Encrypting a non-Linux partition with LUKS.

Posted by linuxn00b on Ask Ubuntu
Published on 2010-12-01T22:26:39Z Indexed on 2011/01/01 0:58 UTC

I have a non-Linux partition I want to encrypt with LUKS. The goal is to be able to store it by itself on a device without Linux and access it from the device when needed with an Ubuntu Live CD.

I know LUKS can't encrypt partitions in place, so I created another, unformatted partition of the EXACT same size (using GParted's "Round to MiB" option) and ran this command:

sudo cryptsetup luksFormat /dev/xxx

Where xxx is the partition's device name. Then I typed in my new passphrase and confirmed it. Oddly, the command exited immediately after, so I guess it doesn't encrypt the entire partition right away? Anyway, then I ran this command:

sudo cryptsetup luksOpen /dev/xxx xxx

Then I tried copying the contents of the existing partition (call it yyy) to the encrypted one like this:

sudo dd if=/dev/yyy of=/dev/mapper/xxx bs=1MB

and it ran for a while, but exited with this:

dd: writing `/dev/mapper/xxx': No space left on device

just before writing the last MB. I take this to mean the contents of yyy were truncated when they were copied to xxx, because I have dd'd it before, and whenever I have dd'd to a partition of the exact same size, I never get that error (and fdisk reports they are the same size in blocks).

After a little Googling I discovered all luksFormat'ted partitions have a custom header followed by the encrypted contents. So it appears I need to create a partition exactly the size of the old one + however many bytes a LUKS header is.

What size should the destination partition be, no. 1, and no. 2, am I even on the right track here?

UPDATE

I found this in the LUKS FAQ:

  • I think this is overly complicated. Is there an alternative?

Yes, you can use plain dm-crypt. It does not allow multiple passphrases, but on the plus side, it has zero on disk description and if you overwrite some part of a plain dm-crypt partition, exactly the overwritten parts are lost (rounded up to sector borders).

So perhaps I shouldn't be using LUKS at all?
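Added example (not part of the original post): the sizing rule the post arrives at, source size plus the LUKS header area, computed from the text that `cryptsetup luksDump` prints. The function names and the sample dump are constructed for illustration, and the parser also reads the LUKS2 dump layout, which goes beyond the post.

```shell
#!/bin/sh
# Added example: size a LUKS destination partition for a raw copy.
# Real inputs would come from:
#   sudo cryptsetup luksDump /dev/xxx     (dump text, piped to stdin)
#   sudo blockdev --getsize64 /dev/yyy    (source size in bytes)

# Read luksDump text on stdin, print the offset in bytes at which the
# encrypted data starts. LUKS1 prints "Payload offset: N" in 512-byte
# sectors; LUKS2 prints "offset: N [bytes]" under "Data segments:".
luks_data_offset_bytes() {
    awk '
        /^Payload offset:/ { printf "%.0f\n", $3 * 512; found = 1; exit }
        /^Data segments:/  { in_seg = 1; next }
        in_seg && $1 == "offset:" { print $2; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Smallest destination partition: source bytes plus the header area.
required_partition_bytes() {    # $1 = source bytes, $2 = data offset bytes
    echo $(( $1 + $2 ))
}

# Bytes of the source that will not fit in the mapped device (0 = fits).
shortfall_bytes() {    # $1 = source, $2 = destination partition, $3 = offset
    d=$(( $1 - ($2 - $3) ))
    echo $(( d > 0 ? d : 0 ))
}

# Constructed sample: abridged LUKS1 dump, two partitions of 10 GiB each.
SAMPLE_LUKS1='LUKS header information for /dev/xxx
Version:        1
Cipher name:    aes
Payload offset: 4096
MK bits:        256'
SRC_BYTES=10737418240

off=$(printf '%s\n' "$SAMPLE_LUKS1" | luks_data_offset_bytes)
echo "data offset:       $off bytes"
echo "partition needed:  $(required_partition_bytes "$SRC_BYTES" "$off") bytes"
echo "same-size deficit: $(shortfall_bytes "$SRC_BYTES" "$SRC_BYTES" "$off") bytes"
```

With equal-sized partitions the deficit equals the data offset, which is why a raw `dd` into the mapped device stops short of the end of the source.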
