3 min read

The other day my Dad mentioned that “any true geek always carries a USB drive with him”. I proved my geek-hood by producing the 2G titanium thumb drive from around my neck. I then did him one further by telling him that the drive was encrypted with AES 256 bit encryption. I don’t know whether or not he was impressed, but I sure proved that I am a true geek. It was this experience that prompted me to share my instructions on how to securely encrypt any removable drive.

Following the steps outlined in this tutorial will wipe all data from the device / partition that you present to the encryption utility. You cannot encrypt an existing system using this method and retain the data. Please ensure that you have backups of your data, or that your data is otherwise expendable.

Step 1:

The first step in this tutorial is installing the cryptsetup utility. This tool is part of the cryptsetup package, which is available in the default repositories. You can search for this using your favorite package management utility or install from the terminal using the command:

sudo aptitude install cryptsetup



Step 2:

Once you have the required utility installed, we’ll need to prepare the device for use. This step will alter the partition table on the device, potentially causing loss of data. Again, refer to the warning above.

Identify the Device

We need to know the /dev/ entry that the device is assigned in order to successfully partition and encrypt it. There are two methods outlined below which can aid you in determining the device name. In many cases the device may be listed as /dev/sdb1, /dev/sdc1, etc.

The first method of identifying the device is using the fdisk utility. Simply listing all available partitions may help you determine the device. Hint: you can use the size of the device to help determine its device entry if needed.

[[email protected] ~]$ sudo fdisk -l





Disk /dev/sda: 80.0 GB, 80026361856 bytes

255 heads, 63 sectors/track, 9729 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Disk identifier: 0x000602ca





Device Boot Start End Blocks Id System

/dev/sda1 * 1 13 104422 83 Linux

/dev/sda2 14 46 265072+ 82 Linux swap / Solaris

/dev/sda3 47 1003 7687102+ 83 Linux

/dev/sda4 1004 9729 70091595 83 Linux





Disk /dev/sdb: 1021 MB, 1021313024 bytes

10 heads, 45 sectors/track, 4432 cylinders

Units = cylinders of 450 * 512 = 230400 bytes

Disk identifier: 0x00000000





Device Boot Start End Blocks Id System

/dev/sdb1 1 4432 997177+ 83 Linux



In this example I have determined that my 1G USB drive is detected as /dev/sdb1. This will be the device entry that I will use moving forward.

A second method that you can use to determine the device is the dmesg utility. The dmesg utility outputs kernel-level messages to the console. One little “trick” is to unplug and replug your removable disk, and then run dmesg. You should see output similar to:

dmesg



...



usb-storage: device found at 7

usb-storage: waiting for device to settle before scanning

scsi 8:0:0:0: Direct-Access Kingston DataTraveler 2.0 1.00 PQ: 0 ANSI: 2

sd 8:0:0:0: Attached scsi generic sg1 type 0

usb-storage: device scan complete

sd 8:0:0:0: [sdb] 1994752 512-byte logical blocks: (1.02 GB/974 MiB)

sd 8:0:0:0: [sdb] Write Protect is off

sd 8:0:0:0: [sdb] Mode Sense: 23 00 00 00

sd 8:0:0:0: [sdb] Assuming drive cache: write through

sd 8:0:0:0: [sdb] Assuming drive cache: write through

sdb: sdb1

sd 8:0:0:0: [sdb] Assuming drive cache: write through

sd 8:0:0:0: [sdb] Attached SCSI removable disk

EXT4-fs (dm-0): mounted filesystem with ordered data mode



Again, we can see from this information that the USB device was detected and assigned at sdb1.