$ sudo badblocks -b 8192 -vw -o badblocks.dat /dev/sdX
Checking for bad blocks in read-write mode
From block 0 to 610471321
Testing with pattern 0xaa:
### ...... this takes several days before I'm sure it is OK ...
### My recommendation: If it shows any bad sectors, don't use it for anything important.
$ sudo fdisk -l /dev/sdX
Disk /dev/sdX: 4.56 TiB, 5000981077504 bytes, 9767541167 sectors
Disk model: One Touch HDD
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
# Next, encrypt the entire disk. Make sure you don't forget the passphrase.
$ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdX
WARNING!
========
This will overwrite data on /dev/sdX irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdX:
Verify passphrase:
Key slot 0 created.
Command successful.
# I temporarily name the disk 5T and luksOpen it. It will be named
# more permanently in /etc/crypttab below.
$ sudo cryptsetup luksOpen /dev/sdX 5T
Enter passphrase for /dev/sdX:
# Here I display the relevant entries to see what fdisk reports. Notice where the 5T is.
$ sudo fdisk -l
Disk /dev/sdX: 4.56 TiB, 5000981077504 bytes, 9767541167 sectors
Disk model: One Touch HDD
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk /dev/mapper/5T: 4.56 TiB, 5000964300288 bytes, 9767508399 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
# Next step, make the filesystem.
$ sudo mkfs.ext4 /dev/mapper/5T
mke2fs 1.45.5 (07-Jan-2020)
Creating filesystem with 1220938549 4k blocks and 152621056 inodes
Filesystem UUID: 1697a287-e7de-4b5c-966f-62a58389dec7
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848, 512000000, 550731776, 644972544
Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done
# The operating system does not run from this disk, so reclaim the
# space ext4 reserves for root, here about 300 GB.
$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/5T 4.6T 89M 4.3T 1% /media/bob/1697a287-e7de-4b5c-966f-62a58389dec7
$ sudo tune2fs -m 0 /dev/mapper/5T
tune2fs 1.45.5 (07-Jan-2020)
Setting reserved blocks percentage to 0% (0 blocks)
$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/5T 4.6T 89M 4.6T 1% /media/bob/1697a287-e7de-4b5c-966f-62a58389dec7
# In the above, I don't really want that to be the mount point.
# Some selected relevant info.
$ sudo blkid
/dev/sdX: UUID="ef30dd54-69de-4af1-8d2b-123e4b6186c4" TYPE="crypto_LUKS"
/dev/mapper/5T: UUID="1697a287-e7de-4b5c-966f-62a58389dec7" TYPE="ext4"
The file /etc/fstab can include the following; the directory /home/bob/5T has to be created first.
/dev/mapper/5T /home/bob/5T ext4 defaults 0 2
The file /etc/crypttab can include
5T UUID=ef30dd54-69de-4af1-8d2b-123e4b6186c4 /root/.keyfile luks,discard
# Create a crypto key file if you need one. It must be on an encrypted disk, otherwise
# encryption of this disk is pointless. Don't overwrite an existing one, or other
# encrypted disks that rely on it will no longer unlock automatically.
$ sudo dd if=/dev/urandom of=/root/.keyfile bs=512 count=8
8+0 records in
8+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 0.000631541 s, 6.5 MB/s
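# Added example (not part of the original session): a check that every key file named in a
# crypttab-format file has no group/other permission bits and that devices are referenced by UUID.
# The function names and the temporary sample files are constructed for illustration.

```shell
#!/bin/sh
# audit_crypttab FILE: print one finding per line; return 0 if clean, 1 otherwise.
audit_crypttab() {
    rc=0
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac        # blank line or comment
        # /dev/sdX can change on reboot or replug; UUID= stays stable.
        case $dev in
            /dev/sd*) echo "$name: device $dev is not stable, use UUID="; rc=1 ;;
        esac
        case $key in ''|none|-) continue ;; esac        # passphrase prompt, no key file
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$key")                      # GNU or busybox stat
        case $mode in
            0|*00) ;;                                    # no group/other permission bits
            *) echo "$name: key file $key has mode $mode, want 600 or 400"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Constructed sample: the page's 5T entry with a tight key file, plus a
# hypothetical second entry that uses /dev/sdb and a world-readable key file.
demo() {
    d=$(mktemp -d)
    : > "$d/good.key";  chmod 600 "$d/good.key"
    : > "$d/loose.key"; chmod 644 "$d/loose.key"
    cat > "$d/crypttab" <<EOF
# name  device                                     keyfile       options
5T      UUID=ef30dd54-69de-4af1-8d2b-123e4b6186c4  $d/good.key   luks,discard
old     /dev/sdb                                   $d/loose.key  luks
EOF
    st=0
    audit_crypttab "$d/crypttab" || st=$?
    rm -rf "$d"
    return $st
}
demo || true
```

# On a real system: sudo sh -c '. ./audit.sh; audit_crypttab /etc/crypttab' (audit.sh is a placeholder name).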
# See what header information is on the disk, add the crypto key file to the disk,
# and recheck.
$ sudo cryptsetup luksDump /dev/sdX
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: ef30dd54-69de-4af1-8d2b-123e4b6186c4
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2i
Time cost: 5
Memory: 1048576
Threads: 4
Salt: 7d 5a c4 c6 ac ad 32 a5 ee 3a d3 18 df 7f 15 ba
63 f2 86 df 55 ce 9b bc 83 be 62 a9 c9 1f 16 50
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 108863
Salt: be b1 2d d7 54 71 f7 4a d2 a2 ba a5 bf d9 d6 74
12 9e 4c 9a 14 6b 8d 90 ab 4e 73 80 56 44 fc bd
Digest: 28 8c 21 4a 16 5f dc 66 f8 8c 74 22 a1 6d 1e 3b
c6 81 46 31 ba fb 25 39 ec 07 06 70 5b b7 4a 70
$ sudo cryptsetup luksAddKey /dev/sdX /root/.keyfile
Enter any existing passphrase:
# Notice how there is another keyslot, numbered 1.
# To remove it: cryptsetup luksKillSlot /dev/sdX 1 (don't kill all your keys!)
$ sudo cryptsetup luksDump /dev/sdX
LUKS header information
Version: 2
Epoch: 6
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: ef30dd54-69de-4af1-8d2b-123e4b6186c4
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2i
Time cost: 5
Memory: 1048576
Threads: 4
Salt: 7d 5a c4 c6 ac ad 32 a5 ee 3a d3 18 df 7f 15 ba
63 f2 86 df 55 ce 9b bc 83 be 62 a9 c9 1f 16 50
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
1: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2i
Time cost: 5
Memory: 1048576
Threads: 4
Salt: ef 11 27 16 0f 1e de f7 1b 98 a2 e6 84 65 58 31
d4 79 49 99 96 11 4f 93 1a 42 1d f2 10 a8 ed 22
AF stripes: 4000
AF hash: sha256
Area offset:290816 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 108863
Salt: be b1 2d d7 54 71 f7 4a d2 a2 ba a5 bf d9 d6 74
12 9e 4c 9a 14 6b 8d 90 ab 4e 73 80 56 44 fc bd
Digest: 28 8c 21 4a 16 5f dc 66 f8 8c 74 22 a1 6d 1e 3b
c6 81 46 31 ba fb 25 39 ec 07 06 70 5b b7 4a 70
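# Added example (not part of the original session): list the keyslots in LUKS2 luksDump output and
# refuse to approve a luksKillSlot that would remove a missing slot or the last remaining one.
# The function names are hypothetical; the sample is abridged from the dump above.

```shell
#!/bin/sh
# list_keyslots: read `cryptsetup luksDump` (LUKS2) text on stdin,
# print "<slot> <pbkdf>" for each keyslot.
list_keyslots() {
    awk '
        { sub(/^[ \t]+/, "") }                       # tolerate indented or flattened output
        $0 == "Keyslots:"                   { in_ks = 1; next }
        $0 == "Tokens:" || $0 == "Digests:" { in_ks = 0; next }
        in_ks && /^[0-9]+: /                { slot = $1; sub(/:$/, "", slot); next }
        in_ks && $1 == "PBKDF:"             { print slot, $2 }
    '
}

# can_kill_slot SLOT: succeed only if SLOT exists in the dump on stdin
# and at least one other keyslot would remain afterwards.
can_kill_slot() {
    slots=$(list_keyslots | cut -d' ' -f1)
    echo "$slots" | grep -qx "$1" || return 1
    [ "$(echo "$slots" | wc -l)" -ge 2 ]
}

# Abridged sample: only the lines the parser looks at.
sample_dump() {
    cat <<'EOF'
Data segments:
  0: crypt
Keyslots:
  0: luks2
    PBKDF:      argon2i
  1: luks2
    PBKDF:      argon2i
Tokens:
Digests:
  0: pbkdf2
EOF
}

sample_dump | list_keyslots
# Real use:
#   sudo cryptsetup luksDump /dev/sdX | can_kill_slot 1 \
#       && sudo cryptsetup luksKillSlot /dev/sdX 1
```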
# I find this also very useful, but your mileage will vary.
$ sudo chmod go+rwx /home/bob/5T
$ sudo chown bob:bob /home/bob/5T
# If it were a spinning disk, and not accessed frequently, I would
# spin it down after being idle. Here is one way. Install hd-idle
# and put in the file: /etc/default/hd-idle
START_HD_IDLE=true
HD_IDLE_OPTS="-i 1800 -l /var/log/hd-idle.log"
# You can specify disks by ID, but this config will spin down all the
# spinning disks after 1800 seconds and log the change in the log file.
# I believe it will not spin down the main system disk, but in recent
# years I recommend always using an SSD for the main drive (with the
# OS on it). It will ignore non-spinning disks. It seems to work fine,
# and the disks spin up a few seconds after a read or write request
# to a "resting" disk. Don't make the time too short; that may damage them.
# You can check with the following. Note that each time you reboot or replug,
# the same disk might be assigned a different value of /dev/sdX.
$ sudo hdparm -C /dev/sdX
Done.