ISSN 1836-5930

USB stick encryption using Linux
Article Index
1. Introduction
2. Partitioning an USB stick
3.  Write random data
4. Partition encryption
5. Mounting USB partition and decryption
6. Desktop mount of an encrypted USB partition

1. Introduction

If you lose your USB stick, all data stored on it is lost and, more importantly, it will most likely end up in the hands of another person, who will then have access to your private information and can use it in any way s/he sees fit. This is one of the many fears of USB stick users. One easily applied solution is not to store any private information on the USB stick; however, this reduces the usefulness of the stick to a bare minimum, since non-private data usually does not need to be stored on USB at all: it can almost always be downloaded anytime and anywhere from the Internet. Another solution is to encrypt your USB stick so that it is accessible only to users who possess the correct password to decrypt it. This article deals with the second solution: encryption of a USB stick.

Although encrypting a USB stick seems to be the best and easiest solution, it comes with a number of disadvantages. The first is that decryption of the USB stick must be done on a Linux system with kernel version 2.6 or higher that has the "dm_crypt" module loaded in the running kernel. In other words, you cannot use your encrypted USB stick on any Windows machine or on a UNIX-like system with a kernel version below 2.6. Encrypting only the part of the USB stick that holds private information therefore seems to be a good solution. In this article we will use a USB stick with a capacity of 16GB, known to the system as the block device /dev/sdc. We first partition the disk into two partitions, one for encrypted data and the other for non-private data, and then encrypt only the partition intended to hold private data.

NOTE:

All data on your USB stick will be destroyed, so back up your USB stick before continuing. Replace /dev/sdX with the file name of your USB block device.
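
A guard that can be run before any destructive command is pointed at /dev/sdX, added here as an example and not part of the original article: it refuses a target unless sysfs flags it as removable, it is no larger than expected and nothing on it is mounted. The function names, the 64GB default and the SYSFS/MOUNTS overrides are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the article. SYSFS and MOUNTS are hypothetical
# overrides so the check can be exercised against a constructed tree.

# check_usb_target DISK [MAX_GB]: return 0 only if DISK looks like the stick.
check_usb_target() {
    disk=${1#/dev/}                  # accept "sdc" or "/dev/sdc"
    max_gb=${2:-64}                  # assumed upper bound for a USB stick
    sys=${SYSFS:-/sys}/block/$disk
    mounts=${MOUNTS:-/proc/mounts}

    [ -d "$sys" ] || { echo "$disk: no such whole-disk device"; return 1; }

    # USB flash drives normally report removable=1, fixed disks 0.
    [ "$(cat "$sys/removable" 2>/dev/null)" = 1 ] ||
        { echo "$disk: not flagged removable"; return 1; }

    # sysfs reports size in 512-byte sectors.
    gb=$(( $(cat "$sys/size") * 512 / 1000000000 ))
    [ "$gb" -le "$max_gb" ] ||
        { echo "$disk: ${gb}GB exceeds expected ${max_gb}GB"; return 1; }

    # Refuse while the disk or any of its partitions is mounted.
    if grep -q "^/dev/${disk}[0-9]* " "$mounts"; then
        echo "$disk: has mounted partitions, umount them first"; return 1
    fi
    echo "$disk: removable, ${gb}GB, not mounted"
}

# Constructed sample tree: sdc mirrors the article's 16.2GB stick
# (16236150784 bytes = 31711232 sectors), sda stands in for a fixed disk.
make_sample_tree() {
    mkdir -p "$1/block/sdc" "$1/block/sda"
    echo 1 > "$1/block/sdc/removable"; echo 31711232  > "$1/block/sdc/size"
    echo 0 > "$1/block/sda/removable"; echo 976773168 > "$1/block/sda/size"
}

# Usage on a real system, as root, before parted/dd/luksFormat:
#   check_usb_target /dev/sdX && echo "ok to continue"
```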

2. Partitioning an USB stick

Let's start by partitioning the USB stick. Insert your USB stick into the PC's USB slot and, as the root user, execute:

# parted -l

Search the output of the parted command for the disk file name of your USB stick. As mentioned before, in this article we will use /dev/sdc. Once we have the file name of the USB stick, we can create the partitions to be used for encryption and for storage of non-private data. In my case I will split the USB stick into two partitions: the first with a size of 2GB, and the second using the rest of the space. This will produce /dev/sdc1 and /dev/sdc2 respectively. Use any partitioning tool you see fit for this purpose; in this article I will use parted, as it seems to be becoming a standard these days:

# parted /dev/sdX

The following commands are executed within parted's interactive mode:

(parted) mkpart primary 0.0 2GB
(parted) mkpartfs primary fat32 2GB -1s
(parted) quit

The first parted command created a primary partition with a size of 2GB; this partition ( /dev/sdX1 ) will be used to store encrypted data. The second command created a second partition with a fat32 file system ( /dev/sdX2 ) starting at 2GB and extending to the last sector ( -1s ). The second partition will serve as general storage. The final partition table of your USB stick may look similar to the one below:

Disk /dev/sdc: 16.2 GB, 16236150784 bytes
255 heads, 63 sectors/track, 1973 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000cd7ef

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1         243     1951866   83  Linux
/dev/sdc2             244        1974    13903718+   c  W95 FAT32 (LBA)

3.  Write random data

To avoid pattern-based encryption attacks, it is advisable to write random data to the partition before proceeding with the encryption. The following dd command can be used to write such data to your partition. It may take some time; how long depends on the entropy data generated by your system:

# dd bs=4K if=/dev/urandom of=/dev/sdX1

4. Partition encryption

Now it is time to encrypt the newly created partition. For this purpose we will use the cryptsetup tool. If the cryptsetup command is not available on your system, make sure that the cryptsetup package is installed. The following command will encrypt the /dev/sdc1 partition with the 256-bit AES XTS algorithm. This algorithm is available on any kernel with a version higher than 2.6.24.

# cryptsetup -h sha256 -c aes-xts-plain -s 256 luksFormat /dev/sdX1

OUTPUT:

WARNING!
========
This will overwrite data on /dev/sdX1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
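
A check on the result of the luksFormat step above, added here as an example and not part of the original article: it reads the text printed by cryptsetup luksDump and reports the cipher, hash and key size actually recorded in the header. Because XTS splits the master key into two halves, the -s 256 used above keys AES itself with 128 bits. The function names and the sample text are constructed for illustration, and the LUKS1 field names are assumed.

```sh
#!/bin/sh
# Added example, not from the article. Assumes the LUKS1 field names that
# `cryptsetup luksDump` prints for a header created as in section 4.

# luks_audit: luksDump text on stdin -> one summary line on stdout.
# Returns 0 if the header matches the article's settings, 1 if it differs,
# 2 if the input has no LUKS1 "Cipher name" field.
luks_audit() {
    awk '
        { i = index($0, ":"); if (!i) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", val); f[key] = val }
        END {
            name = f["Cipher name"]; mode = f["Cipher mode"]
            hash = f["Hash spec"];   bits = f["MK bits"] + 0
            if (name == "") { print "no LUKS1 header fields found"; exit 2 }
            # XTS splits the master key into a data key and a tweak key,
            # so the cipher itself is keyed with half of "MK bits".
            eff = (mode ~ /^xts/) ? bits / 2 : bits
            printf "%s-%s hash=%s mk=%d cipher_key=%d\n", name, mode, hash, bits, eff
            ok = (name == "aes" && mode ~ /^xts-plain/ && hash == "sha256" && bits == 256)
            exit (ok ? 0 : 1)
        }'
}

# Constructed, abbreviated sample of LUKS1 luksDump output (not a real device).
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sdX1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
EOF
}

# Usage on a real system, as root:  cryptsetup luksDump /dev/sdX1 | luks_audit
```

A return value of 2 on a freshly formatted partition usually means the header is not LUKS1; newer cryptsetup releases create LUKS2 headers by default, whose dump uses different field names.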

5. Mounting USB partition and decryption

In the next step we give our encrypted partition a name under which the system's device mapper will recognize it. You can choose any name. For example, we can use the name "private":

# cryptsetup luksOpen /dev/sdX1 private
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

After executing this command, your encrypted partition will be available to your system as /dev/mapper/private. Now we can create a file system, mount the partition on /mnt/private and make it accessible to yourself:

NOTE: Do not create a file system if you only need to mount your existing encrypted USB partition!

# mkfs.ext2 /dev/mapper/private

Create a mount point and mount the partition:

# mkdir /mnt/private
# mount /dev/mapper/private /mnt/private
# chown -R myusername:myusername /mnt/private

Now your encrypted partition is available in the /mnt/private directory. When you no longer need access to your USB stick's encrypted partition, first unmount it from the system and then use the cryptsetup command to close the device mapping.

# umount /mnt/private 
# cryptsetup luksClose /dev/mapper/private

6. Desktop mount of an encrypted USB partition

Your desktop may react to an encrypted partition with a pop-up dialog prompting you to enter the password for your encrypted partition, as is the case with Ubuntu Lucid Lynx 10.04, for example.

However, some Linux systems may not provide any facility to mount encrypted partitions, and you will have to do it manually ( see section "Mounting USB partition and decryption" for details ). In any case, make sure that you have the cryptsetup package installed, and thus the dm_crypt module loaded into the running kernel, in order to use your encrypted USB stick.



Comments (8)
  • Guy

    truecrypt seems a lot less hassle to use in order to secure data

  • DaveQB  - Thanks

    Good work. Thanks!

  • emariz

    Read Debian's, Fedora's, Ubuntu's or Gentoo's documentation and you'll see that "/dev/sdX" is used instead of the actual partition ("/dev/sdc"). If someone doesn't understand it, she has bigger problems to solve.
    The line "NOTE: Do not create a file system if your are only need to mount your existing enctypted USB partition !" makes no sense in English.

  • lubos

    Thanks for the enlightenment. The only thing is that this article is not debian, fedora, ubuntu or gentoo documentation. If the debian, fedora, ubuntu or gentoo documentation are so great, what do we have thousands of other linux websites for? The reason is that they are either too detailed or too abstract for a new linux user.

    I'm just trying to reduce the abstraction in all articles so that any person with very little linux knowledge can read and use it instantly. I have some teaching experience and know how students react to something which is not obvious at first sight. So I'm convinced that I will teach someone more with /dev/sdc than /dev/sdX. If the /dev/sdc is the only problem in this article I'm happy :-)

    >The line "NOTE: Do not create a file system if your are only need to mount your existing enctypted USB partition !" makes no sense in English.

    thanks for that I have corrected it.

  • jackd

    I doubt my opinion will matter either since you seem defensive about this, but using /dev/sdX is quite a good idea. Much clearer than using a name that might correspond to an actual disk on the user's system.

    Anyways, this is a small suggestion to maybe improve an already nice, well-written article. But even good articles can sometimes be improved.

  • Lubos  - using /dev/sdX is quite a good idea.

    Well any polite opinion matters. Three suggestions ! I would go against the wall if I would not change it.

    thanks

  • macias

    For the love of God, instead of adding a useless warning, change your article and use /dev/sdX instead of /dev/sdc. It is better for the reader to be figuring out how to make it work than figuring out how to restore all the data lost.

  • lubos

    well great idea. However, I do not think that it's much better for a reader. It has advantages but I prefer /dev/sdc. /dev/sdX is understandable for you but not for everyone. /dev/sdc will match all commands in the article and the reader can make its own picture. What is more, in case the reader has its USB as /dev/sdc it can just copy and paste !

    PS: believe my god has nothing to do with /dev/sdc :-)
