or How to Keep Fuzz Out of Your Filesi.
Note: at the time of writing, Debian 7.0 is still in it's testing phase, so if you're reading from the future, your mileage my vary.
Assumption 1: You've got a running Debian 7.0 system Assumption 2: You have a partitioned disk and you know which partition you want to encrypt. Assumption 3: You've backed up any data you care about on the partition we're about to encrypt.
Apart from that you need to ensure you have this package installed:
Install it as follows:
$ sudo aptitude install crytpsetup
Once they're on, we're done and we can move into the real action
Not just any partition, the one you wish to encrypt. This is done to avoid pattern based encryption attacks. This dd command is used to write random data to the partition. It can take ages, depending on the entropy data generated by your system. I had one 500GB disk take about 12 hours:
# openssl rc4 -e -kfile /dev/urandom -in /dev/zero | dd bs=1M of=/dev/sdX1
Now for the juicy stuff, encryption. Cryptsetup is our weapon of choice and the below command encrypts your partition with 256-bit AES XTS algorithm. The NSA are building the worlds largest data centre just to break it.
$ sudo cryptsetup -h sha256 -c aes-xts-plain -s 256 luksFormat /dev/sdX1
When prompted, enter in your passphrase for this partition. Make it difficult, memorable and FFS, don't write it down.
Here we set the name of our encrypted partition for dev mapper. You can choose any name, I've gone with "privates":
$ sudo cryptsetup luksOpen /dev/sdX1 privates Enter LUKS passphrase:
Now your encrypted partition is available to your system as /dev/mapper/privates. Now we make a file system and label it:
$ sudo mkfs.ext4 -L Privates /dev/mapper/privates
Create a mount point and mount the partition:
$ sudo mkdir /media/privates $ sudo mount /dev/mapper/privates /media/privates $ sudo chown -R myusername.myusername /media/privates
Now the encrypted partition is available in /media/privates directory. Go nuts copying stuff to it.
Unmount it from the system, then use cryptsetup to close the connected protection.
$ sudo umount /media/privates $ sudo cryptsetup luksClose /dev/mapper/privates
In many GUI environments, when you reconnect this encrypted disk it will be automatically detected and present you with a mount dialog. Such is the Linux love these days :)