-   Linux - Kernel (
-   -   Encrypting the usb flash drive (

vijaush 02-02-2007 05:04 AM

Encrypting the usb flash drive
Hi all,

i want to encrypt the data stored on the usb mass storage device( sector wise ), but i cannot figure out where to start digging. i have tried to search in devio.c and hcd.c in /usr/src/kernel/drivers/usb/core but with no success :(

can anyone please tell me where should i look for getting the data encrypted in the usb mass storage device.

thanks in advance

ramram29 02-02-2007 07:36 AM

I uses GPG manually to encrypt my files.

nx5000 02-02-2007 08:51 AM

If you want to encrypt the complete disk, you need
*Kernel >=2.6.4 (>=2.6.10 for better security)
*BLK_DEV_DM and DM_CRYPT options enabled in the kernel
*cryptsetup utility

/dev/sda being your usb key:

Verify disk and put random data (for security on known clear text attacks):

/sbin/badblocks -s -w -t random -v /dev/sda
dd if=/dev/urandom of=/dev/sda

Format the key with ext2 filesystem encrypted using luks, password is asked:

luksformat -t ext2 /dev/sda
Create a mount point where your decrypted disk will be mounted:

mkdir /media/cdisk1
Its more coherent with the rest of the howto if you put it in /media. Also media is the standard for removable media (its not supposed to be always mounted)

Link it with a device mapper, put this in /etc/fstab:

/dev/mapper/cdisk1 /media/cdisk1 ext2 noauto,defaults 0 0
Tell the system that /dev/sda is to be linked with /dev/mapper/cdisk1, put this in /etc/crypttab:

cdisk1 /dev/sda none luks,timeout=10
Mount it with the next command, password is asked:

cryptsetup luksOpen /dev/sda cdisk1
mount /media/cdisk1

To unmount and remove the mapping:

umount /media/cdisk1
 cryptsetup luksClose cdisk1

On next reboot, /etc/init.d/cryptdisks (in case it is installed by cryptsetup) will look in /etc/crypttab, ask you for the password and mount the disk in /media/cdisk1

Alternatively to mount it you can use pmount. The first argument is the partition or disk, the second is a label you choose (it can be different from above)

pmount /dev/sda supa_crypt
pmount will try to guess the filesystem and as it knows luks (because luks is a standard), will mount the disk in /media/supa_crypt
To use pmount on a non-removable media (eg. /dev/hda6 below), you have to allow this device to be "pmounted":

Originally Posted by pmount.allow
# /etc/pmount.allow
# pmount will allow users to additionally mount all devices that are
# listed here.

If your HAL and udev is configured correctly and your Window manager is HAL-aware, just plug in the usb key and a popup appears to ask you the password. (the media will be mounted in /media/sda in this case, the label is the partition name)

And here are other links: <- you can encrypt the swap, encrypt the full system, etc.. <-- truecrypt but it is not standard and not GPL. For it to work, you only need BLK_DEV_DM in the kernel. There are people who have made packages for several distro.

vijaush 02-05-2007 11:01 PM

thank you guys !!!

nx5000 02-06-2007 12:12 PM

I've tested and updated the post.

vijaush 02-07-2007 09:21 AM

thanks a lot :) :)

statguy 10-01-2007 02:15 PM

I came across this useful thread today. I have one question about this procedure. Will this in any way break the usage of "standard" non-encrypted USB keys?

Terrel Shumway 09-23-2011 05:36 PM

badblocks Considered Harmful

Originally Posted by nx5000 (Post 2613206)
Verify disk and put random data (for security on known clear text attacks):

/sbin/badblocks -s -w -t random -v /dev/sda

Using badblocks on most USB flash drives is counter-productive. NAND-flash is designed to have a certain level of defects, and the firmware in the controller automatically compensates for pages going bad. Writing and reading back a test pattern to every block will just wear out your flash sooner.

As far as I can tell, the need for badblocks-type scanning was only useful for floppy disks and *VERY* old hard disks. "IDE" hard drives, introduced in 1986, were well-entrenched before Linus even created the original ext file system. Certainly by 1996 when e2fsprogs 1.0 was released, modern hard drives were already doing automatic bad-block remapping. When the OS starts seeing bad blocks, it is time to replace the drive.

Note also: after following the above steps, you will not be able to boot from the encrypted flash drive. If you want it bootable, you need at least one unencrypted partition.

tkibugu 12-15-2011 04:26 AM

RE: Encrypting the usb flash drive
[I deleted post contents]

cnxsoft 12-16-2011 04:32 AM

If you have a relatively new Linux kernel, you could probably also use BTRFS with encryption.

All times are GMT -5. The time now is 10:12 AM.