And what we will use for will be luks.
It should work similarly on other’s but not guarantee.
Part ONE – Encrypting usb
- First make sure you have an access to cryptsetup, if not install it
sudo apt-get install cryptsetup
- Use gparted or any other partition manager to create your partition.
The easiest thing will be to erase the drive table and just create one ext4 partition. - Now lets see our partition table ( Find partition by typing lsblk )
- Let say our partition is sdb1, so let’s create luks encrypted partition there
sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1 - Okay now our partition is created but is just partition we need to acces it and setup “format”.
I’ll call it sdb1 so this should be less confusing for everyone.sudo cryptsetup luksOpen /dev/sdb1 sdb1The first path is our partition location second is a name that we will refer to
- Now if you type fdisk -l you should see partition like /dev/mapper/sdb1
If you see it it’s okay to go to next step. - Now we need to prepare partition to do that we will format it as ext4 partition
sudo mkfs.ext4 /dev/mapper/sdb1 - We will also remove the reserved space as by default the reserved space for ext4 is 5% of total drive.
And if you’re drive is large that 5% could mean a lot. This is normal done so as normal user you will never run out of space but we do not need this here.sudo tune2fs -m 0 /dev/mapper/sdb1 - We will create an folder in mmt.
mkdir /mnt/drive - Now let’s mount the drive
mount /dev/mapper/sdb1 /mnt/drive - By default as normal user cant browse the encrypted partition so to fix that.
And let’s change the ownership of the folder to our local user.chown -R user: user /mnt/drive - Okay now all is set-up.
You can check with lsblk if the mounting point of sdb1 is our /mnt/drive.
And if it is you can throw there text file or something. - Now it’s nice to unmount and close the partition. Sometimes it does not work so force it or lazy umount.
For that use google.sudo umount /dev/mapper/sdb1 - And at the end let’s close the partition
sudo cryptsetup luksClose sdb1
Part One Extra
To make our USB auto mountable we will generate an key and we
will add a key to our partition.With this key we can unlock the partition.
We also can unlock the partition with normal passphrase.
You will have to options one is to skip this part.
And use none as a Keyfile which will prompt the user to enter a password on each startup.
However if your main drive is already encrypted and you have to enter a password anyway.
Just store the key on the encrypted partition ( system drive ), so it will be automatically
mounted after successful boot.
Adding Keyfile to existing luks partition
- Let’s assume we act as sudo. And we need to generate a key.
You can also use any other file you want image video etc.
Best easiest key will be to just generate RSA key.
We will call our file file.key and we gone create it inside /root directory.openssl genrsa -out /root/file.key 4096 - Now we need to prompt the key into our drive
cryptsetup luksAddKey /dev/sdb1 /root/file.keyYou should be prompt -ed to enter original password
- Now the disk could be unlocked with passphrase or file. Key
Part two – Auto mount encrypted partition
- Find the UUID of the drive.
cryptsetup luksUUID /dev/sdb1Get the uuid of the drive
- Now go and edit crypttab
nano /etc/crypttab - Add folowing line
-> if you are not using keyfile ( system will ask during boot for password )sdb1 UUID=324234234234234234 none luksif you are using keyfile
sdb1 UUID=324234234234234234 /root/file.key luks - Now the partition will be automatically decrypted during the boot if the passphrasse will be entered or if you enter correct key file.
- Partition is decrypted but not mounted and to fix that we need to add an fstab entry.
So open fstabnano /etc/fstabAnd lets att there this entry
/dev/mapper/sdb1 /mnt/drive ext4 defaults 0 2
