Cryptsetup

lsblk -o NAME,MODEL,RM,SIZE,TYPE,MOUNTPOINTS

sudo cryptsetup luksFormat /dev/sdb
## Enter passphrase for /dev/sdb:

sudo cryptsetup luksOpen /dev/sdb storage_crypt
## Enter passphrase for /dev/sdb:

sudo mkfs.ext4 /dev/mapper/storage_crypt
## ...
## Allocating group tables: done
## Writing inode tables: done
## Creating journal (131072 blocks): done
## Writing superblocks and filesystem accounting information: done

sudo mkdir -p /mnt/storage
sudo mount /dev/mapper/storage_crypt /mnt/storage

sudo blkid /dev/sdb
## /dev/sdb: UUID="12345678-90ab-cdef-1234-567890abcdef" TYPE="crypto_LUKS"

sudo vi /etc/crypttab
## storage_crypt UUID=12345678-90ab-cdef-1234-567890abcdef none luks,discard

sudo vi /etc/fstab
## /dev/mapper/storage_crypt /mnt/storage ext4 defaults,nofail 0 2

sudo mkdir -p /etc/keys
sudo chmod 700 /etc/keys
sudo dd if=/dev/urandom of=/etc/keys/storage_crypt.key bs=4096 count=1
sudo chmod 400 /etc/keys/storage_crypt.key

sudo cryptsetup luksAddKey /dev/sdb /etc/keys/storage_crypt.key
## Enter any existing passphrase:

sudo vi /etc/crypttab
## storage_crypt UUID=12345678-90ab-cdef-1234-567890abcdef /etc/keys/storage_crypt.key luks,discard

sudo cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 /dev/sdb2
sudo cryptsetup luksOpen /dev/sdb2 luks
sudo mkfs.ext4 -L ENCRYPTED /dev/mapper/luks
sudo mount /dev/mapper/luks /mnt/secure

sudo cryptsetup luksOpen /dev/sdb2 luks
sudo mount /dev/mapper/luks /mnt/secure

sudo umount /mnt/secure
sudo cryptsetup luksClose luks

https://science-as-a-candle-in-the-dark.hatenablog.com/entry/2025/04/07/192919