Add an encrypted hard disk to an existing Ubuntu system.
$ sudo lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931,5G 0 disk
sdb 8:16 0 447,1G 0 disk
├─sdb1 8:17 0 1M 0 part
├─sdb2 8:18 0 513M 0 part /boot/efi
├─sdb3 8:19 0 732M 0 part /boot
└─sdb4 8:20 0 445,9G 0 part
└─sda4_crypt 253:0 0 445,9G 0 crypt
├─vgubuntu-root 253:1 0 444,9G 0 lvm /
└─vgubuntu-swap_1 253:2 0 980M 0 lvm [SWAP]
Initializes a LUKS on sda device.
Remember, use the same passphrase as for the already configured encrypted LVM.
$ sudo cryptsetup luksFormat /dev/sda
WARNING: Device /dev/sda already contains a 'gpt' partition signature. WARNING! ======== This will overwrite data on /dev/sda irrevocably. Are you sure? (Type 'yes' in capital letters): YES Enter passphrase for /dev/sda: ************** Verify passphrase: **************
Open the LUKS device.
$ sudo cryptsetup luksOpen /dev/sda sda_crypt
Enter passphrase for /dev/sda: **************
Initialize physical volume for use by LVM.
$ sudo pvcreate /dev/mapper/sda_crypt
Physical volume "/dev/mapper/sda_crypt" successfully created.
Display physical volumes.
$ sudo pvs
PV VG Fmt Attr PSize PFree /dev/mapper/sda4_crypt vgubuntu lvm2 a-- 445,89g 0 /dev/mapper/sda_crypt vgbackup lvm2 a-- <931,50g <931,50g
Create a volume group.
$ sudo vgcreate vgbackup /dev/mapper/sda_crypt
Volume group "vgbackup" successfully created
Display volume groups.
$ sudo vgs
VG #PV #LV #SN Attr VSize VFree vgbackup 1 0 0 wz--n- <931,50g <931,50g vgubuntu 1 2 0 wz--n- 445,89g 0
Create a logical volume.
$ sudo lvcreate -n backup -l +100%FREE vgbackup
Logical volume "backup" created.
Display logical volumes.
$ sudo lvs
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert backup vgbackup -wi-a----- <931,50g root vgubuntu -wi-ao---- <444,94g swap_1 vgubuntu -wi-ao---- 980,00m
Display information about filesystems, including UUID.
$ lsblk -f
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
sda crypto_LUKS 2 eb964338-22d2-44cf-8d50-ef96e17b4a54
└─sda_crypt LVM2_member LVM2 001 9BAkBH-C2uE-k80V-1KfN-bjhm-HVmi-c4xoR9
└─vgbackup-backup
sdb
├─sdb1
├─sdb2 vfat FAT32 B6A5-0995 504,2M 2% /boot/efi
├─sdb3 ext4 1.0 4ef327e9-15bc-47b8-9e74-d926bc7497dd 432M 31% /boot
└─sdb4 crypto_LUKS 2 67369c73-f0a0-4ead-907c-507246c0c43b
└─sda4_crypt LVM2_member LVM2 001 LUpQBF-ziSa-tjbo-oS02-TuxS-mQLK-6rX2Cm
├─vgubuntu-root ext4 1.0 e756ceac-6ba8-4b3a-8f84-04f4e6262cd7 88,2G 75% /
└─vgubuntu-swap_1 swap 1 00b7be11-d8b6-4b8f-9bdb-723917d6f89f [SWAP]
Inspect information about encrypted filesystems.
$ cat /etc/crypttab
sda4_crypt UUID=67369c73-f0a0-4ead-907c-507246c0c43b none luks,discard
Append information about recently created and encrypted filesystem.
$ cat <<EOF | sudo tee -a /etc/crypttab sda_crypt UUID=eb964338-22d2-44cf-8d50-ef96e17b4a54 none luks EOF
Create filesystem.
$ sudo mkfs.ext4 /dev/mapper/vgbackup-backup
mke2fs 1.45.6 (20-Mar-2020) Creating filesystem with 244186112 4k blocks and 61046784 inodes Filesystem UUID: 35784ac3-2a7c-4059-ac26-9c9ad98f7010 Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 102400000, 214990848 Allocating group tables: done Writing inode tables: done Creating journal (262144 blocks): done Writing superblocks and filesystem accounting information: done
Create mount directory.
$ mkdir /home/milosz/Backup
Display information about filesystems, including UUID.
$ lsblk -f
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
sda crypto_LUKS 2 eb964338-22d2-44cf-8d50-ef96e17b4a54
└─sda_crypt LVM2_member LVM2 001 9BAkBH-C2uE-k80V-1KfN-bjhm-HVmi-c4xoR9
└─vgbackup-backup ext4 1.0 35784ac3-2a7c-4059-ac26-9c9ad98f7010 869,2G 0% /home/milosz/Backup
sdb
├─sdb1
├─sdb2 vfat FAT32 B6A5-0995 504,2M 2% /boot/efi
├─sdb3 ext4 1.0 4ef327e9-15bc-47b8-9e74-d926bc7497dd 432M 31% /boot
└─sdb4 crypto_LUKS 2 67369c73-f0a0-4ead-907c-507246c0c43b
└─sda4_crypt LVM2_member LVM2 001 LUpQBF-ziSa-tjbo-oS02-TuxS-mQLK-6rX2Cm
├─vgubuntu-root ext4 1.0 e756ceac-6ba8-4b3a-8f84-04f4e6262cd7 88,2G 75% /
└─vgubuntu-swap_1 swap 1 00b7be11-d8b6-4b8f-9bdb-723917d6f89f [SWAP]
Ensure that the created filesystem will mount at boot.
$ cat <
Mount it.
$ sudo mount /home/milosz/Backup
Fix mount point permissions.
$ sudo chown milosz:milosz /home/milosz/Backup
From now on single password will unlock both of the encrypted devices.