How to Encrypt a USB Flash Device with Cryptsetup

This tutorial gives a basic description of how to encrypt a USB flash device with cryptsetup.  Cryptsetup is, as its man page says, a simple Unix command for setting up dm-crypt managed device-mapper mappings.  I used this command on Fedora 12 today to encrypt my 2GB KINGSTON flash drive, and it is fairly simple.  First insert the flash device into a USB slot and unmount it if your desktop auto-mounted it (cryptsetup must not be pointed at a mounted partition).  Then open a root terminal to begin the encryption process.  At this point it helps to read through the cryptsetup man page so you know how the command works.  If you're new to Linux, get used to reading man pages because they are very useful.

Step 1: Format Device

The first step is to write the LUKS header onto the USB flash device with luksFormat.  This destroys everything currently on the device, so back up anything you want to keep and double-check the device name before you run it.  By default (with this version of cryptsetup) the cipher is aes-cbc-essiv:sha256.  The --cipher option changes this, and the alternatives are listed in the man page.  For pre-2.6.10 kernels use aes-plain, because those kernels do not understand the newer cipher specification strings.  luksFormat asks you to confirm with an uppercase YES and then prompts for the passphrase twice.  Choose a strong passphrase: once the drive leaves your hands it is the only thing protecting the data, and it can be changed later with luksChangeKey but never recovered.

[root@localhost ~]$  /sbin/cryptsetup luksFormat device

The device is the block device to be formatted, which in our case is the flash drive.  For me this was /dev/sdb1, the first partition on the stick.  Make sure the name really belongs to the flash drive: check the kernel log (dmesg) or the partition table right after plugging the drive in, because luksFormat will just as happily wipe /dev/sda1 if you mistype.  I therefore ran as root:

[root@localhost ~]$  /sbin/cryptsetup luksFormat /dev/sdb1

Step 2: Create Device Mapper

The luksOpen action unlocks the LUKS volume and creates a device-mapper mapping for it, which appears as /dev/mapper/name.  You will be prompted for the passphrase.  To do this run:

[root@localhost ~]$ /sbin/cryptsetup luksOpen /dev/sdb1 name

The name is the name of the mapping and is arbitrary.  I chose to call it cryptmp.

[root@localhost ~]$ /sbin/cryptsetup luksOpen /dev/sdb1 cryptmp

Step 3: Format the Device File System

The last step is to create a file system on the mapped device.  This is necessary because right now the unlocked volume has no file system.  I'm going to create an ext3 file system on my flash drive, but be aware that most Windows machines won't recognise this file system unless you've given them some help.  Also, whatever file system you choose, Windows has no native support for LUKS and cannot unlock the volume anyway, so you might as well just use ext3.  Note that mkfs is run against /dev/mapper/cryptmp, never against /dev/sdb1 itself; writing a file system to the raw partition would overwrite the LUKS header.

[root@localhost ~]$ /sbin/mkfs.ext3 /dev/mapper/cryptmp

That is the last step, and you should now be able to mount /dev/mapper/cryptmp.  When you are done, unmount it and close the mapping with luksClose (described below) before unplugging the drive.
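The three steps above as one script, added here as an example and not taken from the original post.  The function names (parent_disk, disk_in_use, preflight, run, luks_steps, encrypt_usb) are this example's own, and it assumes the real cryptsetup, mkfs.ext3 and e2label binaries plus root privileges.  What it adds to the bare commands is the check that matters most in practice: it refuses to run luksFormat while any file system from the same disk is mounted, which is how a mistyped /dev/sda1 gets caught, and it verifies the result with isLuks and luksDump afterwards.

```shell
#!/bin/sh
# Added example, not from the original post: Steps 1-3 wrapped in the
# checks a practitioner runs before luksFormat, since the command wipes
# whatever device it is pointed at. Function names are this example's own.
# Needs root and the real cryptsetup / mkfs.ext3 / e2label binaries.

# Strip the partition suffix: /dev/sdb1 -> /dev/sdb, /dev/mmcblk0p1 -> /dev/mmcblk0.
# Heuristic for the common sdX, mmcblkN and nvmeNnM naming schemes.
parent_disk() {
    printf '%s\n' "$1" | sed -E 's/p?[0-9]+$//'
}

# Succeed (exit 0) if the disk itself or any partition of it appears as the
# source of a mounted filesystem. The table defaults to /proc/mounts; a file
# in the same format can be passed instead to check constructed data.
disk_in_use() {
    awk -v d="$1" '$1 == d || $1 ~ "^" d "p?[0-9]+$" { found = 1 }
                   END { exit !found }' "${2:-/proc/mounts}"
}

# Refuse to go on unless we are root, the target is a block device, and no
# filesystem from that disk is mounted (catches a mistyped /dev/sda1).
preflight() {
    dev=$1
    [ "$(id -u)" -eq 0 ] || { echo "run this as root" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    disk=$(parent_disk "$dev")
    if disk_in_use "$disk" "${2:-/proc/mounts}"; then
        echo "refusing: a filesystem on $disk is mounted; unmount it first" >&2
        return 1
    fi
}

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The post's three steps plus a label and a clean close. -q skips cryptsetup's
# own "Are you sure?" prompt because encrypt_usb has already asked; the
# passphrase prompts still appear on the terminal.
luks_steps() {
    dev=$1; name=$2; label=$3
    run cryptsetup -q luksFormat "$dev"        || return 1
    run cryptsetup luksOpen "$dev" "$name"     || return 1
    run mkfs.ext3 /dev/mapper/"$name"          || return 1
    run e2label /dev/mapper/"$name" "$label"   || return 1
    run cryptsetup luksClose "$name"
}

# Usage: encrypt_usb /dev/sdb1 cryptmp "Brad's Files"
encrypt_usb() {
    dev=$1; name=$2; label=${3:-usbcrypt}
    preflight "$dev" || return 1
    printf 'This will DESTROY everything on %s. Type YES to continue: ' "$dev"
    read -r answer
    [ "$answer" = "YES" ] || { echo "aborted" >&2; return 1; }
    luks_steps "$dev" "$name" "$label" || return 1
    # Confirm the header is there and show the cipher and key slots it records.
    cryptsetup isLuks "$dev" && cryptsetup luksDump "$dev"
}
```

Setting DRY_RUN=1 makes luks_steps print the commands instead of running them, which is a convenient way to review the sequence for a given device name before committing to it.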

Using your USB Flash Device

To gain access to the files on the device, first insert it into a USB slot.  Some desktop environments, such as GNOME, will detect that the device is encrypted and prompt you for the passphrase.  Alternatively, the contents can be accessed manually from the terminal.  To do so run the following commands as root:

[root@localhost ~]$ cryptsetup luksOpen /dev/sdb1 cryptmap

[root@localhost ~]$ mount /dev/mapper/cryptmap /mnt/encusb

After running the first command you will be prompted for the passphrase.  The name of the mapping is once again arbitrary.  The directory /mnt/encusb must exist before you run mount; it does not actually matter where the device is mounted, and you can name the directory whatever you wish.

Unmounting the USB drive follows a similar set of steps.

[root@localhost ~]$ umount /dev/mapper/cryptmap

[root@localhost ~]$ cryptsetup luksClose cryptmap

The first command unmounts the file system so that the contents are no longer reachable through /mnt/encusb.  However, the mapping is still open at this point: the volume key remains in kernel memory and anyone with root access can remount /dev/mapper/cryptmap without the passphrase.  The second command closes the mapping, so the passphrase will be required before the contents can be viewed again.  Always close the mapping before unplugging the drive; pulling it while the mapping is open leaves a stale device-mapper entry behind and can leave the file system dirty.
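The open/mount and unmount/close pairs above as two functions, added as an example and not taken from the original post.  The names (mapping_active, run, usb_open, usb_close) are this example's own; the device, mapping name and mount point are arguments.  The point it demonstrates is the one just made: usb_close checks that /dev/mapper/<name> is really gone after luksClose, because an unmounted but still-open mapping can be remounted without the passphrase.

```shell
#!/bin/sh
# Added example, not from the original post: open/mount and unmount/close
# as functions, with a check that the mapping is actually torn down.
# Function names are this example's own.

# The mapping node exists while it is open and disappears on luksClose.
mapping_active() { [ -e "/dev/mapper/$1" ]; }

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: usb_open /dev/sdb1 cryptmap /mnt/encusb
usb_open() {
    dev=$1; name=$2; mnt=$3
    if mapping_active "$name"; then
        # Someone left the mapping open: no passphrase will be asked for.
        echo "mapping $name is already open (no passphrase needed); just mounting" >&2
    else
        run cryptsetup luksOpen "$dev" "$name" || return 1
    fi
    run mkdir -p "$mnt" || return 1
    run mount /dev/mapper/"$name" "$mnt"
}

# Usage: usb_close cryptmap
usb_close() {
    name=$1
    run umount /dev/mapper/"$name" || {
        echo "umount failed: something still has the volume open (try: fuser -m /dev/mapper/$name)" >&2
        return 1
    }
    run cryptsetup luksClose "$name" || return 1
    if [ -z "$DRY_RUN" ] && mapping_active "$name"; then
        echo "WARNING: /dev/mapper/$name still present; the volume key is still in kernel memory" >&2
        return 1
    fi
    echo "closed $name; the passphrase is required to open it again"
}
```

usb_close deliberately stops at the first failure: if umount fails because a shell still has its working directory inside the mount, luksClose would fail too, and the script says so rather than silently leaving the volume unlocked.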

Naming the USB Flash Device

Whenever you reformat your flash drive it loses its label.  My computer decided to name my device '2.1GB Flash Device' by default.  You can change this with the e2label command, run against the opened mapping: the label lives in the ext3 file system, not in the LUKS header, so the desktop can only show it after you have entered the passphrase.  Ext2/ext3 labels are limited to 16 characters.  Here is an example:

[root@localhost ~]$ cryptsetup luksOpen /dev/sdb1 cryptmap

[root@localhost ~]$ /sbin/e2label /dev/mapper/cryptmap "Brad's Files"

Close the mapping (cryptsetup luksClose cryptmap) and unplug the drive; the new label shows up the next time you open it.


7 Responses to “How to Encrypt a USB Flash Device with Cryptsetup”

  1. AlexM August 12, 2008 at 6:51 PM

    I found your site on technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you down the road!

  2. Harry September 8, 2008 at 2:08 AM

    Hi Brad, found your piece *very* useful, thanks!

    It would be great if you could also mention (or include some relevant links to info on) where this /dev/dm-3 comes from. It is not clear, to a relative UNIX newbie like myself, what device will need to be used if you already have an encrypted USB device in your system, plugged in and mounted! I already see /dev/dm-[0-3] sitting on my system, so not sure what is going on…

    Comment: Your font colors are great but sizes imho are way too small.

  3. leon December 20, 2008 at 9:47 PM

    When I create a container with cryptsetup, do I need to put into the command line which encryption algorithm to use (aes)? Or will cryptsetup take care of it itself and encrypt with aes as the default encryption?

  4. How to Get Six Pack Fast April 15, 2009 at 10:26 AM

    If you want to see a reader's feedback 🙂 , I rate this article four out of five. Decent info, but I just have to go to that damn google to find the missed bits. Thank you, anyway!

  5. Ted Burrett April 24, 2009 at 7:20 AM

    After reading this article, I feel that I really need more info. Can you suggest some resources?

  6. Brad March 24, 2010 at 4:41 PM

    I have made some significant revisions to this post, and I believe I have answered everyone's questions. I have also changed the appearance of the entire blog to make reading much easier.

  7. Encrypt a USB drive in linux and automatically mount it on startup using a keyfile and dm_crypt | James Rossiter Trackback on November 15, 2012 at 12:40 PM
