*n*x

Create an encrypted partition/usb disk December 2, 2009

Update 2010/04/30: Addition for the new KB drives.
Update 2012/03/18: up to date with Ubuntu 11.10.

If you are like me and use a laptop as your main computer, you will run out of space very soon. USB disks are a great alternative to store your photography or music collection or, simply, files you don’t use everyday. I always keep backups off-site (a USB disk) and I want to have those encrypted. This is what I did (open a shell):

1. Install the cryptography software:
   sudo apt-get install cryptsetup
2. Write some random data to your disk (we will assume it’s called /dev/sdx, type “dmesg” after inserting the disk to figure out the device, or if it’s windows formatted and automounted have a look at the output of “mount”):
   sudo dd if=/dev/random of=/dev/sdx bs=4K
   This will taken a long time, at least a few days (create some IO). A good -shorter- compromise (a day) will be:
   sudo badblocks -c 10240 -s -w -t random -v /dev/sdx
3. Create a new Linux partition table with cfdisk (create new partition table if asked, chose New and assign all the disk, use a primary partition).
sudo cfdisk /dev/sdx
4. Setup a partition using fdsik (compatible with the new 4KB block size drives):
   sudo fdisk -uc /dev/sdxCommand (m for help): d
   Selected partition 1Command (m for help): n
   Command action
   e   extended
   p   primary partition (1-4)
   p
   Partition number (1-4): 1
   First sector (2048-2930277167, default 2048):
   Using default value 2048
   Last sector, +sectors or +size{K,M,G} (2048-2930277167, default 2930277167):
   Using default value 2930277167

   Command (m for help): t
   Selected partition 1
   Hex code (type L to list codes): 83

   Command (m for help): p

   Disk /dev/sdx: 1500.3 GB, 1500301910016 bytes
   81 heads, 63 sectors/track, 574226 cylinders, total 2930277168 sectors
   Units = sectors of 1 * 512 = 512 bytes
   Sector size (logical/physical): 512 bytes / 512 bytes
   I/O size (minimum/optimal): 512 bytes / 512 bytes
   Disk identifier: 0x4fabbfc4

   Device Boot      Start         End      Blocks   Id  System
   /dev/sdx1            2048  2930277167  1465137560   83  Linux

   Command (m for help): w
   The partition table has been altered!

   Calling ioctl() to re-read partition table.
   Syncing disks.

5. Create the encrypted partition. Make the paraphase long and difficult to guess:
   sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdx1 -c aes-cbc-essiv:sha256
6. Create a filesystem (I am using ext4, the chose device and label name is “disk5″, change it to your taste):
   sudo cryptsetup luksOpen /dev/sdx1 disk5
sudo mkfs.ext4 /dev/mapper/disk5 -L disk5
sudo cryptsetup luksClose disk5
7. Mount it going to “Computer” in Nautilus, double clicking the disk and inserting your paraphrase. I chose not let Gnome store the encrypting paraphrase for automounting as it would make encryption as weak as your system password (and we know how to retrieve/change those)…

That’s it!