Create encrypted USB stick


Post by ^rooker »

We've already written a HowTo for creating a LUKS encrypted disk image file, but here's the "regular use case": An encrypted USB stick.
NOTE: This HowTo looks way longer and more difficult than it actually is.
If you're in a hurry, or don't need the additional information, just jump to the blocks that contain the commands. That's it 8)

System: Xubuntu Xenial (16.04.6 LTS)
We'll assume "/dev/sdc" as the device file for the USB thumb drive and "/dev/sdc1" for its first partition.
The stick used here is a 32GB SanDisk drive.

1) Open the USB drive in "fdisk":

Code:

$ sudo fdisk /dev/sdc

NOTE: Since the stick is most likely smaller than 2TB (for the time being), it probably has an MBR (Master Boot Record), so "fdisk" is fine. MBR is/was the default way until disks larger than 2TB appeared :D
If the stick has a GPT (GUID Partition Table) instead, use "gdisk".

From "fdisk", you'll get a greeting like this:

Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Now show the current partition table by entering the command "p":

Code:

Command (m for help): p
Disk /dev/sdi: 28.7 GiB, 30752000000 bytes, 60062500 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xabcdef01234

2) Create a primary partition from beginning to end:

Code:

Command (m for help): n

You can usually do this by confirming fdisk's suggestions by hitting the Enter/Return key.
Output looks somewhat like this:

Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1):
First sector (2048-60062499, default 2048):
Last sector, +sectors or +size{K,M,G,T,P} (2048-60062499, default 60062499):

Created a new partition 1 of type 'Linux' and of size 28.7 GiB.

3) Save the created partition and exit the partition manager:

Code:

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

4) Initialize the partition for LUKS:
Execute the following command to initialize LUKS on the USB partition we've just created:

Code:

$ sudo cryptsetup luksFormat /dev/sdc1

It will ask you to confirm with "YES" and enter your passphrase.

Don't be scared by the "WARNING!" message:
You are about to delete all data on that partition. So it's nice that luksFormat gives you the time to double-check if you're working on the right device/partition.

The output looks like this:
WARNING!
========
This will overwrite data on /dev/sdc1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:

INFO: It says "luksFormat", but this only formats the encryption layer of the partition.
The decrypted partition itself must still be formatted to the filesystem of your choice (See below).

5) Open the LUKS partition (unformatted):

Code:

$ sudo cryptsetup luksOpen /dev/sdc1 "LUKS_01"

This is like "connecting" the USB stick's partition to the operating system. The parameter after the device is the label/name you give your encrypted partition. "LUKS_01" is just an example. You can choose whatever you like (but please avoid spaces!)

It will ask you for your passphrase. After you've entered it and everything worked fine, there'll be no output. That's okay!
You should now get the unencrypted partition mapped in /dev/mapper under the label you've chosen.

Our device file looks like this:
lrwxrwxrwx 1 root root 7 Dec 29 22:28 /dev/mapper/LUKS_01 -> ../dm-0

6) Format the partition:
I choose ext4 (but you can use a different filesystem).

Code:

$ sudo mkfs.ext4 -m 0 -L "MY_STUFF" /dev/mapper/LUKS_01

This formats the partition with the ext4 filesystem, reserves no space for root and gives it the label "MY_STUFF".
I don't find reserved root space necessary on USB sticks (= non-system disks). Please choose a label that suits you :)
(But please also avoid spaces, as this label will become a folder name once the stick is mounted...)

7) Done!
That's it :D
You should now see this USB stick show up in the file manager of your choice (Thunar on XFCE4) and behave like a regular USB stick - except it asks you for your passphrase before you can mount/use it.

Have fun!
Jumping out of an airplane is not a basic instinct. Neither is breathing underwater. But put the two together and you're traveling through space!
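
The INFO note in step 4 says luksFormat only writes the encryption layer. As an added example (not part of the original post), this Python code parses the header that sits at the start of such a partition and reports cipher, key size, where the encrypted data area begins and which passphrase slots are in use. It assumes the LUKS1 on-disk format; the function names are this example's own and the sample header is constructed with made-up values.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 on-disk header, big-endian: 208 bytes of fields, then 8 key slots.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # active, iterations, salt, offset, stripes
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_LEN = PHDR.size + 8 * SLOT.size  # 592 bytes

def _text(field):
    """Decode a NUL-padded ASCII header field."""
    return field.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(raw):
    """Return the header fields as a dict, or None if raw is not a LUKS header."""
    if len(raw) < HEADER_LEN or not raw.startswith(LUKS_MAGIC):
        return None
    (_, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = PHDR.unpack_from(raw)
    if version != 1:
        raise ValueError("LUKS version %d is not handled by this example" % version)
    slots = [SLOT.unpack_from(raw, PHDR.size + i * SLOT.size)[0] for i in range(8)]
    return {
        "cipher": _text(cipher) + "-" + _text(mode),
        "hash": _text(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset_bytes": payload_off * 512,  # stored in 512-byte sectors
        "uuid": _text(uuid),
        "active_slots": [i for i, s in enumerate(slots) if s == SLOT_ENABLED],
    }

def read_header(path):
    """Parse the first bytes of a partition or image file (needs read access)."""
    with open(path, "rb") as dev:
        return parse_luks1_header(dev.read(HEADER_LEN))

def constructed_sample():
    """Build a synthetic header with made-up values, one passphrase in slot 0."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 32,
                    bytes(20), bytes(32), 1000,
                    b"00000000-0000-0000-0000-000000000000")
    slots = [SLOT.pack(SLOT_ENABLED, 1000, bytes(32), 8, 4000)]
    slots += [SLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000) for _ in range(7)]
    return hdr + b"".join(slots)

if __name__ == "__main__":
    print(parse_luks1_header(constructed_sample()))
    print(parse_luks1_header(b"\x00" * 1024))  # blank partition: not LUKS
```

On a real stick, call read_header("/dev/sdc1") as root; "cryptsetup luksDump /dev/sdc1" reports the same fields.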