by Ralph Green, Jr, VP of ntlug.org
A lot of us carry USB drives and they are very convenient. But, they are so convenient that you might be tempted to put information on the drives that you would really not like someone else to find. This might be passwords or PINs to your bank accounts. It might just be personal notes that you intend to keep private.
The best advice I have seen is to carry two drives. I’ll call those drives secure and open. Put the important data on the secure one and encrypt that drive. Put everything else on the open drive.
I’d suggest that the secure drive be a lot smaller than the open drive. That way, you can make a backup of it in encrypted form on the open drive and give yourself some insurance. I’ll show you one way to do that backup at the end of the article.
Remember that these drives are not reliable, long-term data stores. Even good drives advertise a five year lifetime, and that is probably more optimistic than is warranted. Most drives you buy today use multi-level cell flash chips, so they are actually not good in the long term. So, be sure that you back up any important information. This article will guide you through the steps needed to create an encrypted USB flash drive that is quite secure yet still easy to use.
There are multiple ways to accomplish what this guide sets out to do. The instructions here will work on most modern Linux distributions. Linux, unlike the major OS vendors, actually has people who care about security making the decisions about what to include, and has developed a capable encryption infrastructure. There are programs that will stop casual attacks on the market-leading operating systems, but I don’t know of anything I would trust with my own data.
This guide will use a terminal prompt and give you commands to type. That is the most universal way to do it and fairly easy to understand. The instructions were tested on two Linux-based operating systems - Ubuntu Natty Narwhal (aka 11.04) and openSuSE 11.4. The best simple write-up I found online was an article on the Ubuntu wiki. I based my instructions on that guide and picked Ubuntu to test on because of this article. Similar to that article, this guide is licensed under the Creative Commons Attribution-ShareAlike 3.0 License.
In this article, I will encrypt the entire flash drive, and I tend to choose the more secure options when choices are available. You can certainly alter my procedure to suit your own needs. I think the way I did it will be fine for most people. This procedure will also work for USB hard drives.
Hard drives can take a long time to initialize with random data, so I usually don’t do them in the manner described below. Instead, I usually mount them inside the computer as SATA, PATA, or SCSI drives to get better speed.
The security used here is based on the LUKS (Linux Unified Key Setup) system that is widely supported in Linux.
No system like this is 100 percent secure, but if you pick a good pass phrase, it will be almost impossible for anyone to decrypt your drive in the next several years. However, once you unlock it on your computer, any program on that computer could conceivably access the information. So as Henri Ducard warned, “Always mind your surroundings.”
There are not many prerequisites. I will install a little software, but this is only needed on the computer where you are going to set up the encrypted USB flash drive. Most major Linux distributions include the pieces you need to mount the encrypted drive and read and write it.
For steps after this one, the commands are usually the same for Ubuntu and openSuSE. The only real difference would be how they are run. On Ubuntu, you normally run these commands with sudo and that is what I will show. On openSuSE, you normally run them as root. On Gentoo, you may need to set certain kernel options, and that is left as an exercise for the reader. Since the different distributions use different tools to install software and package the software with different names, this first step differs between distributions. The software installed by these packages is the same, so the commands will be the same. Only the packaging is different. That is not to say some Linux distribution might not change a program name, since they can.
For Ubuntu
sudo apt-get install cryptsetup
For openSuSE (as root)
zypper in cryptconfig
For Gentoo (as root)
emerge cryptsetup device-mapper
Here are the steps to encrypt the drive:
First, we need to identify the device name for the secure drive. Insert the USB flash drive into a USB port, if it is not inserted already. Then read this section a couple of times before you try the procedure, because if you pick the wrong device, you might blank out your hard drive. It is usually pretty obvious, so just pay attention.
At the terminal prompt, type the command:
dmesg | tail -20
If the USB drive has been inserted for a while, 20 lines may not be enough, so increase that number. Look for a line that has something like:
[sdb] 129440 512-byte logical blocks: (66.2 MB/63.2 MiB)
That shows me that my device is sdb, so I would use /dev/sdb throughout this procedure. Implicit in the last statement is the fact that I would use sdb1 where you see sdX1, which indicates the first partition on the device sdb. In order to make it less likely that people would just cut and paste these instructions and destroy a real drive, I will refer to the drive in all these instructions as sdX.
As an extra check that you have the right drive, you can run the following command and see if the results seem reasonable. Your built-in hard drives should be much larger than your USB flash drive. Look and see that the size is about what you would expect for the USB flash drive.
sudo fdisk -l /dev/sdX
I am more careful about this than most people. I usually repeat this step every time I insert the drive during this procedure. I only remember a device name changing once when doing this and I had been doing a lot of drive swapping on that computer. If the drives moved, it is fairly unlikely that they would move in such a way as to cause you a real problem. Since we are writing to the device at a pretty low level and as root, safety seems prudent. So, I do it to be safe, or as some might say, to allay my concern.
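The checks described above can be scripted so they run the same way every time the drive is inserted. This is an added example, not part of the original article; it reads the kernel's sysfs entries for the device, and the SYSFS_ROOT and MOUNTS_FILE variables are hypothetical overrides for testing. Many USB hard disks are not flagged removable, so this check suits flash drives only.

```shell
# Added example, not from the original article: sanity-check a whole-disk
# device before any destructive step. sdX is the article's placeholder name.
# SYSFS_ROOT and MOUNTS_FILE are hypothetical overrides used only for testing.

# check_target DEV MAX_BYTES
#   DEV       kernel name of the whole disk, without /dev/ (for example sdX)
#   MAX_BYTES largest size you expect your flash drive to be
# Returns 0 only if DEV exists, is flagged removable, is no larger than
# MAX_BYTES, and has nothing mounted from it.
check_target() {
    dev=$1
    max_bytes=$2
    sys=${SYSFS_ROOT:-/sys}/block/$dev
    mounts=${MOUNTS_FILE:-/proc/mounts}

    if [ ! -d "$sys" ]; then
        echo "$dev: not a whole-disk block device" >&2
        return 1
    fi

    # The kernel reports 1 here for media it treats as removable.
    if [ "$(cat "$sys/removable")" != 1 ]; then
        echo "$dev: not flagged removable, refusing" >&2
        return 1
    fi

    # The sysfs size file is always counted in 512-byte sectors.
    bytes=$(( $(cat "$sys/size") * 512 ))
    if [ "$bytes" -gt "$max_bytes" ]; then
        echo "$dev: $bytes bytes is larger than expected, refusing" >&2
        return 1
    fi

    # Match /dev/sdX itself or any numbered partition of it.
    if grep -q "^/dev/${dev}[0-9]* " "$mounts"; then
        echo "$dev: still mounted, unmount it first" >&2
        return 1
    fi

    echo "$dev: removable, $bytes bytes, not mounted"
}

# Typical use before the dd step, with a 1 GB ceiling:
#   check_target sdX 1000000000 && echo "looks like the flash drive"
```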
Next, we will blank out the drive with random data. This step is not absolutely required, but it is good security practice. If you do as I suggested and use a small flash drive for your secure data, this step won’t take long. My 64 MB secure drive took about 30 seconds -- larger drives take longer.
sudo dd if=/dev/urandom of=/dev/sdX bs=4K
Next, we prepare the partition table.
sudo fdisk /dev/sdX
Because we blanked the drive to random data, there will be no valid partition table to start. You will have the option to write an empty partition table here. Type w at the prompt and press enter. You may see a message about the ioctl() failing and that the partition table will be available after a reboot. If you see that message, reboot and then continue. If not, just continue.
Continue setting up the partition table.
sudo fdisk /dev/sdX
Type n and press enter. That will create a new partition. Type p and enter to make it a primary partition. Type 1 and enter for partition 1. Take the default choices until you get back to the Command prompt in fdisk. Then, type w and enter to write the new partition table. As before, if you get a message saying the table will be read after the next boot, then you need to reboot before going on.
Create the encrypted partition.
sudo cryptsetup --verify-passphrase luksFormat /dev/sdX1 -c aes -s 256 -h sha256
Here, you will be asked for 3 things. First, you will have to type YES to go on. They really mean YES, as it must be upper case. Then press enter. If you typed YES, then you will be prompted twice for the pass-phrase. Pick a strong one, but one you will remember. If you forget it, you will never get the data back off of this drive. If you make it too easy, people may be able to guess it or brute force attack it.
Unlock the partition and map it for use. The name secureusb is my choice, but you can name it whatever you prefer.
sudo cryptsetup luksOpen /dev/sdX1 secureusb
Now, we will make a filesystem in this encrypted partition. I prefer ext2 for this sort of thing. I don’t need journaling on a flash drive, and using ext2 means fewer writes to the device and a longer life. Use the same name here as in the last step. In my case, it is secureusb.
sudo mkfs -t ext2 -m 2 -O dir_index,filetype,sparse_super /dev/mapper/secureusb
Most recent Linux distributions will automatically mount USB drives. So, pull the USB flash drive out of the USB port, wait a few seconds and reinsert it. You should be prompted for your pass phrase, so enter it as requested. Look to see what directory the drive is mounted into. There are several ways to find this. I usually type ls -l /media/ to see the directory where the USB drive mounted. It will probably look something like “/media/001B-9511”.
For convenience, we now can set the ownership of the directory on the flash drive.
sudo chown user:group /media/disk
For user and group, you should substitute the user and group you want the secure drive to mount as. Ubuntu creates a group for each user, so I would put something like ralph:ralph here. OpenSuSE puts users into a users group and so I would put ralph:users here. For disk, you put the directory name the device mounted into.
Enjoy. You’ve now created your encrypted flash drive.
This may all seem a bit complicated. But, you only have to go through all this when you create the encrypted drive. It still took me less than 10 minutes to set up my secure, encrypted drive. Plug this drive into a new system and you will be prompted for the pass phrase, and the drive will be then available for use.
When you enter the pass phrase, you often have an option to tell the system how long to remember the password. The most secure option is to “Forget password immediately”. That way, your system knows how to access the encrypted data until you unmount the drive, and the pass phrase is not stored anywhere in memory or your hard drive. That is especially true if you are using encrypted swap, but that is another article. So, it is a little complicated to set up, and simple to use on a daily basis. And, if you lose the drive, your secrets will stay your secrets.
You may want to make a backup of the secure drive, and I recommend that you do. Here is how I do it. I insert the USB flash drive into a USB port, and unlock it with my pass phrase. Then, I unmount the drive. On Gnome, I right click on the drive icon and choose eject. Then, I go to a terminal prompt and run the following command:
sudo dd if=/dev/sdb of=./secureflash.drv
That gives me an image copy of the drive into a file named secureflash.drv. I then copy that file to my open USB drive. I like the secure drive to be smaller, so I can fit this backup onto the open drive and still have plenty of room.
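Before copying the image to the open drive, it is worth confirming that the file really holds the encrypted form of the data. The following is an added example, not part of the original article: it reads the partition table from the image and checks for the LUKS header magic at the start of the first partition. It assumes the MBR layout created by the fdisk steps above and 512-byte sectors.

```shell
# Added example, not from the original article: confirm that a dd image of the
# secure drive carries a LUKS header at the start of its first MBR partition.
# Assumes an MBR partition table and 512-byte sectors.

# hex_at FILE OFFSET LENGTH: print LENGTH bytes at OFFSET as lowercase hex.
hex_at() {
    od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# part1_start FILE: print the starting sector of primary partition 1.
# Partition entry 1 begins at byte 446; its start LBA is the 4-byte
# little-endian field at 446 + 8 = 454.
part1_start() {
    set -- $(od -An -v -tu1 -j 454 -N 4 "$1")
    echo $(( ${1:-0} + ${2:-0} * 256 + ${3:-0} * 65536 + ${4:-0} * 16777216 ))
}

# is_luks_image FILE: return 0 if partition 1 in FILE starts with a LUKS header.
is_luks_image() {
    img=$1
    # A valid MBR ends with the bytes 0x55 0xAA at offset 510.
    if [ "$(hex_at "$img" 510 2)" != 55aa ]; then
        echo "$img: no MBR signature" >&2
        return 1
    fi
    start=$(part1_start "$img")
    if [ "$start" -eq 0 ]; then
        echo "$img: partition 1 is empty" >&2
        return 1
    fi
    # LUKS headers begin with the six bytes 'L' 'U' 'K' 'S' 0xBA 0xBE.
    if [ "$(hex_at "$img" $((start * 512)) 6)" != 4c554b53babe ]; then
        echo "$img: no LUKS header at sector $start" >&2
        return 1
    fi
    # The two bytes after the magic are the big-endian format version.
    version=$(hex_at "$img" $((start * 512 + 6)) 2)
    echo "LUKS header at sector $start, version field 0x$version"
}

# Typical use on the backup file from the dd command above:
#   is_luks_image ./secureflash.drv
```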
Questions? Feel free to come to the Linux SIG and talk about them. I am frequently in the #ntlug irc channel on freenode logged in as Severian.