Encrypting the usb flash drive

vijaush · 02-02-2007, 06:04 AM

Hi all,

i want to encrypt the data stored on the usb mass storage device( sector wise ), but i cannot figure out where to start digging. i have tried to search in devio.c and hcd.c in /usr/src/kernel/drivers/usb/core but with no success

can anyone please tell me where should i look for getting the data encrypted in the usb mass storage device.

thanks in advance

ramram29 · 02-02-2007, 08:36 AM

I uses GPG manually to encrypt my files.

nx5000 · 02-02-2007, 09:51 AM

If you want to encrypt the complete disk, you need
*Kernel >=2.6.4 (>=2.6.10 for better security)
*BLK_DEV_DM and DM_CRYPT options enabled in the kernel
*cryptsetup utility

/dev/sda being your usb key:

Verify disk and put random data (for security on known clear text attacks):

Code:

/sbin/badblocks -s -w -t random -v /dev/sda
dd if=/dev/urandom of=/dev/sda

Format the key with ext2 filesystem encrypted using luks, password is asked:

Code:

luksformat -t ext2 /dev/sda

Create a mount point where your decrypted disk will be mounted:

Code:

mkdir /media/cdisk1

Its more coherent with the rest of the howto if you put it in /media. Also media is the standard for removable media (its not supposed to be always mounted)

Link it with a device mapper, put this in /etc/fstab:

Quote:

/dev/mapper/cdisk1 /media/cdisk1 ext2 noauto,defaults 0 0

Tell the system that /dev/sda is to be linked with /dev/mapper/cdisk1, put this in /etc/crypttab:

Quote:

cdisk1 /dev/sda none luks,timeout=10

Mount it with the next command, password is asked:

Code:

cryptsetup luksOpen /dev/sda cdisk1
mount /media/cdisk1

To unmount and remove the mapping:

Code:

 umount /media/cdisk1
 cryptsetup luksClose cdisk1

Customization:
On next reboot, /etc/init.d/cryptdisks (in case it is installed by cryptsetup) will look in /etc/crypttab, ask you for the password and mount the disk in /media/cdisk1

Alternatively to mount it you can use pmount. The first argument is the partition or disk, the second is a label you choose (it can be different from above)

Code:

pmount /dev/sda supa_crypt

pmount will try to guess the filesystem and as it knows luks (because luks is a standard), will mount the disk in /media/supa_crypt
To use pmount on a non-removable media (eg. /dev/hda6 below), you have to allow this device to be "pmounted":

Quote:

Originally Posted by pmount.allow

# /etc/pmount.allow
# pmount will allow users to additionally mount all devices that are
# listed here.
/dev/hda6

If your HAL and udev is configured correctly and your Window manager is HAL-aware, just plug in the usb key and a popup appears to ask you the password. (the media will be mounted in /media/sda in this case, the label is the partition name)

And here are other links:
https://www.debian-administration.org/articles/428
https://www.debian-administration.org/articles/469
https://www.debian-administration.org/articles/179
http://cvs.lp.se/doc/cryptsetup/usbcrypto.hotplug.gz
http://cvs.lp.se/doc/cryptsetup/ <- you can encrypt the swap, encrypt the full system, etc..
https://www.debian-administration.org/articles/475 <-- truecrypt but it is not standard and not GPL. For it to work, you only need BLK_DEV_DM in the kernel. There are people who have made packages for several distro.

vijaush · 02-06-2007, 12:01 AM

thank you guys !!!

nx5000 · 02-06-2007, 01:12 PM

I've tested and updated the post.

vijaush · 02-07-2007, 10:21 AM

thanks a lot

statguy · 10-01-2007, 03:15 PM

I came across this useful thread today. I have one question about this procedure. Will this in any way break the usage of "standard" non-encrypted USB keys?