USB encryption with LUKS
- October 30th, 2009
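Here is an easy way of encrypting USB thumb drives with LUKS. The examples below assume your thumb drive is /dev/sdb.
First, check the device for bad blocks. The -w option runs a destructive write-mode test, so anything already on the drive is overwritten: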
~]# badblocks -c 10240 -s -w -t random -v /dev/sdb
Next create the partition on the drive itself.
~]# fdisk /dev/sdb
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x99faf680.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Command (m for help): p
Disk /dev/sdb: 4066 MB, 4066377728 bytes
126 heads, 62 sectors/track, 1016 cylinders
Units = cylinders of 7812 * 512 = 3999744 bytes
Disk identifier: 0x99faf680
Device Boot Start End Blocks Id System
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1016, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-1016, default 1016):
Using default value 1016
Command (m for help): p
Disk /dev/sdb: 4066 MB, 4066377728 bytes
126 heads, 62 sectors/track, 1016 cylinders
Units = cylinders of 7812 * 512 = 3999744 bytes
Disk identifier: 0x99faf680
Device Boot Start End Blocks Id System
/dev/sdb1 1 1016 3968465 83 Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
Now set the passphrase and encrypt the partition. This encrypts it with AES using a 256-bit key.
~]# cryptsetup luksFormat -v -y -s 256 -c aes /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
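To confirm which cipher and key size the luksFormat step actually wrote, the on-disk header can be read directly. The script below is an added example, not part of the original post; it assumes the LUKS1 header layout, and the function names and the sample header values (including the cbc-plain mode string) are constructed for illustration.

```shell
#!/bin/sh
# Added example: read LUKS1 header fields straight from a device or image.
# LUKS1 layout (big-endian): magic[6] version[2] cipher-name[32]
# cipher-mode[32] hash-spec[32] payload-offset[4] key-bytes[4] ...

# Hex string of $3 bytes at offset $2 of file $1.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# NUL-padded text field of $3 bytes at offset $2 of file $1.
text_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# Succeeds only if $1 starts with the magic "LUKS\xba\xbe" and version 1.
is_luks1() {
    [ "$(hex_at "$1" 0 8)" = "4c554b53babe0001" ]
}

# Prints "cipher-name cipher-mode key-bits", or fails on a non-LUKS1 input.
luks1_summary() {
    is_luks1 "$1" || { echo "not a LUKS1 header: $1" >&2; return 1; }
    key_bytes=$((0x$(hex_at "$1" 108 4)))
    echo "$(text_at "$1" 8 32) $(text_at "$1" 40 32) $((key_bytes * 8))"
}

# Writes a constructed (not real) header prefix to $1 so the parser can be
# exercised without a drive. All field values here are sample values.
zeros() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }
make_sample_header() {
    {
        printf 'LUKS\272\276\000\001'      # magic, version 1
        printf 'aes';       zeros 29       # cipher-name
        printf 'cbc-plain'; zeros 23       # cipher-mode
        printf 'sha1';      zeros 28       # hash-spec
        printf '\000\000\004\010'          # payload-offset (sectors)
        printf '\000\000\000\040'          # key-bytes = 32
    } > "$1"
}

# Usage: sh luks1hdr.sh /dev/sdb1   (reading the device needs root)
if [ $# -gt 0 ]; then luks1_summary "$1"; fi
```

Current cryptsetup releases create LUKS2 headers by default, which carry version 2 and are rejected by this script; cryptsetup luksDump /dev/sdb1 reports the same fields for either format.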
To open the encrypted drive, type:
~]# cryptsetup luksOpen /dev/sdb1 usbdrive
It will then prompt for the password.
***WARNING*** Do not lose your password, there is no way to recover it!
Now format the drive. This example formats it with ext4; ext3 will also work if you are running an older distro.
~]# mkfs.ext4 /dev/mapper/usbdrive
mke2fs 1.41.4 (27-Jan-2009)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
248000 inodes, 991859 blocks
49592 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1019215872
31 block groups
32768 blocks per group, 32768 fragments per group
8000 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Mount the drive:
~]# mount /dev/mapper/usbdrive /media/thumbdrive/
Now your drive is encrypted.
GNOME should automatically ask for the password the next time you insert your USB drive. If you are using the CLI, here are the steps to mount and unmount the drive.
Mount the device:
~]# cryptsetup luksOpen /dev/sdb1 usbdrive
~]# mount /dev/mapper/usbdrive /media/usbdrive
Unmount the device:
~]# umount /media/usbdrive
~]# cryptsetup luksClose usbdrive
