LinuxQuestions.org


remn 02-14-2016 08:43 PM

Most secure way to encrypt a usb flash drive?
 
I'm wondering what's the most secure way to encrypt a usb flash drive from the command line. The 2 options I've found from searching around are the gpg and cryptsetup commands. I'm leaning towards running "gpg -c /dev/sdb1", because it seems easier. I'm just wondering how strong the encryption will be with the gpg command. I would use a strong password but I'm just wondering how good gpg is for encrypting devices, since it's mostly known for encrypting text and files.

Any other options I should consider?

sgosnell 02-14-2016 09:35 PM

I've never used cryptsetup, so I have no recommendation about that. I use veracrypt to encrypt a USB drive connected to my desktop, and it works well. I can mount it as a regular drive via password, but unmounted it's inaccessible. Gpg is clunkier to use, and doesn't let you mount the drive for use, AFAIK.

EduPorteņo 02-15-2016 07:51 AM

I'm using an OS which runs on a USB flash drive and encrypts all the rest of the device for home.
It's called Knoppix Version 7.6.1.

ZombieChicken 02-15-2016 05:00 PM

Quote:

Originally Posted by remn (Post 5500283)
I'm wondering what's the most secure way to encrypt a usb flash drive from the command line. The 2 options I've found from searching around are the gpg and cryptsetup commands. I'm leaning towards running "gpg -c /dev/sdb1", because it seems easier. I'm just wondering how strong the encryption will be with the gpg command. I would use a strong password but I'm just wondering how good gpg is for encrypting devices, since it's mostly known for encrypting text and files.

Any other options I should consider?

LUKS/cryptsetup is the more-or-less standard way of encrypting a drive. GPG is, as you said, used to encrypt files. Depending on how paranoid you wish to be, encrypt the device using LUKS and then encrypt the files you really want protected using GPG. It all depends on how paranoid you want to be and what your use case is.

jefro 02-15-2016 07:41 PM

The question involves the level of security. If you are trying to encrypt it to evade a government then you may be out of luck. They have supercomputers that could bypass almost any scheme. This also assumes there isn't some backdoor to the method or flaw to it that is not widely known. At one time GPG was under attack by governments. Suddenly the complaints stopped, prompting people to assume it wasn't as secure as thought.

For most users I'd think gpg or any of the standard ways would do OK.

remn 02-16-2016 12:41 PM

I encrypted a flash drive with cryptsetup, using the following command:

Code:

cryptsetup -v luksFormat /dev/sdb1

The encryption worked, but now I'm having all kinds of problems mounting the device. I've tried both command line and my graphical file browser, and it won't mount.

In the dolphin file browser I'm able to enter the password, but then I get this message: "An error occurred while accessing '15.2 GiB Encrypted Drive', the system responded: An unspecified error has occurred: No such interface 'org.freedesktop.UDisks2.Filesystem' on object at path /org/freedesktop/UDisks2/block_devices/dm_2d0"

In the command line I was getting a UUID but now for some reason that's not showing up. It just shows up as sdb1, and when I try

Code:

mount sdb1

it just says "no such file or directory."

For some reason the drive no longer shows up as /dev/sdb1 since I encrypted it, I guess because it won't mount.

rtmistler 02-16-2016 01:40 PM

Don't give it to anyone.

Seriously, if it's a flash drive then isn't it mainly for system to system large file transfer? Then you'd need to have the key and decryption mechanism either on the flash drive, or on both (or multiple) systems.

Physical security is the first level of security.

remn 02-16-2016 05:13 PM

Quote:

Originally Posted by rtmistler (Post 5501198)
Don't give it to anyone.

Seriously, if it's a flash drive then isn't it mainly for system to system large file transfer? Then you'd need to have the key and decryption mechanism either on the flash drive, or on both (or multiple) systems.

Physical security is the first level of security.

Thanks but I'm looking for a way to encrypt the flash drive. And no it's not for system to system large file transfer, there are other uses for flash drives.

jefro 02-16-2016 08:53 PM

This isn't right. "mount sdb1"

https://www.kubuntuforums.net/showth...-Kubuntu-14-04

jamison20000e 02-16-2016 09:14 PM

Hi.

I just started learning to use eCryptfs: http://ecryptfs.org/documentation.html enterprise grade... ;)

best wishes and have fun! :)

Add:
Code:

mount /dev/sdb1

sundialsvcs 02-17-2016 08:07 AM

The purpose of pen-drive encryption is simply to make the device useless to someone else if it drops out of your suitcase. :) I suggest that you should simply use a filesystem that does the encryption for you as transparently as possible, such that you don't have to enter a password or anything in order to use the drive. To you, it should be "transparently not-obvious" that the content is encrypted at all: "it just works."

If you need to encipher content, use certificate-based GPG, such that it is possible for anyone who's receiving the file to independently verify that the file did come from "you," and that it has not been tampered with. In practice, the "identity verification" capability of these crypto-systems is every bit as important ... if not more so ... than their impenetrability.

It should be "very easy and transparent" for you to encipher files (or e-mail ...) that you send, and to decipher and verify content that you receive. (Even un-protected files should be signed.)

If you make the process "obfuscatory and hard on yourself and your associates," the odds are much higher that someone just won't do it. Or, that they won't do it correctly every time.

remn 02-17-2016 02:54 PM

Quote:

Originally Posted by jefro (Post 5501399)

The problem is that after I encrypted the drive with cryptsetup it no longer shows up as /dev/sdb1. This sort of thing always seems to happen when I modify flash drives in linux. Whether changing the file system, partition table, or whatever. It no longer shows up as /dev/sdx, and gets a long UUID.

When I tried "mount /dev/sdb1" I got an error about that not being in fstab.
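
Added example (not part of any post in this thread): `cryptsetup luksFormat` only writes the LUKS header, so the partition described in the two posts above still has to be opened with `cryptsetup open`, given a filesystem, and then mounted through `/dev/mapper/<name>` rather than `/dev/sdb1`. The function below reads `lsblk -P` output and prints the next command in that sequence; the mapping name `secureusb`, ext4, `/mnt/usb` and the sample lsblk lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. The mapping name "secureusb",
# ext4 and /mnt/usb are assumptions chosen for illustration.
# Real use, as root with the drive attached:
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT /dev/sdb1 | luks_next_step /dev/sdb1

# Read lsblk -P lines on stdin; print the next command in the LUKS workflow.
luks_next_step() {
    awk -v dev="$1" '
    # Return VALUE from KEY="VALUE" on the current line, "" if absent.
    function field(key,    m) {
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        m = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
        return m
    }
    {
        if (field("FSTYPE") == "crypto_LUKS") luks = 1   # header from luksFormat
        if (field("TYPE") == "crypt") {                   # mapping from cryptsetup open
            opened = 1; map = field("NAME")
            fs = field("FSTYPE"); mnt = field("MOUNTPOINT")
        }
    }
    END {
        if (!luks)          print "no LUKS header on " dev
        else if (!opened)   print "cryptsetup open " dev " secureusb"
        else if (fs == "")  print "mkfs.ext4 /dev/mapper/" map
        else if (mnt == "") print "mount /dev/mapper/" map " /mnt/usb"
        else                print "umount " mnt " && cryptsetup close " map
    }'
}

# Constructed lsblk -P output for successive states of the same partition.
FORMATTED='NAME="sdb1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""'
BLANK="$FORMATTED"'
NAME="secureusb" TYPE="crypt" FSTYPE="" MOUNTPOINT=""'
READY="$FORMATTED"'
NAME="secureusb" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT=""'
MOUNTED="$FORMATTED"'
NAME="secureusb" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/mnt/usb"'

for state in "$FORMATTED" "$BLANK" "$READY" "$MOUNTED"; do
    printf '%s\n' "$state" | luks_next_step /dev/sdb1
done
```
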

jamison20000e 02-17-2016 03:00 PM

Code:

sudo parted -l

Should list it?

Doug G 02-17-2016 07:13 PM

Maybe a hardware encrypted flash drive, like an Apricorn Aegis or similar.

TxLonghorn 02-21-2016 02:05 PM

Quote:

Originally Posted by Doug G (Post 5501910)
Never try to teach a pig how to sing. It will waste your time, and it annoys the pig

Doug G, was this YOU ? → https://www.youtube.com/watch?v=ev4AKmTMQWk


All times are GMT -5.