Imagine that you have an unencrypted drive containing your private data and one day it starts throwing a bunch of errors. You have backups of the data so you’ve got that part covered, but would you feel comfortable sending the drive in to be warrantied? You have no control over who has access to that drive, and due to the drive failing you can’t format it as well.

Do you take the financial hit and buy a new drive, or send it in regardless and risk someone looking through your files?

I’ve bought and sold a bunch of hard drives and SSD-s over the years1, and warrantied a few of them. I encrypt the disk on my personal and work machines because of the obvious security benefits, but for a long time I avoided doing the same for other storage devices.

Then I realized that I can just encrypt them and use almost anything as the key. All you need is a reasonably sized file to pass to cryptsetup as a key-file, refer to that key-file in /etc/crypttab, and you’re good to go!

Be creative! The key file can be anything:

  • a dank meme
  • a very short low resolution cat video
  • an adorable photo of your dog
  • a precious family photo
  • Twilight fan fiction that you wrote back in 2011
  • your letter of resignation at your last job

Just mind the size, cryptsetup wasn’t very happy with a 17MB full resolution image. A JPEG that’s less than a megabyte in size worked well enough for me.

On Linux, you can encrypt a partition with a cat picture using a command like this:

cryptsetup luksFormat /dev/sdx1 --key-file /path/to/cat.jpg

You can make sure that the drive gets automatically decrypted at boot by defining it in /etc/crypttab. Find the UUID of the encrypted partition by running ls -lah /dev/disk/by-uuid and see which one matches with /dev/sdx1. If the UUID is ef277bc2-d953-44c4-88af-8320aca76969, then a line in /etc/crypttab would look like this:

encryptedcatdrive UUID=ef277bc2-d953-44c4-88af-8320aca76969 /path/to/cat.jpg

Once unlocked, your decrypted partition will be available as /dev/mapper/encryptedcatdrive.

Just make sure that the key file isn’t placed on the encrypted drive itself, otherwise you’ll lock yourself out for good.

For more information on LUKS disk encryption and its capabilities, see this handy Arch Wiki page.

This approach comes with some great benefits and a few downsides.

On the bright side, you don’t have to worry about a stranger getting their hands on your data when selling a storage device or sending it in to be warrantied, assuming that you haven’t posted the key file on social media or anywhere else.2 Just do a quick format of the drive, or format a very specific part to clear the LUKS headers, and the contents of the drive are gone!

If you can’t format the drive due to hardware issues, then you should still be safe, the attacker would have to first fix the drive (which isn’t a guaranteed success) and then figure out the key, which will require a lot of effort and time.

The one obvious downside is that if you lose the key file, you lose the data. You can mitigate this by either adding multiple key files as a backup option, or setting a strong password that you can use in case you lose your original key file.

If the drive contains something of value to your family members, then it may be a good idea to specify those details in a will, or by taping the backup password with instructions on the drive itself. If you end up selling the drive before your personal expiration date arrives, then you can simply remove the instructions. Just make sure that your family members or relatives know to plug in the drive to a Linux machine.3

I also like the thrill of hiding a key in plain sight. Did I use the cover photo of this post to encrypt my drives? You’ll never know, and that’s what makes it fun!

If you’re paranoid or targeted by state actors, then you probably shouldn’t follow this advice, except the part where I encourage encrypting stuff.

  1. Hello, my name is Herman, and I’m a recovering data hoarder. ↩︎

  2. if we use a simple .jpg as an example key file, then it’s highly likely that this won’t be an issue as most messaging and social media platforms compress the hell out of the image. The compression is also lossy, meaning that the process is irreversible and the end result is a completely different file from the perspective of the encrypted disk. ↩︎

  3. if you’ve ever plugged in a drive with a Linux filesystem on a Windows machine, then you’ll know that it will happily recommend formatting it. Oh, goodie. ↩︎