the itjerk

my adventures with technology

Tag Archives: cryptsetup

encrypting a drive

I recently had two colleagues pass away at work over the same weekend; one expectedly, the other unexpectedly. Tasked to retrieve/secure/archive their computers, it got me thinking about all the enduring digitalia we leave behind. As with everything on a computer, some of it could be work-related and some of it could be personal. But the fact of the matter is that it is there.

Foremost, the importance of having a valid and accessible Will cannot be overstated. Even more so, have your passwords readily available or not – the choice is yours, but should you choose the former, make it easy on those that you leave behind. Work data can be accessed far more easily than personal data; there are admins. Personal data, of course, is up to the person. What are you leaving on your work computer? Personal computer? Cloud storage? Maybe you don’t give a fuck because you’re dead. I don’t know. But it got me thinking… I’ve got multiple computers, drives, websites, social media accounts, etc., and what will become of all that when I die? Circling back, all of it can be addressed in a Will.

Encryption should be standard practice in 2023. Bitlocker, FileVault and LUKS are easy to set up and use. If you know the password, you’re in; if you don’t, you’re out. Now say you have some digital files that you want to die with you. The best way to deal with that is to delete them before you go. The next best way is to put them on an encrypted drive and throw away the key.

Linux systems use the cryptsetup command to implement Linux Unified Key Setup (LUKS). Here are the steps I took to install and encrypt a drive in my Linux box.

After installing a new drive in my computer, I booted up but got an error. Ugh. It wasn’t initialized. From the error console, I quickly did the following:

lsblk

NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda           8:0    0   1.8T  0 disk 
sdb           8:16   0   3.6T  0 disk /mnt/data
nvme0n1     259:0    0 238.5G  0 disk 
├─nvme0n1p1 259:1    0   512M  0 part /boot/efi
└─nvme0n1p2 259:2    0   238G  0 part /

Great! There’s the new 1.8TB drive on /dev/sda. Now let’s get a file system on it so we can reboot and not see errors:

sudo mkfs -t ext4 /dev/sda

You could do this with fdisk (which might be better) and also edit /etc/fstab to get the drive to mount, but the idea behind an encrypted drive is to access it only on demand. Without intervention, it should be a paperweight.

I installed cryptsetup using:

sudo apt install cryptsetup-bin

To create an entire encrypted drive, I ran the following commands. Foremost, re-verify that your drive still has the same device name. Then create a LUKS container on the device and map it; I’ll call mine “cryptpart”. You’ll get a warning about erasing everything that’s on the drive, but that’s fine in my case. Be sure to check cryptsetup’s man page for more options. Then enter your passcode twice, never forget it, and never write it down. The next step is to create a filesystem inside the LUKS container, or it won’t mount. Use the -L option to set a label name. Finally, create a mount point; mine is in /mnt, but you could also make one in /media. Be sure to give it appropriate ownership for access after creating it.

lsblk
sudo cryptsetup luksFormat /dev/sda
sudo cryptsetup luksOpen /dev/sda cryptpart        # map the container to /dev/mapper/cryptpart before putting a filesystem in it
sudo mkfs.ext4 -L cryptpart /dev/mapper/cryptpart  # -L sets the filesystem label; "cryptpart" here is just an example name
sudo cryptsetup luksClose cryptpart                # close it again; the next step opens and mounts it

sudo mkdir /mnt/here
sudo chown user:group /mnt/here   # replace user:group with the account that should have access; once mounted, the filesystem's own root ownership applies, so repeat this after the first mount

That’s it, you’ve created the encrypted drive. Now let’s mount it, and then unmount it:

sudo cryptsetup luksOpen /dev/sda cryptpart
sudo mount /dev/mapper/cryptpart /mnt/here

cd /mnt/here   # work with your files
cd ~           # leave the mount point first, or umount reports "target is busy"
sudo umount /mnt/here
sudo cryptsetup luksClose cryptpart


Easy, right? There are a lot of options, like using crypttab and a keyfile for auto-mounting, but again, I want it to be a paperweight that no one can access but me. You may want to back up the LUKS header on the drive, or run a luksDump, in case of drive failure. Which also brings up the final point to be made: BACK UP EVERYTHING. If you have one drive that’s encrypted, you’ll need another backup drive for it that’s also encrypted.
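Here is the whole format / open / mount / unmount / close sequence from the steps above, plus the header backup just mentioned, wrapped in a small script. This is an added example and not the blog's own commands: the device (/dev/sda), mapper name (cryptpart), mount point (/mnt/here), owner (user:group) and header backup path are assumptions you would change for your own machine. The one thing it adds over the steps above is a check that refuses to luksFormat a disk that lsblk reports as mounted, and that check is plain text processing so it can be exercised without root or a spare disk.

```shell
#!/bin/sh
# Added example, not the blog's own commands: the post's luksFormat / open /
# mkfs / mount / umount / close sequence wrapped in small functions, with the
# checks a practitioner wants before a destructive luksFormat. The device,
# mapper name, mount point, owner and backup path below are assumptions.
set -eu

DEV="${DEV:-/dev/sda}"        # whole disk, as in the post (assumption)
NAME="${NAME:-cryptpart}"     # device-mapper name -> /dev/mapper/$NAME
MNT="${MNT:-/mnt/here}"       # mount point (assumption)
OWNER="${OWNER:-user:group}"  # account that should own the mounted filesystem
HEADER_BACKUP="${HEADER_BACKUP:-${HOME:-/root}/${NAME}-luks-header.img}"

# Reads lsblk-style "NAME MOUNTPOINT" lines on stdin; succeeds (exit 0) if
# any line carries a mount point. Pure text processing, so it is testable
# without root or a real disk.
has_mountpoint() {
    awk 'NF >= 2 { found = 1 } END { exit found ? 0 : 1 }'
}

# Refuse to touch anything that is not a block device or that is mounted
# (directly or via a partition): the post's "re-verify the device name"
# step, made mechanical.
assert_safe_target() {
    [ -b "$DEV" ] || { echo "$DEV is not a block device" >&2; return 1; }
    if lsblk -rno NAME,MOUNTPOINT "$DEV" | has_mountpoint; then
        echo "$DEV (or a partition on it) is mounted; refusing to format" >&2
        return 1
    fi
}

encrypt() {
    assert_safe_target
    sudo cryptsetup luksFormat --type luks2 "$DEV"  # asks for the passphrase twice, wipes the disk
    sudo cryptsetup open "$DEV" "$NAME"             # same as luksOpen
    sudo mkfs.ext4 -L "$NAME" "/dev/mapper/$NAME"   # filesystem inside the container, -L = label
    sudo mkdir -p "$MNT"
    sudo mount "/dev/mapper/$NAME" "$MNT"
    sudo chown "$OWNER" "$MNT"   # after mounting, so it applies to the new filesystem's root
    # The header holds the key slots; if it is damaged the data is gone, so keep
    # a copy off this disk, readable only by root (it is as sensitive as the disk).
    sudo cryptsetup luksHeaderBackup "$DEV" --header-backup-file "$HEADER_BACKUP"
    sudo chmod 600 "$HEADER_BACKUP"
    close_drive
}

open_drive() {
    sudo cryptsetup open "$DEV" "$NAME"
    sudo mount "/dev/mapper/$NAME" "$MNT"
}

close_drive() {
    cd /                           # a shell sitting inside $MNT makes umount fail with "target is busy"
    sudo umount "$MNT"
    sudo cryptsetup close "$NAME"  # same as luksClose
}

case "${1:-}" in
    encrypt) encrypt ;;
    open)    open_drive ;;
    close)   close_drive ;;
    "")      ;;                    # no subcommand: only define the functions
    *)       echo "usage: $0 encrypt|open|close" >&2; exit 2 ;;
esac
```

Run it as `sh luks.sh encrypt` once, then `sh luks.sh open` and `sh luks.sh close` for day-to-day use; without a subcommand it only defines the functions. The chown is done after the mount on purpose: ownership set on the empty directory is hidden once the filesystem is mounted over it, so it has to be applied to the mounted root.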