

Hard drive encryption on Linux

We are required to use hard drive encryption on all devices allocated to members of the department. Unlike on Windows and Mac, with Linux it is necessary to set a passphrase to decrypt the hard drive on boot-up. We keep a list of the passphrases so we can access the hard drive in the event of a problem or the user losing the passphrase.

These passphrases are randomly generated and therefore hard to remember. It is possible, however, to add your own passphrase to the drive encryption so that it can be unlocked with something that is easy to remember. It could even be the same passphrase as your DCS login, although this is not recommended.

To achieve this, you need to know the device name of the encrypted partition on the drive. Running sudo cat /etc/crypttab lists the encrypted volumes. For example:

ac1mde@dcs31652:~$ sudo cat /etc/crypttab
nvme0n1p3_crypt UUID=fd11d274-d095-4a29-a5aa-9e06514a18fe none luks,discard

The encrypted partition is mapped as nvme0n1p3_crypt (yours will likely be different!). The underlying device node is /dev/nvme0n1p3. This device node is needed in the next command, which adds your own passphrase to the encrypted partition. Using this example, the command is:

sudo cryptsetup luksAddKey /dev/nvme0n1p3

Make sure you use your own device instead of the one in the example. It will ask for the currently set passphrase, and then you can enter your own that you want to use. To check you can use it, reboot the computer and enter your new passphrase when it asks to unlock the drive.

Assuming it works, the final stage is to dispose of any hard copies of the original hard-to-remember passphrase!
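The steps above can be scripted. The following is an added example, not part of the original page: it resolves the crypttab entry to its device node through /dev/disk/by-uuid, lists the keyslots already in use with cryptsetup luksDump, and checks a passphrase with cryptsetup open --test-passphrase instead of rebooting. The sample crypttab line is constructed from the page's example; the function names and the --run argument are my own.

```shell
#!/bin/sh
# Added example: locate the LUKS device behind /etc/crypttab and verify a passphrase.

# Constructed sample line (taken from the page's example) used for offline parsing.
SAMPLE_CRYPTTAB='nvme0n1p3_crypt UUID=fd11d274-d095-4a29-a5aa-9e06514a18fe none luks,discard'

# Print the source device of one crypttab line. A UUID=... field becomes a
# /dev/disk/by-uuid path; any other field (e.g. /dev/sda3) is printed as written.
crypttab_source() {
    set -- $1                      # split the line into its whitespace-separated fields
    case "$2" in
        UUID=*) printf '/dev/disk/by-uuid/%s\n' "${2#UUID=}" ;;
        *)      printf '%s\n' "$2" ;;
    esac
}

# Follow the by-uuid symlink to the real node, e.g. /dev/nvme0n1p3 (device must exist).
resolve_node() {
    readlink -f "$1"
}

# Show which keyslots are already occupied, so you know a free slot exists before luksAddKey.
show_keyslots() {
    sudo cryptsetup luksDump "$1"
}

# Non-destructive check: prompts for a passphrase and reports whether it unlocks the device.
test_passphrase() {
    sudo cryptsetup open --test-passphrase "$1"
}

main() {
    line=$(sudo grep -v '^[[:space:]]*#' /etc/crypttab | head -n 1)   # first active entry
    src=$(crypttab_source "$line")
    node=$(resolve_node "$src")
    echo "crypttab source: $src -> $node"
    show_keyslots "$node"
    echo "Enter the passphrase you want to verify:"
    if test_passphrase "$node"; then echo "passphrase OK"; else echo "passphrase REJECTED"; fi
}

# Only touch real devices when explicitly asked (sh script.sh --run).
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with --run after adding your passphrase with luksAddKey; a "passphrase OK" result means the reboot test will succeed.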

managing_hard_drive_encryption_on_linux.1695133632.txt.gz · Last modified: 2023/09/19 15:27 by ac1mde
Public Domain