
Author Topic: [EN] How to make an encrypted USB stick for data storage  (Read 5156 times)

Offline dibl

  • siduction community member
  • Global Moderator
  • User
  • *****
  • Posts: 2.345
    • Land of the Buckeye
[EN] How to make an encrypted USB stick for data storage
« on: 2016/07/16, 16:50:17 »

As an exercise in self-improvement, since I had never made an encrypted filesystem or device before, I spent a couple hours yesterday working out how to do this on a plasma5 KDE Debian sid system. I used parts of several online articles found with Google, and integrated what worked into this guide. Feedback and/or corrections are welcome (I tested the procedure twice on only one system, and tested the encrypted USB stick on several other systems).

First, in a root terminal, verify that you know for certain the correct device designation with

Code:
# fdisk -lu

Now use (as root) gparted and choose Device > New Partition Table to make a new partition table on the USB stick, ms-dos type. Right-click on the unallocated partition and choose New.  In the new partition dialog, leave all items but "filesystem" default, and for filesystem choose "unformatted", and then click Add and then the green check mark and "Apply".  It will show an unformatted partition with a yellow warning symbol on it.  Close gparted.

Next, in a root terminal or with "sudo", (I do these things as root) fill the partition with random data:

Code:
# dd bs=4K if=/dev/urandom of=/dev/sdx1

Where "x" is of course your device ID, here and as applicable in the following commands. A 4G stick took about 15 minutes to complete.

Now load the dm_crypt kernel module:

Code:
# modprobe dm_crypt

To make this a permanent part of your system configuration, add dm-crypt to /etc/modules.

If you haven't previously installed the cryptsetup package, do it now.

Now set the partition as a LUKS encrypted partition, and set the user password (twice):

Code:
# cryptsetup luksFormat /dev/sdx1

Next, open and map the device with a name that you choose (your password will be requested):

Code:
# cryptsetup luksOpen /dev/sdx1 my_encrypted_stick

After you enter your password, the block device will be mapped to /dev/mapper/my_encrypted_stick (or whatever name you gave it).

Next, create the filesystem of your choice on the block device.

Code:
# mkfs.ext4 /dev/mapper/my_encrypted_stick

But we don't want the ext4 journalling feature to wear out the flash memory prematurely, so

Code:
# tune2fs -O ^has_journal /dev/mapper/my_encrypted_stick

Since we never at any time mounted the filesystem on the USB stick, it remains unmounted. Remove it and reboot your system, and when the desktop is up, (a) use lsmod to verify that the dm_crypt module is loaded, and (b) insert your encrypted USB stick.

On a plasma5 KDE desktop, the "device notifier" pops up and offers to open the device with the dolphin file manager. Accept the offer, and the password window opens for the password.  Upon first entering the password, the notifier may or may not respond with a "you are not authorized" error, but the device is nevertheless mounted at /media/username/uuid, where the ID is a conventional device uuid like 448459a8-3c87-41a9-a8e6-d0896be07d8c. You will note the only existing folder, "Lost&Found", has a lock symbol on it indicating the user cannot access it.

Now close the file manager and open a root terminal and cd to /media/username/uuid.  Issue

Code:
# mkdir -p DATA
# chown username:username *

Now the user is the owner of the Lost&Found and DATA folders, even though root remains the owner of the device itself.

Exit the terminal, and then use your device notifier to eject the USB stick.  Test your encrypted stick by inserting it, giving the password, and opening it with your file manager. (The notifier may or may not again claim you are not authorized -- ignore it.)  You cannot save anything in the filesystem root, but the DATA folder as well as Lost&Found are yours to use as in any other user-accessible filesystem. When the encrypted stick is inserted in a running system but the correct password is not given, it is detected (i.e. fdisk can see it in /dev) but the filesystem is not mounted.
« Last Edit: 2016/07/17, 15:31:01 by dibl »
System76 Oryx Pro, Intel Core i7-11800H, SSD 970 EVO Plus;  Asus ROG STRIX X299-E, Core i7-7740X, Nvidia GTX-1060, dual monitors, SSD 860 EVO
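
The guide's first step (be certain of the device designation) can be enforced mechanically before the destructive dd and luksFormat steps. The following is an added example, not part of dibl's post: `check_target` and `field` are hypothetical helper names, the lsblk output shown is constructed sample data, and it assumes the util-linux `lsblk` tool.

```sh
#!/bin/sh
# Added example: pre-flight guard for the destructive dd / luksFormat steps.
# check_target and field are hypothetical helper names, not from the post.

# field LINE KEY: print the value of KEY="value" from one `lsblk -P` line
field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\"\\([^\"]*\\)\".*/\\1/p"
}

# check_target PARTITION: reads `lsblk -P -p -o NAME,TYPE,TRAN,MOUNTPOINT DISK`
# on stdin. Returns 0 only if PARTITION is an unmounted partition of a USB disk.
check_target() {
    target=$1; disk_usb=no; part_seen=no
    while IFS= read -r line; do
        name=$(field "$line" NAME)
        kind=$(field "$line" TYPE)
        if [ "$kind" = disk ] && [ "$(field "$line" TRAN)" = usb ]; then
            disk_usb=yes
        elif [ "$kind" = part ] && [ "$name" = "$target" ]; then
            part_seen=yes
            mnt=$(field "$line" MOUNTPOINT)
            if [ -n "$mnt" ]; then
                echo "refusing: $target is mounted at $mnt" >&2
                return 3
            fi
        fi
    done
    if [ "$part_seen" != yes ]; then
        echo "refusing: $target is not a partition of the listed disk" >&2
        return 2
    fi
    if [ "$disk_usb" != yes ]; then
        echo "refusing: the parent disk is not attached via USB" >&2
        return 4
    fi
    return 0
}

# Constructed lsblk output (not captured from a real system)
SAMPLE_USB='NAME="/dev/sdb" TYPE="disk" TRAN="usb" MOUNTPOINT=""
NAME="/dev/sdb1" TYPE="part" TRAN="" MOUNTPOINT=""'
SAMPLE_SATA='NAME="/dev/sda" TYPE="disk" TRAN="sata" MOUNTPOINT=""
NAME="/dev/sda1" TYPE="part" TRAN="" MOUNTPOINT="/"'

printf '%s\n' "$SAMPLE_USB"  | check_target /dev/sdb1 && echo "sdb1: safe to overwrite"
printf '%s\n' "$SAMPLE_SATA" | check_target /dev/sda1 || echo "sda1: blocked"

# Real use, as root, in place of running dd directly:
#   lsblk -P -p -o NAME,TYPE,TRAN,MOUNTPOINT /dev/sdx | check_target /dev/sdx1 \
#     && dd bs=4K if=/dev/urandom of=/dev/sdx1
```
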

Offline bluelupo

  • User
  • Posts: 2.068
    • BluelupoMe
Re: How to make an encrypted USB stick for data storage
« Reply #1 on: 2016/07/16, 17:12:24 »
Hi dibl,
a good and clear guide for our wiki ;-)

Offline dibl

Re: How to make an encrypted USB stick for data storage
« Reply #2 on: 2016/07/16, 17:16:12 »
Thanks Michael!  PM me an e-mail address if you wish, and I will send you the raw text. 

Offline bluelupo

Re: How to make an encrypted USB stick for data storage
« Reply #3 on: 2016/07/16, 18:27:34 »
Hi dibl,
you can also create it yourself as a siduction Wiki article. Have you ever created a Wiki article? It is very simple to do; I can do that as well ;-)

Offline dibl

Re: How to make an encrypted USB stick for data storage
« Reply #4 on: 2016/07/16, 18:40:04 »
I have not made a wiki article myself, but I am willing to learn if you can get me started.   :)


Offline dibl

Re: How to make an encrypted USB stick for data storage
« Reply #6 on: 2016/07/16, 19:04:50 »
Excellent -- I'll give it a shot.


Offline dibl

Re: How to make an encrypted USB stick for data storage
« Reply #7 on: 2016/07/16, 21:37:18 »
The good news -- I managed to get a password, log in, and make the wiki page.   :)

The other news -- for the life of me, I could not figure out how to place the page in the table of contents.  I believe it belongs under Hardware - "E" for "Encrypted USB Flash Drive".  But for now, it appears to be located in "Spezial:Anmelden".  Hopefully someone more skilled than I can place it correctly.   :P
« Last Edit: 2016/07/16, 21:56:59 by dibl »

Offline ayla

  • User
  • Posts: 1.744
Re: How to make an encrypted USB stick for data storage
« Reply #8 on: 2016/07/17, 13:14:54 »
Hi dibl,

You may add [[Category:Hardware]] on top of your article. Then it should appear there in the table of contents with your already chosen headline. You may also add more categories using the same way twice or more.

greets
ayla

Offline dibl

Re: How to make an encrypted USB stick for data storage
« Reply #9 on: 2016/07/17, 14:59:51 »
Perfect -- many thanks!


NOTE:  Edited the guide to include the command to disable ext4 journalling on the flash drive.
« Last Edit: 2016/07/17, 15:30:25 by dibl »

Offline bluelupo

Re: How to make an encrypted USB stick for data storage
« Reply #10 on: 2016/07/17, 19:14:48 »
Hi dibl,

perfect article :D

tmhind2

  • Guest
Re: How to make an encrypted USB stick for data storage
« Reply #11 on: 2016/07/18, 14:37:32 »
@dibl, thanks for the follow through with the wiki article it is appreciated.  ;D

Offline piper

  • User
  • Posts: 1.785
  • we are the priests ... of the temples of syrinx
Re: How to make an encrypted USB stick for data storage
« Reply #12 on: 2016/07/18, 20:08:56 »
Quote from: dibl
Perfect -- many thanks!


NOTE:  Edited the guide to include the command to disable ext4 journalling on the flash drive.
Nice job !
Free speech isn't just fucking saying what you want to say, it's also hearing what you don't want to fucking hear

I either give too many fucks or no fucks at all, it's like I cannot find a middle ground for a moderate fuck distribution, it's like what the fuck

KrunchTime

  • Guest
Re: How to make an encrypted USB stick for data storage
« Reply #13 on: 2016/08/18, 05:34:18 »
FWIW, I have also done this using Veracrypt

Offline devil

  • Administrator
  • User
  • *****
  • Posts: 4.838
Re: How to make an encrypted USB stick for data storage
« Reply #14 on: 2016/08/20, 15:19:34 »
so does zuluCrypt.


greetz
devil