Disk Encryption

You may want to encrypt your external disk to improve privacy (in case other people have physical access to your router) or, if the disk is flash-based, so that you can securely reuse it later for another purpose (see "SSDs prove difficult to securely erase").

Install encryption packages:

# opkg install kmod-crypto-xts kmod-crypto-iv kmod-crypto-misc cryptsetup

Install ext4 packages:

# opkg install kmod-fs-ext4 e2fsprogs

There are different ways of handling the encryption key. In this example we generate a new random key on every mount.

Don't follow these instructions blindly! If you use this example, your previous data will be inaccessible when the disk is unmounted because we're not storing the key.

# cryptsetup --cipher=aes-xts-plain64 --key-file=/dev/random create encrypted /dev/sda

This step may take a long time while /dev/random gathers enough entropy to generate the key.

Format and mount the encrypted volume:

# mkfs.ext4 /dev/mapper/encrypted
# mount /dev/mapper/encrypted /mnt


Unmount the volume and remove the mapping when you are done:

# umount /mnt
# cryptsetup remove encrypted
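
The steps above collected into one script with two pre-flight checks, as an added example that is not part of the original wiki page. The function names and the NAME, MNT and DRY_RUN variables are assumptions of this example; by default it only prints the commands, and DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example: the page's commands behind checks that refuse a wrong target.
# NAME, MNT, DRY_RUN and all function names are assumptions of this example.
NAME=encrypted          # mapping name used on the page
MNT=/mnt                # mount point used on the page
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands, 0 = execute them

# Succeeds if device $1, or a partition of it, is listed in mounts table $2.
is_mounted() {
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# Print one command, or execute it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "# $*"; else "$@"; fi
}

# Create the mapping with a throwaway key, then format and mount it.
open_volume() {
    dev=$1
    # The block-device check is skipped in dry-run so a plan can be previewed.
    if [ "$DRY_RUN" != 1 ] && [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2; return 1
    fi
    if is_mounted "$dev" "$2"; then
        echo "refusing: $dev is mounted, mkfs would destroy its data" >&2; return 1
    fi
    run cryptsetup --cipher=aes-xts-plain64 --key-file=/dev/random create "$NAME" "$dev" &&
    run mkfs.ext4 "/dev/mapper/$NAME" &&
    run mount "/dev/mapper/$NAME" "$MNT"
}

# Unmount and remove the mapping; the unsaved key is gone after this.
close_volume() {
    run umount "$MNT" && run cryptsetup remove "$NAME"
}

# Usage: <script> open /dev/sdX   or   <script> close
case "${1:-}" in
    open)  open_volume "$2" ;;
    close) close_volume ;;
esac
```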


A video demonstration on OpenWrt 14.07 Barrier Breaker using LUKS: (broken link, 07.Mar.2016)

doc/howto/disk.encryption.txt · Last modified: 2016/03/03 11:56 by Max Hopper