I recently added an external eSATA drive to my home computer so I could back up critical data from my home network to one drive. I bought a Western Digital 1TB “green” drive and a Thermaltake external hard drive enclosure with eSATA and USB connectors.
Since my internal hard drives are encrypted it didn’t make sense to back up all of that data to an unencrypted external drive. I’d read Uwe Hermann’s excellent how-to article on disk encryption, but he didn’t cover setting up an LVM partition, which I always use so I can change drive volume sizes on the fly.
This is what I did to set up an external encrypted drive with LVM on an Ubuntu system:
- Open a terminal
- Get a root prompt:
sudo /bin/bash
- Watch the system log:
tail -f /var/log/messages
- Attach the external drive. The system log tells me that it was detected as /dev/sdc.
- Check the drive for bad blocks (takes a couple of hours):
badblocks -c 10240 -s -w -t random -v /dev/sdc
- Write random data to the entire drive. This step takes all night, but it ensures that never-written drive space can’t be differentiated from encrypted data if someone ever tries to crack the drive. (If you’re going to do this, you might as well do it right.)
shred -v -n 1 /dev/sdc
- Create one big LVM partition on the drive using fdisk: set up a single primary partition, /dev/sdc1, set its partition type (system id) to “8e” (Linux LVM), and write the changes to disk:
```
> fdisk /dev/sdc
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xa6846916.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

The number of cylinders for this disk is set to 121575.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): p

Disk /dev/sdc: 999.9 GB, 999989182464 bytes
255 heads, 63 sectors/track, 121575 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xa6846916

   Device Boot      Start         End      Blocks   Id  System

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-121575, default 1): [ENTER]
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-121575, default 121575): [ENTER]
Using default value 121575

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 8e
Changed system type of partition 1 to 8e (Linux LVM)

Command (m for help): p

Disk /dev/sdc: 999.9 GB, 999989182464 bytes
255 heads, 63 sectors/track, 121575 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xa6846916

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1      121575   976551156   8e  Linux LVM

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
```
- Use cryptsetup to encrypt the drive:
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdc1
- Unlock the drive:
cryptsetup luksOpen /dev/sdc1 backupexternal
- Create the LVM physical volume:
pvcreate /dev/mapper/backupexternal
- Create the LVM volume group:
vgcreate xbackup /dev/mapper/backupexternal
- Create a logical volume within the volume group:
lvcreate -L 500G -n backupvol /dev/xbackup
- At this point you have a device named /dev/xbackup/backupvol, so create a filesystem on the logical volume:
mkfs.ext4 /dev/xbackup/backupvol
- Mount the volume (the mount point /mnt/backup must already exist):
mount /dev/xbackup/backupvol /mnt/backup
- To get the volume to mount automatically at boot time, add this line to your /etc/fstab file:
/dev/xbackup/backupvol /mnt/backup ext4 defaults 0 5
- To be prompted for the decryption key / passphrase at boot time, first get the drive’s UUID:
ls -l /dev/disk/by-uuid
(In my example I use the UUID for /dev/sdc1)
- Then add this line to the /etc/crypttab file:
backupexternal UUID=[the UUID of the drive] none luks
That’s it. You now have an external, encrypted hard drive with LVM installed. You’ve created one 500GB volume that uses half the disk, leaving 500GB free for other volumes, or for expanding the first volume.
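The badblocks -w and shred steps above destroy whatever disk they are pointed at, and the device name comes only from reading the system log. The following pre-flight check is an added example, not part of the original procedure: it walks the partition, dm-crypt and LVM layers of a disk and refuses if anything on it is mounted or used as swap. The function names and the sample listing are constructed for illustration, and it assumes lsblk from util-linux with its KNAME, PKNAME and MOUNTPOINT columns.

```shell
#!/bin/sh
# Added example, not from the original post. Kernel names (sdc, dm-0, ...) are
# whatever your system assigns; the sample data below is constructed.

# Reads `lsblk -P -o KNAME,PKNAME,MOUNTPOINT` on stdin and prints every mounted
# or swap-active device on disk $1, following partition -> dm-crypt -> LVM layers.
mounted_descendants() {
    awk -F'"' -v root="$1" '
        { kname[NR] = $2; parent[NR] = $4; mnt[NR] = $6 }
        $2 == root { found = 1 }
        END {
            if (!found) exit 3            # disk not present in the listing
            member[root] = 1
            do {                          # grow the set until it stops changing
                grew = 0
                for (i = 1; i <= NR; i++)
                    if ((parent[i] in member) && !(kname[i] in member)) {
                        member[kname[i]] = 1; grew = 1
                    }
            } while (grew)
            for (i = 1; i <= NR; i++)
                if ((kname[i] in member) && mnt[i] != "") print kname[i], mnt[i]
        }'
}

# Returns 0 only when disk $1 exists in the listing and nothing on it is in use.
safe_to_wipe() {
    _in_use=$(mounted_descendants "$1") || { echo "$1: not found" >&2; return 3; }
    [ -z "$_in_use" ] && return 0
    printf '%s is in use, refusing:\n%s\n' "$1" "$_in_use" >&2
    return 1
}

# Constructed listing: sda is an internal LUKS+LVM disk, sdc the new external disk.
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" PKNAME="" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" MOUNTPOINT="[SWAP]"
KNAME="sdc" PKNAME="" MOUNTPOINT=""
EOF
}

sample_lsblk | safe_to_wipe sdc && echo "sdc: nothing in use"
sample_lsblk | safe_to_wipe sda 2>/dev/null || echo "sda: in use, left alone"
# Real use: lsblk -P -o KNAME,PKNAME,MOUNTPOINT | safe_to_wipe sdc && shred -v -n 1 /dev/sdc
```

Checking only whether /dev/sda itself is mounted would miss the internal disk here, because its filesystems sit on /dev/dm-* devices two layers above the partition.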
Hope you find this useful.