How To Use Linux LUKS Full Disk Encryption For Internal / External / Boot Drives


Thank you TOM! I believe I was the first one to request a video on this to be made. Now I can enjoy and learn.
Thanks a lot!

I encourage everyone in the community to watch this video!


Thanks again Tom for the tutorial. I have two general questions each with related sub questions:

  1. Re LUKS header backups:
    Where do you store your header backups - on another LUKS encrypted drive that will also need its header backed up? I chose gpg encryption of the individual exported header files stored on my primary drive and backed up. How do you keep the header files straight? I named them after the drive label they belong to. Just looking for good practice here and I’m assuming someone could use the header to brute force crack the password(s) so they need to be protected.

  2. Is it possible to mount several LUKS encrypted drives using fstab and only enter the password once (they will each have same pwd)? Background: I use a primary Data drive that I manually mirror with internal and external (USB connected) Data drives using an rsync script. Will I need to enter the password for each drive at boot?

Apologies if this is obvious to everyone. I’m new to drive encryption.

  1. I don’t back the headers up. I have the data on those drives backed up to other LUKS drives so I don’t worry about the headers. Also, I am not saying it is not possible, but I have never had a header be the reason that I could not get data off the drive, it was always drive failure.

  2. Not without writing some script that you would pass that data to.

Thanks Tom,

Re booting: I figured that would be the case. But fstab to mount should work, right? Would UUID be the luks-hexstring? (EDIT: got UUID via $ sudo blkid)

Re headers: you’re backing up to a NAS, so you just restore. I don’t have that level of sophistication here. Do you see anything wrong about my paradigm: export headers and store encrypted with gpg?
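
An added example, not part of the original thread: one common layout for unlocking and mounting secondary LUKS data drives at boot without a passphrase prompt for each, using a keyfile enrolled in a spare key slot. The mapping names, mount points, keyfile path, filesystem type and UUIDs are placeholders, and it assumes the root filesystem holding the keyfile is itself encrypted.

```conf
# One-time setup per data drive (run as root; asks for an existing passphrase).
# /etc/luks-keys and /dev/sdX1 are placeholders.
#   dd if=/dev/urandom of=/etc/luks-keys/data.key bs=512 count=8
#   chmod 0400 /etc/luks-keys/data.key
#   cryptsetup luksAddKey /dev/sdX1 /etc/luks-keys/data.key

# ---- /etc/crypttab ----
# <name>     <source device>             <key file>                <options>
# The UUID here is that of the LUKS container itself: the blkid line
# showing TYPE="crypto_LUKS", not the filesystem inside it.
data_int     UUID=<luks-uuid-internal>   /etc/luks-keys/data.key   luks
# nofail keeps boot from blocking when the USB drive is unplugged.
data_usb     UUID=<luks-uuid-external>   /etc/luks-keys/data.key   luks,nofail

# ---- /etc/fstab ----
# Mount the unlocked mapper devices, not the raw encrypted partitions.
/dev/mapper/data_int   /mnt/data_int   ext4   defaults          0  2
/dev/mapper/data_usb   /mnt/data_usb   ext4   defaults,nofail   0  2
```

The passphrase slots stay in place, so each drive can still be unlocked by hand on another machine.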

I am using FreeNAS for my backups, and storing the headers on a USB drive should be fine.

When I mount and unmount LUKS encrypted drives, I see the following errors in the logs:

Buffer I/O error on dev dm-0, logical block 0, async page read

Is this indicating an error in configuration or normal & should I just ignore it?