jump to navigation

Create an encrypted partition/usb disk 2009-12-02

Posted by claudio in Uncategorized.
Tags: , ,
2 comments

Update 2016/09/08: on recent Ubuntus (e.g. 16.04) you can use the graphical “disks” application to create a Luks+ext4 partiton. The defaults are sane. However, it’s still advisable to put random data on the new disk before encryption. This howto is still useful for non-X setups.
Update 2012/03/18: up to date with Ubuntu 11.10.
Update 2010/04/30: Addition for the new 4KB block size drives.

If you are like me and use a laptop as your main computer, you will run out of space very soon. USB disks are a great alternative to store your photography or music collection or, simply, files you don’t use everyday. I always keep backups off-site (a USB disk) and I want to have those encrypted. This is what I did (open a shell):

  1. Install the cryptography software:
    $ sudo apt-get install cryptsetup
  2. Write some random data to your disk (we will assume it’s called /dev/sdx, type “dmesg” after inserting the disk to figure out the device, or if it’s windows formatted and automounted have a look at the output of “mount”):
    $ sudo dd if=/dev/random of=/dev/sdx bs=4K
    This will taken a long time, at least a few days (create some IO). A good -shorter- compromise (a day) will be:
    $ sudo badblocks -c 10240 -s -w -t random -v /dev/sdx
  3. Create a new Linux partition table with cfdisk (create new partition table if asked, chose New and assign all the disk, use a primary partition).
    $ sudo cfdisk /dev/sdx
  4. Setup a partition using fdisk (compatible with the new 4KB block size drives):
    $ sudo fdisk -uc /dev/sdx

    Command (m for help): d
    Selected partition 1
    Command (m for help): n
    Command action
    e   extended
    p   primary partition (1-4)
    p
    Partition number (1-4): 1
    First sector (2048-2930277167, default 2048):
    Using default value 2048
    Last sector, +sectors or +size{K,M,G} (2048-2930277167, default 2930277167):
    Using default value 2930277167
    Command (m for help): t
    Selected partition 1
    Hex code (type L to list codes): 83
    Command (m for help): p
    Disk /dev/sdx: 1500.3 GB, 1500301910016 bytes
    81 heads, 63 sectors/track, 574226 cylinders, total 2930277168 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x4fabbfc4
    Device Boot      Start         End      Blocks   Id  System
    /dev/sdx1         2048  2930277167  1465137560   83  Linux
    Command (m for help): w
    The partition table has been altered!
    Calling ioctl() to re-read partition table.
    Syncing disks.
  5. Create the encrypted partition. Make the paraphase long and difficult to guess:
    $ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdx1 -c aes-cbc-essiv:sha256
  6. Create a filesystem (I am using ext4, the chose device and label name is “disk5”, change it to your taste):
    $ sudo cryptsetup luksOpen /dev/sdx1 disk5
    $ sudo mkfs.ext4 /dev/mapper/disk5 -L disk5
    $ sudo cryptsetup luksClose disk5
  7. Mount it going to “Computer” in Nautilus, double clicking the disk and inserting your paraphrase. I chose not let Gnome store the encrypting paraphrase for automounting as it would make encryption as weak as your system password (and we know how to retrieve/change those)…

 

That’s it!