Here we will install

The disk decryption can be done in two ways:

Setup encrypted disk

Set up LUKS to encrypt the disk

mkdir /etc/luks
chmod 700 /etc/luks
cd /etc/luks

Generate the key to be used for the encryption

# iflag=fullblock makes dd retry short reads so the key is always 32 bytes
dd bs=32 count=1 iflag=fullblock if=/dev/random | base64 > keyfile
chmod 600 keyfile

Network setup

Follow this path if you want to store the keyfile somewhere else

I assume a Raspberry Pi with IP . SSH into the Raspberry Pi and run the following

sudo apt update
sudo apt install apache2 -y

Then go back to the "NAS" and copy the file (I assume the default login for the Raspberry Pi: pi)

cd /etc/luks
scp keyfile pi@

Then log in on the Raspberry Pi and change the permissions

sudo chmod 555 /var/www/html/keyfile

Go back to the NAS and create a new file

** /etc/luks/ **

#!/bin/sh
set -e
# Request the file then pipe it through base64 -d to decode it from base64
# -f makes curl fail on an HTTP error instead of passing the error page on
curl -sf "" | base64 -d

Then enable the and remove the keyfile

chmod 700 /etc/luks/
rm keyfile

Local setup

Create a new file

** /etc/luks/ **

#!/bin/sh
set -e
# Read the file then pipe it through base64 -d to decode it from base64
cat /etc/luks/keyfile | base64 -d

And ensure that the is executable

chmod 700 /etc/luks/


Ensure the owner of this file is "root"

chown root:root /etc/luks/

Allow only the owner (root) to read and execute the script

chmod 0500 /etc/luks/
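
A stricter variant of the local key script, as an added example that is not part of the original page: it prints the key only if the keyfile has the expected owner, is not accessible to group or others, and decodes to exactly 32 bytes (the size produced by the dd command above). The names emit_key, private_mode, KEY_BYTES and KEY_OWNER_UID are assumptions, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): validate the keyfile before
# its decoded contents are piped to cryptsetup. All names are hypothetical.
KEY_BYTES=32                        # matches `dd bs=32 count=1`
KEY_OWNER_UID=${KEY_OWNER_UID:-0}   # expected owner, root by default

# True only if the file mode grants nothing to group or others (GNU stat).
private_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the decoded key on stdout; on any failed check print nothing on
# stdout and return non-zero, so cryptsetup receives no key.
emit_key() {
    keyfile=$1
    if [ ! -f "$keyfile" ]; then
        echo "keyfile not found: $keyfile" >&2; return 1
    fi
    if [ "$(stat -c '%u' "$keyfile")" -ne "$KEY_OWNER_UID" ]; then
        echo "keyfile has unexpected owner" >&2; return 1
    fi
    if ! private_mode "$keyfile"; then
        echo "keyfile is accessible to group or others" >&2; return 1
    fi
    # Decode once to check validity, once to measure, once to emit, so the
    # raw key never lands in a temp file or a shell variable.
    if ! base64 -d "$keyfile" >/dev/null 2>&1; then
        echo "keyfile is not valid base64" >&2; return 1
    fi
    size=$(base64 -d "$keyfile" | wc -c | tr -d ' ')
    if [ "$size" -ne "$KEY_BYTES" ]; then
        echo "decoded key is $size bytes, expected $KEY_BYTES" >&2; return 1
    fi
    base64 -d "$keyfile"
}

# Usage, with the device name the page assumes:
#   emit_key /etc/luks/keyfile | cryptsetup -d - -v luksOpen /dev/sdb1 data
```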

Remove the old partition on the chosen disk and cleanup

Check the name of the disk you want to use, using lsblk

> sdb                         8:16   0 465.8G  0 disk

Run fdisk. I assume the new disk is /dev/sdb

fdisk /dev/sdb

Set the partition as primary


Set the real size in GB


Confirm the changes


Then format the new partition as ext4

mkfs.ext4 -F /dev/sdb1

Setup the disk encryption

Mount the new partition

mount -t auto -v /dev/sdb1 /mnt/data

Check the name of the disk just added, using lsblk

lsblk
> sdb                         8:16   0 465.8G  0 disk
> └─sdb1                      8:17   0 465.8G  0 part

Encrypt the disk with the

/etc/luks/ | cryptsetup -d - -v luksFormat /dev/sdb1

Format after luks

/etc/luks/ | cryptsetup -d - -v luksOpen /dev/sdb1 data
mkfs.ext4 -F /dev/mapper/data
cryptsetup -v luksClose data

Setup the automount

To start, get the UUID of the /dev/sdb1 partition

lsblk --fs
>   sdb
>   └─sdb1                    crypto_LUKS       b27c3dd0-9799-4b23-bc84-1755dee0f0a2

Create a new service to open the data volume

** /etc/systemd/system/unlock-data.service **

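[Unit]
Description=Open encrypted data volume
[Service]
# oneshot + RemainAfterExit keep the unit active after cryptsetup exits, so ExecStop runs only on stop
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh -c '/etc/luks/ | /sbin/cryptsetup -d - -v luksOpen /dev/disk/by-uuid/b27c3dd0-9799-4b23-bc84-1755dee0f0a2 data'
ExecStop=/sbin/cryptsetup -d - -v luksClose data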

And another one to mount the device

** /etc/systemd/system/mnt-data.mount **




Enable and verify the disk

systemctl enable mnt-data.mount
systemctl start mnt-data.mount
systemctl is-enabled mnt-data.mount

To manually enable the disk

systemctl start mnt-data.mount

And to disable it

systemctl stop mnt-data.mount

Last modified on: June 08, 2020