Create an encrypted partition/usb disk 2009-12-02
Posted by claudio in Uncategorized. Tags: encryption, Hardware, security
Update 2016/09/08: on recent Ubuntus (e.g. 16.04) you can use the graphical “disks” application to create a LUKS+ext4 partition. The defaults are sane. However, it’s still advisable to fill the new disk with random data before encrypting it. This howto is still useful for non-X setups.
Update 2012/03/18: up to date with Ubuntu 11.10.
Update 2010/04/30: Addition for the new 4KB block size drives.
If you are like me and use a laptop as your main computer, you will run out of space very soon. USB disks are a great alternative to store your photography or music collection or, simply, files you don’t use every day. I always keep backups off-site (on a USB disk) and I want to have those encrypted. This is what I did (open a shell):
- Install the cryptography software:
$ sudo apt-get install cryptsetup
- Write some random data to your disk (we will assume it’s called /dev/sdx; type “dmesg” after inserting the disk to figure out the device name, or, if it’s Windows-formatted and automounted, have a look at the output of “mount”):
$ sudo dd if=/dev/random of=/dev/sdx bs=4K
This will take a long time, at least a few days (/dev/random blocks while it waits for entropy, so keep the system busy with some I/O). A good, shorter compromise (about a day) is:
$ sudo badblocks -c 10240 -s -w -t random -v /dev/sdx
- Create a new Linux partition table with cfdisk (create a new partition table if asked, choose New and assign the whole disk, use a primary partition).
$ sudo cfdisk /dev/sdx
- Setup a partition using fdisk (compatible with the new 4KB block size drives):
$ sudo fdisk -uc /dev/sdx
Command (m for help): d
Selected partition 1
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First sector (2048-2930277167, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-2930277167, default 2930277167):
Using default value 2930277167
Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 83
Command (m for help): p
Disk /dev/sdx: 1500.3 GB, 1500301910016 bytes
81 heads, 63 sectors/track, 574226 cylinders, total 2930277168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x4fabbfc4
Device Boot Start End Blocks Id System
/dev/sdx1 2048 2930277167 1465137560 83 Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
- Create the encrypted partition. Make the passphrase long and difficult to guess:
$ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdx1 -c aes-cbc-essiv:sha256
- Create a filesystem (I am using ext4; the chosen device-mapper name and filesystem label is “disk5”, change it to your taste):
$ sudo cryptsetup luksOpen /dev/sdx1 disk5
$ sudo mkfs.ext4 /dev/mapper/disk5 -L disk5
$ sudo cryptsetup luksClose disk5
- Mount it by going to “Computer” in Nautilus, double clicking the disk and entering your passphrase. I chose not to let Gnome store the encryption passphrase for automounting, as it would make the encryption as weak as your system password (and we know how to retrieve/change those)…
That’s it!
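As an added example (not part of the original post), a small POSIX sh script that wraps the steps above: it refuses to touch a disk that has mounted partitions, checks that the 2048 start sector given by fdisk -uc is aligned to the drive’s physical sector size (the 4KB-drive point of the 2010 update), and prints the cryptsetup/mkfs sequence for review before anything is run. The device /dev/sdX, the name disk5 and the MKLUKS_RUN variable are placeholders and assumptions, not anything the post defines.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the howto's steps with two
# sanity checks. Nothing is executed unless MKLUKS_RUN=1 (an assumed variable).

# aligned_start START_SECTOR LOGICAL_BYTES PHYSICAL_BYTES
# Succeeds when the partition start falls on a physical-sector boundary.
# fdisk -uc starts at sector 2048 (1 MiB), which is aligned for 512B and 4KB drives.
aligned_start() {
    [ $(( ($1 * $2) % $3 )) -eq 0 ]
}

# dev_sector_sizes DEV -> prints "logical physical" from sysfs (Linux only)
dev_sector_sizes() {
    q=/sys/block/$(basename "$1")/queue
    echo "$(cat "$q/logical_block_size") $(cat "$q/physical_block_size")"
}

# refuse_if_mounted DEV [MOUNTS_FILE]: fails if any partition of DEV is mounted.
# The mounts file defaults to /proc/mounts; the test passes a constructed file.
refuse_if_mounted() {
    ! grep -q "^$1[0-9]* " "${2:-/proc/mounts}"
}

# encrypt_cmds DEV NAME -> the post's command sequence, one command per line.
# aes-cbc-essiv:sha256 is the cipher the post picks (the cryptsetup default of
# its time); current cryptsetup defaults to aes-xts-plain64 if -c is omitted.
encrypt_cmds() {
    cat <<EOF
cryptsetup --verbose --verify-passphrase luksFormat ${1}1 -c aes-cbc-essiv:sha256
cryptsetup luksOpen ${1}1 $2
mkfs.ext4 /dev/mapper/$2 -L $2
cryptsetup luksClose $2
EOF
}

main() {
    dev=${1:?usage: $0 /dev/sdX name}
    name=${2:?usage: $0 /dev/sdX name}
    refuse_if_mounted "$dev" || { echo "$dev has mounted partitions, unmount first" >&2; exit 1; }
    sizes=$(dev_sector_sizes "$dev")
    logical=${sizes% *}
    physical=${sizes#* }
    aligned_start 2048 "$logical" "$physical" \
        || { echo "start sector 2048 is not aligned to $physical-byte sectors" >&2; exit 1; }
    echo "# commands for $dev (run with MKLUKS_RUN=1 after the fdisk step):"
    encrypt_cmds "$dev" "$name"
    [ "${MKLUKS_RUN:-0}" = 1 ] && encrypt_cmds "$dev" "$name" | sh -e
}

if [ "${MKLUKS_RUN:-0}" = 1 ] || [ "${0##*/}" = mkluks.sh ]; then main "$@"; fi
```

Save it as mkluks.sh and run it without MKLUKS_RUN first to review the commands it would issue for your device.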