@MahdadGhasemian
Last active January 8, 2026 06:54
A concise guide to securely partitioning, encrypting, and formatting an external SSD for Linux use.

Secure External SSD

Partition your external SSD with the ext4 filesystem for Linux

To prepare your external SSD for use in Linux, you can use the following tools:

  • Use lsblk or fdisk -l to identify your external SSD device.
  • Use fdisk or parted to create and manage partitions on the SSD.
  • Use mkfs.ext4 to format the created partitions with the ext4 filesystem.
  • For a graphical interface, consider using gparted.

Make it Secure with Encryption

Identify the SSD

lsblk

sda           8:0    0   1.8T  0 disk 
├─sda1        8:1    0  1000G  0 part /media/<USER>/SP-Part1
├─sda2        8:2    0   700G  0 part /media/<USER>/SP-Part2
└─sda3        8:3    0   100G  0 part /media/<USER>/SP-Part3

Install cryptsetup

# Install cryptsetup
sudo apt install cryptsetup

Encrypt the partition and format it with ext4

# Unmount
sudo umount /dev/sda1

# Remove filesystem signatures
sudo wipefs -a /dev/sda1

# Encrypt the partition (destroys existing data; prompts for a new passphrase)
sudo cryptsetup luksFormat /dev/sda1

# Open the encrypted volume
sudo cryptsetup open /dev/sda1 SP-Part1

# Format with ext4
sudo mkfs.ext4 /dev/mapper/SP-Part1

# Mount it (replace <USER> with your username)
sudo mkdir -p /media/<USER>/SP-Part1
sudo mount /dev/mapper/SP-Part1 /media/<USER>/SP-Part1

# Unmount and lock (replace <USER> with your username)
sudo umount /media/<USER>/SP-Part1
sudo cryptsetup close SP-Part1

# Back up the LUKS header (the backup file is written to your home directory, not to the SSD)
sudo cryptsetup luksHeaderBackup /dev/sda1 --header-backup-file ~/LUKS-SP-Part1-header-backup.bin
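
Because wipefs and luksFormat are destructive, it helps to confirm the target before running them. The following pre-flight check is an added example, not part of the original gist: the function names check_target and field are hypothetical, and the sample lsblk text is constructed from the listing above. It checks only partition type, mount state and an existing LUKS signature.

```shell
#!/bin/sh
# Added example: pre-flight check to run before wipefs / cryptsetup luksFormat.
# It inspects `lsblk -P -p -o NAME,TYPE,FSTYPE,MOUNTPOINT` output, passed in as text.

# Constructed sample in lsblk "pairs" format, modelled on the listing above.
SAMPLE='NAME="/dev/sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="/dev/sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/media/user/SP-Part1"
NAME="/dev/sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="/dev/sda3" TYPE="part" FSTYPE="ext4" MOUNTPOINT=""'

# field LINE KEY: print the value of KEY="value" from one lsblk -P line.
# The leading space keeps TYPE from matching inside FSTYPE.
field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# check_target DEVICE LSBLK_TEXT: print a verdict; return 0 only for "ok".
check_target() {
    dev=$1
    # The closing quote in the pattern stops /dev/sda1 from matching /dev/sda10.
    line=$(printf '%s\n' "$2" | grep -F "NAME=\"$dev\"" | head -n 1)
    [ -n "$line" ] || { echo "not-found"; return 1; }
    kind=$(field "$line" TYPE)
    fstype=$(field "$line" FSTYPE)
    mnt=$(field "$line" MOUNTPOINT)
    [ "$kind" = "part" ] || { echo "not-a-partition"; return 1; }
    [ -z "$mnt" ] || { echo "mounted:$mnt"; return 1; }
    [ "$fstype" != "crypto_LUKS" ] || { echo "already-luks"; return 1; }
    echo "ok"
}

# Demo on the constructed sample.
for d in /dev/sda /dev/sda1 /dev/sda2 /dev/sda3 /dev/sdb1; do
    printf '%s -> %s\n' "$d" "$(check_target "$d" "$SAMPLE")"
done

# Live use (not run here):
#   check_target /dev/sda1 "$(lsblk -P -p -o NAME,TYPE,FSTYPE,MOUNTPOINT)" \
#     && sudo cryptsetup luksFormat /dev/sda1
```

An "already-luks" verdict means the partition already carries a LUKS header, so running luksFormat again would replace its keyslots and make the old contents unrecoverable.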

Rename (if needed)

Unplug the SSD and plug it in again. After unlocking the partition, if you see a random alphanumeric name, you can change it to a friendlier one.

Find the mapped devices with:

ls /dev/mapper/

You should see something like:

luks-753c957e-c028-4d50-b86c-0dca83314b67

Label the filesystem:

sudo e2label /dev/mapper/luks-753c957e-c028-4d50-b86c-0dca83314b67 SP-Part1

Restore the LUKS header if it gets corrupted:

sudo cryptsetup luksHeaderRestore /dev/sda1 --header-backup-file ~/LUKS-SP-Part1-header-backup.bin