LUKS – Encrypting Whole Disk Instead of One Partition

encryptionlukspartition

Context

Encrypting whole new external hard drive with Luks.
I.e. it is not a system drive (will be used only to store data, not to boot the OS), and it is completely blank.

Observation

All descriptions that I found about how to achieve this go along the lines of:

create a new partition, which is the same size as the whole disk
encrypt that partition

Some examples:

From here:

Creating a new encrypted partition:

[…]

Encrypting an existing partition

Or here.

Question

Is it possible to encrypt the whole disk, instead of having one big encrypted partition?

Probably the answer will be no, so the real question is why not?

In other words

What would happen if instead of typing

sudo cryptsetup -v -y luksFormat /dev/sda1

I would type

sudo cryptsetup -v -y luksFormat /dev/sda

(without having created sda1)?

Best Answer

The cryptsetup FAQ mentions whole-disk encryption using LUKS. Basically, cryptsetup doesn’t care what the LUKS device is, partition, disk, or loop device, so you can use whichever is appropriate.

sudo cryptsetup -v -y luksFormat /dev/sda

will create a LUKS container using all of /dev/sda.

Section 2.2 of the FAQ recommends this for external disks:

Fully encrypted raw block device: For this, put LUKS on the raw device (e.g. /dev/sdb) and put a filesystem into the LUKS container, no partitioning whatsoever involved. This is very suitable for things like external USB disks used for backups or offline data-storage.

Note that cryptsetup doesn’t need /etc/crypttab.

Context

Observation

Question

In other words

Best Answer

Related Solutions

Filesystems – Extend a LUKS Encrypted Partition to Fill Disk

Related Question