Linux System Administration and Security » encryption http://www.jasonbrown.us Wed, 18 Aug 2010 16:42:23 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 USB encryption with Luks http://www.jasonbrown.us/2009/10/usb-encryption-with-luks/ http://www.jasonbrown.us/2009/10/usb-encryption-with-luks/#comments Fri, 30 Oct 2009 13:59:59 +0000 jason http://www.jasonbrown.us/?p=25 Here is an easy way of encrypting USB thumb drives with Luks. Examples below assume your thumb drive is/dev/sdb

First, check the device for bad blocks:

~]# badblocks -c 10240 -s -w -t random -v /dev/sdb

Next create the partition on the drive itself.

~]# fdisk /dev/sdb

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x99faf680.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): p

Disk /dev/sdb: 4066 MB, 4066377728 bytes
126 heads, 62 sectors/track, 1016 cylinders
Units = cylinders of 7812 * 512 = 3999744 bytes
Disk identifier: 0x99faf680

Device Boot Start End Blocks Id System

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1016, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-1016, default 1016):
Using default value 1016

Command (m for help): p

Disk /dev/sdb: 4066 MB, 4066377728 bytes

126 heads, 62 sectors/track, 1016 cylinders
Units = cylinders of 7812 * 512 = 3999744 bytes
Disk identifier: 0x99faf680

Device Boot Start End Blocks Id System
/dev/sdb1 1 1016 3968465 83 Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Now create the password and encrypt the device. This will encrypt the device with AES256.
~]# cryptsetup luksFormat -v -y -s 256 -c aes /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

To open the encrypted drive type:

cryptsetup luksOpen /dev/sdb1 usbdrive

It will then prompt for the password.

***WARNING*** Do not lose your password, there is no way to recover it!

Now format the drive. This example shows how to format the drive with ext4 however ext3 will also work if you are running an older distro.

~] # mkfs.ext4 /dev/mapper/usbdrive
mke2fs 1.41.4 (27-Jan-2009)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
248000 inodes, 991859 blocks
49592 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1019215872

31 block groups
32768 blocks per group, 32768 fragments per group
8000 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Mount the drive:

~]# mount /dev/mapper/usbdrive /media/thumbdrive/

Now your drive is encrypted ;-)

Gnome should automatically ask the next time you insert your usb drive for the password. However if you are using the cli, here are the steps to mount/unmount the drive.

Mount the device

~]# cryptsetup luksOpen /dev/sdb1 usbdrive
~]# mount /dev/mapper/usbdrive /media/usbdrive

]]> http://www.jasonbrown.us/2009/10/usb-encryption-with-luks/feed/ 0