Ubuntu Linux encrypt separate hdd with LUKS cryptsetup (mount and unmount)

First, delete all partitions on the drive with fdisk, gparted, or whichever partitioning tool you prefer.

Open a terminal and run LUKS cryptsetup as shown (replace sdX with the name of the partition to encrypt, for example sdb1 or sdc2). luksFormat overwrites whatever is on the target, so double-check the device name before you confirm. All the necessary programs should already be installed if you’re running standard Ubuntu.

sudo cryptsetup -y -v luksFormat /dev/sdX

Then you’ll need to open (unlock) the new LUKS partition so that you can format it with ext4, the modern Linux filesystem preferred by Ubuntu.

sudo cryptsetup luksOpen /dev/sdX sdX_crypt
sudo mkfs.ext4 /dev/mapper/sdX_crypt

Now you can mount your new encrypted partition. The mount point can be anywhere you want, but you’ll probably want to put it either in /media/<some-folder> or /home/<your-name>/<some-folder>. You’ll need to create some-folder before mounting (make sure it’s empty!).

sudo mount /dev/mapper/sdX_crypt /<mount-point>

Technically speaking, this is all you need to do to encrypt your second harddrive. It just means that you’ll have to manually unlock and mount it every time you want to use it. If you’re using it to store sensitive, rarely used data, that might be perfect.

But if you actually want to use it as a regular, frequently accessed harddrive, there’s a way to automatically mount and decrypt your second drive on startup, when your primary harddrive is decrypted.

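First you’ll need to create a keyfile, which acts as a password that you don’t have to type in every time you start up (unlike your primary harddrive encryption password). Because the keyfile is stored under /root, it is only protected as long as the primary harddrive is itself encrypted.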

sudo dd if=/dev/urandom of=/root/.keyfile bs=1024 count=4
sudo chmod 0400 /root/.keyfile
sudo cryptsetup luksAddKey /dev/sdX /root/.keyfile

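Now that the keyfile’s been made, you’ll need to add the following entry to /etc/crypttab so that it is used automatically to unlock the partition on startup. Comments in crypttab belong on their own line starting with #. The discard option passes TRIM requests through to the drive, which is only useful on an SSD and reveals which blocks are unused; leave it out if that matters to you.

# New encrypted partition, unlocked with the keyfile that was generated
sdX_crypt UUID=<device UUID> /root/.keyfile luks,discard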

To get your partition’s UUID, use this command (you need to sudo it so that all of your partitions show up):

sudo blkid

The value you want is the UUID of /dev/sdX, not /dev/mapper/sdX_crypt. Also make sure to copy the UUID, not the PARTUUID.

Then you’ll need to add this line to /etc/fstab to actually mount the partition on startup.

/dev/mapper/sdX_crypt  /<mount-point>   ext4    defaults        0       2

Then restart and everything should work. If you find yourself unable to create files in the new partition, it’s probably still owned by root and needs to be chowned to your user. Run this command:

sudo chown -R <user>:<user> /<mount-point>

And there you have it, full disk encryption that just works.
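
A check worth running before the restart, since a wrong /etc/crypttab entry or a loosely protected keyfile only shows up at boot. This is an added example, not part of the original guide: check_crypttab and demo are hypothetical helper names, and the sample entries, UUIDs and keyfiles are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. check_crypttab and demo are
# hypothetical helper names; the check covers the mistakes this guide warns about.
check_crypttab() {
    local file="$1" n=0 bad=0 name device key opts extra
    while read -r name device key opts extra || [ -n "$name" ]; do
        n=$((n + 1))
        # crypttab ignores empty lines and lines starting with '#'
        case $name in '' | '#'*) continue ;; esac
        case $device in
            UUID=*) ;;
            PARTUUID=*) echo "line $n: PARTUUID given, the guide uses the UUID"; bad=1 ;;
            *) echo "line $n: device '$device' is not referenced by UUID"; bad=1 ;;
        esac
        if [ -n "$key" ] && [ "$key" != none ]; then
            if [ ! -f "$key" ]; then
                echo "line $n: keyfile $key does not exist"; bad=1
            # columns 5-10 of 'ls -l' are the group and other permission bits
            elif [ "$(ls -ld -- "$key" | cut -c5-10)" != "------" ]; then
                echo "line $n: keyfile $key is accessible to group/other"; bad=1
            fi
        fi
        if [ -n "$extra" ]; then
            echo "line $n: text after the options field, put comments on their own line"; bad=1
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample: an entry with a trailing comment and a world-readable
# keyfile, a clean entry with a 0400 keyfile, and an entry using a /dev name.
demo() {
    local d rc
    d=$(mktemp -d)
    head -c 4096 /dev/urandom > "$d/loose.key"; chmod 0644 "$d/loose.key"
    head -c 4096 /dev/urandom > "$d/tight.key"; chmod 0400 "$d/tight.key"
    cat > "$d/crypttab" <<EOF
# <name> <device> <keyfile> <options>
sdb1_crypt UUID=00000000-0000-0000-0000-000000000001 $d/loose.key luks,discard # second disk
sdc1_crypt UUID=00000000-0000-0000-0000-000000000002 $d/tight.key luks
sdd1_crypt /dev/sdd1 none luks
EOF
    check_crypttab "$d/crypttab"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || true
```

To check the real file, call check_crypttab /etc/crypttab from a root shell, because /root/.keyfile is not visible to other users and would be reported as missing.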

To unmount the hdd you have to do this:
sudo umount /<mount-point>
sudo cryptsetup luksClose sdX_crypt