Howto Encrypt Your Removable Media on Linux

Data security is an area that people are becoming increasingly aware of. Between companies losing customer details and the growing risk of identity theft, it's becoming increasingly important that removable media be encrypted.

So how does one go about creating an encrypted hard drive/USB stick on Linux? This article will take you through it step by step. The instructions are most relevant to (K)Ubuntu but should work on most distributions.

In order to create and access the encrypted partition, you'll need cryptsetup. On (K)Ubuntu you can install it by running

sudo apt-get install cryptsetup

Connect the USB device. Now we need to know its device node, so check the kernel log

dmesg

You're looking for something like sdb or sdc (we'll assume it's sdb). We now want to fill the disk with random data in order to help improve the security of your encrypted partition: encrypted data looks random, so writing it onto a random fill makes it impossible to tell which blocks hold data and which are empty.

Note: If you're using flash memory (i.e. a USB stick), you may wish to consider skipping this step in order to protect the write life of your device.

sudo badblocks -c 10240 -s -w -t random -v /dev/sdb

This may take a while: the system will check for bad blocks on your disk and then overwrite each block with random data.

Next we need to create a partition (the filesystem comes later, once the partition is encrypted). So run

sudo fdisk /dev/sdb

This will take you into fdisk. Enter the following

n
p
1
[ENTER]
[ENTER]
w

The partition has now been created and written to the disk. Now we need to encrypt the partition, but first there is a list of kernel modules that we need to make sure are loaded. So:

sudo -s
[PASSWORD]
modprobe dm-crypt
modprobe sha256
modprobe aes
exit

Now we need to encrypt the partition. We are going to use a password as the key, so make sure you use a strong password (aim for a minimum of 8 characters, letters and numbers, upper and lowercase).

sudo cryptsetup --verify-passphrase luksFormat /dev/sdb1 -c aes -s 256 -h sha256

The system will ask you to verify the password to prevent mistakes. Make sure you do not lose or forget the password: there is no 'backdoor', and if you lose the key you will not be able to access your data. The command above uses the AES algorithm with a 256 bit key, which is currently considered computationally secure. This means that even with a supercomputer the time and effort needed to crack the code is prohibitive.

That said, the encryption is only as good as the password that you set, so make sure it is good and strong.

Now that we have created the encrypted partition, we need to make it usable. First the device needs to be mapped to a node under /dev/mapper, so run

sudo cryptsetup luksOpen /dev/sdb1 MySecuredDrive

You can use a different name if you wish; however, this article will continue to use MySecuredDrive.

So the state of play is: we have an encrypted partition mapped to a node on our system. Now all we need is a usable filesystem.

sudo mkfs -t ext3 -m 1 -O dir_index,filetype,sparse_super /dev/mapper/MySecuredDrive

You've now created an encrypted filesystem! In order to use the drive, simply plug it into the USB port of the computer again. On (K)Ubuntu, the system will ask for the password. Once you've entered this, the filesystem will be mounted and you can write to it as if it was a standard device. Files are encrypted on the fly, so there'll be no increase in unmount times.
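The whole procedure above, collected into one script. This is an added example and not part of the original article: the cipher options, the fdisk key sequence, the ext3 options and the mapper name are the article's, while the sanity checks (whole-disk name only, removable flag in sysfs, nothing mounted), the DRY_RUN/SKIP_WIPE/RUN_MAIN/SYSFS_ROOT variables and the function names are my own additions. The checks exist because every command here is destructive and a typo such as sda instead of sdb would wipe the system disk.

```shell
#!/bin/sh
# Added example (not from the article): the article's steps in one script, with
# the checks I would want before overwriting a disk. SYSFS_ROOT, DRY_RUN,
# SKIP_WIPE, RUN_MAIN and the function names are assumptions of this example.

SYSFS_ROOT="${SYSFS_ROOT:-/sys/block}"       # overridable so the checks can be tried without a real disk
MAPPER_NAME="${MAPPER_NAME:-MySecuredDrive}"  # same name the article uses

# Accept only a whole-disk name such as sdb (never a partition, never a path).
check_device_name() {
    case "$1" in
        sd[a-z]) return 0 ;;
        *)       return 1 ;;
    esac
}

# The kernel flags USB sticks and most USB disks as removable in sysfs.
is_removable() {
    [ "$(cat "$SYSFS_ROOT/$1/removable" 2>/dev/null)" = "1" ]
}

# Refuse to touch a disk that currently has any partition mounted.
is_mounted() {
    grep -q "^/dev/$1" /proc/mounts 2>/dev/null
}

# With DRY_RUN=1, print each command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Full procedure: random fill (optional), partition, load modules, LUKS format,
# open the mapping, create ext3 on the mapped device.
encrypt_removable() {
    dev="$1"
    check_device_name "$dev" || { echo "bad device name: $dev (expected e.g. sdb)" >&2; return 1; }
    is_removable "$dev"      || { echo "/dev/$dev is not flagged removable by the kernel" >&2; return 1; }
    is_mounted "$dev"        && { echo "/dev/$dev has a mounted partition, unmount it first" >&2; return 1; }
    if [ -z "${DRY_RUN:-}" ] && [ ! -b "/dev/$dev" ]; then
        echo "/dev/$dev is not a block device" >&2
        return 1
    fi

    # Random fill; skip on flash to spare write cycles (SKIP_WIPE=1).
    [ -n "${SKIP_WIPE:-}" ] || run sudo badblocks -c 10240 -s -w -t random -v "/dev/$dev"

    # Same key sequence the article types into fdisk: n, p, 1, Enter, Enter, w.
    run sh -c "printf 'n\np\n1\n\n\nw\n' | sudo fdisk /dev/$dev"

    for m in dm-crypt sha256 aes; do
        run sudo modprobe "$m"
    done

    run sudo cryptsetup --verify-passphrase luksFormat "/dev/${dev}1" -c aes -s 256 -h sha256
    run sudo cryptsetup luksOpen "/dev/${dev}1" "$MAPPER_NAME"
    run sudo mkfs -t ext3 -m 1 -O dir_index,filetype,sparse_super "/dev/mapper/$MAPPER_NAME"
}

# Usage: RUN_MAIN=1 sh encrypt-removable.sh sdb   (add DRY_RUN=1 to preview the commands)
if [ -n "${RUN_MAIN:-}" ]; then
    encrypt_removable "$1"
fi
```

Run it once with DRY_RUN=1 and read the printed command list before running it for real; the removable check is what stops the script from ever being pointed at an internal disk, and the mount check catches the case where the desktop has already auto-mounted the stick.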


References:

Ubuntu Help for reminders of the steps I forgot