Protecting your USB sticks with encryption

Atick Security

© Marcio Eugenio,

© Marcio Eugenio,


How easy is it to lose a USB stick? Why not protect your data just in case the stick falls into unfriendly hands?

Many users carry critical information around on USB sticks. The information on the stick might include passwords, email addresses, spreadsheets, and other confidential information. If the stick is lost, the data could fall into the wrong hands. In this article, I'll show you how to encrypt information stored on USB sticks.

Encryption takes the worries out of carrying around USB treasures. Thanks to the device mapper infrastructure introduced with kernel 2.6, Linux now lets you add a protective shield to a filesystem. The dm_crypt kernel module uses this approach to encapsulate filesystems in an encryption layer. To mount the partition or hard disk, you first need to remove the protection by entering the correct password (Figure 1).

Figure 1: KDE 4 prompts the user for the password protecting the LUKS-encrypted USB stick.

Sticks encrypted in this way only work with a kernel that includes the dm_crypt module. The stick will not work on Windows. The module also needs to know the encryption method; for example, kernel 2.6.24 optionally uses the aes-xts-plain algorithm, which the previous kernel version did not have. This means a stick encrypted with aes-xts-plain on Ubuntu 8.04 will not mount on Ubuntu 7.10, although a stick created with earlier versions will work on later releases.

Encrypting the Stick

Regardless of whether you are encrypting or decrypting a partition, you need the cryptsetup package. Both Ubuntu and openSUSE let you install cryptsetup through the package manager. Of course, you can encrypt normal hard disks as well as partitions, but be careful: If you accidentally type /dev/sda1 instead of /dev/sdb1, you will not be able to access your root partition. Also, you need to format the partition before encrypting, which would destroy all the data on it.

To start, open up a console; then type tail -f /var/log/messages. When you plug the USB stick into your computer, the console will output all kinds of information, including sdb: sbd1. This line tells you the drive name that Linux has assigned to the stick. The following examples use sdb; make sure you replace this with the drive name for your own USB stick.

Linux typically auto-mounts USB sticks. On KDE 3, you are asked whether you want to open the newly found medium in a new window. Gnome doesn't bother asking, and KDE 4 displays an information dialog in the panel pointing the way to the new drive.

The following steps are all performed at the command line. The commands that start with sudo on Ubuntu need root privileges on openSUSE; to become root, type su root and then type the root password. To launch the fdisk partitioning tool, type sudo fdisk /dev/sdb.

You can use the keyboard to control fdisk. D deletes an existing partition. N followed by P creates a new, primary partition. Type 1 to create the first primary partition, and then press Enter twice to use the stick. W writes the changes out to the USB stick.

Next, fill the partition with random data:

$ sudo dd bs=4K if=/dev/urandom of=/dev/sdb1

The random data is to avoid giving potential attackers any clues as to the scope and size of the encrypted data. To accelerate the process, the bs=4K parameter sets the block size to 4 KB.

Then you can type sudo modprobe dm_crypt to load the kernel module. To use the stick on your own system later, you should add the name of the module to the /etc/modules file. To do this on Ubuntu, type sudo su to assume root privileges and then type:

# echo dm_crypt >> /etc/modules

Then use the cryptsetup tool and the device mapper to create the protection layer (Figure 2):

$ sudo cryptsetup -yvh sha256 -caes-xts-plain -s 256 luksFormat/dev/sdb1

The -yvh sha256 option prompts you for the password twice and stores the password in a 256-bit hash. The -c option lets you specify the encryption method. This example calls for the AES XTS algorithm with a 256-bit key length (-s 256). If you intend to use the stick with systems that have a kernel prior to version 2.6.24, select -c aes-lrw-benbi as the encryption algorithm. For kernel versions prior to 2.6.20, choose -c aes-cbc-essiv:sha256.

Figure 2: Bullet-proof vest: Cryptsetup lets you encapsulate the /dev/sdb1 partition in a protective layer.

The luksFormat command, which initiates the partition, is part of the LUKS standard (see the "LUKS" box). You need to set a password. The second step is to type luksOpen to access the encrypted partition (Listing 1, Line 1). You can choose any name (secret, in this case) when mounting the drive via the device mapper.

Listing 1

Encrypting a USB stick

01 $ sudo cryptsetup luksOpen /dev/sdb1 secret
02 $ sudo mkfs.ext3 /dev/mapper/secret
03 $ sudo mount /dev/mapper/secret /mnt
04 $ sudo chmod -R user:user /mnt
05 $ sudo cryptsetup luksClose /dev/mapper/secret

After you type the command, cryptsetup prompts you to enter the password you just created. You will need to repeat this command whenever you want to mount the encrypted stick. Now you can access the unencrypted partition via the /dev/mapper/secret mount point, but you still don't have a filesystem. You can create a filesystem by typing mkfs.ext3 (Listing 1, Line 2). After doing so, mount the filesystem on the stick (Listing 1, Line 3).

The stick, which is now mounted in your /mnt directory, might need a slight modification. To change the owner of the files on the stick, use chmod user:user with your standard user account.

Then you can go on to write files to the stick using your file manager. When you are done, unmount the stick by typing sudo umount /mnt. To close down the protective shield, type luksClose (Listing 1, Line 5).


LUKS stands for Linux Unified Key Setup. The LUKS standard cooperates with the dm_crypt kernel module to add a standardized header and specify a format for the data in encrypted partitions. LUKS can handle multiple passwords and it is immune from dictionary attacks.


Desktops react in different ways when you plug in a crypto stick. On KDE 4, you need to click the Volume entry on the left in Dolphin to display the password prompt (Figure 1). Gnome will usually display the password prompt automatically. Also, it is important to load the dm_crypt kernel on any Linux system you will use with the USB stick.

Read full article as PDF:

Related content

  • DM-Crypt/ LUKS

    Encrypting a home directory is easy. Encrypting your whole hard disk – including the root filesystem – takes a little more effort.

  • Encrypted Filesystems

    If you’re not a security expert and you're looking for a crypto filesystem, you may be wondering about the alternatives. We took at a look at some popular crypto options for Linux.

  • DM-Crypt

    If you’re serious about keeping secrets, try hard disk encryption with DM-Crypt and LUKS.

  • Encrypting Block Devices

    The recent revelations about NSA spying have sparked renewed interest in data encryption. Encrypting at the file level is quick and easy, but if you're looking for an extra dose of protection, try encrypting the whole block device.

  • CD Encryption

    An encrypted hard disk on your server is no help if valuable data on CDs or DVDs falls into the hands of spies. We’ll show you some convenient solutions for encrypting data on removable media.

comments powered by Disqus

Direct Download

Read full article as PDF:


njobs Europe
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia