Version Française Linux : USB on-the-fly encryption After turning a USB drive into a Swiss Army Knife, we can use all the space left and turn it into a Fort Knox area. Starting from kernel 2.6 we can quickly and safely encrypt disks and any removable device with dm-crypt. It is so easy to loose a USB key (all thus all its data) that it is worth the (very small) pain to protect it. With the new kernel cryptoapi, which solved the old and unsafe cryptoloop problems, we'll use cryptsetup and the LUKS extension (Linux Unified Key Setup). Its main feature is that we can use dm-crypt (Device Mapper) with an astonishing simplicity. No software to install and, each time the key will be plugged in, gnome-mount will pop up a windows asking you for your password. However, if you need to share your encrypted data between Linux and Windows, you will have to consider another solution, in most case a third party software (truecrypt, ScramDisk) Installation In the previous article, we created a 1st partition for Damn Small Linux. Now we are going to create the second one and it will use all the free space left on the key. We'll assume that the key is /dev/sdX and the partition to create is /dev/sdX2. Insert your USB stick and run fdisk to create that new partition : # fdisk /dev/sdX - Type n to create a new partition - Type p to make it a primary partition - Type 2 to set it as the second partition - Press Enter for the default value (1st cylinder) - Press Enter for the defualt value (last cylinder) - Type w to save the modifications Install cryptsetup : # apt-get install cryptsetup Ensure that aes and sha256 modules are loaded : # cat /proc/crypto ... name : sha256 driver : sha256-generic module : sha256 ... name : aes driver : aes-generic module : aes ... If they aren't, load them : # modprobe aes # modprobe sha256 We now encrypt the partition with cryptsetup. It will first ask for a confirmation and then you will have to type the password (twice) you want to use to protect your data. WARNING : don't make any mistake here, ensure the partition you choosed is the right one otherwise you could loose all your data ! # cryptsetup luksFormat --cipher "aes-cbc-essiv:sha256" --key-size 256 /dev/sdX2 If you ever receive an error message from dm_crypt, run # modprobe dm_crypt, then type again the previous command. Open the newly created volume and give it any name you want, say, 'usbmapper'. You will be asked for your password : # cryptsetup luksOpen /dev/sdX2 usbmapper If everything is OK, you should see the volume in /dev/mapper : # ls /dev/mapper control usbmapper Format the volume : # mkfs.reiserfs /dev/mapper/usbmapper Close it : # cryptsetup luksClose usbmapper That's it ! Remove your USB drive (unmount any mounted partition if needed before doing so) and then plug it back in again. Gnome-mount should now ask you for your password and your partition will be automatically mounted and ready to use : To unmount it, just do as you would do with any USB flash drive : right click on it and select 'unmount'. Although the whole process is done by gnome-mount, here are below some usefull commands worth to know : Findind the volume name : # ls /dev/mapper control luks_crypto Getting some informations about the volume : # cryptsetup status luks_crypto Unmounting and closing the volume : # umount /mounting_point # cryptsetup luksClose luks_crypto Openning a volume and mounting it : # cryptsetup luksOpen /dev/sdXX luks_crypto # mount /dev/mapper/luks_crypto /mounting_point