How do I LUKS2 encrypt and auto mount an expansion card?

Hi!

When I installed Debian 12 (Kernel version 6.11.5+bpo-amd64 (64-bit)), the advanced installer lets me choose to encrypt certain partitions as well as the second hard drive. During boot, I’m asked to provide the encryption password, and all partitions get decrypted, even the second hard drive (mount point /data), which uses the same password.

Now, I’d like to do the same with my Expansion Cards. The DVD installer won’t let me create the encrypted partition, because I’m not creating a root partition at the same time.

KDE Partition Manager lets me create an encrypted ext4 partition, but doesn’t seem to offer options like encryption algorithm or key size. Also, when I try to set a mount point and update fstab using KDE Partition Manager, Debian boots into an emergency text mode on next restart. I’m able to get it working again by logging in as root and deleting the new line in /etc/fstab.

I’m pretty new to Debian and still learning. Unfortunately, I couldn’t find a solution on this forum or on the Internet. Maybe I was using the wrong terms. Any help is appreciated.

Thank you.

Edit: Typos.

See if this blog post helps: Adding an encrypted drive in Debian using LUKS and LVM by Julien Coubronne.

I think most of what is in there might be a step-by-step guide, albeit some small differences for your particular device. So for example, if you want to zero the second drive, a block size of only 1024 may take a very long time. You could probably use 1M for example and speed things up a bit.

If you choose not to use a LVM, which you probably don’t need to do, you’ll skip that section and have to set up the partition and mounts differently. Probably something like:

sudo mkfs.ext4 /dev/mapper/[foo]_crypt
sudo mkdir /mnt/data
sudo mount /dev/mapper/[foo]_crypt /mnt/data

Replace [foo] with what your device is and change /mnt/data to where you want your partition to be and named off root.

The recipe that @jtk linked may be sufficient for your needs. I prefer to encrypt the entire device and only use LVM2 to sub-divide the storage if my application requires it. The encrypted removable device on my FW13 has no partition table and the entire (decrypted) LUKS container contains a single ext4 filesystem.

$ lsblk /dev/sdb
NAME         MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sdb            8:16   1 477.5G  0 disk  
└─bkup_crypt 252:7    0 477.5G  0 crypt /mnt/backup

If the data you store on your encrypted expansion cards must be recoverable, I encourage you to investigate and follow the technique and nomenclature scheme that the Debian installer used to set up your second hard drive (that you told us was mounted on /data). That technique will be captured in readable (and hopefully documented) source code.

If you do this, all your storage devices will be encrypted similarly which greatly simplifies the process of accessing the data on another system should the host system ever fail.

Whatever approach you choose, I also encourage you to document the encryption scheme(s) you used and ensure you know–or have scripted–and have tested the process required to access the encrypted data on a second system.

Dino
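As an added example that is not part of the thread (not code from either reply), here is the procedure both answers describe in one script: a LUKS2 container over the whole card with an explicit cipher and key size, a single ext4 filesystem inside it, and persistent /etc/crypttab and /etc/fstab entries keyed on UUIDs. The device path, mapper name and mount point are assumptions; the nofail option is what keeps an unplugged card from dropping the next boot into the emergency mode described in the question.

```shell
#!/bin/sh
# Added example (not from the thread): encrypt a whole expansion card with
# LUKS2, put one ext4 filesystem directly in the container (no partition
# table, matching the lsblk layout shown above), and register it in
# /etc/crypttab and /etc/fstab by UUID with "nofail" so an absent card
# never blocks the boot. Device, mapper name and mount point are assumed.
set -eu

# /etc/crypttab line: <name> <source> <keyfile> <options>
# "none" means prompt for the passphrase at boot; "nofail" skips a missing card.
crypttab_line() {
    printf '%s UUID=%s none luks,nofail\n' "$1" "$2"
}

# /etc/fstab line keyed on the filesystem UUID (never on /dev/sdX, which can
# change), with nofail and a short device timeout so boot continues without it.
fstab_line() {
    printf 'UUID=%s %s ext4 defaults,nofail,x-systemd.device-timeout=10 0 2\n' "$1" "$2"
}

# Destructive: wipes the device given as $1. Runs only when invoked explicitly.
encrypt_card() {
    dev=$1; name=$2; mnt=$3
    # LUKS2 with explicit cipher, key size and KDF (the options the
    # partition manager GUI did not expose); prompts for the passphrase.
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 \
        --pbkdf argon2id "$dev"
    cryptsetup open "$dev" "$name"
    mkfs.ext4 -L "$name" "/dev/mapper/$name"
    mkdir -p "$mnt"
    luks_uuid=$(cryptsetup luksUUID "$dev")
    fs_uuid=$(blkid -s UUID -o value "/dev/mapper/$name")
    crypttab_line "$name" "$luks_uuid" >> /etc/crypttab
    fstab_line "$fs_uuid" "$mnt" >> /etc/fstab
    mount "$mnt"   # exercises the new fstab entry now, before relying on it at boot
}

# Usage (as root): sh luks-card.sh /dev/sdX card_crypt /mnt/card
if [ $# -eq 3 ]; then
    encrypt_card "$1" "$2" "$3"
fi
```

Keep a copy of the generated crypttab and fstab lines with your recovery notes; on a second system the same two entries (or a manual cryptsetup open plus mount) are all that is needed to reach the data.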