First of all, start by installing the cryptsetup package:
# apt-get install cryptsetup
If you are as paranoid as me, fill the drive with random data before setting up LUKS (Linux Unified Key Setup). (My USB pen drive was detected as /dev/sde; make sure to pick the correct device, or you risk wiping out your whole hard drive with your precious data on it.)
# time dd if=/dev/urandom of=/dev/sde bs=1M
dd: writing `/dev/sde': No space left on device
490+0 records in
489+0 records out
512753664 bytes (513 MB) copied, 136.369 s, 3.8 MB/s
Command exited with non-zero status 1
0.00user 93.35system 2:16.37elapsed 68%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+1001472outputs (0major+524minor)pagefaults 0swaps
Make sure we have loaded the required modules to use LUKS:
# modprobe dm_crypt
Make sure aes-encryption is available by checking /proc/crypto :
# cat /proc/crypto | grep name
name : cbc(aes)
name : cbc(aes)
name : aes
name : aes
name : md5
Make sure we support encrypted devices:
# dmsetup targets
crypt v1.6.0
striped v1.1.0
linear v1.0.3
error v1.0.1
We could set up a LUKS volume directly on the device, but I don’t suggest it due to a bug in either gnome-mount or hal which causes auto-mounting not to work after unlocking your LUKS volume in Nautilus. See bugs #117011 and #217749 at Launchpad.
If you want to use your whole USB pen drive as an encrypted volume, just create one large FAT32 partition (or your preferred file system, but I suggest FAT32 if you want to access it easily in Windows):
Open your favorite partition editor (e.g. cfdisk, fdisk, gparted) and set up your USB pen drive as required.
After this we’re ready to set up encryption on the partitions we would like to have encrypted.
NB: Replace “norrs-usb1” with your preferred nickname for the device:
# cryptsetup -c aes -s 256 luksFormat /dev/sde1
Type YES
Pick a good password phrase for your device!
Let’s make sure it is encrypted:
# cryptsetup luksDump /dev/sde1
LUKS header information for /dev/sde1
Version: 1
Cipher name: aes
Cipher mode: cbc-plain
Hash spec: sha1
Payload offset: 2056
MK bits: 256
………
Let’s open the device and format it with your preferred file system:
# cryptsetup luksOpen /dev/sde1 norrs-usb1
Enter LUKS passphrase: <your password phrase here>
key slot 0 unlocked.
Command successful.
FAT is my choice as I can access it quite easily in Windows.
# mkfs.vfat /dev/mapper/norrs-usb1 -n "norrs-usb1"
mkfs.vfat 2.11 (12 Mar 2005)
# cryptsetup luksClose norrs-usb1
We’re done!
Unplug your USB pen drive and re-attach it. Ubuntu (and probably other distros as well) will then pop up a dialog box, as shown below, asking for your LUKS password, and will auto-mount your encrypted volume.
Useful commands:
dmsetup, shows mapped devices. If your luks volume is open – it will show here! Always make sure you close your encrypted storage after unmounting it!
# dmsetup ls
No devices found
# dmsetup ls
luks_crypto_2d34d72f-d172-4f10-b78c-d5ff73fd7853 (254, 0)
open device:
# cryptsetup luksOpen /dev/sde1 norrs-usb1
# mount /dev/mapper/norrs-usb1 /mnt/point
(Or use pmount, which will mount it inside /media, and the device will appear in Nautilus. But if you’re using the command line, you’re probably not interested in that? :p )
close device (always make sure it is closed after use, or there is no point in encrypting it at all):
# umount /mnt/point
# cryptsetup luksClose norrs-usb1
add a new password phrase to encrypted volume:
# cryptsetup luksAddKey /dev/sde1
<your current luks password phrase>
key slot x unlocked.
Enter new passphrase for key slot: <new password phrase here>
delete a password phrase which is saved in key slot x:
When unlocking a LUKS volume on the command line, it always reports which key slot was used to unlock it, in case you don’t know which key slot to delete.
Replace x with your key slot number (and of course the device with your device, doh).
# cryptsetup luksDelKey /dev/sde1 x
dump out information about LUKS volume:
# cryptsetup luksDump /dev/sde1
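Added example, not part of the original post: a small shell helper that reads `cryptsetup luksDump` text, lists the enabled key slots, and rejects a luksDelKey target that is disabled or is the last remaining passphrase. The function names and the sample dump are constructed for illustration, and the `Key Slot N: ENABLED` lines assume the LUKS1 dump layout, which the truncated output earlier in the post does not show.

```shell
# Constructed sample in the LUKS1 luksDump layout (illustrative values only).
# On a real volume, pipe in: cryptsetup luksDump /dev/sde1
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sde1
Version:        1
Cipher name:    aes
Cipher mode:    cbc-plain
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
EOF
}

# luks_field NAME: print the value of one header field from the dump on stdin.
luks_field() {
    awk -F':[ \t]*' -v want="$1" '$1 == want { print $2; exit }'
}

# luks_enabled_slots: print the numbers of ENABLED key slots, space separated.
luks_enabled_slots() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" {
             sub(":", "", $3); printf "%s%s", sep, $3; sep = " "
         }
         END { print "" }'
}

# slot_delete_check SLOT: return 0 only if SLOT is enabled and another enabled
# slot remains; 2 = slot not enabled, 3 = it is the last passphrase.
slot_delete_check() {
    count=0; found=no
    for s in $(luks_enabled_slots); do
        count=$((count + 1))
        if [ "$s" = "$1" ]; then found=yes; fi
    done
    [ "$found" = yes ] || { echo "slot $1 is not enabled" >&2; return 2; }
    [ "$count" -gt 1 ] || { echo "slot $1 is the only passphrase left" >&2; return 3; }
}

# Demo on the constructed sample; no device or root access is needed.
echo "cipher: $(sample_dump | luks_field 'Cipher name')-$(sample_dump | luks_field 'Cipher mode')"
echo "enabled slots: $(sample_dump | luks_enabled_slots)"
if sample_dump | slot_delete_check 1; then echo "slot 1 can be deleted"; fi
```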
Nice sources I’ve used:
- Linuxguiden.no, http://www.linuxguiden.no/index.php/Kryptert_filsystem_luks (all in Norwegian)

Well, what about using the encrypted pendrive under Windows (98, XP, Vista, 7 …)? Have you got any experience?
Sorry for the slow reply, I just tested FreeOTFE[1] under Windows 7 x64 and it was working without “any” issues. The only problem with Vista x64 and W7 x64 is that it requires digitally signed drivers from Microsoft, which FreeOTFE doesn’t have yet, but they’re looking into it.[2]
I’ll see if I have the time and write a short guide on how I mounted my encrypted USB pen. But I’ll admit I didn’t get the FreeOTFE Explorer working, I only received some memory error. I might dig more into this and update my post to include instructions for how to use FreeOTFE under Windows XP, W7.
[1] http://www.freeotfe.org/ (includes good documentation too)
[2] http://www.freeotfe.org/docs/Main/impact_of_kernel_driver_signing.htm#Method_7