Skip to main content

USB Flash Drive Encryption

Securing data on a USB pendrive can allow you to carry around useful, yet sensitive data with very few concerns. This post outlines a way of cryptographically securing a USB pendrive using crypsetup and LUKS in such a way that a drive may be unlocked on most Linux system without the addition of extra software (e.g. TruCrypt). As an added bonus it's possible to mount the drive in a Windows environment as well. Hurrah!

The first thing to decide is how you are going to partition your drive. I find it useful to have an unencrypted partition as well as the encrypted as this affords the convenience and functionality as well as offering security. The primary consideration here is that natively Widows will only recognise the first partition on the pendrive, so if you wish to have an open data partition let it be the first.

Below shows how an 8GB pendrive (in this case the device is /dev/sdh) is split roughly is half with an ~4GB FAT32 partition at the front. Use you favorite partitioning program to achieve your desired affect.
Disk /dev/sdh: 8086 MB, 8086618112 bytes
249 heads, 62 sectors/track, 1023 cylinders
Units = cylinders of 15438 * 512 = 7904256 bytes
Disk identifier: 0x6f20736b

   Device Boot   Start    End     Blocks   Id  System
/dev/sdh1   *        1    518    3998411    c  W95 FAT32 (LBA)
/dev/sdh2          519   1023    3898095    c  W95 FAT32 (LBA)

So from now on we're working with /dev/sdh2 for our encrypted partition. using cryptsetup we can now setup the encryptedness:

# cryptsetup luksFormat /dev/sdh2

Now you'll be prompted for a passphrase. Be sure to choose something nice and long here as this will be all that's protecting your data (try running 'pwgen 20' if you are having trouble thinking of one).
This will overwrite data on /dev/sdh2 irrevocably. 
Are you sure? 
(Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

Now we can open the encrypted drive and map as a device:

# cryptsetup luksOpen /dev/sdh2 usb_crypt

The 'usb_crypt' in the above command will become the name of your device in /dev/mapper and can be anything you like it to be. Here you'll be prompted for the password we set above.

Next the drive will need a file system on it, here I've opted for a FAT32, but this could be whatever you prefer.

# mkfs.vfat /dev/mapper/usb_crypt

And all that's left to do is mount it!

# mount -t vfat /dev/mapper/usb-crypt /mnt

If you are using a friendly distribution like Ubuntu you should now be able to eject your drive the same way you would any other USB pendrive. The OS should also detect the encrypted partition on insertion, prompting you for the password. If however you are in a position where you need/prefer to do things the manual way you will need to close the encrypted volume manually before ejecting the drive, unsurprisingly this is done as follows:

# cryptsetup luksClose /dev/sdh2 usb_crypt

You may now open and mount your partition as above whenever it's required in future using the methods above.

If you wish to be able to mount your encrypted partition under a windows OS you will need to take a look at FreeOTFE. At this time I have not tried it yet; updates to come.

Inspiration for this post was drawn from


Popular posts from this blog

Moodle on Centos or Red Hat 7 (with SELinux!)

Why the need for another 'Installing Moodle' guide? Two reasons, Systemd and SELinux. The steps are presented as a Bash script, which may be run on a virgin system, installing a complete working Moodle stack in one go, including enforcing SELinux. In addition to the absolute basics it also includes adding ClamAV virus for file uploads and Memcached for sessions and 'MUC'. It does not cover any extras you will need to get your site up to production, e.g. securing your database  or updating your virus definitions automatically. Neither does it do any extra PHP configuration (upload limits, execution time etc.) or any extra complexities that might be desirable. For all of this you should goto .

Spawning many VirtualBox machines from a single VDI

What I'm taking about here is a way to have many VirtualBox machines based upon a single hard drive image. There are many reasons why you might like to do this, but the most compelling is probably saving time by not having to install an OS over and over again, especially useful if you do anything like software testing. Our goal is a single vdi (virtual disk) file which contains a vanilla installation of our favourite OS which we can then use to conjure up a fresh new machine in a jiffy. Assuming you already have VirtualBox installed our first step is (maybe for the last time ever!) to install our OS into a new virtual machine. Now I shan't go through this as it's pretty straight forward and if you're reading this it's the sort of thing you have probably done a hundred times before. One thing of note during the initial setup is the 'Virtual Hard Disk' configuration. Be sure to allocate enough space to allow for all potential applications of the image. It wou

Row a Concept2 on Zwift with a $10 Raspberry Pi!

Short story, I made a program. Instructions and download here: Despite there being an appetite for rowing in Zwift the fact is a rowing machine is not a bicycle and a Concept2 rower won't connect directly to Zwift. The Zwift gods tease a rowing release every now and again, but it's been coming 'soon' for years now. Don't hold your breath. But people do row in Zwift, so how do they do it? To get the data from the rowers computer, the PM5, into something Zwift recognises as a bicycle you need a device that translates between the rower and the device running Zwift. There are solutions already available to do this. Some are expensive like the  NPE CABLE (about £90 in the UK) and some are 'free' like the  RowedBiker  app. The downside with RowedBiker is that it needs to run on a extra device separate from the one running Zwift. If you have a compatible device lying around, great, otherwise you'll need to buy one. Meanwh