If you have an external SSD (or some other drive) connected to your Raspberry Pi, it's good practice to encrypt it.

Install Required Software

sudo apt-get install cryptsetup

Identify Hard Disk

Now you need to identify your hard disk - we wouldn't want to wipe the wrong one, right?

In both examples, our external drive is /dev/sda

Using fdisk


sudo fdisk -l


Disk /dev/sda: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Disk model:                 
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Using lsblk


sudo lsblk


sda           8:0    0 465.8G  0 disk  
└─storage   254:0    0 465.7G  0 crypt /storage
mmcblk0     179:0    0  59.5G  0 disk  
├─mmcblk0p1 179:1    0   256M  0 part  /boot
└─mmcblk0p2 179:2    0  59.2G  0 part  /

Enable Modules

sudo modprobe dm-crypt sha256 aes

Encrypt the disk

Make sure you change /dev/sda to represent your drive.

sudo cryptsetup --verify-passphrase luksFormat /dev/sda -c aes -s 256 -h sha256

Open Encrypted Partition

Now that the partition is formatted, we need to open it and map it. Instead of storage you can use whichever name you want.

sudo cryptsetup luksOpen /dev/sda storage

Format Mapped Partition

If you used a name other than storage replace it below. This will format the partition using the ext4 file system.

sudo mkfs -t ext4 -m 1 /dev/mapper/storage

Create Mount Point

Now we need to create the mount point, ie the destination path where the encrypted partition will be mounted.

Usually people use a directory under /mnt but I prefer to keep it out of there (no real reason, just a preference) in /storage.

sudo mkdir /storage
sudo chown -R $USER:$USER /storage

First command will create the directory, and the second one will change its owner to your current user (usually it's pi).

Mount Partition

sudo mount /dev/mapper/storage /storage/

Set Permissions in the Partition

Reset the owner of everything within the empty partition to your user.

sudo chown $USER:$USER /storage

All Done

Now, every time you reset the RPi you will need to mount the partition using:

sudo cryptsetup luksOpen /dev/sda storage

Which will ask for a passphrase. You could add a cron job to mount it automatically on boot by using:

echo -n "YOUR-PASSPHRASE" | sudo cryptsetup luksOpen /dev/sda storage


As it's unsafe to be hard-coding passwords in scripts, you may want to use a service such as RemotePassword which was designed especially for scenarios as this.