Okay, I’ll bite … but this statement worries me a bit. EndOS is a terminal centric distro after all.
I would read up on what luks encryption is and how it works before you go down this path. The Arch Wiki is your friend.
It is not difficult to learn, but it is not point & click, set and forget, idiot proof either. Some learning will be required.
Each time you encrypt a drive you blow away its contents, important to remember.
Conceptually the order of steps is :
1 . Backup original data from external drive
2 . Create new partition table for external drive
3 . Partition your external drive
4 . Create luks container(s) for partition(s) you want encrypted
5 . Open luks partition
6 . Format opened luks partition with file system of choice
7 . Mount your encrypted partition
8 . Check permissions
9 . Copy data back
10 . Optionally configure automount at boot
Assume going forward your connected ext drive partition is /dev/sdXn.
How you could do these steps for ext4 encryption :
1 . Copy data to another drive, maybe compress all contents first if space limited
2 . Use gparted to create a gpt partition table for external drive
3 . Use gparted to make at least one partition
4 . Use cryptsetup command in the terminal to encrypt that partition
sudo cryptsetup -y -v luksFormat /dev/sdXn
If you want to decrypt with a keyfile instead of typing a password
sudo cryptsetup luksAddKey /dev/sdXn [keyfile-path]
See Arch wiki for more info on luks keyfile creation, config and use cases
5 . Open your luks partition
sudo cryptsetup open /dev/sdXn data
data is just a label, use whatever you wish. Opened luks containers are accessed through device mappers (ie /dev/mapper).
6 . Format with ext4 filesystem
sudo mkfs.ext4 /dev/mapper/data
data is the same label used in open command
7 . Now mount your encrypted ext4 filesystem to whatever directory you wish
sudo mount /dev/mapper/data [directory-path]
8 . Make sure your user has ownership of the mount directory (post mount), check with ls -al. If not change with
sudo chown [username]:[username] [directory-path]
9 . Copy your data back to your encrypted partition through your mount directory
10 . You can automount encrypted partitions at boot by adding entries in both /etc/crypttab
luks-data UUID=[Partition-UUID] [keyfile-path] luks,nofail
and /etc/fstab
/dev/mapper/luks-data [directory-path] ext4 defaults,noatime 0 0
Use sudo lsblk -f to get [Partition-UUID], omit the [keyfile-path] if not using keyfiles.
Otherwise just manually use the cryptsetup and mount commands in a terminal when required, suggest simplifying usage with .bashrc aliases.
alias ext-open='sudo cryptsetup open /dev/sdXn ext && sudo mount /dev/mapper/ext [directory-path]'
alias ext-close='sudo umount [directory-path] && sudo cryptsetup close ext && sudo udisksctl power-off -b /dev/sdXn'
Don’t forget to unmount and close your external luks partition when done using it, not good practice to shut down with it still open.
Some DE file managers allow you to open & mount encrypted partitions on the fly, I prefer to do it manually, experiment yourself and see what works best for you.
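
A pre-reboot check for the step 10 entries, added here as an example and not part of the original post. On systemd-based systems crypttab(5) expects all options in one comma-separated fourth field and a key field that is an absolute path, none or -, and the /dev/mapper name in fstab has to match the crypttab name. The function names, the UUID and the /mnt/ext and /etc/keys/ext.key paths are constructed placeholders.

```shell
# Added example (not from the original post). Paths are arguments so the
# checks can run on copies; on a real system pass /etc/crypttab and /etc/fstab.

# check_crypttab FILE: prints one line per problem, returns 1 if any was found
check_crypttab() {
    awk '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        NF < 2 { print "line " NR ": need at least <name> <device>"; bad = 1; next }
        NF > 4 { print "line " NR ": " NF " fields, options must be one comma-separated field"; bad = 1 }
        NF >= 3 && $3 != "none" && $3 != "-" && $3 !~ /^\// {
            print "line " NR ": key field \"" $3 "\" is not a path, use none as placeholder"; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# check_fstab_mappers CRYPTTAB FSTAB: every /dev/mapper/<name> in FSTAB
# must be opened by a crypttab entry with the same <name>
check_fstab_mappers() {
    awk '
        /^[ \t]*(#|$)/ { next }
        FILENAME == ARGV[1] { names[$1] = 1; next }   # first file: crypttab names
        $1 ~ /^\/dev\/mapper\// {
            n = substr($1, 13)                        # strip the /dev/mapper/ prefix
            if (!(n in names)) { print "fstab: " $1 " has no crypttab entry \"" n "\""; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample input (placeholder UUID and paths, not from a real system)
tmp=$(mktemp -d)
printf '%s\n' 'luks-data UUID=0000-placeholder /etc/keys/ext.key luks nofail' > "$tmp/crypttab"
printf '%s\n' '/dev/mapper/luks-data /mnt/ext ext4 defaults,noatime 0 0' > "$tmp/fstab"
check_crypttab "$tmp/crypttab" || echo "crypttab needs fixing"
check_fstab_mappers "$tmp/crypttab" "$tmp/fstab" && echo "fstab mapper names match"
rm -rf "$tmp"
```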