Encrypting a USB Flash Drive

Given how easy it is to lose flash drives, I always make sure to encrypt them if I intend to store any important information on them. In this post, I’m going to go over the steps for creating an encrypted flash drive under Ubuntu. Note that there are a lot of other tutorials out there that pretty much take you through the same thing with some additional information on security and advanced options (for example, this one, or this one). I’m always forgetting the steps, so I wanted to document it for myself!

Finding the Right Device

The first step is to make sure you have the right device selected. This amounts to plugging in the device and checking out how the kernel registers it. Under Ubuntu, a simple command will print out kernel messages for you:

dmesg

That should print out all of the kernel activity that is being logged. You should see near the bottom a lot of output relating to the USB devices:

[5161642.499490] usb 1-1.2: new high-speed USB device number 8 using ehci-pci
[5161642.593412] usb 1-1.2: New USB device found, idVendor=0781, idProduct=5581
[5161642.593423] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[5161642.593429] usb 1-1.2: Product: Ultra
[5161642.593434] usb 1-1.2: Manufacturer: SanDisk
[5161642.593439] usb 1-1.2: SerialNumber: *********************************
[5161642.838071] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[5161642.838160] scsi7 : usb-storage 1-1.2:1.0
[5161642.838357] usbcore: registered new interface driver usb-storage
[5161643.835928] scsi 7:0:0:0: Direct-Access     SanDisk  Ultra            1.00 PQ: 0 ANSI: 6
[5161643.837080] sd 7:0:0:0: Attached scsi generic sg2 type 0
[5161643.837920] sd 7:0:0:0: [sdc] 31266816 512-byte logical blocks: (16.0 GB/14.9 GiB)
[5161643.838987] sd 7:0:0:0: [sdc] Write Protect is off
[5161643.839003] sd 7:0:0:0: [sdc] Mode Sense: 43 00 00 00
[5161643.840239] sd 7:0:0:0: [sdc] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[5161643.862424]  sdc: sdc1
[5161643.866058] sd 7:0:0:0: [sdc] Attached SCSI removable disk

In this case, you can see that I plugged in a SanDisk USB flash drive, with 16 GB of storage on it. More importantly, the kernel has told us what device name it has assigned to the drive:

[5161643.862424]  sdc: sdc1

As always, it’s a good idea to double check the drive information. The following command prints out the partitions on /dev/sdc:

sudo fdisk /dev/sdc -l

This will print out information relating to the device:

Disk /dev/sdc: 16.0 GB, 16008609792 bytes
255 heads, 63 sectors/track, 1946 cylinders, total 31266816 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1             192    31266815    15633312    c  W95 FAT32 (LBA)

This matches what we expected to see: /dev/sdc is a 16 GB drive, formatted with FAT 32. This is good.

Delete the Existing Partition

The next step is to delete the existing partition, and create a new Linux partition.

WARNING: this will destroy everything on the drive, so be careful! Make sure that the contents of the drive are backed up, and that you check to make sure you are typing the right commands and the right drive letters. As always, make sure you educate yourself if you don’t know what the command is going to do. I am not responsible for any damages that may occur – run any of the following commands at your own risk!

sudo fdisk /dev/sdc

You will now be in the fdisk program. It’s a good idea just to print out the contents of the drive again to confirm this is the correct device:

p

This should give us the same information we saw above:

Disk /dev/sdc: 16.0 GB, 16008609792 bytes
255 heads, 63 sectors/track, 1946 cylinders, total 31266816 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1             192    31266815    15633312    c  W95 FAT32 (LBA)

Since this is the only partition, the delete operation will be applied to it:

d

You should see:

Selected partition 1

Create the New Partition

You can now create a new partition that will hold the encrypted container:

n

And, you will be asked for the type of partition:

Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p):

If this is the only partition you will be creating on the stick, make it a primary partition. If you want several partitions on the stick, things get a little trickier: for historical reasons, an MBR (DOS) partition table allows only 4 primary partitions per disk, but one of them can be an extended partition that holds additional logical drives. That discussion is beyond this simple tutorial. In this case, I made a primary partition:

p

Next, you will be asked to choose the partition number:

Partition number (1-4, default 1):

In this case, I want to use the default of 1:

1

As a side note, the partition number becomes part of the device node you will mount once the partition is created. By making it 1, the partition will show up as /dev/sdX1 when I plug the stick into any computer, where X depends on which other disks are already attached. If I had made it 2, it would be /dev/sdX2.

Next, we are asked for the first sector and the last sector. I just used the defaults so that the partition spans the whole disk. To accept the default values, you just press enter:

First sector (2048-31266815, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-31266815, default 31266815):
Using default value 31266815

With the partition creation complete, I printed out the new partition information with p to see what the new partition looked like:

Command (m for help): p
 
Disk /dev/sdc: 16.0 GB, 16008609792 bytes
64 heads, 32 sectors/track, 15267 cylinders, total 31266816 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x805a51a5
 
Device    Boot Start End      Blocks   Id System
/dev/sdc1      2048  31266815 15632384 83 Linux

With the new partition created, I wrote the partition information to the disk with w, which also quits fdisk.

Create the LUKS Container

Usually at this stage of readying a new drive you would format the partition with a filesystem. With encrypted drives, however, you first need to create an encrypted container. For this, I used cryptsetup with the luksFormat option. I usually stick with the default cipher and hash choices. For those more concerned with the choice of encryption and hash options, check the manpages with man cryptsetup.

sudo cryptsetup luksFormat /dev/sdc1

Issuing the command will prompt you with a warning:

WARNING!
========
This will overwrite data on /dev/sdc1 irrevocably.
 
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:

Make sure you remember the passphrase you type – if you forget it, there is no way to retrieve it. For those interested, the passphrase is associated with a keyslot. Additional passphrases for the same disk can be added to different keyslots. This is useful if more than one person needs to access the disk and you want each of them to have a different passphrase.

Open the Device

Once the container is created, you need to open it. Opening an encrypted container is akin to unlocking it. This is performed with the luksOpen sub-command in cryptsetup:

sudo cryptsetup luksOpen /dev/sdc1 sdc1_crypt

What this does is open the container on /dev/sdc1 and map it to /dev/mapper/sdc1_crypt. You then read and write the mapped device exactly as you would a normal block device; the mapping transparently encrypts data on write and decrypts it on read.

Create the New Filesystem

With the new encrypted container open, you need to create the ext4 filesystem on it:

sudo mke2fs -t ext4 /dev/mapper/sdc1_crypt

This runs through the mke2fs routine:

mke2fs 1.42.9 (4-Feb-2014)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
977280 inodes, 3907584 blocks
195379 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4001366016
120 block groups
32768 blocks per group, 32768 fragments per group
8144 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208
 
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

With the format complete, the new encrypted stick is ready to use!

Note: some tutorials suggest writing zeros or random data to the device prior to creating the filesystem. Why? Most drives ship zeroed out, so even though your data is encrypted, an attacker can see which regions of the drive have been written to, and therefore how much data it holds. The concern is that this information could help an attacker trying to crack your encryption. But since flash media has a limited number of write cycles, a full overwrite is somewhat costly. It’s up to you to determine how far you want to take your security.

Check that Everything Works

Once everything is complete, I always run a quick test to make sure there are no problems. First, close the container:

sudo cryptsetup luksClose sdc1_crypt

And then open it again to make sure your password works, and that the contents can be decrypted correctly:

sudo cryptsetup luksOpen /dev/sdc1 sdc1_crypt

Then, mount the device to make sure that you can actually read the contents:

sudo mount /dev/mapper/sdc1_crypt /mnt/Backup
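Because the whole procedure above hinges on picking the right device, here is the sequence wrapped in a script with pre-flight checks against sysfs and /proc/mounts. This is an added example, not code from the original post; it assumes the Linux partition (/dev/sdX1) has already been created with fdisk as described, and the SYSFS, PROC_MOUNTS, MOUNTPOINT and RUN variables are this script's own knobs so the checks can be exercised against a constructed sysfs tree.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks, then the
# post's cryptsetup/mke2fs steps for one USB stick. SYSFS and PROC_MOUNTS
# are overridable so the checks can be exercised against a constructed tree.
# Assumes the Linux partition (/dev/sdX1) was already created with fdisk.
SYSFS="${SYSFS:-/sys}"
PROC_MOUNTS="${PROC_MOUNTS:-/proc/mounts}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/Backup}"

# 0 if the kernel flags the whole disk (e.g. sdc) as removable media.
disk_is_removable() {
    flag="$SYSFS/block/$1/removable"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# 0 if neither the disk nor any of its partitions is currently mounted.
disk_is_unmounted() {
    ! grep -q "^/dev/$1[0-9]* " "$PROC_MOUNTS"
}

# Capacity in bytes; sysfs reports size in 512-byte sectors, matching the
# "31266816 512-byte logical blocks" line dmesg printed for the 16 GB stick.
disk_size_bytes() {
    echo $(( $(cat "$SYSFS/block/$1/size") * 512 ))
}

# Print the commands in order; execute them only when RUN=1 (dry run otherwise).
encrypt_plan() {
    disk="$1"; part="/dev/${disk}1"; name="${disk}1_crypt"
    disk_is_removable "$disk" || { echo "refusing: $disk is not removable" >&2; return 1; }
    disk_is_unmounted "$disk" || { echo "refusing: $disk has mounted filesystems" >&2; return 1; }
    echo "target $disk: $(disk_size_bytes "$disk") bytes" >&2
    for cmd in \
        "sudo cryptsetup luksFormat $part" \
        "sudo cryptsetup luksOpen $part $name" \
        "sudo mke2fs -t ext4 /dev/mapper/$name" \
        "sudo cryptsetup luksClose $name" \
        "sudo cryptsetup luksOpen $part $name" \
        "sudo mount /dev/mapper/$name $MOUNTPOINT"
    do
        echo "$cmd"
        if [ "${RUN:-0}" = 1 ]; then $cmd || return 1; fi
    done
}
```

Run `encrypt_plan sdc` first to see the plan and the size it resolved, then `RUN=1 encrypt_plan sdc` to execute it; the script refuses any disk the kernel does not mark removable or that still has something mounted.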

Wrapping Up

Encrypting a drive is really easy these days. Simply partition your drive, create the encrypted container in the new partition, and then format the container with the filesystem of your choice. Just remember when you mount the device that you first must use cryptsetup luksOpen to open the container prior to mounting the filesystem!