Help with procedure, to format and Encrypt an external HDD

I have a somewhat unique situation, maybe not too unique, but from what I’ve been able to find online so far, it’s not super common.
I have an external HDD; it is currently only 46% full of data. That being said, it’s large enough that I cannot back up the data elsewhere. It is currently formatted NTFS.
I want to convert the drive to EXT4 and Encrypt it.

What I intend to do, is partition the drive in half, copy all the data to the newly created EXT4 partition, then format the original remaining partition and resize the new EXT 4 partition.

My understanding is that this “should” work, but then you throw in the Encryption, and I’m not sure.
I need advice on how to do this properly. I don’t want to just “try” it and end up losing data.
I have no feasible way to back up all the data. With 3 other systems in my house, all put together, I still wouldn’t have enough room. So the split / format/ resize procedure is really my only option (as far as I know).

I’m running KDE, so I have access to KDE’s partition manager, I’ve also installed G-Parted
I really much prefer GUI if at all possible.

There is no safe way to do what you are describing. Modifying partitions always carries a risk of failure and data loss.

The best advice I can give you is to use kde partitionmanager to backup your partition table before each set of changes, make changes carefully and test between each action.

I would also consider using Windows to shrink the ntfs partition if you have a Windows machine available to you.

2 Likes

If the data is really important, get a second HDD. One terabyte is about 40 USD. I recommend Western Digital Blue, very reliable and affordable drives, fairly slow, though.

If this data is important to you, you should have a backup whether you do this or not. All important data should be backed up. HDDs fail all the time.

2 Likes

I appreciate that what I “should” do is spend money on a new hard drive
I Can not do that
I repeat
I do not have any other option period, full stop. I understand that to some people, $40 doesn’t seem like much, for me, my income vs expenses, that’s something that would take me 2 - 3 months to save for.
it’s just not an option right now.

As for HDDs failing all the time, maybe I’m just lucky, but in the last 30 years I’ve never had a WD drive fail on me, ever, not once. Don’t get me started on my 10 returns to Seagate though.

Using Windows to shrink the partition is feasible. When I go to make the new EXT4 partition, though, how do I go about encrypting it and still being able to resize it afterwards?

It is simply not rational to give you advice on how to do this, because there is such a high chance of it going wrong – nobody wants to be responsible for telling you how to do this and causing you to lose your data.

It’s like giving advice on the internet on how to use a table saw to make a toothpick.

If making a backup is not feasible, and the data is important, the only advice I can give you is not to touch that drive at all until you figure out how to back it up.

2 Likes

I just checked, a drive big enough to back up my existing data would be over $120. No way.

I did not realize that the act of partitioning and resizing a disk was so treacherous.
The truth is then that I’m done. My situation is not going to change anytime soon.
Most of the data is recoverable, but redownloading several terabytes of Data can take a LONG LONG time even with a good internet connection.

I’m sorry to have wasted your time.

Well, the other way could be to ask a friend for a spare drive for a few days

4 Likes

Personally, I wouldn’t even think of repartitioning a drive with important data on it, if I didn’t have at least two backup copies of it.

But that’s just me, I am fairly risk-averse, having lost important data in the past. But there are people who don’t mind playing Russian roulette.

In this case, I would go through the data, determine which parts of it can be downloaded again (and make sure they indeed are available) and which parts cannot, and then just selectively backup what is important.

I would not attempt repartitioning the drive without first being at peace with the very possible scenario of total data loss.

2 Likes

ok
fine
lets ignore the data
screw it

Formatting an external HDD
encryption
BTRFS or EXT 4?
And just format and encrypt like normal?
gnome-disks?
KPartitionmanager ?
Gparted?

What are my best options?

Hey

I can’t agree more with @Kresimir, if one has no backup then one has no data. Period.

That being said, if you decide to ‘‘screw it’’, then what you planned in the first place sounded good.
The ‘‘safest’’ (if any…) way to do it (well, the easiest at least… maybe…) would be to:

  • shrink the ntfs partition from Windows disk manager (and hope to be able to shrink it enough in the 1st place)
  • use gparted or whatever to make an ext4 partition
  • move the data
  • expand the partition
  • encrypt with VeraCrypt or whatever
  • cry after/before any of those steps cause you lost your movies (as long as it exists somewhere else, not the worst loss imho)

Keeping sh**ty ntfs and just encrypt ain’t an option though?

Cheers!

2 Likes

https://wiki.archlinux.org/title/Fscrypt#ext4 (It’s file based encryption tho)

If for whatever reason you nuke your ntfs partition you can still recover it if you don’t overwrite the data on those sectors

P. S. This is a tutorial for full-disk encryption if you’re interested https://gist.github.com/huntrar/e42aee630bee3295b2c671d098c81268

1 Like

I… suppose? My idea had been full disk encryption with Luks originally.
Going to see what I can do about borrowing 5TB from somewhere, go from there.

Not sure if you want disk encryption for the sake of it or rather your data being encrypted? If it’s the latter, you maybe want to consider this simple alternative:

Drop the disk encryption idea and instead create a Cryptomator/VeraCrypt/etc. container on your existing NTFS partition/disk and simply copy stuff over.

Once things have completed you can delete the original data. Same result just different means.

4 Likes

Okay, I’ll bite … but this statement worries me a bit. EndOS is a terminal centric distro after all.

I would read up on the what luks encryption is and how it works before you go down this path. The Arch Wiki is your friend.

It is not difficult to learn, but it is not point & click, set and forget, idiot proof either. Some learning will be required.

Each time you encrypt a drive you blow away its contents, important to remember.

Conceptually the order of steps is :

1 . Backup original data from external drive
2 . Create new partition table for external drive
3 . Partition your external drive
4 . Create luks container(s) for partition(s) you want encrypted
5 . Open luks partition
6 . Format opened luks partition with file system of choice
7 . Mount your encrypted partition
8 . Check permissions
9 . Copy data back
10 . Optionally configure automount at boot

Assume going forward your connected ext drive partition is /dev/sdXn .

How you could do these steps for ext4 encryption :

1 . Copy data to another drive, maybe compress all contents first if space limited

2 . Use gparted to create a gpt partition table for external drive

3 . Use gparted to make at least one partition

4 . Use cryptsetup command in the terminal to encrypt that partition

sudo cryptsetup -y -v luksFormat /dev/sdXn

If you want to decrypt with a keyfile instead of typing a password

sudo cryptsetup luksAddKey /dev/sdXn [keyfile-path]

See Arch wiki for more info on luks keyfile creation, config and use cases

5 . Open your luks partition

sudo cryptsetup open /dev/sdXn data

data is just a label, use whatever you wish. Opened luks containers are accessed through device mappers (ie /dev/mapper).

6 . Format with ext4 filesystem

sudo mkfs.ext4 /dev/mapper/data

data is the same label used in open command

7 . Now mount your encrypted ext4 filesystem to whatever directory you wish

sudo mount /dev/mapper/data [directory-path]

8 . Make sure your user has ownership of the mount directory (post mount), check with ls -al. If not change with

sudo chown [username]:[username] [directory-path]

9 . Copy your data back to your encrypted partition through your mount directory

10 . You can automount encrypted partitions at boot by adding entries in both /etc/crypttab

luks-data UUID=[Partition-UUID] [keyfile-path] luks,nofail

and /etc/fstab

/dev/mapper/luks-data  [directory-path] ext4 defaults,noatime 0 0

Use sudo lsblk -f to get [Partition-UUID], omit the [keyfile-path] if not using keyfiles.

Otherwise just manually use the cryptsetup and mount commands in a terminal when required, suggest simplifying usage with .bashrc aliases.

alias ext-open='sudo cryptsetup open /dev/sdXn ext && sudo mount /dev/mapper/ext [directory-path]'
alias ext-close='sudo umount [directory-path] && sudo cryptsetup close ext && sudo udisksctl power-off -b /dev/sdXn'

Don’t forget to unmount and close your external luks partition when done using it, not good practice to shutdown with it still open.

Some DE file managers allow you to open & mount encrypted partitions on the fly, I prefer to do it manually, experiment yourself and see what works best for you.

5 Likes
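For step 10 of the post above, an added example (not part of the original post) that prints the /etc/crypttab and /etc/fstab lines instead of typing them by hand. It follows crypttab(5): the options are one comma-separated field, and the key file field is `none` when the passphrase is typed at boot. The mapper name, UUID and mount point are constructed sample values, and `nofail` in the fstab options is an addition so that boot continues when the external drive is unplugged.

```shell
#!/bin/sh
# Added example: print the /etc/crypttab and /etc/fstab lines for step 10.
# Nothing is written to /etc; review the output and paste it in yourself.

# crypttab_line NAME LUKS_UUID [KEYFILE]
# crypttab(5) fields: mapper name, source device, key file, options.
# The options field is ONE comma-separated word, and the key file field is
# "none" when the passphrase is typed at boot.
crypttab_line() {
    name=$1; uuid=$2; keyfile=${3:-none}
    case $name in
        ''|*[!A-Za-z0-9_.-]*) echo "bad mapper name: $name" >&2; return 1 ;;
    esac
    case $uuid in
        ''|*[!0-9A-Fa-f-]*) echo "bad UUID: $uuid" >&2; return 1 ;;
    esac
    if [ "$keyfile" != none ]; then
        case $keyfile in
            /*) ;;
            *) echo "key file path must be absolute" >&2; return 1 ;;
        esac
        [ -f "$keyfile" ] || { echo "no such key file: $keyfile" >&2; return 1; }
        # Characters 5-10 of the ls mode string are the group/other bits.
        if [ "$(ls -ld -- "$keyfile" | cut -c5-10)" != "------" ]; then
            echo "key file is accessible to group/other; chmod 600 it" >&2
            return 1
        fi
    fi
    printf '%s UUID=%s %s luks,nofail\n' "$name" "$uuid" "$keyfile"
}

# fstab_line NAME MOUNTPOINT
# Mounts the opened mapper device. "nofail" is added here too (an addition
# to the post's options) so boot continues when the drive is unplugged.
fstab_line() {
    name=$1; mnt=$2
    case $mnt in
        /*) ;;
        *) echo "mount point must be absolute" >&2; return 1 ;;
    esac
    printf '/dev/mapper/%s %s ext4 defaults,noatime,nofail 0 0\n' "$name" "$mnt"
}

# Constructed sample values (not from a real disk):
crypttab_line luks-data 0f3c1a2b-1111-2222-3333-444455556666
fstab_line luks-data /mnt/data
```

The UUID to pass is the one `sudo lsblk -f` shows for the LUKS partition itself (/dev/sdXn), not for the ext4 filesystem inside the opened mapper device.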

For what it’s worth, it’s not that I’m uncomfortable with the terminal, but I still prefer GUI.
I know EndeavourOS is Terminal centric, as a distro, but I’m also assuming there’s few people here that use only CLI programs.

I came here from Manjaro, I had issues with it, but loved the AUR, I love the idea of rolling releases. There is no one Arch based distro that ticks all my boxes, So Endeavour is what I use, and I’ve been very happy with it for nearly two years now, I especially love the community it has. But yes, I still prefer GUI solutions when available. It’s easier on my arthritis than a lot of typing in most cases, so here I am

1 Like

Terminal centric does not mean eschewing any and all GUI programs. Terminal-centric distro means that the terminal is the preferred user interface for system-related operations, like package management, as well as for tasks where terminal is arguably the better user interface than the GUI (such as the one which is the subject of this thread).

Of course, for some tasks, nobody disputes that the GUI is more suitable in most cases. The examples of the latter are: web browsing, multimedia creation and editing, 3D modelling, video games. Even though all of these tasks are possible solely in the terminal, there is no doubt that the GUI makes them significantly more effective.

2 Likes

I would add a couple more things to the list of “GUI preferred” items… such as writing an ISO to a USB drive (mintstick), or doing a mission critical rsync transfer (grsync) and other such tasks that a GUI allows an easier ‘final check’ before launching!

I am not sure I can agree on that one. Unless you are very GUI-centric, rsync is much easier to work with on the terminal and can even do dry runs if you want to test something.

1 Like

Sorry, if you are searching for GUI tools but this kind of procedure you want to do can be something really dangerous to your data. Many of the GUI tools only wrap around commands in the terminal and you have to trust that the GUI tool is doing everything right. In terminal you can see every command and check whether it is correct or not. And additionally some of the steps in your procedure can only be done in terminal because there is no GUI tool to do this step.

2 Likes

Exactly the point I was making - the ‘dry run’ is prominent in the GUI as well - which might make it easier (more accessible) for the safer option! I’m sure I’m not alone in occasionally missing the obvious in a long command string - seeing the options separately can be helpful in those circumstances.