Encrypt External HardDrive that contain Data

disk-encryptionencryption

Is there an easy way to encrypt my 2To hard-drive that is completely full, without having to buy another one format / encrypt the drive, and then finally transfer all the data over ?

Best Answer

If the disk is completely full, no. There's an overhead of at least a few megabytes for an encrypted volume.

With full-disk encryption (dmcrypt), encrypting an existing volume isn't supported out of the box. However luksipc (LUKS In-Place-Conversion Tool) automates the process of creating a small encrypted volume, copying a little data onto it, growing the volume (overwriting the plaintext that was just copied), and so on until the whole volume is encrypted. I'll quote its disclaimer:

Before you attempt to do anything with the device, be warned: You may lose some of your data, even all of it (for example if you put the LUKS device key in /dev/shm and reboot your system before you add another key to the keyring). Power failures are also bad (since you will not have a resume file in that case). Furthermore, luksipc may have bugs that wreak havoc on your data. Also keep in mind that luksipc relies completely on a perfect disk. If your disk has read-problems, it likely will abort somewhere within the middle of the process (most likely also without creating a resume file). If your disk is faulty, get a new one instead of trying to crypt it. And, most importantly: Always have a backup. Now, let's be honest here: You probably don't have a backup. If you had the disk space, you wouldn't have the need to convert data in-place. Or maybe you have one and it's really old. Or the data is not really that important. In any case, please please please do not assume that everything will run smoothly. It may not. You have been warned. I will not be held responsible for any of your actions.

That said let me point out that I trusted my software (after thourough testing) enough to let it convert a 1 TB partition without having a backup. This worked nicely. However, your milage may vary.

Related Solutions

Is it possible to encrypt a hard disk with a key file instead of a password

One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).

Format your /etc/crypttab like this:

mapper-name /dev/disk/raw-device /var/lib/filename-containing-encrypted-key \
    luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc

In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.

Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz.

You can use a Yubikey 4 or Yubikey NEO among others for this purpose.

Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:

Disable systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.

Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.

#!/bin/sh

PREREQ=cryptroot

prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

# /scripts/local-top/cryptopensc calls pcscd with the wrong path
ln -s ../usr/sbin/pcscd ${DESTDIR}/sbin/pcscd
mkdir -p "${DESTDIR}/usr/lib/x86_64-linux-gnu"
# opensc-tool wants this dynamically, copy_exec doesn't know that
cp -pL /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 "${DESTDIR}/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
mkdir -p "${DESTDIR}/lib/x86_64-linux-gnu"
# without this, pcscd aborts with a pthread_cancel error
cp -pL /lib/x86_64-linux-gnu/libgcc_s.so.1 "${DESTDIR}/lib/x86_64-linux-gnu/libgcc_s.so.1"
# this gets copied as a dangling symlink, fix it
rm "${DESTDIR}/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
cp -pL /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist "${DESTDIR}/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
# pcscd needs this to open the reader once it has found it
cp -pL /lib/x86_64-linux-gnu/libusb-1.0.so.0 "${DESTDIR}/lib/x86_64-linux-gnu/libusb-1.0.so.0"

Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:

#!/bin/sh

set -e

PREREQ=cryptopensc

prereqs()
{
    echo "$PREREQ"
}

case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
esac

# because cryptopensc does not do it properly
killall pcscd

How to encrypt a btrfs subvolume

Is it possible to encrypt a btrfs subvolume only (no need to be "transparent encryption")?

No, BTRFS does not currently have built-in support for encryption. Today, to encrypt a filesystem (not just a sub-volume) you'd need DM-Crypt/LUKS. See https://btrfs.wiki.kernel.org/index.php/FAQ#Does_btrfs_support_encryption.3F

Best Answer

Related Solutions

Is it possible to encrypt a hard disk with a key file instead of a password

How to encrypt a btrfs subvolume

Related Question