Encrypted USB Disks

On most Linux distributions, you can use the graphical “disks” application to create LUKS+ext4 partitions. The defaults are sane. However, it’s still advisable to put random data on the new disk before encryption.

If you use USB disks for off-site backups, it’s a good idea to encrypt them:

  • Install the cryptography software:
sudo apt-get install cryptsetup
  • Write some random data to your disk. We will assume it’s called /dev/sdx; type “dmesg” after inserting the disk to figure out the device or, if it’s Windows-formatted and automounted, have a look at the output of “mount”:
sudo dd if=/dev/random of=/dev/sdx bs=4K

This will take a long time, maybe a few days (create some IO). A good, shorter compromise (a day) is:

sudo badblocks -c 10240 -s -w -t random -v /dev/sdx
  • Create a new Linux partition table with cfdisk (create a new partition table if asked, choose New and assign the whole disk, use a primary partition).
sudo cfdisk /dev/sdx
  • Set up a partition using fdisk (compatible with the new 4KB block size drives):
sudo fdisk -uc /dev/sdx
Command (m for help): d
Selected partition 1
Command (m for help): n

Command action
e   extended
p   primary partition (1-4)
p

Partition number (1-4): 1
First sector (2048-2930277167, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-2930277167, default 2930277167):
Using default value 2930277167

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 83

Command (m for help): p

Disk /dev/sdx: 1500.3 GB, 1500301910016 bytes
81 heads, 63 sectors/track, 574226 cylinders, total 2930277168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x4fabbfc4

Device Boot      Start         End      Blocks   Id  System
/dev/sdx1         2048  2930277167  1465137560   83  Linux

Command (m for help): w

The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
  • Create the encrypted partition. Make the passphrase long and difficult to guess:
sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdx1
  • Create a filesystem (I am using ext4; the chosen device and label name is “disk5”, change it to your taste):
sudo cryptsetup luksOpen /dev/sdx1 disk5
sudo mkfs.ext4 /dev/mapper/disk5 -L disk5
sudo cryptsetup luksClose disk5
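  • Mount and umount it (the mapping was closed in the previous step, so open it again first):
sudo cryptsetup luksOpen /dev/sdx1 disk5
sudo mount /dev/mapper/disk5 /mnt
sudo umount /mnt
sudo cryptsetup luksClose disk5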

That’s it!
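
Two checks worth wrapping around the procedure above, as an added example that is not part of the original post: confirm the target disk is not mounted before the destructive dd/badblocks/luksFormat steps, and confirm afterwards that the partition really starts with a LUKS header. The function names are hypothetical and the sample mounts table and image files are constructed so the script runs without a real disk.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Succeeds (exit 0) if DISK or one of its partitions is a mount source.
# $1 = whole-disk node, e.g. /dev/sdx   $2 = mounts table (default /proc/mounts)
disk_is_mounted() {
    awk -v disk="$1" '
        # matches /dev/sdx, /dev/sdx1, /dev/nvme0n1p1 but not /dev/sdxa
        $1 ~ ("^" disk "p?[0-9]*$") { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "${2:-/proc/mounts}"
}

# Prints the LUKS header version (1 or 2) found at the start of DEV.
# Fails if the first six bytes are not the LUKS magic: "LUKS" 0xBA 0xBE.
luks_version() {
    hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case $hdr in
        4c554b53babe????) echo $((0x${hdr#4c554b53babe})) ;;
        *) return 1 ;;
    esac
}

# --- constructed sample data, so the checks can be tried without a disk ---
tmp=$(mktemp -d)
printf '%s\n' '/dev/sda2 / ext4 rw 0 0' \
              '/dev/sdx1 /media/usb vfat rw 0 0' > "$tmp/mounts"
printf 'LUKS\272\276\000\002' > "$tmp/luks2.img"   # magic + version 2
printf 'plain ext4 data.' > "$tmp/plain.img"       # no LUKS header

if disk_is_mounted /dev/sdx "$tmp/mounts"; then
    echo "/dev/sdx is mounted: unmount it before dd/badblocks/luksFormat"
fi
disk_is_mounted /dev/sdb "$tmp/mounts" || echo "/dev/sdb: nothing mounted"
echo "luks2.img: LUKS version $(luks_version "$tmp/luks2.img")"
luks_version "$tmp/plain.img" || echo "plain.img: no LUKS header, NOT encrypted"
```

On a real disk, call luks_version as root on /dev/sdx1 after the luksFormat step; “sudo cryptsetup isLuks /dev/sdx1” performs the same header check. A filesystem mounted through an opened mapping shows up as /dev/mapper/disk5 in the mounts table, so close the mapping before relying on disk_is_mounted.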

(Post moved from nxadm.wordpress.com.)