Hi all,
I was looking for an alternative to VeraCrypt for Full Disk Encryption (FDE), and learned about LUKS for external drives. I noticed that GNOME Disks allows for encrypting a partition with ext4 with LUKSv2. I wanted to know if there were any downsides from a security perspective for this. I did notice that using the command line (cryptsetup), you can customize the hashing algorithm a bit, so I wanted to see if that was worth it. This is part of a broader workflow I am working on for new drives I purchase.
Extra context:
This is the current workflow I had envisioned:
- SMART long test -
smartctl -t long /dev/drive
- Input output check -
sudo fio --filename=/dev/sdxx --name=randwrite --ioengine=sync --iodepth=1 --rw=randrw --rwmixread=50 --rwmixwrite=50 --bs=4k --direct=0 --numjobs=8 --size=300G --runtime=7200 --group_reporting
- Use dd to random write to the whole drive - used for plausible deniability -
sudo dd if=/dev/urandom of=/dev/sdb iflag=nocache oflag=direct bs=4096
- Use GNOME Disks (without formatting the drive) to create a partition and then apply LUKSv2 on it with ext4 as the file system
- Backup Linux Header -
cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
- (Maybe) Remove the LUKS key so someone would have to work harder to brute-force it if the drive gets lost -
cryptsetup luksRemoveKey ....
- (Maybe pt.2) After removing the header, use
cryptsetup luksHeaderRestore /dev/drive --header-backup-file /path/to/backup_header_file
to restore the full header back anytime I needed to access the contents on the drive.
I’m pretty new to this niche of Linux+privacy. I would love to hear your thoughts on any oversights on my part.
Thanks
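
For the header backup step in the workflow above, one way to confirm that the backup file is an intact LUKS2 header and to see which KDF and digest hash it records, as an added example that is not part of the original post. The names check_header and make_sample are hypothetical, the field layout follows the LUKS2 on-disk format, and the sample header is constructed for the demo:

```python
import hashlib, json, struct

# LUKS2 binary header fields, big-endian, 512 bytes; the JSON metadata area
# starts at byte 4096 and hdr_size covers both.
HDR = struct.Struct(">6sHQQ48s32s64s40s48sQ184x64s")
BIN_LEN, CSUM_OFF, CSUM_LEN = 4096, 448, 64

def check_header(blob):
    """Validate a LUKS2 primary header; return a summary or raise ValueError."""
    if len(blob) < BIN_LEN:
        raise ValueError("shorter than a LUKS2 binary header")
    (magic, version, size, seqid, _label, alg, _salt,
     uuid, _subsys, _offset, csum) = HDR.unpack_from(blob)
    if magic != b"LUKS\xba\xbe" or version != 2:
        raise ValueError("not a LUKS2 primary header")
    if not BIN_LEN < size <= len(blob):
        raise ValueError("file is truncated or hdr_size is invalid")
    alg = alg.rstrip(b"\0").decode("ascii", "replace")
    if alg not in hashlib.algorithms_available:
        raise ValueError("unsupported checksum algorithm: " + alg)
    # The checksum covers binary header + JSON area with the csum field zeroed.
    area = bytearray(blob[:size])
    area[CSUM_OFF:CSUM_OFF + CSUM_LEN] = bytes(CSUM_LEN)
    digest = hashlib.new(alg, area).digest()
    if csum[:len(digest)] != digest:
        raise ValueError("header checksum mismatch (corrupt backup)")
    meta = json.loads(blob[BIN_LEN:size].rstrip(b"\0"))
    return {
        "uuid": uuid.rstrip(b"\0").decode(),
        "seqid": seqid,
        "kdf": {k: v["kdf"]["type"] for k, v in meta["keyslots"].items()},
        "digest_hash": {k: v["hash"] for k, v in meta["digests"].items()},
    }

def make_sample():
    """Constructed 16 KiB header for the demo; not taken from a real drive."""
    meta = {"keyslots": {"0": {"type": "luks2", "kdf": {"type": "argon2id"}}},
            "digests": {"0": {"type": "pbkdf2", "hash": "sha256"}}}
    size = 16384
    head = HDR.pack(b"LUKS\xba\xbe", 2, size, 3, b"", b"sha256", bytes(64),
                    b"00000000-0000-0000-0000-000000000000", b"", 0, bytes(64))
    blob = bytearray(head.ljust(BIN_LEN, b"\0"))
    blob += json.dumps(meta).encode().ljust(size - BIN_LEN, b"\0")
    blob[CSUM_OFF:CSUM_OFF + CSUM_LEN] = hashlib.sha256(blob).digest().ljust(CSUM_LEN, b"\0")
    return bytes(blob)

if __name__ == "__main__":
    print(check_header(make_sample()))
```

To check a real backup, pass the bytes of the file written by luksHeaderBackup, for example open("/mnt/backup/file.img", "rb").read(), to check_header.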