Protecting your USB sticks with encryption
Stick Security
How easy is it to lose a USB stick? Why not protect your data just in case the stick falls into unfriendly hands?
Many users carry critical information around on USB sticks. The information on the stick might include passwords, email addresses, spreadsheets, and other confidential information. If the stick is lost, the data could fall into the wrong hands. In this article, I'll show you how to encrypt information stored on USB sticks.
Encryption takes the worries out of carrying around USB treasures. Thanks to the device mapper infrastructure introduced with kernel 2.6, Linux now lets you add a protective shield to a filesystem. The dm_crypt kernel module uses this approach to encapsulate filesystems in an encryption layer. To mount the partition or hard disk, you first need to remove the protection by entering the correct password (Figure 1).
Sticks encrypted in this way only work with a kernel that includes the dm_crypt module. The stick will not work on Windows. The module also needs to know the encryption method; for example, kernel 2.6.24 optionally uses the aes-xts-plain algorithm, which the previous kernel version did not have. This means a stick encrypted with aes-xts-plain on Ubuntu 8.04 will not mount on Ubuntu 7.10, although a stick created with earlier versions will work on later releases.
Encrypting the Stick
Regardless of whether you are encrypting or decrypting a partition, you need the cryptsetup package. Both Ubuntu and openSUSE let you install cryptsetup through the package manager. Of course, you can encrypt normal hard disks as well as partitions, but be careful: If you accidentally type /dev/sda1 instead of /dev/sdb1, you will not be able to access your root partition. Also, you need to format the partition before encrypting, which would destroy all the data on it.
To start, open up a console; then type tail -f /var/log/messages. When you plug the USB stick into your computer, the console will output all kinds of information, including a line such as sdb: sdb1. This line tells you the drive name that Linux has assigned to the stick. The following examples use sdb; make sure you replace this with the drive name for your own USB stick.
Linux typically auto-mounts USB sticks. On KDE 3, you are asked whether you want to open the newly found medium in a new window. Gnome doesn't bother asking, and KDE 4 displays an information dialog in the panel pointing the way to the new drive.
The following steps are all performed at the command line. The commands that start with sudo on Ubuntu need root privileges on openSUSE; to become root, type su root and then type the root password. To launch the fdisk partitioning tool, type sudo fdisk /dev/sdb.
You can use the keyboard to control fdisk. D deletes an existing partition. N followed by P creates a new, primary partition. Type 1 to create the first primary partition, and then press Enter twice to accept the defaults so that the partition uses the whole stick. W writes the changes out to the USB stick.
Next, fill the partition with random data:
$ sudo dd bs=4K if=/dev/urandom of=/dev/sdb1
The random data is to avoid giving potential attackers any clues as to the scope and size of the encrypted data. To accelerate the process, the bs=4K parameter sets the block size to 4 KB.
Then you can type sudo modprobe dm_crypt to load the kernel module. To use the stick on your own system later, you should add the name of the module to the /etc/modules file. To do this on Ubuntu, type sudo su to assume root privileges and then type:
# echo dm_crypt >> /etc/modules
Then use the cryptsetup tool and the device mapper to create the protection layer (Figure 2):
$ sudo cryptsetup -yvh sha256 -c aes-xts-plain -s 256 luksFormat /dev/sdb1
The -yvh sha256 options prompt you for the password twice (-y), enable verbose output (-v), and use SHA-256 as the hash for the password (-h sha256). The -c option lets you specify the encryption method. This example calls for the AES XTS algorithm with a 256-bit key length (-s 256). If you intend to use the stick with systems that have a kernel prior to version 2.6.24, select -c aes-lrw-benbi as the encryption algorithm. For kernel versions prior to 2.6.20, choose -c aes-cbc-essiv:sha256.
The luksFormat command, which initializes the partition, is part of the LUKS standard (see the "LUKS" box). You need to set a password. The second step is to type luksOpen to access the encrypted partition (Listing 1, Line 1). You can choose any name (secret, in this case) when mapping the drive via the device mapper.
Listing 1
Encrypting a USB stick
After you type the command, cryptsetup prompts you to enter the password you just created. You will need to repeat this command whenever you want to mount the encrypted stick. Now you can access the unencrypted partition via the /dev/mapper/secret mount point, but you still don't have a filesystem. You can create a filesystem by typing mkfs.ext3 (Listing 1, Line 2). After doing so, mount the filesystem on the stick (Listing 1, Line 3).
The stick, which is now mounted in your /mnt directory, might need a slight modification. To change the owner of the files on the stick to your standard user account, use chown user:user on the mount point.
Then you can go on to write files to the stick using your file manager. When you are done, unmount the stick by typing sudo umount /mnt. To close down the protective shield, type luksClose (Listing 1, Line 5).
LUKS
LUKS stands for Linux Unified Key Setup. The LUKS standard cooperates with the dm_crypt kernel module to add a standardized header and specify a format for the data in encrypted partitions. LUKS can handle multiple passwords and it is immune from dictionary attacks.
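The steps above, from filling the partition with random data through luksFormat, luksOpen, mkfs.ext3, mount and luksClose, plus a second passphrase slot as mentioned in the LUKS box, collected into one POSIX shell script. This is an added example, not code from the article or from the cryptsetup project. It keeps the article's names (the secret mapper name, the /mnt mount point, the sdb-style device names); the root-disk safety check, the kernel-version lookup that picks the cipher from the article's table, and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: LUKS setup for a USB stick, following the article's steps.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them.

# Either print a command or run it, depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Turn "2.6.24-19-generic" into 2006024 so kernel versions can be compared.
kernel_number() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$v" | tr . ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    echo $((maj * 1000000 + min * 1000 + pat))
}

# Cipher choice from the article: XTS from 2.6.24, LRW from 2.6.20, CBC-ESSIV before.
cipher_for_kernel() {
    n=$(kernel_number "$1")
    if [ "$n" -ge "$(kernel_number 2.6.24)" ]; then
        echo aes-xts-plain
    elif [ "$n" -ge "$(kernel_number 2.6.20)" ]; then
        echo aes-lrw-benbi
    else
        echo aes-cbc-essiv:sha256
    fi
}

# Safety check (assumption of this example): the target must be a partition such
# as /dev/sdb1, and it must not be on the disk that holds the root filesystem.
# $1 = target partition, $2 = device backing / (e.g. from findmnt).
check_target_device() {
    target="$1"
    root_src="$2"
    case "$target" in
        /dev/sd[a-z][0-9]*) ;;
        *) echo "refusing: $target is not a partition name like /dev/sdb1" >&2; return 1 ;;
    esac
    target_disk=$(printf '%s' "$target" | sed 's/[0-9]*$//')
    root_disk=$(printf '%s' "$root_src" | sed 's/[0-9]*$//')
    if [ "$target_disk" = "$root_disk" ]; then
        echo "refusing: $target shares a disk with the root filesystem ($root_src)" >&2
        return 1
    fi
    return 0
}

# Full setup: $1 = partition, $2 = mapper name (default secret), $3 = kernel version.
encrypt_stick() {
    dev="$1"; name="${2:-secret}"; kver="${3:-$(uname -r)}"
    root_src=$(findmnt -no SOURCE / 2>/dev/null || true)
    check_target_device "$dev" "${root_src:-unknown}" || return 1
    cipher=$(cipher_for_kernel "$kver")
    run sudo dd bs=4K if=/dev/urandom of="$dev"          # hide the extent of the data
    run sudo modprobe dm_crypt
    run sudo cryptsetup -yvh sha256 -c "$cipher" -s 256 luksFormat "$dev"
    run sudo cryptsetup luksOpen "$dev" "$name"           # asks for the passphrase
    run sudo mkfs.ext3 "/dev/mapper/$name"
    run sudo mount "/dev/mapper/$name" /mnt
    run sudo chown "$(id -un):$(id -gn)" /mnt
    run sudo cryptsetup luksDump "$dev"                   # shows cipher and used key slots
}

# LUKS keeps several key slots, so a second passphrase can be added later.
add_stick_key() {
    run sudo cryptsetup luksAddKey "$1"
}

# Unmount and close the mapping again.
close_stick() {
    name="${1:-secret}"
    run sudo umount /mnt
    run sudo cryptsetup luksClose "$name"
}

if [ $# -gt 0 ]; then
    encrypt_stick "$@"
fi
```

Run it as sh luks-stick.sh /dev/sdb1 secret to see the commands it would issue, and with DRY_RUN=0 in the environment to actually execute them; the check in check_target_device is what stops the /dev/sda1 versus /dev/sdb1 mistake the article warns about.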
Decryption
Desktops react in different ways when you plug in a crypto stick. On KDE 4, you need to click the Volume entry on the left in Dolphin to display the password prompt (Figure 1). Gnome will usually display the password prompt automatically. Also, it is important to load the dm_crypt kernel module on any Linux system you will use with the USB stick.