How to create an encrypted USB drive?
So you've got a shiny new USB drive, either a USB stick or a USB external drive. Typically it comes with a single vfat (fat32) partition. That's not too bad: it can be used (read and write) from both windows and linux and (although less secure than ext3) the vfat overhead is small compared to ext2 and ext3, leaving you more space for your own use.
But you want more: you want
- to store sensitive data in an encrypted partition on the drive
- to still be able to read and write to the disk on both linux and windows
- to have a smaller clear partition to be able to move regular files around without the hassle of having to enter the password to mount the drive
I'll skip the TrueCrypt option, which is not truly open source, to go directly to cryptsetup and cryptmount, which are perfectly decent tools and truly free.
> sudo su
> apt-get install cryptsetup cryptmount
Disk setup on Linux
You then need to partition the drive. To do that you can either use the command-line tool cfdisk or use the graphic partition editor in gnome (gparted). I personally used gparted as it's easier to use (System menu --> Administration --> Partition Editor). The USB drive will probably show up as /dev/sdb but be careful to verify which drive you are going to repartition as all data on that drive will be lost. There, I deleted the existing partition and created 2 new ones:
- the first one of type FAT32 and of size 10GB: this is going to be the unencrypted one
- the second one of type ext2 and of size 290GB (I could have used any kind of partition and using FAT32 here too would probably have saved me around 10GB)
cryptsetup will now take over and prepare the second partition for encryption:
# unmount the partition if needed
> umount /dev/sdb2
# That creates the encrypted volume
> cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb2
WARNING!
========
This will overwrite data on /dev/sdb2 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
The default encryption mode was used (sha256 CBC); you can verify what it is by typing:
cryptsetup luksDump /dev/sdb2
Now you have a large encrypted volume, but it's not ready for use yet: what you have is a raw, unformatted volume inside the encrypted container that sits on top of the partition. You need to format that volume. I chose to format it from Ubuntu with gparted, but that turned out to be the wrong choice. I formatted it as FAT32; it worked fine as long as I stayed on linux but, for an unknown reason, I couldn't read it on windows. Windows insisted the partition was not formatted.
Windows access
So the right approach seems to be to let windows format the partition as NTFS.
About windows, here is how to mount and access the drive. You need to download and setup FreeOTFE on your windows box.
- Plug in the drive
- start FreeOTFE
- File menu --> "Linux mount partition..."
- Select the encrypted partition and validate
- Enter the password you chose on the linux side and validate
The drive is now mounted, FreeOTFE has selected a letter and you can see it in the explorer. When you click on it, it might say the drive is not formatted yet and propose to format it. If you have no data to lose, say "Yes" and it formats the drive as NTFS.
Back on Ubuntu
Once you plug in the drive (now NTFS formatted) it should be attached automatically, but obviously you need to enter the password. In Nautilus --> "Computer", the USB drive will show up with the label "XXX GB Media"; double click on it and you will be asked for the password. If successful, the drive immediately gets mounted to "/media/disk" and you're ready to use it.
For those of us who prefer the command line, a few tricks:
1) to find the device name, look at "/dev/sd*". /dev/sda is probably your primary disk, if you have no other disk, the USB drive will be /dev/sdb.
2) to attach the encrypted partition from the command-line:
> cryptsetup luksOpen /dev/sdb2 sdb2
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
/dev/mapper/sdb2 gets created right then. Here, Ubuntu might mount the partition automatically (to /media/disk).
3) if it doesn't, you can mount it yourself:
> mount /dev/mapper/sdb2 /media/disk
> mount | grep sdb
/dev/mapper/sdb2 on /media/disk type fuseblk (rw,nosuid,nodev,allow_other,blksize=4096)
That's it. Your files are now safe and you can move them around freely between Linux and Windows as long as you know the password.
To cleanly remove the drive:
> umount /media/clear-fat32
> umount /media/disk
> cryptsetup luksClose sdb2
(the name given to luksClose must be the mapping name chosen at luksOpen time, here sdb2)
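The open/mount/close sequence above, wrapped in a small POSIX sh script with the "verify which drive you are going to touch" check that the partitioning section warns about. This is an added example, not code from the original post; it assumes the same names as the post (/dev/sdb2, mapping name sdb2, mount point /media/disk), and the DRY_RUN and SYS_BLOCK variables are my additions so the commands can be previewed without a real drive.

```shell
#!/bin/sh
# Added example: open, mount and cleanly close the LUKS partition from the post.
# DRY_RUN=1 prints the commands instead of running them (needs no root, no drive).
# SYS_BLOCK points at the sysfs block tree; overridable so the check can be exercised
# against a constructed fake tree.
DRY_RUN="${DRY_RUN:-0}"
SYS_BLOCK="${SYS_BLOCK:-/sys/block}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Succeeds only if the disk holding partition $1 (e.g. /dev/sdb2 -> sdb) is flagged
# removable by the kernel. Assumes sdX-style names: the partition number is stripped.
is_removable() {
  dev=$(basename "$1")
  disk=$(printf '%s' "$dev" | sed 's/[0-9]*$//')
  [ "$(cat "$SYS_BLOCK/$disk/removable" 2>/dev/null)" = 1 ]
}

# luks_mount PARTITION MAPPING_NAME MOUNTPOINT
luks_mount() {
  part="$1"; name="$2"; mnt="$3"
  is_removable "$part" || { echo "refusing: $part is not on a removable disk" >&2; return 1; }
  run cryptsetup luksOpen "$part" "$name" || return 1
  run mkdir -p "$mnt"
  # if the mount fails, close the mapping again so the unlocked device is not left open
  run mount "/dev/mapper/$name" "$mnt" || { run cryptsetup luksClose "$name"; return 1; }
}

# luks_umount MAPPING_NAME MOUNTPOINT  (same name that was given to luksOpen)
luks_umount() {
  name="$1"; mnt="$2"
  run umount "$mnt" && run cryptsetup luksClose "$name"
}
```

Run it as root with DRY_RUN unset once the printed commands look right; the removable check only refuses non-removable disks, it does not confirm which removable disk is yours.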
Acknowledgment
Those 2 articles greatly helped me find my way around the problem:

Great blog!!!
As it becomes more and more clear how to use linux, the more people will switch to it
Thanks for sharing your learning. Ubuntu is great as well as Fedora, OpenSuse etc. All are helping make our communication flow. Vladimir
Thank you, it just worked.