Encrypted USB Drives in Linux

In this short article I describe how to partition, format, and encrypt a USB stick, an external hard drive, or any other external storage device on Linux. I use Fedora 29 Linux and LUKS (Linux Unified Key Setup). Everything below destroys the data on the device, so start with a device you can wipe.

Step 1: Find your USB device

Connect your USB device and run

dmesg

in a terminal. You should see an output similar to this:

[40648.666305] usb 4-1: new SuperSpeed Gen 1 USB device number 5 using xhci_hcd
[40648.679036] usb 4-1: New USB device found, idVendor=0480, idProduct=a007, bcdDevice= 1.00
[40648.679042] usb 4-1: New USB device strings: Mfr=2, Product=3, SerialNumber=1
[40648.679046] usb 4-1: Product: External USB 3.0
[40648.679050] usb 4-1: Manufacturer: Toshiba
[40648.679054] usb 4-1: SerialNumber: xxxxxxxxxxxxxxx
[40648.681551] usb-storage 4-1:1.0: USB Mass Storage device detected
[40648.683064] scsi host5: usb-storage 4-1:1.0
[40649.736949] scsi 5:0:0:0: Direct-Access     Toshiba  External USB 3.0 0    PQ: 0 ANSI: 6
[40649.737919] sd 5:0:0:0: Attached scsi generic sg1 type 0
[40650.622818] sd 5:0:0:0: [sdc] 976773168 512-byte logical blocks: (500 GB/466 GiB)
[40650.623124] sd 5:0:0:0: [sdc] Write Protect is off
[40650.623129] sd 5:0:0:0: [sdc] Mode Sense: 43 00 00 00
[40650.623588] sd 5:0:0:0: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[40650.718175]  sdc: sdc1
[40650.719782] sd 5:0:0:0: [sdc] Attached SCSI disk

Look for the device name in brackets [] – here it is [sdc]. That means the device can be accessed under the name /dev/sdc. Double-check this before you continue: the size (500 GB here) and the product name must match the device you just plugged in, not an internal disk, because the following steps wipe the device you name.

Step 2: Repartition the device

Before starting fdisk to repartition the device you must check whether any of its partitions are mounted at the moment (the desktop usually auto-mounts them). Run this command to list all mount points of the device:

mount | grep sdc

If the device is mounted, unmount every mounted partition by its device name:

sudo umount /dev/sdc1

After this is done, run this command to open the drive in fdisk:

sudo fdisk /dev/sdc

Type “p” <return> to list all partitions. Delete them one by one using the “d” <return> command.

Change the partitioning scheme to GPT by typing “g” <return>; this creates a new, empty partition table. Then create one new partition with the command “n” <return>. Accept the defaults (partition number, first sector, last sector) by pressing the <return> key three times, so the partition spans the whole device.

Finally type “w” <return> to write all changes to the device. Nothing is touched before this point; “w” is the point of no return, and the new partition appears as /dev/sdc1.

Step 3: Encrypt the volume

To format the newly created partition as a LUKS encrypted volume, type:

sudo cryptsetup luksFormat /dev/sdc1

You will be asked to confirm that the partition’s contents will be overwritten by typing “YES” (in capital letters) <return>. Then you are asked to type in the passphrase for this device twice. Choose it carefully: this passphrase is the only thing that protects the data, and there is no way to recover it.

Now open (unlock) the new encrypted volume. This does not mount anything yet; it creates a device /dev/mapper/SomeTemporaryMapperNameHere which the next step formats:

sudo cryptsetup luksOpen /dev/sdc1 SomeTemporaryMapperNameHere

Step 4: Format the encrypted volume

It is now time to decide what file system you want to use and what label you want to give to your encrypted volume. The file system determines where you can use the device later. The label will be visible later in your file manager when the volume is mounted. In this example I use the ext4 file system because I only use the disk on Linux machines anyway.

sudo mkfs.ext4 -L MyHDDName /dev/mapper/SomeTemporaryMapperNameHere

After this is done, close the mapping again with cryptsetup luksClose (using the same mapper name) so that all writes are flushed, then disconnect the device and reconnect it. If your desktop environment mounts newly plugged in devices automatically, you will be asked to type in your passphrase to unlock and mount the volume.
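Steps 1 to 4 as one script, added here as an example; it is not code from the original article. It replaces the interactive fdisk session with an sfdisk script (a GPT label plus one partition spanning the disk), uses the newer cryptsetup spellings open/close (the same operations as luksOpen/luksClose) and a LUKS2 container, and adds the guards a careless moment on a server would want: the disk must show transport usb in lsblk, must not be the disk carrying the root file system, and the operator has to type the device name back. The function names (encrypt_usb, first_partition, is_system_disk) and the default mapper name usbcrypt are this example’s own choices.

```shell
#!/bin/sh
# Added example, not from the original article: steps 1-4 as one non-interactive
# script with safety checks. Function names are this example's own.
set -eu

# First partition node for a whole-disk node: /dev/sdc -> /dev/sdc1,
# /dev/nvme0n1 -> /dev/nvme0n1p1 (the kernel inserts "p" when the disk name ends in a digit).
first_partition() {
  case "$1" in
    *[0-9]) printf '%sp1\n' "$1" ;;
    *)      printf '%s1\n' "$1" ;;
  esac
}

# Does the root file system live on this disk? $2 is what `findmnt -no SOURCE /`
# prints. Only a plain partition root (e.g. /dev/sda2) is recognised; a root on
# LVM or LUKS shows up as /dev/mapper/... and is NOT caught, which is why the
# USB transport check in encrypt_usb is the second line of defence.
is_system_disk() {
  disk=$1; root_source=$2
  case "$root_source" in
    "$disk"|"$disk"[0-9]*|"$disk"p[0-9]*) return 0 ;;
  esac
  return 1
}

encrypt_usb() {
  disk=$1; label=$2; mapper=${3:-usbcrypt}
  part=$(first_partition "$disk")

  # Guard 1: never touch the disk that holds /.
  if is_system_disk "$disk" "$(findmnt -no SOURCE /)"; then
    echo "refusing: $disk carries the root file system" >&2; return 1
  fi
  # Guard 2: only proceed for a USB-attached disk (lsblk's TRAN column).
  tran=$(lsblk -dno TRAN "$disk")
  if [ "$tran" != usb ]; then
    echo "refusing: $disk is not on the USB bus (TRAN=$tran)" >&2; return 1
  fi
  # Guard 3: show what is about to be wiped and make the operator type the name.
  lsblk -o NAME,SIZE,MODEL,TRAN,MOUNTPOINT "$disk"
  printf 'ALL DATA on %s will be destroyed. Type the device name to continue: ' "$disk"
  read -r answer
  [ "$answer" = "$disk" ] || { echo "aborted" >&2; return 1; }

  # Step 2: unmount everything mounted from this disk, then write a fresh GPT
  # with one partition spanning the disk (same result as the fdisk g/n/w session).
  lsblk -no MOUNTPOINT "$disk" | sed '/^$/d' | while IFS= read -r mp; do
    sudo umount "$mp"
  done
  printf 'label: gpt\n,\n' | sudo sfdisk --wipe always "$disk"
  sudo udevadm settle   # wait until the new partition node exists

  # Step 3: LUKS2 container (asks for YES and the passphrase), then unlock it.
  sudo cryptsetup luksFormat --type luks2 "$part"
  sudo cryptsetup open "$part" "$mapper"

  # Step 4: file system with a label, then close the mapping so the device can
  # be unplugged safely; the desktop asks for the passphrase on the next plug-in.
  sudo mkfs.ext4 -L "$label" "/dev/mapper/$mapper"
  sudo cryptsetup close "$mapper"
  sudo cryptsetup luksDump "$part" | head -n 12   # header summary for the record
}

# Usage: sh encrypt-usb.sh /dev/sdc MyHDDName
if [ $# -ge 2 ]; then
  encrypt_usb "$@"
fi
```

The transport check is cheap insurance: an internal SATA or NVMe disk reports sata or nvme in the TRAN column, so a typo like /dev/sda instead of /dev/sdc is refused before anything is written.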

What you can do now

Change owner of volume

After you have mounted your encrypted volume, you can find the mount point by running the mount command in a shell. The line for the volume looks similar to this:

/dev/mapper/luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx on /run/media/<username>/MyHDDName type ext4 (rw,nosuid,nodev,relatime,seclabel,uhelper=udisks2)

The root directory of the new file system belongs to root, so a normal user can read it but not write to it. To be able to write data to the volume, change the owner to your own username:

sudo chown <username>:<username> /run/media/<username>/MyHDDName

Automatically decrypt and mount using your TPM

OK, this is for specialists only. Imagine the following scenario: you use your USB hard drive to back up your Linux server. You want the disk to be encrypted, but nobody is there to type in the passphrase each time the disk is mounted.

Please read the Red Hat documentation on clevis! Your TPM 2.0 might not be available or ready for use. Please read my article “TPM Encryption in Fedora Linux” before you continue!

In this scenario you can use clevis to unlock a LUKS encrypted volume with the TPM 2.0 chip of the server (the clevis-udisks2 package does this automatically for volumes the desktop mounts through udisks2; on a server you call clevis yourself, as shown below). Before this works you have to bind the disk to the TPM. Binding adds a second keyslot whose key is sealed to the TPM; the passphrase keyslot from luksFormat stays in place and remains your fallback:

sudo clevis luks bind -d /dev/sdc1 tpm2 '{"pcr_ids":"7"}'

“pcr_ids”: “7” ties the sealed key to PCR 7, which reflects the Secure Boot state. After a firmware update or a change of the Secure Boot configuration the TPM will refuse to unseal, and you need the passphrase to open the disk and bind it again. Be clear about what this buys you: the disk is only unreadable away from this server; anyone who can boot this server with the disk attached can unlock it. To unlock the volume (the mapping is named luks-<LUKS UUID> unless you pass -n) use:

sudo clevis luks unlock -d /dev/sdc1
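An unattended backup run built on the bind and unlock commands above, added here as an example; it is not code from the original article. It assumes clevis 11 or newer (for clevis luks list and clevis luks unbind), cryptsetup 2.x, and a disk already bound as shown. If the TPM refuses to unseal (typically because PCR 7 changed), it falls back to the passphrase keyslot and tells you which slots to rebind. The function names, the rsync source list and the sample clevis luks list output are this example’s own; the sample is constructed to exercise the parsers and was not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original article: unattended backup to the
# TPM-bound disk with a passphrase fallback. Assumes clevis 11 or newer
# (clevis luks list/unbind), cryptsetup 2.x, and a disk already bound as above.
# Function names and the rsync source list are this example's own choices.
set -eu

# Pull the pcr_ids values out of `clevis luks list -d DEV` output ($1 is the
# text), one per line. Lines look like:  1: tpm2 '{"hash":"sha256","key":"ecc","pcr_ids":"7"}'
bound_pcr_ids() {
  printf '%s\n' "$1" | sed -n 's/.*"pcr_ids":"\([^"]*\)".*/\1/p'
}

# Slot numbers of tpm2 bindings in the same output, for `clevis luks unbind -s`.
tpm2_slots() {
  printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\): tpm2 .*/\1/p'
}

# Name clevis gives the mapping when -n is omitted: luks-<LUKS UUID>.
default_mapper_name() {
  printf 'luks-%s\n' "$1"
}

# Constructed sample of `clevis luks list` output (not captured from a real
# system), used only to exercise the two parsers above.
SAMPLE_LIST=$(cat <<'EOF'
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_ids":"7"}'
2: tpm2 '{"hash":"sha256","key":"ecc","pcr_ids":"0,7"}'
EOF
)

# Unlock via the TPM; if unsealing fails (PCR 7 changes whenever the Secure Boot
# configuration or the firmware changes) fall back to the passphrase keyslot that
# luksFormat created and that `clevis luks bind` leaves in place.
# Prints "tpm" or "passphrase" so the caller knows whether a re-bind is due.
unlock_backup_disk() {
  part=$1; name=$2
  if sudo clevis luks unlock -d "$part" -n "$name" 2>/dev/null; then
    echo tpm
  else
    echo "TPM unseal of $part failed (PCR 7 changed?); asking for the passphrase" >&2
    sudo cryptsetup open "$part" "$name"
    echo passphrase
  fi
}

run_backup() {
  part=$1; mnt=${2:-/mnt/backup}; name=backup
  how=$(unlock_backup_disk "$part" "$name")
  sudo mkdir -p "$mnt"
  sudo mount "/dev/mapper/$name" "$mnt"
  sudo rsync -aAX --delete /etc /home "$mnt/"
  sudo umount "$mnt"
  sudo cryptsetup close "$name"   # re-lock: the disk is only protected while closed
  if [ "$how" = passphrase ]; then
    stale=$(tpm2_slots "$(sudo clevis luks list -d "$part")")
    echo "TPM binding is stale; remove slot(s) $stale with 'clevis luks unbind -d $part -s N'" >&2
    echo "and bind again with: clevis luks bind -d $part tpm2 '{\"pcr_ids\":\"7\"}'" >&2
  fi
}

# Usage: sh backup.sh /dev/disk/by-uuid/<LUKS-UUID>   (stable name, unlike /dev/sdc1)
if [ $# -ge 1 ]; then
  run_backup "$@"
fi
```

Address the partition by its LUKS UUID under /dev/disk/by-uuid rather than /dev/sdc1: the sdX letter depends on the order in which disks were detected and can change between reboots, and a backup script that writes to the wrong disk is worse than one that fails.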

Image credits: Encryption illustration by Santeri Viinamäki [CC BY-SA 4.0]
