How to encrypt portable external hard drive

Encrypt portable external hard drive using Linux Unified Key Setup to protect data in transit.

Connect new and empty portable external hard drive to identify it.

[Mon Mar 19 04:20:11 2018] usb 3-2: new SuperSpeed USB device number 6 using xhci_hcd
[Mon Mar 19 04:20:11 2018] usb 3-2: New USB device found, idVendor=125f, idProduct=a35a
[Mon Mar 19 04:20:11 2018] usb 3-2: New USB device strings: Mfr=2, Product=3, SerialNumber=1
[Mon Mar 19 04:20:11 2018] usb 3-2: Product: HD650
[Mon Mar 19 04:20:11 2018] usb 3-2: Manufacturer: ADATA
[Mon Mar 19 04:20:11 2018] usb 3-2: SerialNumber: 4810358C3023
[Mon Mar 19 04:20:11 2018] scsi host4: uas
[Mon Mar 19 04:20:11 2018] scsi 4:0:0:0: Direct-Access     ADATA    HD650            0    PQ: 0 ANSI: 6
[Mon Mar 19 04:20:11 2018] sd 4:0:0:0: Attached scsi generic sg1 type 0
[Mon Mar 19 04:20:11 2018] sd 4:0:0:0: [sdb] Spinning up disk...
[Mon Mar 19 04:20:12 2018] .
[Mon Mar 19 04:20:13 2018] .
[Mon Mar 19 04:20:14 2018] .
[Mon Mar 19 04:20:15 2018] .
[Mon Mar 19 04:20:15 2018] ready
[Mon Mar 19 04:20:15 2018] sd 4:0:0:0: [sdb] 3907029168 512-byte logical blocks: (2.00 TB/1.82 TiB)
[Mon Mar 19 04:20:15 2018] sd 4:0:0:0: [sdb] 4096-byte physical blocks
[Mon Mar 19 04:20:15 2018] sd 4:0:0:0: [sdb] Write Protect is off
[Mon Mar 19 04:20:15 2018] sd 4:0:0:0: [sdb] Mode Sense: 43 00 00 00
[Mon Mar 19 04:20:15 2018] sd 4:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[Mon Mar 19 04:20:15 2018]  sdb: sdb1
[Mon Mar 19 04:20:15 2018] sd 4:0:0:0: [sdb] Attached SCSI disk

It will likely W95 FAT32 filesystem by default.

$ sudo sfdisk --list /dev/sdb
Disk /dev/sdb: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: dos
Disk identifier: 0xf7316823

Device     Boot Start        End    Sectors  Size Id Type
/dev/sdb1  *     2048 3907026943 3907024896  1.8T  c W95 FAT32 (LBA)

Unmount if it was mounted automatically.

$ mount | grep sdb
/dev/sdb1 on /media/milosz/ADATA HD650 type vfat (rw,nosuid,nodev,relatime,uid=1000,gid=1000,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,showexec,utf8,flush,errors=remount-ro,uhelper=udisks2)

$ sudo umount /dev/sdb1 

Initialize LUKS partition and set password.

$ sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha256 /dev/sdb1 

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:  ****************
Verify passphrase: ****************

Diplay header information of LUKS partition.

$ sudo cryptsetup luksDump /dev/sdb1 
LUKS header information for /dev/sdb1

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha256
Payload offset:	65535
MK bits:       	256
MK digest:     	67 fe f5 dc 74 de fa 82 7a 19 67 cd a2 e3 41 61 94 bc 34 3f 
MK salt:       	a8 63 0b 89 26 16 9b 05 4d aa 19 dd a7 7c dd 6d 
               	d8 32 4d 1e c4 bd fd 50 0c 5b f8 6f c4 cd e4 e6 
MK iterations: 	84500
UUID:          	780554cb-5335-4dc0-80fc-43e7bb4cf16c

Key Slot 0: ENABLED
	Iterations:         	343163
	Salt:               	83 10 7e 0c d5 60 3e 2a 72 2f 44 fd 6c 47 93 d2 
	                      	ab e7 46 61 4a 26 62 5e a8 4e 6a a1 fb 62 95 d3 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Open LUKS partition and map it as homeext after successful verification.

$ sudo cryptsetup luksOpen /dev/sdb1 homeext
Enter passphrase for /dev/sdb1: ****************

Format encrypted homext virtual block device.

$ sudo mkfs.ext4 /dev/mapper/homeext 
mke2fs 1.42.13 (17-May-2015)
/dev/mapper/homeext contains a ext4 file system
	created on Wed Mar 28 20:03:45 2018
Proceed anyway? (y,n) y
Creating filesystem with 488369920 4k blocks and 122093568 inodes
Filesystem UUID: 68100a88-4049-427d-ba0d-85ab54c936bd
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 
	102400000, 214990848

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done       

Create mount directory and mount virtual block device.

$ sudo mkdir /mnt/homeext
$ sudo mount /dev/mapper/homeext /mnt/homeext/
$ sudo chown milosz:milosz /mnt/homeext
$ sudo chmod 770 /mnt/homeext/

Unmount and close virtual block device after required data is copied.

$ sudo umount /mnt/homeext 
$ sudo cryptsetup luksClose homeext

Use luksOpen,mount and unmount, luksClose operations next time.

You can benchmark available algorithms using the following command.

$ cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      1052787 iterations per second
PBKDF2-sha256     688041 iterations per second
PBKDF2-sha512     578046 iterations per second
PBKDF2-ripemd160  651289 iterations per second
PBKDF2-whirlpool  227555 iterations per second
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   592.2 MiB/s  2362.0 MiB/s
 serpent-cbc   128b    79.5 MiB/s   507.3 MiB/s
 twofish-cbc   128b   164.9 MiB/s   320.2 MiB/s
     aes-cbc   256b   438.2 MiB/s  1899.4 MiB/s
 serpent-cbc   256b    79.9 MiB/s   492.6 MiB/s
 twofish-cbc   256b   168.7 MiB/s   319.9 MiB/s
     aes-xts   256b  1425.9 MiB/s  1419.8 MiB/s
 serpent-xts   256b   498.3 MiB/s   486.5 MiB/s
 twofish-xts   256b   294.9 MiB/s   311.0 MiB/s
     aes-xts   512b  1231.8 MiB/s  1157.3 MiB/s
 serpent-xts   512b   496.8 MiB/s   484.4 MiB/s
 twofish-xts   512b   312.3 MiB/s   319.1 MiB/s