Cryptsetup is a utility used to set up disk encryption and is based on the dm-crypt kernel module. It implements LUKS, which is the standard for Linux hard disk encryption.
LUKS provides a standard on-disk format and facilitates compatibility among distributions while also providing secure management of multiple user passwords. In contrast to existing solutions, LUKS stores all necessary setup information in the partition header, enabling the user to easily transport the data.
Today we will examine how to set up encryption on a 32GB SanDisk USB thumb-drive using Ubuntu Linux.
**Warning: This process will destroy any existing data on your device. Proceed with caution and make sure you understand the purpose of each command; otherwise you will most likely lose all your data.**
fdisk is an older disk partitioning and formatting tool. It doesn’t support GPT, so for this exercise we will install parted, which is the terminal version of gparted. Before we get started, install the necessary packages.
sudo apt install cryptsetup parted
Work with partitions and set up a file system
Identify the device name you wish to work with.
sudo parted -l
Model: SanDisk Cruzer Blade (scsi)
Disk /dev/sdf: 31.3GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number  Start   End     Size    Type     File system  Flags
 1      1049kB  31.3GB  31.3GB  primary  fat32        boot, lba
In this example we will be working with /dev/sdf.
sudo parted /dev/sdf
Use the print command to view any existing partitions.
(parted) print
Model: SanDisk Cruzer Blade (scsi)
Disk /dev/sdf: 31.3GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number  Start   End     Size    Type     File system  Flags
 1      1049kB  31.3GB  31.3GB  primary  fat32        boot, lba
Parted shows the partition table type is msdos and there is 1 partition on my 32GB SanDisk USB thumb-drive. Below I will remove the partition and later switch to GPT instead.
(parted) rm 1
Warning: Partition /dev/sdf1 is being used. Are you sure you want to continue?
Yes/No? yes
Error: Partition(s) 1 on /dev/sdf have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use. As a result, the old partition(s) will remain in use. You should reboot now before making further changes.
Ignore/Cancel? Ignore
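A pre-flight check for the step above, as an added example that is not part of the original article: the "being used" warning typically means a partition on the stick is still mounted, and the same parse also refuses a non-removable disk picked by mistake. `check_wipe_target` and `field` are hypothetical helper names, and the sample `lsblk -P` lines are constructed.

```shell
#!/bin/sh
# Added example: check_wipe_target and field are hypothetical helper names.
# Input is the output of: lsblk -P -n -o NAME,TYPE,RM,MOUNTPOINT /dev/sdX

# Pull one KEY="value" field out of a pairs-format line (no eval on device data).
field() {
    printf ' %s\n' "$1" | sed -n 's/.* '"$2"'="\([^"]*\)".*/\1/p'
}

# Print "ok" (exit 0) or "refuse: <reason>" (exit 1) for the listed disk.
check_wipe_target() {
    first=1
    verdict="refuse: no device listed"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=$(field "$line" NAME)
        if [ "$first" = 1 ]; then
            first=0
            verdict=ok
            # The first line is the disk itself: it must be a whole, removable disk.
            [ "$(field "$line" TYPE)" = disk ] || { verdict="refuse: $name is not a whole disk"; break; }
            [ "$(field "$line" RM)" = 1 ] || { verdict="refuse: $name is not removable"; break; }
        fi
        # A mounted partition is what keeps the old partition table in use.
        mnt=$(field "$line" MOUNTPOINT)
        [ -z "$mnt" ] || { verdict="refuse: $name is mounted at $mnt"; break; }
    done
    printf '%s\n' "$verdict"
    [ "$verdict" = ok ]
}

# Constructed samples (not captured from the article's machine).
SAMPLE_BUSY='NAME="sdf" TYPE="disk" RM="1" MOUNTPOINT=""
NAME="sdf1" TYPE="part" RM="1" MOUNTPOINT="/media/user1/USB"'
SAMPLE_IDLE='NAME="sdf" TYPE="disk" RM="1" MOUNTPOINT=""
NAME="sdf1" TYPE="part" RM="1" MOUNTPOINT=""'
SAMPLE_FIXED='NAME="sda" TYPE="disk" RM="0" MOUNTPOINT=""'

printf '%s\n' "$SAMPLE_BUSY" | check_wipe_target || true
printf '%s\n' "$SAMPLE_IDLE" | check_wipe_target || true
printf '%s\n' "$SAMPLE_FIXED" | check_wipe_target || true
```

On a real system, pipe `lsblk -P -n -o NAME,TYPE,RM,MOUNTPOINT /dev/sdf` into `check_wipe_target` and unmount whatever it reports before running parted.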
After rebooting, list the devices and verify the device name once again.
sudo parted -l
Model: SanDisk Cruzer Blade (scsi)
Disk /dev/sdf: 31.3GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number  Start  End  Size  File system  Name  Flags
Here I am creating a GPT partition table.
sudo parted /dev/sdf mklabel gpt
Warning: The existing disk label on /dev/sdf will be destroyed and all data on this disk will be lost. Do you want to continue?
Yes/No? yes
Information: You may need to update /etc/fstab.
Next I am going to create a new partition.
sudo parted -a opt /dev/sdf mkpart primary ext4 0% 100%
Let’s take a look at the new partition.
sudo parted -l
Model: SanDisk Cruzer Blade (scsi)
Disk /dev/sdf: 31.3GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number  Start   End     Size    File system  Name     Flags
 1      1049kB  31.3GB  31.3GB  fat32        primary
You can also use lsblk to show the partition name.
lsblk
sdf      8:80   1  29.1G  0 disk
└─sdf1   8:81   1  29.1G  0 part
Create a file system on the new partition.
sudo mkfs.ext4 -L data /dev/sdf1
mke2fs 1.44.1 (24-Mar-2018)
/dev/sdf1 contains a vfat file system
Proceed anyway? (y,N) y
Creating filesystem with 7631616 4k blocks and 1908736 inodes
Filesystem UUID: ed32db56-cc53-49dc-8587-d620ce441121
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Use parted again to show the file system type.
sudo parted -l
Model: SanDisk Cruzer Blade (scsi)
Disk /dev/sdf: 31.3GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number  Start   End     Size    File system  Name     Flags
 1      1049kB  31.3GB  31.3GB  ext4         primary
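Set up encryption
Next, encrypt the partition and set up a passphrase. luksFormat overwrites the ext4 file system created above with a LUKS header, which is why a new file system is created inside the opened container further down.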
sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdf1
WARNING!
========
This will overwrite data on /dev/sdf1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdf1:
Verify passphrase:
Command successful.
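To check what luksFormat wrote, and to make concrete the earlier point that LUKS keeps its setup information and key slots in the partition header, here is an added example (not from the original article) that reads the fixed LUKS1 header fields from a file. The function names are hypothetical and the header it runs on is constructed; only the UUID is borrowed from the article's later output.

```shell
#!/bin/sh
# Added example: hex_at, str_at, luks_summary, pad and make_sample are hypothetical names.

# Bytes [$2, $2+$3) of file $1 as lowercase hex / as a NUL-stripped string.
hex_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'; }
str_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }

# Summarise a LUKS header: version, cipher, key size, UUID, active key slots.
luks_summary() {
    [ "$(hex_at "$1" 0 6)" = 4c554b53babe ] || { echo "not LUKS"; return 1; }  # "LUKS" 0xBA 0xBE
    ver=$(( 0x$(hex_at "$1" 6 2) ))
    uuid=$(str_at "$1" 168 40)                 # same offset in LUKS1 and LUKS2
    [ "$ver" -eq 1 ] || { echo "LUKS$ver uuid=$uuid"; return 0; }
    cipher="$(str_at "$1" 8 32)-$(str_at "$1" 40 32)"
    keybits=$(( 0x$(hex_at "$1" 108 4) * 8 ))
    active=0; slot=0
    while [ "$slot" -lt 8 ]; do                # 8 slots of 48 bytes from offset 208
        [ "$(hex_at "$1" $((208 + slot * 48)) 4)" = 00ac71f3 ] && active=$((active + 1))
        slot=$((slot + 1))
    done
    echo "LUKS1 $cipher ${keybits}-bit uuid=$uuid slots=$active/8"
}

# Build a constructed 592-byte LUKS1-style header (digest and salts zeroed).
pad() { printf '%s' "$1"; head -c $(( $2 - ${#1} )) /dev/zero; }
make_sample() {
    {
        printf 'LUKS\272\276\000\001'
        pad aes 32; pad xts-plain64 32; pad sha256 32
        printf '\000\000\020\000\000\000\000\040'   # payload offset 4096, key bytes 32
        head -c 56 /dev/zero                        # mk digest, salt, iterations
        pad 8dbbede4-16e4-45af-acb5-7a4da2cb902a 40 # UUID taken from the article's output
        printf '\000\254\161\363'; head -c 44 /dev/zero          # slot 0 enabled
        i=1
        while [ "$i" -lt 8 ]; do
            printf '\000\000\336\255'; head -c 44 /dev/zero      # slots 1-7 disabled
            i=$((i + 1))
        done
    } > "$1"
}

tmp=$(mktemp)
make_sample "$tmp"
luks_summary "$tmp"
rm -f "$tmp"
```

On a real device, `sudo cryptsetup luksDump /dev/sdf1` prints the same fields; for a LUKS2 volume this sketch reports only the version and UUID.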
Open your encrypted partition
sudo cryptsetup luksOpen /dev/sdf1 sdf1
sudo parted -l
Error: /dev/mapper/sdf1: unrecognised disk label
Model: Linux device-mapper (crypt) (dm)
Disk /dev/mapper/sdf1: 31.3GB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:
Create a file system on your newly encrypted partition
sudo mkfs.ext4 /dev/mapper/sdf1
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 7631104 4k blocks and 1908736 inodes
Filesystem UUID: f1443343-e6b4-4c61-a809-dc6eee889bde
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Remove any reserved space
sudo tune2fs -m 0 /dev/mapper/sdf1
tune2fs 1.44.1 (24-Mar-2018)
Setting reserved blocks percentage to 0% (0 blocks)
Manually mount the encrypted thumb-drive
Make a directory to mount the encrypted partition
sudo mkdir /mnt/encrypted
Take ownership of the mount point
sudo chown user1:user1 /mnt/encrypted
Mount it
sudo mount /dev/mapper/sdf1 /mnt/encrypted
What does it look like?
sudo parted -l
Model: Linux device-mapper (crypt) (dm)
Disk /dev/mapper/sdf1: 31.3GB
Sector size (logical/physical): 512B/512B
Partition Table: loop
Disk Flags:
Number  Start  End     Size    File system  Flags
 1      0.00B  31.3GB  31.3GB  ext4
lsblk
sdf        8:80   1  29.1G  0 disk
└─sdf1     8:81   1  29.1G  0 part
  └─sdf1 253:0    0  29.1G  0 crypt /mnt/encrypted
Manually un-mount the encrypted thumb-drive
To un-mount the encrypted partition
sudo umount /dev/mapper/sdf1
sudo cryptsetup luksClose sdf1
Now it is safe to disconnect the thumb-drive from the system.
When reconnecting the USB thumb-drive
sudo cryptsetup luksOpen /dev/sdf1 sdf1
sudo mount /dev/mapper/sdf1 /mnt/encrypted
Ubuntu can automatically mount it for you
If your Ubuntu installation is running a GUI, the operating system will take care of presenting a password prompt and automatically mounting the drive for you.
We can see the unique ID that Ubuntu automatically assigned to the SanDisk USB thumb-drive.
sudo parted -l
Model: Linux device-mapper (crypt) (dm)
Disk /dev/mapper/luks-8dbbede4-16e4-45af-acb5-7a4da2cb902a: 31.3GB
Sector size (logical/physical): 512B/512B
Partition Table: loop
Disk Flags:
Number  Start  End     Size    File system  Flags
 1      0.00B  31.3GB  31.3GB  ext4