====== Format a hard drive with LUKS and BTRFS ======

Simple mode, adding to this site to serve as reference for friends.

This guide assumes `sda` as the drive letter, and `sda1` as your partition.

==== Format the disk ====

  sudo cfdisk /dev/sda

  * choose GPT if you have an MBR vs GPT option
  * pick create, choose max size (or whatever you want)
  * then write to disk

That should create /dev/sda1 as a partition.

==== Setup encryption ====

  sudo cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --sector-size 4096 /dev/sda1

Pick your password.

LUKS is like a shell/container/box around your actual filesystem. \\
Big abstraction layer, like HTTPS.

Then unlock it so we can create a filesystem in it.

  sudo cryptsetup luksOpen /dev/sda1 foobar-hdd

Note: `foobar-hdd` above is not the name of the disk, just the name the decrypted device gets under /dev/mapper.

==== Make a filesystem ====

Then, make a filesystem. I like btrfs, but ext4 and XFS are also good options.

  sudo mkfs.btrfs -L yolohdd -f /dev/mapper/foobar-hdd

Then you can mount it:

  sudo mount /dev/mapper/foobar-hdd /mnt/your-mountpoint

Then make a subvolume if you want:

  sudo btrfs subvolume create /mnt/your-mountpoint/@your-subvolume

==== Automount on boot ====

=== Get UUIDs ===

With this, do an

  lsblk -f

and take note of the UUIDs. You will need them to automount at boot (you can use labels instead, but UUIDs are better since you can have duplicate labels). Here are my UUIDs as an example:

  NAME      FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
  sda
  `-sda1    crypto_LUKS 2           208fae7b-ed03-48cd-a4f6-f37f9dd28732
    `-hdd   btrfs             HDD   fbd95406-4a52-4fe2-b1a7-17743a037149  991.4G    45% /hdd

=== Update crypttab to decrypt ===

In /etc/crypttab, add this disk. This handles the decryption.

  hdd UUID=208fae7b-ed03-48cd-a4f6-f37f9dd28732 none

The first field is the name the device gets when decrypted. The UUID is the UUID of the encrypted shell, that is, the one on sda1.

This will decrypt it, then we can mount the filesystem in the encrypted container.

=== Add to fstab to mount ===

Now add it to /etc/fstab to handle auto mounting:

  # /dev/sda1 LABEL=hdd
  UUID=fbd95406-4a52-4fe2-b1a7-17743a037149 /hdd btrfs rw,relatime,nofail,space_cache=v2,compress=zstd

The UUID in here is the one of the filesystem, not of the LUKS container, so notice how it's under the hdd name in my lsblk. You can also just use /dev/mapper/hdd or your decrypted name, but the UUID is more predictable.

nofail makes it so that if the mount fails, your computer can still turn on (highly recommended).
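
The two UUIDs are easy to swap, so here is an added example (not part of the original guide) that cross-checks crypttab and fstab entries against `lsblk -P` output and also flags a missing nofail. The helper names `fstype_of`, `check_crypttab`, `check_fstab` and `audit` are hypothetical; the sample data is constructed from the lsblk output above, and the "bad" pair is a constructed mistake.

```shell
#!/bin/sh
# Added example, not from the guide. Helper names are hypothetical; sample data is constructed.
# Live use: audit "$(lsblk -P -o NAME,FSTYPE,UUID)" "$(cat /etc/crypttab)" "$(cat /etc/fstab)"

# fstype_of LSBLK UUID: print the FSTYPE of the device that carries UUID
fstype_of() {
  printf '%s\n' "$1" | awk -v u=" UUID=\"$2\"" 'index($0, u) &&
    match($0, /FSTYPE="[^"]*"/) { print substr($0, RSTART + 8, RLENGTH - 9) }'
}

# check_crypttab LSBLK CRYPTTAB: field 2 must be the UUID of the crypto_LUKS partition
check_crypttab() {
  printf '%s\n' "$2" | while read -r name src rest; do
    case $name in ''|'#'*) continue ;; esac        # skip blanks and comments
    case $src in UUID=*) ;; *) continue ;; esac    # only UUID= sources are checked
    t=$(fstype_of "$1" "${src#UUID=}")
    [ "$t" = crypto_LUKS ] || echo "crypttab: $name: UUID is '${t:-unknown}', expected the crypto_LUKS partition"
  done
  return 0
}

# check_fstab LSBLK FSTAB: UUID= entries must not point at the LUKS container,
# and every entry except / should carry nofail, as the guide recommends
check_fstab() {
  printf '%s\n' "$2" | while read -r spec mnt type opts rest; do
    case $spec in UUID=*) ;; *) continue ;; esac
    t=$(fstype_of "$1" "${spec#UUID=}")
    [ "$t" != crypto_LUKS ] || echo "fstab: $mnt: UUID is the LUKS container, expected the filesystem inside it"
    case "$mnt,$opts," in /,*|*,nofail,*) ;; *) echo "fstab: $mnt: nofail not set" ;; esac
  done
  return 0
}

# audit LSBLK CRYPTTAB FSTAB: print findings, return 1 if there are any
audit() {
  findings=$(check_crypttab "$1" "$2"; check_fstab "$1" "$3")
  if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
}

SAMPLE_LSBLK='NAME="sda" FSTYPE="" UUID=""
NAME="sda1" FSTYPE="crypto_LUKS" UUID="208fae7b-ed03-48cd-a4f6-f37f9dd28732"
NAME="hdd" FSTYPE="btrfs" UUID="fbd95406-4a52-4fe2-b1a7-17743a037149"'
GOOD_CRYPTTAB='hdd UUID=208fae7b-ed03-48cd-a4f6-f37f9dd28732 none'
GOOD_FSTAB='UUID=fbd95406-4a52-4fe2-b1a7-17743a037149 /hdd btrfs rw,relatime,nofail,space_cache=v2,compress=zstd'
BAD_CRYPTTAB='hdd UUID=fbd95406-4a52-4fe2-b1a7-17743a037149 none'          # UUIDs swapped
BAD_FSTAB='UUID=208fae7b-ed03-48cd-a4f6-f37f9dd28732 /hdd btrfs rw,relatime' # and nofail dropped

audit "$SAMPLE_LSBLK" "$GOOD_CRYPTTAB" "$GOOD_FSTAB" && echo "good config: ok"
audit "$SAMPLE_LSBLK" "$BAD_CRYPTTAB" "$BAD_FSTAB" || echo "bad config: findings above"
```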