How to make an encrypted USB stick for data storage

[dibl]

As an exercise in self-improvement, since I had never made an encrypted filesystem or device before, I spent a couple hours yesterday working out how to do this on a plasma5 KDE Debian sid system. I used parts of several online articles found with google, and integrated what worked into this guide. Feedback and/or corrections are welcome (I tested the procedure twice on only one system, and tested the encryped USB stick on several other systems).

First, in a root terminal, verify that you know for certain the correct device designation with

Code Select Expand

# fdisk -lu

Now use (as root) gparted and choose Device > New Partition Table to make a new partition table on the USB stick, ms-dos type. Right-click on the unallocated partition and choose New.  In the new partition dialog, leave all items but "filesystem" default, and for filesystem choose "unformatted", and then click Add and then the green check mark and "Apply".  It will show an unformatted partition with a yellow warning symbol on it.  Close gparted.

Next, in a root terminal or with "sudo", (I do these things as root) fill the partition with random data:

Code Select Expand

# dd bs=4K if=/dev/urandom of=/dev/sdx1

Where "x" is of course your device ID, here and as applicable in the following commands. A 4G stick took about 15 minutes to complete.

Now load the dm_crypt kernel module:

Code Select Expand

# modprobe dm_crypt

To make this a permanent part of your system configuration, add dm-crypt to /etc/modules.

If you haven't previously installed the cryptsetup package, do it now.

Now set the partition as a LUKS encrypted partition, and set the user password (twice):

Code Select Expand

# cryptsetup luksFormat /dev/sdx1

Next, open and map the device with a name that you choose (your password will be requested):

Code Select Expand

# cryptsetup luksOpen /dev/sdx1 my_encrypted_stick

After you enter your password, the block device will be mapped to /dev/mapper/my_encrypted_stick (or whatever name you gave it).

Next, create the filesystem of your choice on the block device.

Code Select Expand

# mkfs.ext4 /dev/mapper/my_encrypted_stick


But we don't want the ext4 journalling feature to wear out the flash memory prematurely, so

Code Select Expand

# tune2fs -O ^has_journal /dev/mapper/my_encrypted_stick

Since we never at any time mounted the filesystem on the USB stick, it remains unmounted. Remove it and reboot your system, and when the desktop is up, (a) use lsmod to verify that the dm_crypt module is loaded, and (b) insert your encrypted USB stick.

On a plasma5 KDE desktop, the "device notifier" pops up and offers to open the device with the dolphin file manager. Accept the offer, and the password window opens for the password.  Upon first entering the password, the notifier may or may not respond with a "you are not authorized" error, but the device is nevertheless mounted at /media/username/uuid, where the ID is a conventional device uuid like 448459a8-3c87-41a9-a8e6-d0896be07d8c. You will note the only existing folder, "Lost&Found", has a lock symbol on it indicating the user cannot access it.

Now close the file manager and open a root terminal and cd to /media/username/uuid.  Issue

Code Select Expand

# mkdir -p DATA

Code Select Expand

# chown username:username *

Now the user is the owner of the Lost&Found and DATA folders, even though root remains the owner of the device itself.

Exit the terminal, and then use your device notifier to eject the USB stick.  Test your encrypted stick by inserting it, giving the password, and opening it with your file manager. (The notifier may or may not again claim you are not authorized -- ignore it.)  You cannot save anything in the filesystem root, but the DATA folder as well as Lost&Found are yours to use as in any other user-accessible filesystem. When the encrypted stick is inserted in a running system but the correct password is not given, it is detected (i.e. fdisk can see it in /dev) but the filesystem is not mounted.

[bluelupo]

Hi dibl,
a good and clear guidance for our wiki ;-)

[dibl]

Thanks Michael!  PM me an e-mail address if you wish, and I will send you the raw text. 

[bluelupo]

Hi dibl,
you can also create them yourself in siduction Wiki article. Have you ever in a Wiki article created? Is very simple to do, I can do that as well ;-)

[dibl]

I have not made a wiki article myself, but I am willing to learn if you can get me started.   

[bluelupo]

Help:Editing pages

[dibl]

Excellent -- I'll give it a shot.

[dibl]

The good news -- I managed to get a password, login, and make the wiki page.   


The other news -- for the life of me, I could not figure out how to place the page in the table of contents.  I believe it belongs under Hardware - "E" for "Encrypted USB Flash Drive.  But for now, it appears to be located in "Spezial:Anmelden".  Hopefully someone more skilled than I can place it correctly.   

[ayla]

Hi dibl,

You may add [[Category:Hardware]] on top of your article. Then it should appaer there in the table of contents with your already chosen headline. You may also add more categories using the same way twice ore more.

greets
ayla

[dibl]

Perfekt --  vielen Dank!


NOTE:  Edited the guide to include the command to disable ext4 journalling on the flash drive.

[bluelupo]

Hi dibl,

perfect article

[tmhind2]

@dibl, thanks for the follow through with the wiki article it is appreciated. 

[piper]

Perfekt --  vielen Dank!


NOTE:  Edited the guide to include the command to disable ext4 journalling on the flash drive.

Nice job !

[KrunchTime]

FWIW, I have also done this using Veracrypt

[devil]

so does zuluCrypt.


greetz
devil