LinuxQuestions.org
Old 02-02-2007, 06:04 AM   #1
vijaush
LQ Newbie
 
Registered: Feb 2007
Posts: 8

Rep: Reputation: 0
Encrypting the usb flash drive


Hi all,

I want to encrypt the data stored on the USB mass storage device (sector-wise), but I cannot figure out where to start digging. I have tried to search in devio.c and hcd.c in /usr/src/kernel/drivers/usb/core but with no success.

Can anyone please tell me where I should look to get the data encrypted in the USB mass storage device?

Thanks in advance
 
Old 02-02-2007, 08:36 AM   #2
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
I use GPG manually to encrypt my files.
 
Old 02-02-2007, 09:51 AM   #3
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 53
If you want to encrypt the complete disk, you need
* Kernel >= 2.6.4 (>= 2.6.10 for better security)
* BLK_DEV_DM and DM_CRYPT options enabled in the kernel
* cryptsetup utility

/dev/sda being your usb key:

Verify disk and put random data (for security against known clear text attacks):
Code:
/sbin/badblocks -s -w -t random -v /dev/sda
dd if=/dev/urandom of=/dev/sda
Format the key with an ext2 filesystem encrypted using LUKS; a password is asked:
Code:
luksformat -t ext2 /dev/sda
Create a mount point where your decrypted disk will be mounted:
Code:
mkdir /media/cdisk1
It's more coherent with the rest of the howto if you put it in /media. Also, media is the standard for removable media (it's not supposed to be always mounted).


Link it with a device mapper, put this in /etc/fstab:
Quote:
/dev/mapper/cdisk1 /media/cdisk1 ext2 noauto,defaults 0 0
Tell the system that /dev/sda is to be linked with /dev/mapper/cdisk1, put this in /etc/crypttab:
Quote:
cdisk1 /dev/sda none luks,timeout=10
Mount it with the next command, password is asked:
Code:
cryptsetup luksOpen /dev/sda cdisk1
mount /media/cdisk1
To unmount and remove the mapping:
Code:
umount /media/cdisk1
cryptsetup luksClose cdisk1
Customization:
On next reboot, /etc/init.d/cryptdisks (in case it is installed by cryptsetup) will look in /etc/crypttab, ask you for the password and mount the disk in /media/cdisk1

Alternatively to mount it you can use pmount. The first argument is the partition or disk, the second is a label you choose (it can be different from above)
Code:
pmount /dev/sda supa_crypt
pmount will try to guess the filesystem and as it knows luks (because luks is a standard), will mount the disk in /media/supa_crypt
To use pmount on a non-removable media (eg. /dev/hda6 below), you have to allow this device to be "pmounted":
Quote:
Originally Posted by pmount.allow
# /etc/pmount.allow
# pmount will allow users to additionally mount all devices that are
# listed here.
/dev/hda6

If your HAL and udev are configured correctly and your window manager is HAL-aware, just plug in the USB key and a popup appears to ask you for the password (the media will be mounted in /media/sda in this case; the label is the partition name).

And here are other links:
https://www.debian-administration.org/articles/428
https://www.debian-administration.org/articles/469
https://www.debian-administration.org/articles/179
http://cvs.lp.se/doc/cryptsetup/usbcrypto.hotplug.gz
http://cvs.lp.se/doc/cryptsetup/ <- you can encrypt the swap, encrypt the full system, etc..
https://www.debian-administration.org/articles/475 <-- truecrypt but it is not standard and not GPL. For it to work, you only need BLK_DEV_DM in the kernel. There are people who have made packages for several distros.

Last edited by nx5000; 02-07-2007 at 01:08 PM.
 
1 members found this post helpful.
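The wipe and format steps in post #3 are destructive and assume /dev/sda is the USB key. The script below is an added example, not code from any poster in the thread: it refuses a target unless it is a USB-attached disk with nothing mounted and no device-mapper holder. The SYSFS and MOUNTS overrides, the function names and the script name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: refuse the destructive steps unless the
# target is an idle USB disk. SYSFS and MOUNTS are overridable (an assumption
# of this sketch) so the checks can be run against a constructed tree.
SYSFS=${SYSFS:-/sys}
MOUNTS=${MOUNTS:-/proc/mounts}

# True if the disk hangs off a USB bus: /sys/block/<dev> is a symlink whose
# resolved path contains a "usbN" component for USB-attached storage.
is_usb_disk() {
    case "$(readlink -f "$SYSFS/block/$1")" in
        */usb[0-9]*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if /dev/<dev> or one of its numbered partitions is mounted.
is_mounted() {
    awk -v d="/dev/$1" '
        $1 == d || (index($1, d) == 1 && substr($1, length(d) + 1) ~ /^[0-9]+$/) { found = 1 }
        END { exit !found }' "$MOUNTS"
}

# True if a device-mapper target (such as an open LUKS mapping) uses the disk.
has_holders() {
    [ -n "$(ls -A "$SYSFS/block/$1/holders" 2>/dev/null)" ]
}

# Exit status 0 only when every check passes; the reason goes to stderr.
safe_to_wipe() {
    dev=${1#/dev/}
    [ -e "$SYSFS/block/$dev" ] || { echo "$dev: no such whole disk" >&2; return 1; }
    is_usb_disk "$dev" || { echo "$dev: not on a USB bus" >&2; return 1; }
    if is_mounted "$dev"; then echo "$dev: filesystem mounted" >&2; return 1; fi
    if has_holders "$dev"; then echo "$dev: held by device-mapper" >&2; return 1; fi
    return 0
}

# Usage: sh preflight.sh /dev/sdX   (script name is hypothetical)
if [ $# -gt 0 ]; then safe_to_wipe "$1"; fi
```

Run it with the device you intend to overwrite and continue with badblocks, dd or luksformat only when it exits 0.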
Old 02-06-2007, 12:01 AM   #4
vijaush
LQ Newbie
 
Registered: Feb 2007
Posts: 8

Original Poster
Rep: Reputation: 0
thank you guys !!!
 
Old 02-06-2007, 01:12 PM   #5
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 53
I've tested and updated the post.
 
Old 02-07-2007, 10:21 AM   #6
vijaush
LQ Newbie
 
Registered: Feb 2007
Posts: 8

Original Poster
Rep: Reputation: 0
thanks a lot
 
Old 10-01-2007, 03:15 PM   #7
statguy
Member
 
Registered: Sep 2004
Location: Ontario, Canada
Distribution: Slackware 14.1, 13.37
Posts: 332

Rep: Reputation: 31
I came across this useful thread today. I have one question about this procedure. Will this in any way break the usage of "standard" non-encrypted USB keys?
 
Old 09-23-2011, 06:36 PM   #8
Terrel Shumway
LQ Newbie
 
Registered: Sep 2011
Posts: 1

Rep: Reputation: Disabled
badblocks Considered Harmful

Quote:
Originally Posted by nx5000
Verify disk and put random data (for security against known clear text attacks):
Code:
/sbin/badblocks -s -w -t random -v /dev/sda
Using badblocks on most USB flash drives is counter-productive. NAND-flash is designed to have a certain level of defects, and the firmware in the controller automatically compensates for pages going bad. Writing and reading back a test pattern to every block will just wear out your flash sooner.

As far as I can tell, the need for badblocks-type scanning was only useful for floppy disks and *VERY* old hard disks. "IDE" hard drives, introduced in 1986, were well-entrenched before Linus even created the original ext file system. Certainly by 1996 when e2fsprogs 1.0 was released, modern hard drives were already doing automatic bad-block remapping. When the OS starts seeing bad blocks, it is time to replace the drive.

Note also: after following the above steps, you will not be able to boot from the encrypted flash drive. If you want it bootable, you need at least one unencrypted partition.

Last edited by Terrel Shumway; 09-23-2011 at 06:48 PM. Reason: added note about bootability
 
Old 12-15-2011, 05:26 AM   #9
tkibugu
LQ Newbie
 
Registered: Dec 2011
Posts: 3

Rep: Reputation: Disabled
RE: Encrypting the usb flash drive

[I deleted post contents]

Last edited by tkibugu; 12-17-2011 at 08:50 AM.
 
Old 12-16-2011, 05:32 AM   #10
cnxsoft
Member
 
Registered: Nov 2010
Location: Thailand
Distribution: Fedora 12, Ubuntu 10.10
Posts: 166

Rep: Reputation: 29
If you have a relatively new Linux kernel, you could probably also use BTRFS with encryption.
 
  

