This is the unspiritual successor to the article On Creating a Signing Subkey, which is just magnificent.
Note that this article is only half-baked. Its purpose is to serve as a HOWTO. If it’s not enough information for you, dear reader, there is a whole Internet out there, go explore.
Formatting
The following is what we want. The device listed at /dev/sdb has two partitions, /dev/sdb1 and /dev/sdb2.
sdb
├─sdb1
└─sdb2
sdb1 will be the first partition on the disk. It will be the larger of the two partitions, and it will be encrypted with the LUKS format using the cryptsetup tool.
The second partition is not encrypted; it will hold a README with the cryptsetup instructions.
If needed, first install the cryptsetup utility:
$ sudo apt-get install cryptsetup
Here are the commands I used in fdisk to create the partitions:
$ sudo fdisk /dev/sdb
n -> primary -> 1 -> ENTER (2048) -> +10G
n -> primary -> 2 -> ENTER (some block number) -> ENTER (some block number)
p
Disk /dev/sdb: 14.9 GiB, 16000221184 bytes, 31250432 sectors
Disk model: USB 2.0 FD
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000
Device Boot Start End Sectors Size Id Type
/dev/sdb1 2048 20973567 20971520 10G 83 Linux
/dev/sdb2 20973568 31250431 10276864 4.9G 83 Linux
w
Creating
$ sudo cryptsetup luksFormat --type=luks2 /dev/sdb1
$ sudo cryptsetup open /dev/sdb1 encrypted
$ sudo mkfs.ext4 /dev/mapper/encrypted
The old way of formatting the drive was much more verbose:
$ sudo cryptsetup luksFormat -c aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom /dev/sdb1
Do this for the unencrypted partition:
$ sudo mkfs.ext4 /dev/sdb2
Mounting
$ sudo mkdir /media/btoll
$ sudo chown -R btoll: /media/btoll
$ sudo cryptsetup --type luks open /dev/sdb1 encrypted
$ sudo mount -t ext4 /dev/mapper/encrypted /media/btoll
Using the Primary Private Key
$ gpg --homedir /media/btoll/.gnupg/ -k
Unmounting
$ sudo umount /media/btoll
$ sudo cryptsetup close encrypted
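The Mounting, Using and Unmounting steps above as one script. This is an added example, not code from the original article: it reuses the article's device (/dev/sdb1), mapping name (encrypted) and mount point (/media/btoll), adds a cryptsetup isLuks check before opening, and has a DRY_RUN switch (this script's own assumption) that prints each command instead of running it, so the ordering can be checked without root or the USB stick.

```shell
#!/bin/sh
# Added example, not from the original article. Wraps the open/mount, use,
# unmount/close sequence so the key partition is closed again even when the
# command run inside it fails or is interrupted.
# Usage:  ./vault.sh gpg --homedir /media/btoll/.gnupg/ -k
#         DRY_RUN=1 ./vault.sh gpg -k      (only prints the commands)

DEVICE="${DEVICE:-/dev/sdb1}"         # the article's LUKS partition
MAPPING="${MAPPING:-encrypted}"       # device-mapper name used by the article
MOUNTPOINT="${MOUNTPOINT:-/media/btoll}"
DRY_RUN="${DRY_RUN:-0}"               # assumption of this script, not cryptsetup
VAULT_OPEN=0

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# open_vault: refuse anything that does not carry a LUKS header, then unlock
# the partition and mount the ext4 filesystem inside it.
open_vault() {
    run sudo cryptsetup isLuks "$DEVICE" || return 1
    run sudo cryptsetup --type luks open "$DEVICE" "$MAPPING" || return 1
    if ! run sudo mount -t ext4 "/dev/mapper/$MAPPING" "$MOUNTPOINT"; then
        run sudo cryptsetup close "$MAPPING"   # undo the open we just did
        return 1
    fi
    VAULT_OPEN=1
}

# close_vault: the reverse of open_vault. umount must come before close, or
# cryptsetup refuses because the mapping is still in use. Idempotent, so it is
# safe to call from both the normal path and the EXIT trap.
close_vault() {
    [ "$VAULT_OPEN" = "1" ] || return 0
    VAULT_OPEN=0
    run sudo umount "$MOUNTPOINT"
    run sudo cryptsetup close "$MAPPING"
}

# with_vault: run a command (typically gpg) while the vault is open and close
# it again whether the command succeeds, fails, or the script is interrupted.
with_vault() {
    open_vault || return 1
    trap close_vault EXIT
    trap 'close_vault; exit 130' INT TERM
    "$@"
    status=$?
    close_vault
    trap - EXIT INT TERM
    return "$status"
}

if [ "$#" -gt 0 ]; then
    with_vault "$@"
fi
```

The two things worth copying from this are the order in close_vault (umount first, then cryptsetup close; the other way round fails with a "device busy" error) and the EXIT trap, which means a failed or interrupted gpg run does not leave the primary key mounted and the mapping open.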