or How to Keep Fuzz Out of Your Filesi.

Note: at the time of writing, Debian 7.0 is still in it's testing phase, so if you're reading from the future, your mileage my vary.

1. Pre-requisites

Assumption 1: You've got a running Debian 7.0 system Assumption 2: You have a partitioned disk and you know which partition you want to encrypt. Assumption 3: You've backed up any data you care about on the partition we're about to encrypt.

Apart from that you need to ensure you have this package installed:

Install it as follows:

$ sudo aptitude install crytpsetup

Once they're on, we're done and we can move into the real action

2. Write Random Data to the Partition

Not just any partition, the one you wish to encrypt. This is done to avoid pattern based encryption attacks. This dd command is used to write random data to the partition. It can take ages, depending on the entropy data generated by your system. I had one 500GB disk take about 12 hours:

# openssl rc4 -e -kfile /dev/urandom -in /dev/zero | dd bs=1M of=/dev/sdX1

3. Encrypt the Partition

Now for the juicy stuff, encryption. Cryptsetup is our weapon of choice and the below command encrypts your partition with 256-bit AES XTS algorithm. The NSA are building the worlds largest data centre just to break it.

$ sudo cryptsetup -h sha256 -c aes-xts-plain -s 256 luksFormat /dev/sdX1

When prompted, enter in your passphrase for this partition. Make it difficult, memorable and FFS, don't write it down.

4. Mounting the Partition and Decryption

Here we set the name of our encrypted partition for dev mapper. You can choose any name, I've gone with "privates":

$ sudo cryptsetup luksOpen /dev/sdX1 privates
Enter LUKS passphrase:

Now your encrypted partition is available to your system as /dev/mapper/privates. Now we make a file system and label it:

$ sudo mkfs.ext4 -L Privates /dev/mapper/privates

Create a mount point and mount the partition:

$ sudo mkdir /media/privates
$ sudo mount /dev/mapper/privates /media/privates
$ sudo chown -R myusername.myusername /media/privates

Now the encrypted partition is available in /media/privates directory. Go nuts copying stuff to it.

5. Unmounting the Encrpyted Partition

Unmount it from the system, then use cryptsetup to close the connected protection.

$ sudo umount /media/privates 
$ sudo cryptsetup luksClose /dev/mapper/privates

Done :)

Desktop Notes

In many GUI environments, when you reconnect this encrypted disk it will be automatically detected and present you with a mount dialog. Such is the Linux love these days :)