28 Oct 2006

Encrypted USB drive in Ubuntu

Posted by Jacob Emcken

Today I went to the Linuxforum BOF day, where I attended a session about encrypting your personal files. That reminded me of a post I read some time ago (check out the screencast). I guessed that this functionality would be in Ubuntu Edgy by now, so I just went ahead and tried to encrypt my USB pen drive.

This is how I did it:

  1. First install the needed software

    sudo apt-get install cryptsetup
    
  2. Make sure your USB disk isn’t mounted. Then partition the USB pen drive the way you want it, if it isn’t already partitioned (I made one big partition on mine, /dev/sda1). Check in dmesg which device name the pen drive actually got before you go on: on many machines /dev/sda is the internal hard disk, and step 4 overwrites whatever device you name.
    Note: Don’t mount the disk afterwards!

  3. If you haven’t rebooted your computer since you installed the cryptsetup package, you may have to load the device-mapper crypt module manually:

    sudo modprobe dm-crypt
    
  4. Now make the partition encrypted. This wipes whatever is on it, and afterwards the passphrase is the only way back in, so choose one you will remember (cryptsetup luksAddKey can later register a second passphrase as a fallback):

    $ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sda1
    
    WARNING!
    ========
    This will overwrite data on /dev/sda1 irrevocably.
    
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: 
    Verify passphrase: 
    Command successful.
    

    If you get the error:

    Failed to setup dm-crypt key mapping.
    Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda1 contains at least 133 sectors.
    

    make sure that the disk isn’t mounted and that you are using the right device: dmesg shows which device name the disk was assigned. Also check that the dm-crypt module is loaded (lsmod | grep dm).

  5. Now attach the encrypted partition; this creates the decrypted block device /dev/mapper/sda1:

    $ sudo cryptsetup luksOpen /dev/sda1 sda1
    Enter LUKS passphrase:
    key slot 0 unlocked
    Command successful.
    
  6. Now create a filesystem on the new encrypted device. Note that the top directory of a fresh ext3 filesystem belongs to root, so an ordinary user gets “permission denied” when writing to it until it has been mounted once and its ownership changed with chown:

    sudo mkfs.ext3 /dev/mapper/sda1
    
  7. Remove the temporary device mapped to the encrypted partition:

    sudo cryptsetup luksClose sda1
    
  8. Now remove your USB disk from the USB port and reinsert it; Ubuntu should detect the LUKS partition and ask for the passphrase.
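The eight steps above collected into one guarded script, as an added example (mine, not the post’s own code). It runs exactly the cryptsetup, mkfs and modprobe commands from the steps, but first refuses to proceed when the target device, or any partition of it, is mounted or carries the root filesystem, which is the check that makes the “make sure you are using the right device” warning in step 4 stick. The device name /dev/sdc1, the mapping name usbcrypt and the --dry-run flag are assumptions of the example; on your machine take the device name from dmesg.

```python
#!/usr/bin/env python3
"""Guarded version of the cryptsetup steps in the post (added example, not the post's code).

Usage, as root on Linux with cryptsetup installed:
    sudo python3 luks_usb.py /dev/sdc1 usbcrypt
/dev/sdc1 and usbcrypt are placeholders; use the device dmesg reported for your stick.
Add --dry-run to only print the commands that would be executed.
"""
import os
import re
import stat
import subprocess
import sys

MOUNTS_FILE = "/proc/mounts"


def _is_partition_of(candidate, device):
    """True if candidate is device itself or a partition of it (sdc -> sdc1, nvme0n1 -> nvme0n1p1).

    Deliberately conservative: /dev/sdb1 vs /dev/sdb11 also matches, which only
    makes the script refuse more often, never less.
    """
    if candidate == device:
        return True
    if not candidate.startswith(device):
        return False
    return re.fullmatch(r"p?[1-9]\d*", candidate[len(device):]) is not None


def mounted_sources(mounts_text):
    """Device nodes currently mounted, read from /proc/mounts-style text."""
    return [line.split()[0] for line in mounts_text.splitlines() if line.startswith("/dev/")]


def device_in_use(device, mounts_text):
    """True when the device or one of its partitions is mounted."""
    return any(_is_partition_of(src, device) for src in mounted_sources(mounts_text))


def root_device(mounts_text):
    """Device node behind '/'. Only catches a plainly mounted partition, not LVM or dm roots."""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "/":
            return parts[0]
    return None


def plan_commands(device, name, mkfs="mkfs.ext3"):
    """Steps 4 to 7 of the post as argv lists, in order."""
    mapped = "/dev/mapper/" + name
    return [
        ["cryptsetup", "--verbose", "--verify-passphrase", "luksFormat", device],
        ["cryptsetup", "luksOpen", device, name],
        [mkfs, mapped],
        ["cryptsetup", "luksClose", name],
    ]


def main(argv):
    dry_run = "--dry-run" in argv
    args = [a for a in argv[1:] if not a.startswith("--")]
    if len(args) != 2:
        sys.exit(__doc__)
    device, name = os.path.realpath(args[0]), args[1]
    with open(MOUNTS_FILE) as f:
        mounts = f.read()
    if device_in_use(device, mounts):
        sys.exit(f"{device} or one of its partitions is mounted; unmount it first")
    root = root_device(mounts)
    if root and _is_partition_of(root, device):
        sys.exit(f"{device} carries the root filesystem ({root}); refusing")
    if not dry_run:
        if os.geteuid() != 0:
            sys.exit("run as root (sudo) to actually format the device")
        if not stat.S_ISBLK(os.stat(device).st_mode):
            sys.exit(f"{device} is not a block device")
        print(f"This will ERASE {device} and create the LUKS mapping {name}.")
        if input("Type uppercase YES to continue: ") != "YES":
            sys.exit("aborted")
        subprocess.run(["modprobe", "dm-crypt"], check=False)  # step 3; harmless if already loaded
    for cmd in plan_commands(device, name):
        print("+", " ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)  # luksFormat and luksOpen prompt for the passphrase themselves


if __name__ == "__main__":
    main(sys.argv)
```

The mount check works on /proc/mounts text rather than on the device node, so the refusal logic can be exercised without root and without a USB stick, which is also why the formatting commands are kept in a list that --dry-run prints instead of running.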

Update: I tried inserting my USB pen into an Ubuntu Dapper machine (which this guide would probably also work on). I just thought it was cool that it actually told me which package it needed for it to work.

25 Comments to Encrypted USB drive in Ubuntu

Kim Tholstorf
October 28, 2006

Works like a charm :-)

A tip:

Before setting up LUKS on the drive, overwrite it with random data in order to slow down an eventual attack on the encryption. The wise zealot would also perform a bad blocks scan to make sure the hard drive is not going to die too soon ;-) Do this in a single command:

  badblocks -c 10240 -s -w -t random -v /dev/sda

Paranoid beyond regular self-torture? Willing to spend one or two days on the extra security? Do this:

  dd if=/dev/urandom of=/dev/sda

Warning: This will definitely make your CPU and hard disk temperature rise and stay in the high range the whole time!

Johan
November 12, 2006

I dunno.

Flash drives have a limited number of read-write cycles. Making a filesystem (for some filesystems; others may be different) performs many repeated writes to superblock pages.

In some cases you can wear out a flash card just by making a filesystem on it.

It’s better to loopback-mount an image of the proper size, create the filesystem on that, and then just write the ready made image to the disk.

Thomas
November 29, 2006

Have you ever tried using ntfs on a LUKS encrypted usb key? Setting it up works fine. When plugging in the key I get asked for the password. It even gets mounted, unfortunately as ntfs instead of ntfs-3g (which I have installed, non-LUKS volumes work fine, the same key just formatted with mkntfs gets mounted as ntfs-3g). Any hints on where I could say “prefer ntfs-3g over ntfs”?

I have Ubuntu Edgy Eft installed with packages ntfs-3g and pmount from

deb http://flomertens.keo.in/ubuntu/ dapper main main-all

Fil
March 28, 2007

I forgot the password. Any way to recover it??? I thought it was a certain pass but it says incorrect.

Jacob Emcken
March 30, 2007

If you forgot your password I’m sorry to say that you are fucked. The password is the key to decrypt it. There is no way around it.

I hope you will remember it… good luck mate :)

smiki
January 11, 2008

How the hell does Ubuntu know that there is an encrypted volume on the key? It should only look like an unformatted partition with completely random data.

There is a BIG difference between having a USB drive with random data (= nothing on it) and a USB drive where I can tell that there IS an encrypted partition.

Can you give me a clue? My googling was unsuccessful.

thanx

Nate Bounds
January 23, 2008

Thanks, Jacob. Worked like a charm. And thanks, Kim, I used your badblocks command.

Jacob Emcken
February 27, 2008

Sorry I don’t know :(

Jon Garvin
March 21, 2008

Great post! I just got a new case in the mail that converts an internal SATA harddrive into an enormous external USB. Now, thanks to the instructions above, it’s encrypted too. Works like a charm on my Gutsy laptop.

max stirner
April 16, 2008

IMO the luks unified header is detected, the idea is to have a standard way of GUI opening encrypted partitions etc.

This does make the partition transparent to some extent I guess, thus reducing security; nonetheless this method is deemed secure as far as I know.
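On smiki’s question above (how Ubuntu can tell there is an encrypted volume) and max stirner’s answer: a LUKS volume starts with a cleartext header that carries the magic bytes LUKS\xba\xbe, a version number, the cipher, mode and hash names, the UUID, and eight key-slot records (each slot holds a copy of the master key wrapped under one passphrase; luksAddKey fills another slot). That header is what blkid reports as TYPE="crypto_LUKS" and what the desktop keys on when it prompts for a passphrase, so the partition is not indistinguishable from random data. The parser below is an added example that is not from the post or its comments; the sample header it builds is constructed for illustration, not dumped from a real device, and the offsets are the LUKS1 on-disk layout (a LUKS2 header shares the magic but uses a different layout, which this code only identifies). If a stick that looks like random data matters more than auto-detection, the older plain dm-crypt mode (cryptsetup create) writes no header at all, but then nothing can detect the volume and prompt for a passphrase either.

```python
#!/usr/bin/env python3
"""Read the cleartext LUKS1 header at the start of a volume (added example, not the post's code).

Usage:  python3 luks_header.py /dev/sdc1   (device name is a placeholder; needs read access)
        python3 luks_header.py             (parses the constructed sample header below)
"""
import struct
import sys

MAGIC = b"LUKS\xba\xbe"
# LUKS1 phdr: magic, version, cipher-name, cipher-mode, hash-spec, payload-offset (sectors),
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid  -> 208 bytes, big-endian
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"
# key slot: active, iterations, salt, key-material-offset (sectors), stripes -> 48 bytes, 8 slots
SLOT_FMT = ">II32sII"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_SIZE = struct.calcsize(PHDR_FMT) + 8 * struct.calcsize(SLOT_FMT)  # 592


def _cstr(raw):
    """NUL-padded ASCII field to str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks_header(buf):
    """Return what the header reveals in cleartext, or {'luks': False} for anything else."""
    if len(buf) < 8 or buf[:6] != MAGIC:
        return {"luks": False}
    version = struct.unpack_from(">H", buf, 6)[0]
    if version != 1:
        return {"luks": True, "version": version}  # LUKS2: JSON metadata, not parsed here
    if len(buf) < HEADER_SIZE:
        raise ValueError("LUKS1 header truncated")
    (_, _, cipher, mode, hash_spec, payload, key_bytes,
     _digest, _salt, iters, uuid) = struct.unpack_from(PHDR_FMT, buf, 0)
    slots = []
    for i in range(8):
        active, s_iters, _s_salt, km_off, stripes = struct.unpack_from(
            SLOT_FMT, buf, struct.calcsize(PHDR_FMT) + i * struct.calcsize(SLOT_FMT))
        if active == SLOT_ENABLED:
            slots.append({"slot": i, "iterations": s_iters, "offset": km_off, "stripes": stripes})
    return {
        "luks": True, "version": 1,
        "cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hash_spec),
        "key_bits": key_bytes * 8, "payload_offset": payload, "mk_iterations": iters,
        "uuid": _cstr(uuid), "active_slots": [s["slot"] for s in slots], "slots": slots,
    }


def build_sample_header():
    """Constructed LUKS1 header (not from a real device): aes-cbc-essiv:sha256, 128-bit key, slot 0 in use."""
    phdr = struct.pack(PHDR_FMT, MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                       1032, 16, b"\x11" * 20, b"\x22" * 32, 31337,
                       b"00000000-1111-2222-3333-444444444444")
    slots = b""
    for i in range(8):
        active = SLOT_ENABLED if i == 0 else SLOT_DISABLED
        slots += struct.pack(SLOT_FMT, active, 150000 if i == 0 else 0,
                             b"\x33" * 32, 8 + 128 * i, 4000)
    return phdr + slots


def describe(buf):
    """One-line summary of what an attacker with the raw device learns without the passphrase."""
    info = parse_luks_header(buf)
    if not info["luks"]:
        return "no LUKS header (plain dm-crypt, some other filesystem, or random data)"
    if info["version"] != 1:
        return f"LUKS version {info['version']} header (layout not parsed here)"
    return (f"LUKS1 {info['cipher']}-{info['mode']} {info['key_bits']}-bit, hash {info['hash']}, "
            f"uuid {info['uuid']}, data from sector {info['payload_offset']}, "
            f"passphrase slots in use: {info['active_slots']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(HEADER_SIZE)
    else:
        data = build_sample_header()
    print(describe(data))
```

Everything describe() prints is readable without the passphrase, which is the whole point: the cipher suite, the UUID that the auto-mounter later reuses in the /dev/mapper name, and how many passphrases are registered are all public, only the master key and the data are not.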

Kalle
July 7, 2008

I’ve ordered a new USB hard disk that I plan to encrypt and now I’m experimenting with a USB stick. Everything seems to work but there is no magical password prompting when I insert the newly formated stick.

I’m running Kubuntu 7.04. Anyone know if I need to install something more than what is mentioned above?

And how do I manually mount the encrypted drive?

Jacob Emcken
August 24, 2008

Hi Kalle

I don’t know how this is supposed to work in KDE, but if you want to do this manually I guess it would look something like this:

First attach the encrypted partition:

$ sudo cryptsetup luksOpen /dev/sda1 sda1
Enter LUKS passphrase:
key slot 0 unlocked
Command successful.

Now mount the encrypted filesystem:

sudo mount /dev/mapper/sda1 /mnt

When you are done unmount it again:

sudo umount /mnt

and remove the temporary device mapped to the encrypted partition:

sudo cryptsetup luksClose sda1

Sunadrad
December 2, 2008

I just set up an external USB hard drive with this guide, and it worked great.

Only one thing – when I now connect the USB drive, I get prompted for a password, but the drive doesn’t get mounted.

A /dev/mapper entry is set up:

ls -l /dev/mapper
total 0
crw-rw---- 1 root root  10, 63 2008-12-01 11:40 control
brw-rw---- 1 root disk 254,  0 2008-12-02 09:07 lukscrypto4e09dc8f-e411-4a34-b54c-326e7104a8ed

Any suggestions on how to get it to be mounted automatically? There’s nothing useful in /var/log/messages. I suppose I can add an entry to /etc/fstab, but that still won’t make it mount automatically when it’s connected. I’m running Ubuntu Gutsy. Thanks,

Jacob Emcken
February 5, 2009

I’m sorry, I have no idea why your disk won’t mount automatically :(

I’ve seen Ubuntu choke on the disk a few times, but after a reboot everything went back to normal. But these cases are very rare.

Which Ubuntu release are you running?


Aj
April 10, 2009

Can the encrypted drive you create be used in Windows as well, or just in Ubuntu?

Jacob Emcken
April 11, 2009

Perhaps… never tried. But I’m sure it won’t work out of the box.

david
April 23, 2009

Any way of changing the default path it mounts the encrypted drive to? Because now it mounts the drive to /media/disk, which I need for something else.

Or maybe there is a way of disabling the auto-mount passphrase prompt, ’cause then I could manually mount it to a better path.

Jacob Emcken
April 24, 2009

The mount point Ubuntu chooses is based on the label of the filesystem, which means that if the label is e.g. “WD 1TB” it will be mounted at /media/WD 1TB.

Since the label cannot be read before the partition is actually decrypted I’m not sure Ubuntu can figure out to mount encrypted partitions using labels.

I’m not aware of anything you can do to disable auto mounting of encrypted partitions.

Malignus
May 8, 2009

n00b-ish question:

I ran through all the steps, which all cleared without compunction, but when I re-inserted the drive and it prompted me for my passphrase (which I provided), it seemingly mounted but is inaccessible to me. It shows up as a device but generates the error “Unable to set up crypto device Error org.freedesktop.Hal.Device.Volume.Crypto.SetupError /dev/sdc is already setup?”. What have I done wrong?

Jacob Emcken
May 11, 2009

@Malignus

If you have done all the steps, I must admit I don’t know what you could have done wrong. Does the error persist even after a reboot?

Preben
August 27, 2009

Just a note. If you encrypt a USB stick you should use ext2 and not ext3 as the latter is very slow on sticks due to the journalling system.


Klass Pappa
June 11, 2010

I tried this, everything is OK. Except I can’t copy files to the drive: Access denied!

I run Ubuntu 9.04
