Context
Encrypting whole new external hard drive with Luks.
I.e. it is not a system drive (will be used only to store data, not to boot the OS), and it is completely blank.
Observation
All descriptions that I found about how to achieve this go along the lines of:
- create a new partition, which is the same size as the whole disk
- encrypt that partition
Some examples:
From here:
Creating a new encrypted partition:
[…]
Encrypting an existing partition
Or here.
Question
Is it possible to encrypt the whole disk, instead of having one big encrypted partition?
Probably the answer will be no, so the real question is why not?
In other words
What would happen if instead of typing
sudo cryptsetup -v -y luksFormat /dev/sda1
I would type
sudo cryptsetup -v -y luksFormat /dev/sda
(without having created sda1
)?
Best Answer
The
cryptsetup
FAQ mentions whole-disk encryption using LUKS. Basically,cryptsetup
doesn’t care what the LUKS device is, partition, disk, or loop device, so you can use whichever is appropriate.will create a LUKS container using all of
/dev/sda
.Section 2.2 of the FAQ recommends this for external disks:
Note that
cryptsetup
doesn’t need/etc/crypttab
.