How-To: Encrypt a USB key with cryptsetup

Posted 05-26-2013 at 03:26 AM by gegechris99
Updated 10-01-2015 at 02:22 PM by gegechris99 (Typo error)

Recently the laptop of one of my friends was stolen. She was worried not by the loss of the laptop but by the fact that it contained scanned copies of identification documents (driver's license, identity card, passport).

This rang a bell in my head. I promised myself to encrypt my laptop with the next release, Slackware 14.1, which I hope will come soon, which means when it's ready.

In the meantime, I'm using a USB key as the target destination for my backup script, which uses rsync. Encrypting the USB key looked to me like a good exercise to get familiar with encryption tools.

Naturally, to get started, I turned to the Slackware document README_CRYPT.TXT, where I found most of what I needed to encrypt the USB key.

Another valuable source of information is the FAQ pages of the cryptsetup tool.

Cryptsetup implements the LUKS concept. LUKS, the Linux Unified Key Setup, is a standard for hard disk encryption. For further information about what LUKS is about, please visit the cryptsetup site.

Important warning: the procedure will completely wipe out any data stored in the USB Key. So make sure that you back up your data before starting.

Here's a step-by-step tutorial to create an encrypted USB key. Run the commands as root user.

I'm using Slackware 14.0 with XFCE and the mount point used in this tutorial is /run/media/<user id>/. Please adjust the appropriate steps according to the mount point of your desktop.

1) Create the LUKS container
cryptsetup -s 256 -y luksFormat /dev/sdb1
Here's an explanation of the options:
-s : Sets the key size in bits (256 bits is the default compiled into Slackware 14.0)
-y : When interactively asking for a passphrase, ask for it twice and complain if both inputs do not match
2) Map the LUKS container

Here, I map the container to /dev/mapper/cryptusb:
cryptsetup luksOpen /dev/sdb1 cryptusb
3) Create a file system in the mapped LUKS container

I create a linux filesystem (here it's ext4) because I want to use rsync in my backup script:
mkfs -t ext4 /dev/mapper/cryptusb
4) Give a label to the USB key

With a label, the USB key will be mounted on "/run/media/chris/<USB key label>" (using XFCE), which is easier to remember and to use in a bash script than "/run/media/chris/<USB key uuid>" (the mount point used if no label is found). My label is USB2GB:
e2label /dev/mapper/cryptusb USB2GB
Later, if you want to change the label, just plug in the USB key and map the container as described in step 2), then run the above command.

5) Remove the existing mapping to cryptusb

The creation of your encrypted USB key (with no data in it) is now completed. Before removing the key, remove the LUKS mapping:
cryptsetup luksClose cryptusb
I unplug the USB key so that, in the next step, I can test the mount operation via the desktop.

6) Change the ownership of the USB key root directory

Plug in the USB key again. An icon will appear on your desktop. Double-click on the icon and you will be asked to enter the passphrase. Once that's done, the USB key becomes available in the file manager.

You'll have to change the ownership of the root directory of the USB key if you want to be able to copy data into it with your user id.

In the following command, replace chris with your user id and /run/media/chris/USB2GB with your actual mount point:
chown chris:users /run/media/chris/USB2GB
I'm now done and I can start using the USB key to securely store data. However, before you start actively using the device, I strongly suggest that you perform these two additional steps.

7) Create a backup of the LUKS header

From cryptsetup FAQ:
For LUKS, if anything damages the LUKS header or the key-stripe area then decrypting the LUKS device can become impossible.
After reading that, it makes sense to create a backup of these important parts (i.e. the LUKS header and key-stripe area).

Plug in the USB key and run:
cryptsetup luksHeaderBackup --header-backup-file luksHeaderBkp-USB2GB /dev/sdb1
Of course, put the header backup file in a safe location: anyone holding it together with a passphrase that was valid when the backup was taken can unlock the device, even after you change the passphrase on the key itself.

8) Restore the LUKS header

After playing a little bit with the USB key (I copied some files in it), I want to check that the backup file created in the previous step is not corrupted.

To make sure that the restore operation will actually work, I change the passphrase (the backup file still holds the key slot that the initial passphrase unlocks).

Plug in the USB key and run:
cryptsetup luksChangeKey /dev/sdb1
You're prompted to enter the initial passphrase and the new one.

After changing the passphrase, run the restore command:
cryptsetup luksHeaderRestore --header-backup-file luksHeaderBkp-USB2GB /dev/sdb1
After that, I decrypt the USB key using the initial passphrase, which is how it was supposed to work.
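A non-destructive complement to steps 7 and 8, added here as an example and not part of the original post: parse the backup file's LUKS1 header directly and compare its UUID with what the device reports, so a corrupted or mismatched backup is caught before a restore. It assumes the key was formatted as LUKS1 (what cryptsetup on Slackware 14.0 produces) and standard dd/od/tr; the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a LUKS1 header
# backup (e.g. luksHeaderBkp-USB2GB from step 7) before relying on it,
# without the restore of step 8. Offsets are those of the LUKS1 on-disk
# header: magic at byte 0 (6 bytes), version at 6 (2 bytes, big-endian),
# cipher name at 8 (32 bytes), cipher mode at 40 (32), hash spec at 72 (32),
# UUID at 168 (40 bytes, NUL-padded ASCII).

# Print a NUL-padded ASCII header field: $1=file $2=byte offset $3=length
luks_field() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# Print "ok" if the file starts with the LUKS magic and is version 1;
# otherwise print the reason and return 1.
luks_header_check() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || { echo "bad magic: $magic"; return 1; }
    version=$(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$version" = "0001" ] || { echo "unsupported version: $version"; return 1; }
    echo ok
}

# One-line summary of the backup: cipher-mode, hash and UUID.
luks_header_summary() {
    printf '%s-%s %s %s\n' "$(luks_field "$1" 8 32)" "$(luks_field "$1" 40 32)" \
        "$(luks_field "$1" 72 32)" "$(luks_field "$1" 168 40)"
}

# Compare the backup with the live device (needs root and cryptsetup):
# the UUID stored in the backup must equal the one the device reports now.
# $1 = backup file, $2 = device such as /dev/sdb1
verify_luks_backup() {
    luks_header_check "$1" >/dev/null || return 1
    dev_uuid=$(cryptsetup luksUUID "$2") || return 1
    [ "$(luks_field "$1" 168 40)" = "$dev_uuid" ]
}

# Usage (as root); the script name is hypothetical:
#   sh check-luks-header.sh luksHeaderBkp-USB2GB /dev/sdb1
if [ "$#" -eq 2 ]; then
    luks_header_check "$1" && luks_header_summary "$1" \
        && verify_luks_backup "$1" "$2" && echo "backup matches $2"
fi
```

This only inspects the unencrypted metadata; the restore test in step 8 is still the one that proves the key slots in the backup are intact.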

Some final words...

So far, I haven't noticed any loss of performance during my backup operations.

To finish, I checked that I could access the USB key using another Linux OS (namely the Knoppix 7.0.3 live CD) and it worked just fine.
Comments (2)

1. Excellent tutorial, still works as of Slackware 14.2, thanks a bunch!!
   Posted 02-20-2017 at 04:15 PM by gibal
2. Is it possible to convert these instructions using a keyfile?
   Posted 10-19-2020 at 03:07 AM by PROBLEMCHYLD