Adding new encrypted hard disk to Fedora



In this tutorial we will use the command cryptsetup on Fedora 25 to add a new disk to the current system. We will left all the OS files in the current disk, we will use the new disk for data storage. Remeber that chaging the /etc/fstab could break your system, be careful with the steps in this tutorial and we recommend to do a backup before follow this step.

Step 1: Create partition with fdisk

We are going to use as an example the disk sdX, change it to the disk you want to encrypt. Open the disk with fdisk:

sudo fdisk /dev/sdX

If you want to use the full disk in one partition, just type n and hit enter until no more questions are returned by fdisk. When everything is done type w to save the new partition to the disk.

Step 2: Format the disk with luks

First we are going to execute luksForms to create the encrypted partition. Then we will open it to use it as a normal disk.

sudo cryptsetup luksFormat /dev/sdX1
sudo cryptsetup luksOpen /dev/sdX1 cryptmap
sudo mkfs.ext4 /dev/mapper/cryptmap

Step 3: Mount the encrypted partition at boot

First create a random key to add it with cryptsetup:

sudo dd if=/dev/urandom of=key.sdX1 bs=1024 count=4
sudo cryptsetup luksAddKey /dev/sdX1 key.sdX1
sudo cryptsetup luksUUID /dev/sdX1

The last command will return the UUID to add it on the /etc/crypttab. Open the crypttab file and add the following entry:

sdX1 /dev/disk/by-uuid/XXXXXXXXXXXXXXXX COMPLETE_PATH/key.sdX1 luks

Replace XXXXXXXXXXXXXXXX with the key obtained before and COMPLETE_PATH to match the path where you saved the random key.

Finally we need to mount the unencrypted partition at boot, edit the /etc/fstab and add the following line:

/dev/mapper/sdX  /media/sdX     ext4    defaults        0       2

You are ready to reboot or just:

sudo mount -a