**:!: Do not use this for securing important data! :!:**
The method described below is like writing your password on a post-it note in your top-drawer! It only provides any security at all if you remove the encrypted disk from the machine permanently!
**:!: Never rely on any security mechanism that you don't understand! Copy-pasting commands from the internet is not a valid security technique! :!:**
Execute all commands as root (i.e. ''sudo su'' first).
Create a key-file for this disk, so it can be automatically unlocked on boot.
dd if=/dev/random of=/etc/crypttab.d/DISK_NAME.key bs=4096 count=1
Format the partition with LUKS, you can use the whole disk (e.g. ''/dev/sdX'') but using a partition makes it more obvious what is on the disk and less likely to be overwritten by accident.
cryptsetup luksFormat --type luks2 /dev/sdX1 /etc/crypttab.d/DISK_NAME.key
Unlock and mount the encrypted volume.
cryptsetup open /dev/sdX1 DISK_NAME --key-file /etc/crypttab.d/DISK_NAME.key
Add a recovery pass-phrase to the volume (in case the key gets wiped). You will be prompted to type in the password.
cryptsetup --key-file /etc/crypttab.d/DISK_NAME.key luksAddKey /dev/sdX1
Take a backup of the LUKS header (in case the header gets wiped).
cryptsetup luksHeaderBackup /dev/sdX1 --header-backup-file /etc/crypttab.d/DISK_NAME.header
Find the UUID of the encrypted volume.
lsblk -o name,size,type,mountpoint,uuid
NAME SIZE TYPE MOUNTPOINT UUID
sdX 2T disk
└─sdX1 2T part long-string-of-hexadecimal
Copy the UUID and add it to the ''crypttab'' to have it auto-unlocked and mounted at boot.
nano -w /etc/crypttab
DISK_NAME UUID=long-string-of-hexadecimal /etc/crypttab.d/DISK_NAME.key
====== ZFS ======
The equivalent on ZFS goes as follows:
dd if=/dev/urandom bs=32 count=1 of=/etc/crypttab.d/tank.key
zpool create -O encryption=on -O keyformat=raw -O keylocation=file:///etc/crypttab.d/tank.key tank sda