Select Page

Partition Encryption on a USB Drive

by | Jan 10, 2012 | Blog | 0 comments

Creating an Encrypted Partition….

This tutorial is meant to show how to either fully encrypt a USB Drive or partially encrypt it depending on how the partitions are set up. My intent with this is to create an encrypted partition of ~1 MB, with this I will be able to add in an ID file. To ensure integrity of that file a MD5 and SHA2 checksums will also be created but not stored on the disk.

 

One of the nice things about using cryptsetup (an implementation of LUKS – Linux Unified Key Setup) is that the standard is compatible on all Linux devices, meaning that if required the encrypted partition could be accessed using another computer. Another possible option is if you are encrypting for example an entire drive it is possible to create a keyfile which is required to unencrypt the drive which could be stored on your mobile device’s flash memory or a usb drive.

 

This was done using Ubuntu 10.04 (Lucid Lynx), the latest LTS version as of this writing. Remember whenever you are altering the file system on your disk the potential for things to go badly is high so backup your data!

 

Step 1: Install all the required Packages

 

First thing to do is to make sure all the packages needed are installed. In a terminal:

apt-get install cryptsetup md5 sha256sum

modprobe dm-crypt

 

Depending on your user permissions you may need to add ‘sudo’ to the beginning of these lines

 

 

Step 2: Set up the Disk Partition(s)

 

This can be with your favourite partition manager.

 

fdisk

fdisk -l

gparted

Content goes here
 
Alternative: dmesg 

 

Step 3: Zero out the disk

Given that the data being written is sensitive it’s a good idea to zero out the partition.

An easy way to accomplish this is by using dd.

 

sudo dd if=/dev/zero of=/dev/{partition id} bs= 8K

 

For a higher security wipe it is advisable to write random data multiple times over the partition that is going to be encrypted to render the pre-existing data as unrecoverable as possible.

 

dd if=/dev/urandom of=dev/{partition id} bs=1M 

NOTE: This can take many hours or even days depending on drive size

 

 

Step 4: Check file system integrity

 

This is important to do before we start encrypting the partition to ensure that the drive’s file system integrity is not compromised.

 

fsck  -V  /dev/….

 

 

Step 5: Encrypting the partition

 

The list of supported hashes is based off the gcrypt library. A list of the current supposed hashes can be found on the GNU PG Website within the gcrypt library manual.

cryptsetup luksFormat /dev/{partition id} -c aes -s 256 -h sha256 -y -v

-c = cipher specification string (the actual encryption algorithm used; default is sha256)

-s = key size in bits (must be multiple of 8; default is 256)

-h = choose hash format (currently default is sha1 which is known to be vulnerable to attack)

-y = verify passphrase (passphrase must be entered twice)

-v = verbose mode (I prefer to have it telling me what it’s doing as it goes along)

 

 

Step 6: Open the Encrypted Partition

 

cryptsetup luksOpen /dev/{partition id} {label}

 

Enter in the passphrase selected during the luksFormat Command, and if you entered it in correctly the encrypted partition will open allowing for files to be transferred into the newly encrypted partition.

 

I reformatted the encrypted partition to ext4 due to personal preference  however any file system should work.

mke2fs -t ext4 -j /dev/mapper/{partition id} -L {label}

 

Step 7: Generating Checksums

 

MD5

md5sum {filename} > {filename}.md5

Verify: md5sum -c {filename}.md5

 

SHA2

Create: sha256sum{filename} > {filename}.sha256sum

Verify: sha256sum -c {filename}.sha256sum

 

 

Step 8: Copying Files into Encrypted Partition

cp /..{directory where the files are..}/{filename} /dev/{Label}

 

 

 

Credit goes to the tutorials from the Ubuntu Community Documentation which helped guide me during my initial attempts.