USB stick encryption using Linux

If you were ever to lose your USB stick, all data stored on it would be lost. More importantly, your USB stick may end up in the hands of some other person, who would then have access to your private files and could use that information in any way they please. This is one of many fears of USB stick users. One of the simplest solutions to this dilemma is to keep only non-private information on the USB stick. Obviously, this would defeat a primary purpose of the storage device.

Another solution is to encrypt your USB stick so that it is accessible only to those users who possess the correct passphrase needed to decrypt it. This article deals with the second solution, the encryption of a USB stick device. Although encrypting a USB stick seems to be the best and easiest solution, it must be said that it also comes with a number of disadvantages. The first disadvantage is that decryption of the USB key must be done using a Linux system that has the dm-crypt module installed.

In other words, you cannot use your encrypted USB stick on a Windows machine, or on a UNIX-like system with an older kernel. Therefore, encrypting only the part of the USB stick which holds private information seems to be a good solution. In this article, we will go through step by step instructions for encrypting part of a USB device on Linux. Read on to see how it’s done.

In this tutorial you will learn:

  • How to install cryptsetup on major Linux distros
  • How to partition a USB stick
  • How to encrypt a USB stick partition
  • How to mount encrypted partition

USB stick encryption using Linux

Software Requirements and Linux Command Line Conventions

Category     Requirements, Conventions or Software Version Used
System       Any Linux distro
Software     cryptsetup, fdisk, dd
Other        Privileged access to your Linux system as root or via the sudo command.
Conventions  # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
             $ – requires given Linux commands to be executed as a regular non-privileged user

Install cryptsetup

Many Linux distros already have the cryptsetup package installed by default. In case yours does not, you can use the appropriate command below to install the software with your system’s package manager.

To install cryptsetup on Ubuntu, Debian, and Linux Mint:

$ sudo apt install cryptsetup

To install cryptsetup on CentOS, Fedora, AlmaLinux, and Red Hat:

$ sudo dnf install cryptsetup

To install cryptsetup on Arch Linux and Manjaro:

$ sudo pacman -S cryptsetup

After the software is installed, you’ll be able to follow along with us in the sections below.

Partition a USB stick

Before proceeding, bear in mind that you will lose all data currently stored on your flash drive. If there’s anything important on it, be sure to move the files to your computer for the time being, then you can put them back onto the USB stick after you’ve completed the guide.
  1. Let’s start with partitioning our USB stick. Insert your USB stick into the PC’s USB slot and, as the root user, execute:
    # fdisk -l

    Search the output of the fdisk command and retrieve the disk file name of your USB stick. In our case, the device is /dev/sdc.

    For the sake of this tutorial we will refer to the /dev/sdc block device as /dev/sdX to avoid any accidental data damage by our readers when following the text below. Therefore, anytime you see e.g. /dev/sdX or /dev/sdX2 we are in fact referring to the actual block device /dev/sdc and partition /dev/sdc2 respectively.

    Finding the device name in fdisk output

  2. Once we have the file name of our USB stick we can create the partitions to be used for encryption and for storage of non-private data. In this example, we will split the USB stick into two partitions: the first with a size of 2GB, and the rest of the space used to create the second partition. This will produce /dev/sdX1 and /dev/sdX2 respectively. Use any partition tool you see fit for this purpose; in this article we will use fdisk.
    # fdisk /dev/sdX

  3. Execute the following commands within the fdisk interactive mode:
    Command (m for help): n
    [Press enter twice]
    Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-31703005, default 31703005): +2GB
    Command (m for help): n
    [Press enter three times]
    Command (m for help): w

    Partitioning the USB stick with fdisk

  4. We now have two partitions. The first one is 2GB in size and will contain our encrypted files. The other partition consumes the rest of the USB stick and will contain non-sensitive information. The two partitions are represented as /dev/sdX1 and /dev/sdX2, but yours may be different. We will now put a filesystem on the partitions. We’re using FAT32, but you may use whatever you want.
    # mkfs.fat /dev/sdX1
    # mkfs.fat /dev/sdX2
  5. To avoid pattern-based attacks on the encryption, it is advisable to write random data to the partition before proceeding with the encryption. The following dd command can be used to write such data to your partition. It may take some time, depending on the entropy your system can generate:
    # dd bs=4K if=/dev/urandom of=/dev/sdX1

Encrypt USB stick partition

Now it is time to encrypt the newly created partition. For this purpose we will use the cryptsetup tool. If the cryptsetup command is not available on your system, make sure that the cryptsetup package is installed.

The following Linux command will encrypt the /dev/sdX1 partition with the 256-bit AES XTS algorithm. This algorithm is available on any kernel with a version newer than 2.6.24.

# cryptsetup -h sha256 -c aes-xts-plain -s 256 luksFormat /dev/sdX1
Encrypting a USB stick partition

You will be prompted to set a decryption passphrase on the device, which will be used to unlock it and view the sensitive content on your encrypted partition.

Mounting USB partition and decryption

  1. In the next step we will set the name under which our encrypted partition is recognized by the system’s device mapper. You can choose any name. For example, we can use the name “private”:
    # cryptsetup luksOpen /dev/sdX1 private
  2. After executing this command your encrypted partition will be available to your system as /dev/mapper/private. Now we can create a mount point and mount the partition:
    # mkdir /mnt/private
    # mount /dev/mapper/private /mnt/private
    # chown -R myusername:myusername /mnt/private
  3. Now your encrypted partition is available in the /mnt/private directory. If you no longer wish to have access to your USB stick’s encrypted partition, you need to first unmount it from the system and then use the cryptsetup command to close the device mapper mapping.
    # umount /mnt/private
    # cryptsetup luksClose /dev/mapper/private
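The encrypt, mount and unmount steps above, collected into one script as an added example (this is not code from the original article). It assumes the private partition path (e.g. /dev/sdX1) is passed as an argument and that the mapper name is “private” unless another is given; it also refuses to touch a device the kernel does not flag as removable, and it creates the filesystem on the mapped device /dev/mapper/private, which is where the decrypted data must live after luksFormat.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes $1 is the private
# partition (e.g. /dev/sdX1); mapper name defaults to "private". Run as root.
set -eu

# Whole-disk name of a block device: /dev/sdX1 -> sdX, /dev/nvme0n1p1 -> nvme0n1.
# $2 overrides the sysfs block directory (defaults to /sys/block) for testing.
disk_of() {
    name=$(basename "$1"); sysfs=${2:-/sys/block}
    if [ -d "$sysfs/$name" ]; then echo "$name"; else echo "$name" | sed -E 's/p?[0-9]+$//'; fi
}

# Refuse to touch anything the kernel does not flag as removable, so a typo in
# the device name cannot wipe an internal disk.
is_removable() {
    sysfs=${2:-/sys/block}
    [ "$(cat "$sysfs/$(disk_of "$1" "$sysfs")/removable" 2>/dev/null)" = "1" ]
}

# Fill with random data, LUKS-format, then give the mapped device a filesystem.
# The filesystem goes on /dev/mapper/<name>: after luksFormat only the decrypted mapping holds readable data.
format_private() {
    part=$1; name=${2:-private}
    is_removable "$part" || { echo "refusing: $part is not a removable device" >&2; return 1; }
    dd bs=4K if=/dev/urandom of="$part" || true   # dd reports an error when it reaches the end of the partition
    cryptsetup -h sha256 -c aes-xts-plain -s 256 luksFormat "$part"
    cryptsetup luksOpen "$part" "$name"
    mkfs.fat /dev/mapper/"$name"
    cryptsetup luksClose "$name"
}

# Unlock and mount; the mount point defaults to /mnt/<name>.
open_private() {
    part=$1; name=${2:-private}; mnt=${3:-/mnt/$name}
    cryptsetup luksOpen "$part" "$name"
    mkdir -p "$mnt"
    mount /dev/mapper/"$name" "$mnt"
}
# Unmount, then close the mapping so the plaintext view disappears.
close_private() {
    name=${1:-private}; mnt=${2:-/mnt/$name}
    umount "$mnt"
    cryptsetup luksClose "$name"
}
# Usage: usbcrypt.sh format|open|close /dev/sdX1 [name]
case "${1:-}" in
    format) format_private "$2" "${3:-private}" ;;
    open)   open_private "$2" "${3:-private}" ;;
    close)  close_private "${2:-private}" ;;
esac
```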

Desktop mount of an encrypted USB partition

Your desktop may react to an encrypted partition with a pop-up dialog prompting you to enter the passphrase for your encrypted partition.

We are prompted for a password when inserting the USB stick into our computer

However, some Linux systems may not provide any facility to mount encrypted partitions, and you would have to do it manually (see the section “Mounting USB partition and decryption” for details). In any case, make sure that you have the cryptsetup package installed and the dm-crypt module loaded into the running kernel in order to use your encrypted USB stick.

Closing Thoughts

In this guide, we saw how to create an encrypted partition to protect sensitive files on a USB stick. This included creating a separate partition on the USB device and then using cryptsetup to encrypt it. We also learned how to mount and unmount the partition. Following these instructions will give you peace of mind when carrying around a USB stick that contains important data which you wouldn’t want someone else to stumble across.
