On Ubuntu or Debian, it’s really simple to create an encrypted partition on a newly-purchased USB mass storage device. In my case, I had bought a 1TB hard drive which had very mixed reviews, some people saying their drives had failed very early. I wanted to be able to return the drive under warranty if it broke without worrying about personal data.
It turns out that if you want to reformat a partition on an external USB drive so that it’s encrypted, this is just a matter of doing the following:
sudo luksformat -t ext4 /dev/partitiondevice
…. where /dev/partitiondevice is the device for the drive partition you want to overwrite. Obviously, this will destroy everything that was previously on that partition.
I like to use a proper filesystem for USB mass storage devices, but if you leave out the -t ext4 then the default is to use VFAT.
When you next plug in that drive, you’ll be prompted to enter the password that you picked when creating the partition – if you type that correctly, the drive will be mounted and usable. (If you mistype it, you’re not given another chance to enter the password, so you’ll need to go to the command line and do: gvfs-mount -d /dev/partitiondevice to try again.)
One small thing is that the mount point in /media will be based on a UUID by default, but if you set the ext4 partition label, it’ll be mounted under that name in /media/ instead. To do this, starting from when your disk is mounted, you can run mount without parameters to find the unencrypted device name and then unmount it and change the label:
$ umount /dev/mapper/udisks-luks-uuid-b7bbb2c8-etc $ e2label /dev/mapper/udisks-luks-uuid-b7bbb2c8-etc topsekrit
If you unplug and plug in the disk again, it should be mounted on /media/topsekrit