If you lose your USB stick, all data stored on it is lost and, more importantly, it will most likely end up in the hands of another person, who then has access to your private information and can use it in any way s/he sees fit. This is one of the many fears of USB stick users. One solution that is easy to apply is to not store any private information on the USB stick at all; however, this reduces the prime use of a USB stick to a bare minimum, since non-private data usually does not need to be stored on a USB stick when it can almost always be downloaded anytime and anywhere from the Internet. Another solution is to encrypt your USB stick so that it is accessible only to users who possess the correct password for the encryption method used. This article deals with the second solution: encryption of a USB stick device.
Although encrypting a USB stick seems to be the best and easiest solution, it must be said that it also comes with a number of disadvantages. The first disadvantage is that decryption of the USB key must be done on a Linux system with kernel version 2.6 or higher that has the "dm_crypt" module loaded in the running kernel. In other words, you cannot use your encrypted USB stick on any Windows machine or on a UNIX-like system with a kernel version below 2.6. Therefore, encrypting only the part of the USB stick that holds private information seems to be a good solution. In this article we use a USB stick with a capacity of 16GB, known to the system as the block device /dev/sdc. We first partition the disk into two partitions, one for encrypted data and the other for non-private data, and then encrypt only the single partition intended to hold private data.
All data on your USB stick will be destroyed, so back up your USB stick before continuing. Replace /dev/sdX with the file name of your USB block device.
Partitioning a USB stick
Let's start with partitioning our USB stick. Insert the USB stick into your PC's USB slot and, as the root user, execute:
# parted -l
Search the output of the parted command and retrieve the disk file name of your USB stick. As already mentioned, in this article we use /dev/sdc. Once we have the file name of our USB stick we can create the partitions to be used for encryption and for storage of non-private data. In my case I will split the USB stick into two partitions: the first with a size of 2GB, and the rest of the space used to create the second partition. This produces /dev/sdc1 and /dev/sdc2 respectively. Use any partitioning tool you see fit for this purpose; in this article I use parted, as it seems to be becoming a standard these days:
# parted /dev/sdX
The following commands are executed within parted's interactive mode:
(parted) mkpart primary 0.0 2GB
(parted) mkpartfs primary fat32 2GB -1s
(parted) quit
The first parted command creates a primary partition with a size of 2GB; this partition ( /dev/sdX1 ) will be used to store encrypted data. The second command creates a second partition with a fat32 file system ( /dev/sdX2 ), starting at 2GB and extending up to the last sector ( -1s ). The second partition will serve as general storage. The final partition table of your USB stick may look similar to the one below:
Disk /dev/sdc: 16.2 GB, 16236150784 bytes
255 heads, 63 sectors/track, 1973 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000cd7ef

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1         243     1951866   83  Linux
/dev/sdc2             244        1974    13903718+   c  W95 FAT32 (LBA)
Write random data
To avoid pattern-based attacks against the encryption, it is advisable to write random data to the partition before proceeding with encryption. The following dd command can be used to write such data to your partition. It may take some time, depending on how quickly your system generates random data:
# dd bs=4K if=/dev/urandom of=/dev/sdX1
Now it is time to encrypt the newly created partition. For this purpose we use the cryptsetup tool. If the cryptsetup command is not available on your system, make sure that the cryptsetup package is installed. The following command encrypts the /dev/sdc1 partition with the 256-bit AES XTS algorithm. This algorithm is available on any kernel with a version higher than 2.6.24.
# cryptsetup -h sha256 -c aes-xts-plain -s 256 luksFormat /dev/sdX1
WARNING!
========
This will overwrite data on /dev/sdX1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Mounting USB partition and decryption
In the next step we assign a name to our encrypted partition so that it can be recognized by the system's device mapper. You can choose any name. For example, we can use the name "private":
# cryptsetup luksOpen /dev/sdX1 private
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
After executing this command your encrypted partition is available to your system as /dev/mapper/private. Now we can create a file system, mount the partition to /mnt/private and make it accessible to yourself:
NOTE: Do not create a file system if you only need to mount an existing encrypted USB partition!
# mkfs.ext2 /dev/mapper/private
Create a mount point and mount a partition:
# mkdir /mnt/private
# mount /dev/mapper/private /mnt/private
# chown -R myusername.myusername /mnt/private
Now your encrypted partition is available in the /mnt/private directory. If you no longer wish to have access to your USB stick's encrypted partition, you first need to unmount it from the system and then use the cryptsetup command to close the encrypted device mapping.
# umount /mnt/private
# cryptsetup luksClose /dev/mapper/private
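The luksFormat, luksOpen, mkfs, mount and luksClose steps above, wrapped in a small script with the checks a careful administrator adds in front of the irrevocable steps (existing LUKS header detected, partition not already mounted, sane mapper name). This is an added example, not the article's own code; it assumes cryptsetup, mkfs.ext2, mount and chown are on PATH and that cryptsetup prompts for the passphrase interactively as shown above.

```shell
#!/bin/sh
# usb-private.sh (added example): open or close the encrypted partition
# from the article, with safety checks in front of the irrevocable steps.
# Assumes cryptsetup, mkfs.ext2, mount and chown are on PATH.
set -e
MKFS=${MKFS:-mkfs.ext2}
# The mapper name becomes /dev/mapper/NAME: reject anything that could leave that directory.
valid_name() {
    case "$1" in
        ''|*/*|*' '*|*..*|control) return 1 ;;
    esac
}
is_block()   { [ -b "$1" ]; }
is_mounted() { grep -qs "^$1 " /proc/mounts; }
is_luks()    { cryptsetup isLuks "$1" >/dev/null 2>&1; }   # 0 only if a LUKS header exists

# open_private DEVICE NAME MOUNTPOINT OWNER
open_private() {
    dev=$1; name=$2; mnt=$3; owner=$4
    valid_name "$name" || { echo "refusing mapper name '$name'" >&2; return 1; }
    is_block "$dev"    || { echo "$dev is not a block device" >&2; return 1; }
    is_mounted "$dev"  && { echo "$dev is mounted: wrong partition?" >&2; return 1; }
    if is_luks "$dev"; then
        fresh=0    # existing container: never luksFormat or mkfs it again (the article's NOTE)
    else
        # The irrevocable step from the article. aes-xts-plain is kept as in the text; its
        # 32-bit sector IV wraps at 2 TiB, so aes-xts-plain64 is preferable on larger devices.
        cryptsetup -h sha256 -c aes-xts-plain -s 256 luksFormat "$dev"
        fresh=1
    fi
    cryptsetup luksOpen "$dev" "$name"
    [ "$fresh" -eq 0 ] || "$MKFS" "/dev/mapper/$name"   # file system only on a new container
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    chown -R "$owner:$owner" "$mnt"
}

# close_private NAME MOUNTPOINT: unmount first, then drop the mapping so the key leaves the kernel.
close_private() {
    umount "$2"
    cryptsetup luksClose "$1"
}
main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    case "$1" in
        open)  open_private "$2" "$3" "$4" "$5" ;;
        close) close_private "$2" "$3" ;;
        *)     echo "usage: $0 open DEVICE NAME MOUNTPOINT OWNER | close NAME MOUNTPOINT" >&2; return 1 ;;
    esac
}
[ $# -eq 0 ] || main "$@"
```

Run as root with `./usb-private.sh open /dev/sdX1 private /mnt/private myusername` and later `./usb-private.sh close private /mnt/private`; on a stick that already carries a LUKS header the format and mkfs steps are skipped automatically.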
Desktop mount of an encrypted USB partition
Your desktop may react to an encrypted partition with a pop-up dialog prompting you for the password of your encrypted partition, as is the case with Ubuntu Lucid Lynx 10.04, for example.
However, some Linux systems may not provide any facility to mount encrypted partitions and you would have to do it manually ( see the section "Mounting USB partition and decryption" for details ). In any case, make sure that you have the cryptsetup package installed and thus the dm_crypt module loaded into the running kernel in order to use your encrypted USB stick.