My_Usb_Encrypton_Process
LUKS USB Encryption for Linux
performed by: jb-williams
This is the process I use to partition and encrypt USB drives.
- I have not tested it on anything other than USBs, though a similar process would potentially work.
!! Notice !! Running these commands on the wrong drive could Erase All Data on that Drive!!
- Only recoverable if you had a backup.
- Make sure you know:
  - Device name (e.g. /dev/sdb)
  - Device size (e.g. 15GiB)
REQS:
- Linux
- cryptsetup (deb package)
- Depending on the desired file system:
  - dosfstools - FAT32, vfat (can be read by both Windows and Linux)
  - ntfs-3g - NTFS, ntfs (Windows)
  - (standard on Linux) - EXT4, ext4 (Linux)
- I use the package udiskie to mount and unmount the drive.
Step 1
- (Surprise) Insert the USB.
- Find the device name of the USB.
- For this walkthrough we are going to assume that the computer hard drive is /dev/sda and the USB is /dev/sdb from here out:
  - /dev/sda - computer
  - /dev/sdb - usb
To find the device name:
lsblk
Example output:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931.5G 0 disk
|-sda1 8:1 0 100M 0 part /boot
|-sda2 8:2 0 53G 0 part /
|-sda3 8:3 0 293G 0 part /home
|-sda7 8:4 0 4G 0 part [SWAP]
|-sda5 8:5 0 30G 0 part /tmp
|-sda6 8:6 0 30G 0 part /var
sdb 8:12 1 14.7G 0 disk
|-sdb1 8:13 1 4G 0 part
`-sdb2 8:14 1 10.5G 0 part
- Then, if you wish, you can switch user to root; we will be root from here on. Also double-check that the device is unmounted. Remember the USB is /dev/sdb, and it is the partitions lsblk listed (sdb1, sdb2 in the example) that get mounted, so unmount those. Run the two commands separately, since a command chained after su - would only run once the root shell exits:
su -
umount /dev/sdb1 /dev/sdb2
- Next, before we partition and encrypt the drive, we will “shred” the data on the USB. This writes over the data that exists on it in an attempt to destroy any recoverable data. It can be done a specified number of times.
shred -v -n 1 /dev/sdb
Where “-v” is verbose so you can monitor the progress, and “-n 1” is the number of iterations, i.e. the number of times it should be overwritten. I have read anywhere between 1-7 is ok.
Step 2
At this point the data on the USB is cleared and we will start partitioning and formatting the device. During this part you can create several partitions and encrypt and format them as you prefer.
I will go through this using fdisk and use all the available space.
fdisk /dev/sdb
- “o” to create a new DOS disklabel
- “n” to create a new partition
- “p” to set it as primary
- Accept the default first and last sectors so the partition uses the full disk (the default when no sizes are specified)
- “w” to write the changes
Now we are ready to encrypt the USB with cryptsetup and give the opened mapping the name “ENCRYPTED”. luksFormat writes the LUKS header onto the new partition (this is where the passphrase is set), and luksOpen then unlocks it under the chosen name:
- If the following commands don’t properly name the drive, after it’s open you can open another terminal and either run lsblk to find the name of the drive, or ls /dev/mapper/ and find the correct one.
cryptsetup luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 <desired_drive_name>
cryptsetup luksOpen /dev/sdb1 ENCRYPTED
- It will ask for a passphrase; make sure it is a strong, complex passphrase.
- Now choose the format that best suits your needs. If you intend to use the device on GNU/Linux and Windows alike, you should opt for FAT32 (mkfs.vfat command, requires the dosfstools package) or NTFS (mkfs.ntfs command, requires the ntfs-3g package). If you use it only on machines with GNU/Linux, EXT4 (mkfs.ext4 command) will be a good choice.
- The -L and -n options are used to give a recognizable name to the volume. In this example we will use the name ENCRYPTED. The device to format is the unlocked mapping under /dev/mapper/, never /dev/sdb1 itself.
To format as EXT4:
mkfs.ext4 /dev/mapper/ENCRYPTED -L ENCRYPTED
To format as FAT32:
mkfs.vfat /dev/mapper/ENCRYPTED -n ENCRYPTED
To format as NTFS:
mkfs.ntfs /dev/mapper/ENCRYPTED -L ENCRYPTED
Finally, close the partition (luksClose takes only the mapping name, not the block device):
cryptsetup luksClose <desired_drive_name>
cryptsetup luksClose ENCRYPTED
Now it is fine to go back to the regular user (exit the root shell).
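The whole of Steps 1 and 2 as one guarded script, added here as an example and not part of the original walkthrough. It assumes /dev/sdX device naming and the raw lsblk column layout shown in the comments; check_target refuses anything that is not a removable, unmounted whole disk before encrypt_usb runs the destructive commands.

```sh
#!/bin/sh
# Added example, not from the original walkthrough. Assumes /dev/sdX naming with
# partitions sdX1..., and lsblk called as `lsblk -rno NAME,RM,TYPE,MOUNTPOINT`
# (raw rows: NAME RM TYPE MOUNTPOINT, MOUNTPOINT empty when not mounted).

# check_target DEV LSBLK_TEXT: succeed only if DEV is a removable whole disk
# with nothing mounted on it or on any of its partitions; explain refusals on stderr.
check_target() {
  dev=$1; name=${dev#/dev/}; found=0; removable=""; kind=""; mounted=""
  while read -r n r t m; do
    if [ "$n" = "$name" ]; then found=1; removable=$r; kind=$t; fi
    case $n in "$name"*) if [ -n "$m" ]; then mounted="$mounted $n:$m"; fi ;; esac
  done <<EOF
$2
EOF
  [ "$found" = 1 ]     || { echo "$dev: not in lsblk output" >&2; return 1; }
  [ "$kind" = disk ]   || { echo "$dev: is a '$kind', give the whole disk" >&2; return 1; }
  [ "$removable" = 1 ] || { echo "$dev: not removable (RM=0); is this the system disk?" >&2; return 1; }
  [ -z "$mounted" ]    || { echo "$dev: still mounted:$mounted; umount first" >&2; return 1; }
}

# Constructed sample in the same shape as the walkthrough's listing, plus a
# mounted USB (sdc) that the check must also refuse.
SAMPLE='sda 0 disk
sda1 0 part /boot
sda2 0 part /
sdb 1 disk
sdb1 1 part
sdb2 1 part
sdc 1 disk
sdc1 1 part /media/usb'

# encrypt_usb DEV LABEL [ext4|vfat|ntfs]: Steps 1-2 of the walkthrough, run as
# root, only after the check passes. This ERASES everything on DEV.
encrypt_usb() {
  dev=$1; label=$2; fs=${3:-ext4}
  check_target "$dev" "$(lsblk -rno NAME,RM,TYPE,MOUNTPOINT)" || return 1
  shred -v -n 1 "$dev"
  printf 'o\nn\np\n1\n\n\nw\n' | fdisk "$dev"   # DOS label, one full-size primary partition
  cryptsetup luksFormat "${dev}1"               # writes the LUKS header, sets the passphrase
  cryptsetup luksOpen "${dev}1" "$label"
  case $fs in
    ext4) mkfs.ext4 -L "$label" "/dev/mapper/$label" ;;
    vfat) mkfs.vfat -n "$label" "/dev/mapper/$label" ;;
    ntfs) mkfs.ntfs -L "$label" "/dev/mapper/$label" ;;
    *) echo "unsupported fs: $fs" >&2; cryptsetup luksClose "$label"; return 1 ;;
  esac
  cryptsetup luksClose "$label"
}
```

Usage as root would be `encrypt_usb /dev/sdb ENCRYPTED vfat`; against the sample listing, only /dev/sdb passes the check.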
Step 3
Interacting with the drive through the command line.
- To open and mount the encrypted drive from the command line (best practice: run lsblk again first to check the device name):
udiskie-mount /dev/sdb1 && udiskie-mount /dev/mapper/<encrypted_dev_name>
Then to unmount you just:
udiskie-umount /dev/mapper/<encrypted_dev_name>
- If it were just an unencrypted drive the commands would be:
udiskie-mount /dev/sdb1
udiskie-umount /dev/sdb1
written and performed by jb williams - github