Encrypt Your Drive | Freedom Lab NYC

Requirements

Encryption algorithm: AES-256 (more precisely AES-XTS-plain64 with a 512-bit key)
Encryption software: LUKS (Linux Unified Key Setup)

Plug the drive without mounting it and find the device name (mine is /dev/sda):

lsblk -o NAME,FSTYPE,FSSIZE,FSAVAIL

Write random bytes on the device for extra peace of mind:

sudo dd if=/dev/urandom of=/dev/sda bs=4096 status=progress

Initialize the LUKS partition and set your encryption passphrase:

sudo cryptsetup luksFormat --type luks2 /dev/sda

I recommend using a complex passphrase of 20 or more characters.

Open and map the partition to a device, enter your passphrase when prompted:

sudo cryptsetup luksOpen /dev/sda MY_PRECIOUS_USB

Check the status of the mapped device:

sudo cryptsetup -v status MY_PRECIOUS_USB

Verify that the Cipher is aes-xts-plain64 and the Cipher Key is 512 bits

Create the filesystem on the mapped device:

sudo mkfs -t ext4 -V /dev/mapper/MY_PRECIOUS_USB

Format it in exFAT instead of ext4 if you want it to work on Windows and macOS.

Mount the mapped device:

sudo mkdir /mnt/MY_PRECIOUS_USB
sudo mount /dev/mapper/MY_PRECIOUS_USB /mnt/MY_PRECIOUS_USB

Only root has write permissions. Do this to also allow your regular user:

sudo chown your_user:your_user /mnt/MY_PRECIOUS_USB

You can now copy your sensitive data to the drive:

cp my_secret_file /mnt/MY_PRECIOUS_USB/my_secret_file

When you're done you can unmount and close the mapped device:

sudo umount /mnt/MY_PRECIOUS_USB
sudo cryptsetup luksClose MY_PRECIOUS_USB

In the future, when you plug in your drive, you can use the GUI.

If you prefer to use the CLI, do this to decrypt and mount:

sudo cryptsetup luksOpen /dev/sda MY_PRECIOUS_USB
sudo mount /dev/mapper/MY_PRECIOUS_USB /mnt/MY_PRECIOUS_USB

Do this to unmount and close:

sudo umount /mnt/MY_PRECIOUS_USB
sudo cryptsetup luksClose MY_PRECIOUS_USB