Protect your data with strong encryption


When Stuart Burns was told to lurk around the data centre, he brought a packed lunch and his laptop running Ubuntu 24.04.

Using the LUKS format parameter to create a LUKS encrypted partition. Do note the note about the capital YES.

This guide assumes your primary installation disk is already encrypted. If this is not the case, you will have to reinstall the OS: when the installer gets to the Disk Setup page, select Advanced Features and choose the Encrypt With LVM option. It asks you for a passphrase and offers to set a backup key on the disk being encrypted, to be moved somewhere else later (in case you forget the passphrase). Picking a good passphrase is critical. If you want to get nerdy, the EFF has a take on creating a secure passphrase with dice: https://bit.ly/3y2wHGI

It can’t be stressed strongly enough how critical it is to have a backup of this and a good passphrase. Losing it means reinstallation and no chance of data recovery.

Assuming the OS disk is encrypted, the encryption of additional disks is quite straightforward. The first step is to ensure that the cryptsetup package is installed on your system.

This package provides the necessary tools for managing encrypted volumes and LUKS encryption. On Ubuntu or other Apt-based systems, use sudo apt-get install cryptsetup -y to install it.

Once the partition has been prepared, initialise (create) LUKS encryption on the partition using the cryptsetup command. Replace /dev/sdX with the appropriate partition identifier. Quadruple-check the right disk is chosen. To check, it’s advisable to run sudo lsblk to show all the block devices connected to the system and their properties. Once the correct disk has been verified, use the following command to prepare the LUKS encrypted disk:

$ sudo cryptsetup luksFormat /dev/sdX

You are prompted to confirm the encryption (you need to type YES here), set a passphrase and verify it. Choose a strong passphrase and keep it secure, as it will be required to unlock the encrypted volume. Understand that this is a destructive operation and erases any contents from the disk or partition selected!
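The lsblk check described above can be scripted so that a mounted or already-populated device is refused before luksFormat is ever typed. This is an added example, not part of the original article; the helper name check_luks_target and the sample device listing are constructed for illustration, and device names are given without the /dev/ prefix, as lsblk prints them.

```shell
#!/bin/sh
# Added example: pre-flight check to run before `cryptsetup luksFormat`.
# Real input would come from:
#   lsblk -P -n -o NAME,PKNAME,FSTYPE,MOUNTPOINT

# Constructed sample (not from a real machine): sda is the encrypted OS
# disk, sdb is a blank second disk, sdc holds a mounted ext4 partition.
SAMPLE_LSBLK='NAME="sda" PKNAME="" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda3" PKNAME="sda" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sdb" PKNAME="" FSTYPE="" MOUNTPOINT=""
NAME="sdc" PKNAME="" FSTYPE="" MOUNTPOINT=""
NAME="sdc1" PKNAME="sdc" FSTYPE="ext4" MOUNTPOINT="/mnt/data"'

# check_luks_target NAME LSBLK_TEXT (hypothetical helper name)
# Prints a verdict. Returns 0 only if NAME exists, is not mounted, carries
# no filesystem or LUKS signature, and has no partitions beneath it.
check_luks_target() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        # Return the value of KEY="value" on the current line. The leading
        # space stops NAME from matching inside PKNAME.
        function field(key,    m) {
            if (!match(" " $0, " " key "=\"[^\"]*\"")) return ""
            m = substr(" " $0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
            return m
        }
        {
            name = field("NAME"); fs = field("FSTYPE")
            mnt = field("MOUNTPOINT")
            if (name == dev) {
                found = 1
                if (mnt != "")     why = "is mounted at " mnt
                else if (fs != "") why = "already contains " fs
            } else if (field("PKNAME") == dev && why == "") {
                why = "has child " name (fs != "" ? " (" fs ")" : "")
            }
        }
        END {
            if (!found)    { print "REFUSE: " dev " not found"; exit 2 }
            if (why != "") { print "REFUSE: " dev " " why; exit 1 }
            print "OK: " dev " is unmounted and empty"
        }'
}

check_luks_target sdb "$SAMPLE_LSBLK"             # blank disk
check_luks_target sdc1 "$SAMPLE_LSBLK" || true    # mounted data partition
```

On a live system, pass the real listing as the second argument and only proceed to luksFormat when the function returns 0.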

It’s important to understand that every encryption command we use (luksOpen, luksClose, luksFormat) is a parameter (or simply a switch) of the cryptsetup command. Once you get that it’s essentially cryptsetup luksOpen and cryptsetup luksClose, it is much easier to understand conceptually.

After initialising LUKS encryption, open the encrypted container using cryptsetup luksOpen. This can be thought of as unlocking the disk.

$ sudo cryptsetup luksOpen /dev/sdX encrypted_volume