Hi all,

i want to encrypt the data stored on the usb mass storage device( sector wise ), but i cannot figure out where to start digging. i have tried to search in devio.c and hcd.c in /usr/src/kernel/drivers/usb/core but with no success

can anyone please tell me where should i look for getting the data encrypted in the usb mass storage device.

thanks in advance

I uses GPG manually to encrypt my files.

If you want to encrypt the complete disk, you need
*Kernel >=2.6.4 (>=2.6.10 for better security)
*BLK_DEV_DM and DM_CRYPT options enabled in the kernel
*cryptsetup utility

/dev/sda being your usb key:

Verify disk and put random data (for security on known clear text attacks):
Format the key with ext2 filesystem encrypted using luks, password is asked:
Create a mount point where your decrypted disk will be mounted:
Its more coherent with the rest of the howto if you put it in /media. Also media is the standard for removable media (its not supposed to be always mounted)


Link it with a device mapper, put this in /etc/fstab:
Tell the system that /dev/sda is to be linked with /dev/mapper/cdisk1, put this in /etc/crypttab:
Mount it with the next command, password is asked:
To unmount and remove the mapping:
Customization:
On next reboot, /etc/init.d/cryptdisks (in case it is installed by cryptsetup) will look in /etc/crypttab, ask you for the password and mount the disk in /media/cdisk1

Alternatively to mount it you can use pmount. The first argument is the partition or disk, the second is a label you choose (it can be different from above)
pmount will try to guess the filesystem and as it knows luks (because luks is a standard), will mount the disk in /media/supa_crypt
To use pmount on a non-removable media (eg. /dev/hda6 below), you have to allow this device to be "pmounted":

If your HAL and udev is configured correctly and your Window manager is HAL-aware, just plug in the usb key and a popup appears to ask you the password. (the media will be mounted in /media/sda in this case, the label is the partition name)

And here are other links:
https://www.debian-administration.org/articles/428
https://www.debian-administration.org/articles/469
https://www.debian-administration.org/articles/179
http://cvs.lp.se/doc/cryptsetup/usbcrypto.hotplug.gz
http://cvs.lp.se/doc/cryptsetup/ <- you can encrypt the swap, encrypt the full system, etc..
https://www.debian-administration.org/articles/475 <-- truecrypt but it is not standard and not GPL. For it to work, you only need BLK_DEV_DM in the kernel. There are people who have made packages for several distro.

1 members found this post helpful.

thank you guys !!!

I've tested and updated the post.

thanks a lot

I came across this useful thread today. I have one question about this procedure. Will this in any way break the usage of "standard" non-encrypted USB keys?

Using badblocks on most USB flash drives is counter-productive. NAND-flash is designed to have a certain level of defects, and the firmware in the controller automatically compensates for pages going bad. Writing and reading back a test pattern to every block will just wear out your flash sooner.

As far as I can tell, the need for badblocks-type scanning was only useful for floppy disks and *VERY* old hard disks. "IDE" hard drives, introduced in 1986, were well-entrenched before Linus even created the original ext file system. Certainly by 1996 when e2fsprogs 1.0 was released, modern hard drives were already doing automatic bad-block remapping. When the OS starts seeing bad blocks, it is time to replace the drive.

Note also: after following the above steps, you will not be able to boot from the encrypted flash drive. If you want it bootable, you need at least one unencrypted partition.

[I deleted post contents]

If you have a relatively new Linux kernel, you could probably also use BTRFS with encryption.