Protecting your USB sticks with encryption
Atick Security
How easy is it to lose a USB stick? Why not protect your data just in case the stick falls into unfriendly hands?
Many users carry critical information around on USB sticks. The information on the stick might include passwords, email addresses, spreadsheets, and other confidential information. If the stick is lost, the data could fall into the wrong hands. In this article, I'll show you how to encrypt information stored on USB sticks.
Encryption takes the worries out of carrying around USB treasures. Thanks to the device mapper infrastructure introduced with kernel 2.6, Linux now lets you add a protective shield to a filesystem. The dm_crypt kernel module uses this approach to encapsulate filesystems in an encryption layer. To mount the partition or hard disk, you first need to remove the protection by entering the correct password (Figure 1).
Sticks encrypted in this way only work with a kernel that includes the dm_crypt module. The stick will not work on Windows. The module also needs to know the encryption method; for example, kernel 2.6.24 optionally uses the aes-xts-plain algorithm, which the previous kernel version did not have. This means a stick encrypted with aes-xts-plain on Ubuntu 8.04 will not mount on Ubuntu 7.10, although a stick created with earlier versions will work on later releases.
Encrypting the Stick
Regardless of whether you are encrypting or decrypting a partition, you need the cryptsetup package. Both Ubuntu and openSUSE let you install cryptsetup through the package manager. Of course, you can encrypt normal hard disks as well as partitions, but be careful: If you accidentally type /dev/sda1 instead of /dev/sdb1, you will not be able to access your root partition. Also, you need to format the partition before encrypting, which would destroy all the data on it.
To start, open up a console; then type tail -f /var/log/messages. When you plug the USB stick into your computer, the console will output all kinds of information, including sdb: sbd1. This line tells you the drive name that Linux has assigned to the stick. The following examples use sdb; make sure you replace this with the drive name for your own USB stick.
Linux typically auto-mounts USB sticks. On KDE 3, you are asked whether you want to open the newly found medium in a new window. Gnome doesn't bother asking, and KDE 4 displays an information dialog in the panel pointing the way to the new drive.
The following steps are all performed at the command line. The commands that start with sudo on Ubuntu need root privileges on openSUSE; to become root, type su root and then type the root password. To launch the fdisk partitioning tool, type sudo fdisk /dev/sdb.
You can use the keyboard to control fdisk. D deletes an existing partition. N followed by P creates a new, primary partition. Type 1 to create the first primary partition, and then press Enter twice to use the stick. W writes the changes out to the USB stick.
Next, fill the partition with random data:
$ sudo dd bs=4K if=/dev/urandom of=/dev/sdb1
The random data is to avoid giving potential attackers any clues as to the scope and size of the encrypted data. To accelerate the process, the bs=4K parameter sets the block size to 4 KB.
Then you can type sudo modprobe dm_crypt to load the kernel module. To use the stick on your own system later, you should add the name of the module to the /etc/modules file. To do this on Ubuntu, type sudo su to assume root privileges and then type:
# echo dm_crypt >> /etc/modules
Then use the cryptsetup tool and the device mapper to create the protection layer (Figure 2):
$ sudo cryptsetup -yvh sha256 -caes-xts-plain -s 256 luksFormat/dev/sdb1
The -yvh sha256 option prompts you for the password twice and stores the password in a 256-bit hash. The -c option lets you specify the encryption method. This example calls for the AES XTS algorithm with a 256-bit key length (-s 256). If you intend to use the stick with systems that have a kernel prior to version 2.6.24, select -c aes-lrw-benbi as the encryption algorithm. For kernel versions prior to 2.6.20, choose -c aes-cbc-essiv:sha256.
The luksFormat command, which initiates the partition, is part of the LUKS standard (see the "LUKS" box). You need to set a password. The second step is to type luksOpen to access the encrypted partition (Listing 1, Line 1). You can choose any name (secret, in this case) when mounting the drive via the device mapper.
Listing 1
Encrypting a USB stick
After you type the command, cryptsetup prompts you to enter the password you just created. You will need to repeat this command whenever you want to mount the encrypted stick. Now you can access the unencrypted partition via the /dev/mapper/secret mount point, but you still don't have a filesystem. You can create a filesystem by typing mkfs.ext3 (Listing 1, Line 2). After doing so, mount the filesystem on the stick (Listing 1, Line 3).
The stick, which is now mounted in your /mnt directory, might need a slight modification. To change the owner of the files on the stick, use chmod user:user with your standard user account.
Then you can go on to write files to the stick using your file manager. When you are done, unmount the stick by typing sudo umount /mnt. To close down the protective shield, type luksClose (Listing 1, Line 5).
LUKS
LUKS stands for Linux Unified Key Setup. The LUKS standard cooperates with the dm_crypt kernel module to add a standardized header and specify a format for the data in encrypted partitions. LUKS can handle multiple passwords and it is immune from dictionary attacks.
Decryption
Desktops react in different ways when you plug in a crypto stick. On KDE 4, you need to click the Volume entry on the left in Dolphin to display the password prompt (Figure 1). Gnome will usually display the password prompt automatically. Also, it is important to load the dm_crypt kernel on any Linux system you will use with the USB stick.
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.