LUKS USB Encryption for Linux

performed by: jb-williams

This is the process I use to partition and encrypt usb drives.

  • I have not tested it on anything other than USB drives, though a similar process would potentially work.

!! Notice !! Running these commands on the wrong drive could Erase All Data on that Drive!!

  • Only recoverable if you had a backup.
  • Make sure you know:
    • Device name (e.g. /dev/sdb)
    • Device size (e.g. 15GiB)

REQS:

  • linux

  • cryptsetup (deb package)

  Depending on the desired file system:

  • dosfstools - FAT32, vfat (can be read by both Windows and Linux)
  • ntfs-3g - NTFS, ntfs (Windows)
  • (standard on linux) - EXT4, ext4 (Linux)

  • I use the package udiskie to mount and dismount the drive.

Step 1

  • (Surprise) Insert the USB
  • Find the device name of the USB
  • For this walkthrough we are going to assume that the computer hard drive is /dev/sda and the desired USB is /dev/sdb from here on:
    /dev/sda - computer
    /dev/sdb - usb

to find device name:

lsblk

example output:

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 931.5G  0 disk 
|-sda1   8:1    0   100M  0 part /boot
|-sda2   8:2    0    53G  0 part /
|-sda3   8:3    0   293G  0 part /home
|-sda7   8:4    0     4G  0 part [SWAP]
|-sda5   8:5    0    30G  0 part /tmp
|-sda6   8:6    0    30G  0 part /var
sdb      8:12   1  14.7G  0 disk 
|-sdb1   8:13   1     4G  0 part 
`-sdb2   8:14   1  10.5G  0 part
  • Then, if you wish, you can switch user to root; we will be root from here on. Also double-check that the device is unmounted.
    Remember the USB is /dev/sdb. Note that it is the partitions (/dev/sdb1, /dev/sdb2 in the lsblk output above) that get mounted, so those are what you unmount.
su -
umount /dev/sdb1 /dev/sdb2    # unmount every partition lsblk shows as mounted
  • Next, before we partition and encrypt the drive, we will "shred" the data on the USB. This writes over the data that exists on it in an attempt to destroy any recoverable data. It can be done a specified number of times.
shred -v -n 1 /dev/sdb

Where "-v" is verbose so you can monitor the progress, and "-n 1" is the number of iterations, i.e. the number of times it should be overwritten. I have read anywhere between 1-7 is ok.

Step 2

At this point the data on the USB is cleared and we will start partitioning and formatting the device. During this part you can create several partitions and encrypt and format them as you prefer.

I will go through this using fdisk and use all the available space.

fdisk /dev/sdb
  • “o” for DOS disklabel
  • “n” to create new partition
  • “p” set it as primary
  • Use the Full Disk Sectors, would usually be the default if no sizes are specified
  • “w” will write the changes

Now we are ready to encrypt the USB partition with cryptsetup (luksFormat) and then open it under the name "ENCRYPTED".

  • If the following commands don't properly name the drive, after it's open you can open another terminal and either run lsblk to find the name of the drive, or ls /dev/mapper/ and find the correct one.
cryptsetup luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 <desired_drive_name>
cryptsetup luksOpen /dev/sdb1 ENCRYPTED
  • luksFormat will ask for a passphrase; make sure it is a strong, complex passphrase. luksOpen then asks for that same passphrase to unlock the partition.

  • Now choose the format that best suits your needs. If you intend to use the device on GNU/Linux and Windows alike, you should opt for FAT32 (mkfs.vfat command, requires the dosfstools package) or NTFS (mkfs.ntfs command, requires the ntfs-3g package). If you will use it only on GNU/Linux machines, EXT4 (mkfs.ext4 command) will be a good choice.

  • The -L and -n options provide a recognizable label for the volume. In this example we will use the label ENCRYPTED. The device to format is the opened mapping under /dev/mapper/, not /dev/sdb1 itself.

To format as EXT4:

mkfs.ext4 /dev/mapper/ENCRYPTED -L ENCRYPTED

To format as FAT32:

mkfs.vfat /dev/mapper/ENCRYPTED -n ENCRYPTED

To format as NTFS:

mkfs.ntfs /dev/mapper/ENCRYPTED -L ENCRYPTED

Finally, close the encrypted partition (luksClose takes only the mapping name, not the device):

cryptsetup luksClose <desired_drive_name>
cryptsetup luksClose ENCRYPTED

Now it is fine to go back to the regular user (exit the root shell).
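The notice at the top is the real risk in Steps 1 and 2: every command takes a bare device path, so a typo hits the wrong disk. As an added example (not part of the original walkthrough), here is a POSIX sh pre-flight check that refuses to run shred/fdisk/cryptsetup unless the target is a removable disk of the size you expect with nothing mounted. It assumes the column layout of `lsblk -rno NAME,RM,SIZE,TYPE,MOUNTPOINT`; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not part of the walkthrough): refuse to touch a device unless
# it is the removable disk of the size you expect and nothing on it is mounted.
# Assumes the lsblk column layout produced by:
#   lsblk -rno NAME,RM,SIZE,TYPE,MOUNTPOINT /dev/<dev>

# check_target DEV LISTING EXPECTED_SIZE
# DEV is a bare name such as sdb; LISTING is lsblk output in the layout above.
# Returns 0 only when DEV is a removable "disk" row of EXPECTED_SIZE and no
# partition of DEV has a mountpoint.
check_target() {
    dev=$1; listing=$2; want=$3
    row=$(printf '%s\n' "$listing" | awk -v d="$dev" '$1 == d && $4 == "disk"')
    [ -n "$row" ] || { echo "refuse: $dev is not a disk" >&2; return 1; }
    set -- $row                      # $1=NAME $2=RM $3=SIZE $4=TYPE
    [ "$2" = 1 ] || { echo "refuse: $dev is not removable (RM=$2)" >&2; return 1; }
    [ "$3" = "$want" ] || { echo "refuse: $dev is $3, expected $want" >&2; return 1; }
    mounted=$(printf '%s\n' "$listing" |
        awk -v d="$dev" 'index($1, d) == 1 && $4 == "part" && $5 != ""')
    [ -z "$mounted" ] || { echo "refuse: still mounted:" "$mounted" >&2; return 1; }
    return 0
}

# prepare_usb DEV EXPECTED_SIZE MAPNAME, e.g. prepare_usb sdb 14.7G ENCRYPTED
# Runs the Step 1-2 commands (as root, ext4 variant) only if the check passes.
prepare_usb() {
    listing=$(lsblk -rno NAME,RM,SIZE,TYPE,MOUNTPOINT "/dev/$1") || return 1
    check_target "$1" "$listing" "$2" || return 1
    shred -v -n 1 "/dev/$1" &&
    printf 'o\nn\np\n1\n\n\nw\n' | fdisk "/dev/$1" &&   # DOS label, one primary partition
    cryptsetup luksFormat "/dev/${1}1" &&
    cryptsetup luksOpen "/dev/${1}1" "$3" &&
    mkfs.ext4 -L "$3" "/dev/mapper/$3" &&
    cryptsetup luksClose "$3"
}

# Constructed sample in the assumed layout, mirroring the walkthrough's lsblk
# output: sda is the internal disk, sdb the 14.7G stick with nothing mounted.
SAMPLE_LISTING='sda 0 931.5G disk
sda1 0 100M part /boot
sda2 0 53G part /
sdb 1 14.7G disk
sdb1 1 4G part
sdb2 1 10.5G part'
```

With the sample listing, `check_target sdb "$SAMPLE_LISTING" 14.7G` passes, while asking for sda (not removable), a wrong size, or a stick with a mounted partition is refused before anything destructive runs.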

Step 3

Interacting with the drive through the command line.

  • To open and mount the encrypted drive from the command line: the first command unlocks the LUKS partition (you will be asked for the passphrase), the second mounts the filesystem that then appears under /dev/mapper/.
  • Best practice is to run lsblk again first to check the device name.
udiskie-mount /dev/sdb1 && udiskie-mount /dev/mapper/<encrypted_dev_name>

Then to unmount you just:

udiskie-umount /dev/mapper/<encrypted_dev_name>
  • If it were just an unencrypted drive, the commands would simply be:
udiskie-mount /dev/sdb1
udiskie-umount /dev/sdb1

written and performed by jb williams - github