APC Australia

Good LUKS or plain?


LUKS containers don’t make any attempt to conceal their nature, so if you encrypt a drive this way, it’s obvious you’ve something to hide. Fortunately you can use Cryptsetup in ‘plain mode’, which contains no giveaway volume headers. To anyone examining the drive, it’ll simply appear to be full of random data.

To get started, locate your chosen partition or insert a USB stick, open Terminal and wipe the drive with dd. For example, sudo dd if=/dev/urandom of=/dev/sdb1 bs=1M.

The basic command for using Cryptsetup in plain mode is cryptsetup <options> open --type plain <device> <name>. Take some time to read through the Cryptsetup man page to see which options are right for you, for instance:

sudo cryptsetup --type plain --cipher=serpent-xts-plain64 --hash=sha512 --key-size=256 --offset=123 open /dev/sdb1 plain3

This command must be entered in exactly the same way each time you want to access the device. If you’re uncomfortable writing it all down, memorise the offset value.

Cryptsetup will ask you to choose a password. Make sure it has a high degree of entropy as no salt is used (see above). Create a file system with sudo mkfs -t ext4 /dev/mapper/plain3.

Next, create a mount point by running sudo mkdir /mnt/plain3, then mount the device with sudo mount -t ext4 /dev/mapper/plain3 /mnt/plain3. You can now write your secret files to /mnt/plain3. When you’re done, run sudo umount /dev/mapper/plain3, then sudo cryptsetup close plain3.

You can access the encrypted drive again by running the same cryptsetup and mount commands.
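To see why a LUKS container is recognisable while a plain-mode volume is not, the following check looks for the LUKS header signature and measures byte entropy at the start of a device or image. It is an added example, not part of the original article; the function names and sample data are constructed for illustration.

```python
import math
import os
from collections import Counter

# First 6 bytes of every LUKS1 and LUKS2 header, followed by a
# 2-byte big-endian version number.
LUKS_MAGIC = b"LUKS\xba\xbe"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify(first_bytes: bytes) -> str:
    """Classify the leading bytes of a block device or image file."""
    if first_bytes.startswith(LUKS_MAGIC) and len(first_bytes) >= 8:
        version = int.from_bytes(first_bytes[6:8], "big")
        return f"LUKS{version} header"
    # No signature: a urandom-wiped drive and a plain-mode volume both
    # look like this, so high entropy alone proves nothing either way.
    if shannon_entropy(first_bytes) > 7.9:
        return "no known header, high entropy"
    return "not random-looking"


def classify_path(path: str, length: int = 1 << 20) -> str:
    """Read the first `length` bytes of a device or image (needs read access)."""
    with open(path, "rb") as dev:
        return classify(dev.read(length))


# Constructed samples standing in for real devices.
SAMPLE_LUKS2 = LUKS_MAGIC + b"\x00\x02" + bytes(4088)  # magic + version 2
SAMPLE_PLAIN = os.urandom(1 << 16)                     # urandom-wiped / plain mode
SAMPLE_ZEROED = bytes(1 << 16)                         # factory-blank stick

if __name__ == "__main__":
    for name, blob in [("luks2", SAMPLE_LUKS2), ("plain", SAMPLE_PLAIN),
                       ("zeroed", SAMPLE_ZEROED)]:
        print(f"{name:7s} -> {classify(blob)}")
```

Run against a real device with classify_path("/dev/sdb1") as root; a drive wiped with /dev/urandom and then opened in plain mode should give the same result as the constructed "plain" sample.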

If your system supports it, add the mounted location for your plain encrypted volume as a bookmark in the file manager to access it easily.
