Encrypt your usb key under Linux with LUKS
This morning, I formatted my USB key and created 2 partitions, a FAT one to share files with most hosts, and an encrypted ext2 one for my personal data. The first part is very simple (fdisk, mkfs.vfat), and so was the encrypted part: it’s much simpler than in the past, when you had to patch the kernel many times, losetup the device, try the passkey, etc.
To do that, I followed the “Howto disk encryption with dm crypt luks and debian” tutorial.
The procedure for me was the following. First, we create the partitions with fdisk:
$ fdisk /dev/sdb
Command (m for help): p
Disk /dev/sdb: 8053 MB, 8053063680 bytes
248 heads, 62 sectors/track, 1022 cylinders
Units = cylinders of 15376 * 512 = 7872512 bytes
Disk identifier: 0x000cb690
Device Boot Start End Blocks Id System
/dev/sdb1 1 819 6296441 c W95 FAT32 (LBA)
/dev/sdb2 820 1022 1560664 83 Linux
$ mkfs.vfat -n "voyager" /dev/sdb1
[...]
$ dd if=/dev/urandom of=/dev/sdb2
Disk initialization: we create the encrypted layer on the device:
$ cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb2
WARNING!
========
This will overwrite data on /dev/sdb2 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
$ cryptsetup luksOpen /dev/sdb2 cryptedDevice
Enter passphrase for /dev/sdb2:
Key slot 0 unlocked.
$ ls -l /dev/mapper/
total 0
crw-rw---- 1 root root 10, 62 2010-03-29 11:56 control
brw-rw---- 1 root disk 253, 3 2010-05-14 13:14 cryptedDevice
You’ll have a /dev/mapper/cryptedDevice, which is a virtual device, and you’ll be able to format it:
$ mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/cryptedDevice
mke2fs 1.41.9 (22-Aug-2009)
(...)
$ mkdir /mnt/cryptedUsbKey ; mount /dev/mapper/cryptedDevice /mnt/cryptedUsbKey
At this moment, the device is mounted and fully usable! To unmount and disconnect it:
$ umount /mnt/cryptedUsbKey
$ cryptsetup luksClose /dev/mapper/cryptedDevice
With Ubuntu/Fedora, when an encrypted partition has been created on a key like this, you just have to unplug and replug the USB key: the encrypted partition is recognized and mounted automatically (a GUI pops up asking you for the passphrase). On other systems, you may have to recreate the virtual device yourself (with cryptsetup luksOpen). You’ll also be able to add/remove passphrases with luksAddKey and luksDelKey.
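For systems without the automatic popup, here is a small wrapper around the luksOpen/mount and umount/luksClose steps above, with the sanity checks worth doing before pointing cryptsetup at a device. This is an added example, not code from the original post or the linked tutorial; it assumes cryptsetup is installed, the partition was already luksFormat’ed as shown, and the device, mapper name and mount point are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the luksOpen/mount and
# umount/luksClose steps with the checks worth doing before touching a device.
# Assumes cryptsetup is installed and the partition was luksFormat'ed as above.
set -eu

# Accept only a plain partition node such as /dev/sdb2: no subdirectories,
# spaces or "..", so a typo cannot send luksOpen to an unexpected path.
valid_partition_path() {
    case "$1" in
        /dev/*/*|*' '*|*..*) return 1 ;;
        /dev/[a-z]*[0-9])     return 0 ;;
        *)                    return 1 ;;
    esac
}

# The mapper name becomes /dev/mapper/<name>; keep it to a simple token.
valid_mapper_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Succeeds if $1 appears as device or mount point in the mounts table.
# $2 overrides the table (default /proc/mounts) so the check can be run
# against a constructed file. Caveat: some systems list mapper devices as
# /dev/dm-N rather than /dev/mapper/<name>; matching the mount point avoids that.
is_mounted() {
    awk -v p="$1" '$1 == p || $2 == p { f = 1 } END { exit !f }' "${2:-/proc/mounts}"
}

luks_open_and_mount() {   # luks_open_and_mount /dev/sdb2 cryptedDevice /mnt/cryptedUsbKey
    valid_partition_path "$1" || { echo "bad device path: $1" >&2; return 1; }
    valid_mapper_name "$2"    || { echo "bad mapper name: $2" >&2; return 1; }
    # A partition mounted directly is not our LUKS container: probably the wrong device.
    is_mounted "$1" && { echo "$1 is mounted directly, refusing" >&2; return 1; }
    cryptsetup luksOpen "$1" "$2"
    mkdir -p "$3"
    mount "/dev/mapper/$2" "$3"
}

luks_umount_and_close() { # luks_umount_and_close cryptedDevice /mnt/cryptedUsbKey
    valid_mapper_name "$1" || return 1
    if is_mounted "$2"; then umount "$2"; fi   # luksClose fails while still mounted
    cryptsetup luksClose "$1"
}

case "${1:-}" in
    open)  luks_open_and_mount "$2" "$3" "$4" ;;
    close) luks_umount_and_close "$2" "$3" ;;
esac
```

Run it as root: `./luks-key.sh open /dev/sdb2 cryptedDevice /mnt/cryptedUsbKey` and `./luks-key.sh close cryptedDevice /mnt/cryptedUsbKey`.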
See also Encrypted Device Using LUKS.