- Generate 2048 cryptographically secure random bytes.
dd bs=512 count=4 if=/dev/urandom of=/path/to/backup-drive-key
- Set up a LUKS2 encrypted volume.
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha256 --use-urandom luksFormat --type luks2 /dev/sda /path/to/backup-drive-key
- Open the volume, which makes
/dev/mapper/vault
available to mount.
cryptsetup open --type luks2 --key-file /path/to/backup-drive-key /dev/sda vault
- Make an
ext4
filesystem (pick anymkfs.*
command, as desired).
mkfs.ext4 /dev/mapper/vault
- Close the volume.
cryptsetup close vault
Repeat steps (3) and (5) on subsequent use.