Encrypt your USB drives using LUKS

IMPORTANT: The process below can destroy your valuable data. I am not responsible for any kind of data loss. This manual is provided on an as-is basis, without any reliability and responsibility. Use at your own risk.

One general rule to keep in mind before every manipulation with disks is very simple: make a backup before any action.

It is really important to encrypt your USB drives and memory sticks, because they are easy to lose, and with them some very important (even worse, private) data.

I consider encrypting the HDD(s) of your desktop/laptop a must; please take it seriously and encrypt the drive during system installation. Almost all (modern) Linux distributions offer the possibility to encrypt hard drives at an early stage of system installation, so please use that benefit.

[Open|Free|Net]BSDs also offer an option to encrypt hard drives, but for more detailed information, please visit their respective web sites.

In the text below I will write a short howto on encrypting your USB drives and memory cards using LUKS.

LUKS stands for Linux Unified Key Setup and is a good solution when it comes to Linux encryption. So let's start 🙂

First find out how the disk you want to encrypt is recognized by your Linux system. The easiest way is to check /var/log/messages after you connect the device to the system. On my system it is recognized as /dev/sdc.

As OS I am at the moment using Fedora 14, and to use LUKS you will need to install the cryptsetup-luks package.

If you do not have the cryptsetup-luks package installed on your system, then run

# yum install cryptsetup-luks

Once cryptsetup-luks is installed, we can proceed and set up our encrypted device

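If you are paranoid when it comes to security, then before proceeding you can overwrite your USB drive with random data

# dd if=/dev/urandom of=/dev/sdc bs=1M

Important: the above command can take a very long time, depending on the size of the device. /dev/urandom is used because /dev/random can block while the kernel waits for entropy, which makes filling a whole device impractical.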

So cryptsetup is installed and we are ready

Create a partition on your device

# fdisk /dev/sdc

Run cryptsetup on the new partition

# cryptsetup luksFormat /dev/sdc1

[root@e-makina elvir]# cryptsetup luksFormat /dev/sdc1

This will overwrite data on /dev/sdc1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
[root@e-makina elvir]#

When it comes to picking a password, please do not use something like the name of your wife, hometown, high school, or similar. You do not want a simple password for your LUKS setup, do you?

The next step is to open the new LUKS encrypted device.

From man cryptsetup:

luksOpen <device> <name>

opens the LUKS partition <device> and sets up a mapping <name> after successful verification
of the supplied key material (either via key file by --key-file, or via prompting).

As you can see, we will bind our LUKS device (/dev/sdc1) to some friendly name, let's say fedoraCrypt. I leave choosing the name to your imagination.

# cryptsetup luksOpen /dev/sdc1 fedoraCrypt

After the above action you will find your device under /dev/mapper as

# ls -l /dev/mapper | grep fedora
lrwxrwxrwx. 1 root root 8 Jul 3 20:47 fedoraCrypt -> ../dm-11

Make a file system on your new device /dev/mapper/fedoraCrypt

# mkfs.ext4 /dev/mapper/fedoraCrypt

Mount the new device (the mount point /mnt/cryptdevice must already exist)

# mount /dev/mapper/fedoraCrypt /mnt/cryptdevice

And that is it.

Everything you write to /mnt/cryptdevice will be encrypted. Unmounting the encrypted device is as simple as

# umount /mnt/cryptdevice [ please make sure it is not busy ]

Next time you connect your USB drive/memory card to your laptop, you will be prompted to enter the password you provided during LUKS device setup.
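Because dd and luksFormat destroy whatever is on the target, it pays to check the device name before running them. The shell functions below are an added example, not part of the original howto: they refuse a target that is mounted, not flagged removable by the kernel, or already carrying a LUKS header. The function names and the MOUNTS/SYSFS override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before the destructive steps.
# MOUNTS and SYSFS are overridable (an assumption of this example) so the
# checks can also be exercised against constructed fixture files.
MOUNTS="${MOUNTS:-/proc/mounts}"
SYSFS="${SYSFS:-/sys/block}"

# is_mounted DEV: succeeds if DEV, or any device whose path starts with DEV
# (e.g. /dev/sdc1 when DEV is /dev/sdc), is listed as a mounted source.
is_mounted() {
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit !found }' "$MOUNTS"
}

# is_removable DISK: succeeds if the kernel flags the whole disk (e.g. sdc)
# as removable.
is_removable() {
    [ "$(cat "$SYSFS/$1/removable" 2>/dev/null)" = "1" ]
}

# has_luks_header DEV: succeeds if DEV starts with the LUKS magic bytes
# 'L' 'U' 'K' 'S' 0xBA 0xBE, i.e. it was already formatted with luksFormat.
has_luks_header() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# preflight PART DISK: prints a verdict; returns 0 only if none of the
# checks objects to formatting PART (e.g. preflight /dev/sdc1 sdc).
preflight() {
    part=$1; disk=$2
    if is_mounted "$part"; then
        echo "refuse: $part is mounted"; return 1
    fi
    if ! is_removable "$disk"; then
        echo "refuse: $disk is not flagged removable"; return 2
    fi
    if has_luks_header "$part"; then
        echo "refuse: $part already has a LUKS header"; return 3
    fi
    echo "ok: $part passed the pre-flight checks"
}
```

Call it as `preflight /dev/sdc1 sdc` before the luksFormat step. USB hard disks in enclosures often report removable as 0, so a refusal on that check means the device name needs a second look, not necessarily that it is wrong.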

I suppose it is needless to say that the above procedure can also be applied to the internal HDDs of your machine.

In the above process I used Fedora 14; the same process applies to Debian, as the cryptsetup-luks package is present in the Debian repositories under the same name as in Fedora

# aptitude search luks
cryptsetup-luks –

Comments are welcome

Thank you