HOWTO Setup encrypted external drive mounted at boot

Share your own howto's etc. Not for support questions!

HOWTO Setup encrypted external drive mounted at boot

Postby tylerdurden » 2018-07-11 15:34

This explains how I encrypted an external 1Tb hard drive with an XFS file system which is mounted automatically at boot when present. I'm using it for backup purposes.

System used:

Code: Select all
Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux


This assumes the device is /dev/sdb.
Everything must be done as root.

Partition disk if needed by setting up a Linux lvm partition:
Code: Select all
$ cfdisk /dev/sdb

Code: Select all
$ fdisk /dev/sdb

Wipe the partition. WARNING: will take a while.
Code: Select all
$ dd if=/dev/zero of=/dev/sdb bs=4M

Setup encryption on device:
Code: Select all
$ cryptsetup luksFormat /dev/sdb1

Open encrypted partition:
Code: Select all
$ cryptsetup luksOpen /dev/sdb1 backup  # creates /dev/mapper/backup

Create XFS file system:
Code: Select all
$ mkfs.xfs /dev/mapper/backup           # install "xfsprogs" if absent


Allow device, if present, to be mounted automatically at boot, and be prompted for password.

Create mountpoint, e.g. /backup
Code: Select all
$ mkdir /backup

Find out UUID of /dev/sdb1 with any of the following:
Code: Select all
$ blkid
$ ls -lha /dev/disk/by-uuid
$ lsblk -f

For instance:
Code: Select all
$ lsblk -f
└─sdb1                  crypto_LUKS       e616b645-de31-46d0-9cf6-82e10d4f861b   
  └─backup              xfs               b9931a95-3197-41d4-943f-69af29fc6eb8

Edit /etc/crypttab by adding the following line:
Code: Select all
backup  UUID=<uuid of /dev/sdb1>     none    luks,nofail

"None" means the system will ask for the password as we're not using a keyfile. The "nofail" option will ensure that the system doesn't hang when the device isn't present. See "man crypttab" for more options.

Add the encrypted file system to /etc/fstab:
Code: Select all
/dev/mapper/backup  /backup     xfs     nofail,noatime,rw,user,x-systemd.device-timeout=30  0   2

The systemd device timeout is optional. See here for more info.

Mount all with:
Code: Select all
mount -a

Reboot the system. While booting, the system will attempt to mount the device and prompt for a password, if it's plugged in. If not, it will ignore it.


Allow users to read and write to the external harddrive without changing ownership and permissions of the mountpoint /backup when the device is not mounted.

As root, mount /backup and then change ownership as needed. For instance:
Code: Select all
$ mount /backup
$ chown user:users /backup

When mounted, ownership/permissions will then be:
Code: Select all
$ ls -ld /backup

    drwxr-xr-x 3 user users 57 jui 11 00:46 /backup

When not mounted, ownership/permissions will be:
Code: Select all
$ ls -ld /backup
    drwxr-xr-x 2 root root 4096 jui 10 20:05 /backup

When the external hard drive is plugged in, the system will notify you and ask for a password. Alternatively, mount the drive from the desktop. It will ask you to provide the password for device /dev/mapper/backup. It will be mounted under /backup if you followed this tutorial.

Hope this is useful. Comments and additional tips are welcome.
Last edited by tylerdurden on 2018-07-11 17:01, edited 1 time in total.
Debian 9.5 Stretch
User avatar
Posts: 1
Joined: 2018-07-11 14:43
Location: /home

Re: HOWTO Setup encrypted external drive mounted at boot

Postby cds60601 » 2018-07-11 16:13

See this thread for an alternative way (possibly easier)
Yeah, 220, 221. Whatever it takes.
User avatar
Posts: 83
Joined: 2017-11-25 05:58

Return to Docs, Howtos, Tips & Tricks

Who is online

Users browsing this forum: No registered users and 2 guests