protected Area feature set
           *    WRITE_BUFFER command
           *    READ_BUFFER command
           *    NOP cmd
           *    DOWNLOAD_MICROCODE
           *    Advanced Power Management feature set
                Power-Up In Standby feature set
           *    SET_FEATURES required to spinup after power up
                SET_MAX security extension
           *    48-bit Address feature set
           *    Device Configuration Overlay feature set
           *    Mandatory FLUSH_CACHE
           *    FLUSH_CACHE_EXT
           *    SMART error logging
           *    SMART self-test
           *    General Purpose Logging feature set
           *    64-bit World wide name
           *    IDLE_IMMEDIATE with UNLOAD
           *    {READ,WRITE}_DMA_EXT_GPL commands
           *    Segmented DOWNLOAD_MICROCODE
           *    Gen1 signaling speed (1.5Gb/s)
           *    Gen2 signaling speed (3.0Gb/s)
           *    Gen3 signaling speed (6.0Gb/s)
           *    Native Command Queueing (NCQ)
           *    Host-initiated interface power management
           *    Phy event counters
           *    Idle-Unload when NCQ is active
           *    NCQ priority information
           *    Host automatic Partial to Slumber transitions
           *    Device automatic Partial to Slumber transitions
           *    READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
                DMA Setup Auto-Activate optimization
                Device-initiated interface power management
                Software settings preservation
           *    SMART Command Transport (SCT) feature set
           *    SCT Write Same (AC2)
           *    SCT Features Control (AC4)
           *    SCT Data Tables (AC5)
                unknown 206[12] (vendor specific)
                unknown 206[13] (vendor specific)
                unknown 206[14] (vendor specific)
        Master password revision code = 65534
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
Logical Unit WWN Device Identifier: 50014ee6aef78946
        NAA             : 5
        IEEE OUI        : 0014ee
        Unique ID       : 6aef78946
Checksum: correct

You’d as far as I know through many USB-bridges in fact see an indication of said bridge in the model strings which I’m not seeing there so just to be very, very sure: that seems to be a 1T Western Digital 2.5" SATA drive. Are you sure you’re looking at the right drive? Is this your external? And once again, if, yes, how is it connected?

Yes I am sure it is it, I have on internal HDD and one External SSD connected to it via USB. I used it daily to backup my data without a problem.

Weird I did it via Gparted and it actually worked. Now I can do all kinds of things with it like normal. And I can open it via fdisk now.

Well, okay then; my next suggestion is going to be to firmware-level erase that drive and wanted to as such make really sure I wouldn’t be instructing you to erase a system drive…

First: no, that dd really can not have done anything bad as such, although it seems to have laid bare an issue with the drive. So let us fully reinitialize it. As the above hdparm output says, this will take some 190 minutes, i.e., 3 hours+. Make sure to be plugged in if this is a laptop; don’t want to run out of battery halfway through.

You do:

$ sudo hdparm --security-set-pass foo /dev/sdb
$ sudo hdparm --security-erase foo /dev/sdb

If the first command errors out that would be unfortunate; if not, the second will take approx 190 minutes to return you to the prompt.

When it does you have that drive as “factory-reset” as possible. You should then be able to with e.g. sudo fdisk /dev/sdb or gparted or whatever you feel like first create a partition table (which, yes, is on an HDD better than working directly on the device itself as per that article).

Did not see your second message before posting; okay, no need then for the long erase.

Ok, any idea what happened there and why? i suppose if I run the same commands there is going to get into the same trouble.