How to encrypt media with LUKS and mount it on Debian 10 system start up

Getting ready

Prepare the device you want to encrypt. This can be a whole disk, a partition, an mdadm device, an LVM logical volume, or a removable device such as a USB flash drive, SD card or ZIP drive. Then install the cryptsetup package on your system:

$ sudo apt install cryptsetup

Encrypting the media

Now format the media you prepared with the luksFormat command. In this example I use a mirror of two drives created with mdadm, /dev/md1. It already has a file system on it, which luksFormat will overwrite, so make sure nothing on it is still needed. Follow the prompts on the screen:

$ sudo cryptsetup luksFormat /dev/md1
WARNING: Device /dev/md1 already contains a 'ext4' superblock signature.

WARNING!
========
This will overwrite data on /dev/md1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/md1:

Format the encrypted media

Now you can create a file system on the encrypted media. Before you can do that you have to open (unlock) it with your passphrase. Here I use encrypted as the mapping name; the unlocked device then appears as /dev/mapper/encrypted:

$ sudo cryptsetup luksOpen /dev/md1 encrypted
Enter passphrase for /dev/md1:

Now create a file system on the unlocked device. Here I create an ext4 file system on the mapping I named encrypted:

$ sudo mkfs.ext4 /dev/mapper/encrypted

Mounting and removing encrypted device

From here on, mounting the encrypted device works the same way as mounting an unencrypted one:

$ sudo mount /dev/mapper/encrypted /mnt

When you are done and want to remove the device from your computer, unmount it first (in this example it is mounted on /mnt) and then close the mapping:

$ sudo umount /mnt

$ sudo cryptsetup luksClose /dev/mapper/encrypted

Now you can remove the device and take it to another machine if you need to. Until it is opened again with the passphrase, the data on it is only ciphertext.

Mount encrypted device on system start up, using a key

On system start up the encrypted device will be unlocked with a key file instead of a typed passphrase. The first step is to create the key file and add it to the encrypted device as an additional key (the passphrase keeps working):

$ sudo dd if=/dev/urandom of=/root/mykeyfile bs=1024 count=4

This creates a file called mykeyfile in /root with a size of 4096 bytes (4 KiB of random data). It is important to keep this file in a directory that only root can access: anyone who can read the key file can unlock the volume without the passphrase, so on a system whose root file system is not itself encrypted, the key file is the weakest link. dd creates the file with your default umask, so restrict it right away so that only root can read it:

$ sudo chmod 0400 /root/mykeyfile

Now you have to add this key file to your encrypted device:

$ sudo cryptsetup luksAddKey /dev/md1 /root/mykeyfile
Enter any existing passphrase:

Before you edit /etc/fstab, add an entry to /etc/crypttab. This is what unlocks the encrypted device at boot, before /etc/fstab mounts it. The fields are the mapping name, the underlying device, the key file and the options; I use the name encrypted again:

encrypted         /dev/md1         /root/mykeyfile          luks

Now edit /etc/fstab and add the following line. Make sure to change /mnt to the mount point of your choice. If the volume is not needed for booting, consider adding nofail to the options so that a missing or failed device does not drop the system into emergency mode:

/dev/mapper/encrypted         /mnt         ext4           defaults             0              2

Once both entries are in place you can test them without rebooting. The mapping has to exist before mount can use it, so if you closed it earlier (with luksClose, as above), unlock it from /etc/crypttab first with sudo cryptdisks_start encrypted, then mount:

$ sudo mount /mnt

Or reboot to confirm that the encrypted device is unlocked and mounted automatically at start up. Enjoy!
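The key-file steps above, from creating the key file to mounting the volume, collected into one script. This is an added example, not part of the original tutorial: it generates the key file, checks its size and permissions, enrolls it in the LUKS header, verifies that the key file really unlocks the volume, and only then appends the crypttab and fstab entries and activates them without a reboot. The device /dev/md1, the mapping name encrypted, the key file /root/mykeyfile and the mount point /mnt are assumed defaults that you can override with environment variables; cryptdisks_start is Debian's helper for activating an /etc/crypttab entry. It goes a little beyond the text by adding nofail to the fstab entry and by testing the key file with cryptsetup's --test-passphrase before trusting it for boot.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: helper for the
# "mount on start up with a key file" steps.
# Assumptions (hypothetical defaults, override with environment variables):
# device /dev/md1, mapping name "encrypted", key file /root/mykeyfile,
# mount point /mnt. cryptdisks_start is Debian's helper for /etc/crypttab.
set -eu

DEVICE="${DEVICE:-/dev/md1}"
NAME="${NAME:-encrypted}"
KEYFILE="${KEYFILE:-/root/mykeyfile}"
MOUNTPOINT="${MOUNTPOINT:-/mnt}"

# Create a 4096-byte random key file. The subshell umask makes sure the file
# is never world-readable, not even between dd finishing and chmod running.
make_keyfile() {
    ( umask 077; dd if=/dev/urandom of="$1" bs=1024 count=4 2>/dev/null )
    chmod 0400 "$1"
}

# Size of a file in bytes (tr strips the padding some wc builds print).
keyfile_size() {
    wc -c < "$1" | tr -d ' '
}

# Succeed only if the key file is a regular file with mode exactly 0400.
keyfile_perms_ok() {
    [ "$(find "$1" -prune -type f -perm 0400 2>/dev/null)" = "$1" ]
}

# /etc/crypttab entry: <mapping name> <device> <key file> <options>
crypttab_line() {
    printf '%s\t%s\t%s\tluks\n' "$1" "$2" "$3"
}

# /etc/fstab entry for the unlocked mapping. nofail keeps the boot going if
# the volume is missing instead of dropping into emergency mode.
fstab_line() {
    printf '/dev/mapper/%s\t%s\text4\tdefaults,nofail\t0\t2\n' "$1" "$2"
}

# Privileged part: only runs when the script is invoked with --apply.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    cryptsetup isLuks "$DEVICE" || { echo "$DEVICE is not a LUKS device" >&2; exit 1; }

    [ -e "$KEYFILE" ] || make_keyfile "$KEYFILE"
    keyfile_perms_ok "$KEYFILE" || { echo "$KEYFILE must be mode 0400" >&2; exit 1; }
    [ "$(keyfile_size "$KEYFILE")" -ge 4096 ] || { echo "$KEYFILE is too short" >&2; exit 1; }

    # Prompts for an existing passphrase, exactly like the luksAddKey step.
    cryptsetup luksAddKey "$DEVICE" "$KEYFILE"
    # Verify the key file unlocks the volume before trusting it for boot
    # (--test-passphrase checks the key without activating the mapping).
    cryptsetup open --test-passphrase --key-file "$KEYFILE" "$DEVICE"

    grep -q "^$NAME[[:space:]]" /etc/crypttab 2>/dev/null \
        || crypttab_line "$NAME" "$DEVICE" "$KEYFILE" >> /etc/crypttab
    grep -q "^/dev/mapper/$NAME[[:space:]]" /etc/fstab \
        || fstab_line "$NAME" "$MOUNTPOINT" >> /etc/fstab

    # Activate the crypttab entry now so mount can use the mapping
    # without a reboot.
    cryptdisks_start "$NAME"
    mkdir -p "$MOUNTPOINT"
    mount "$MOUNTPOINT"
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Run it as root with --apply; without that flag it only defines the helpers, so the checks can be exercised on a throwaway file first. The permission check insists on exactly 0400 rather than "not world-readable" because the key file is the only thing standing between the unlocked volume and anyone who can read it.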