LUKS Encrypt Your USB

Created at 2020-06-10 Updated at 2020-06-10 Tag privacy / security


Here are the commands to encrypt a USB-connected storage device. Be sure to note the "dev path" (partition) of your USB device.

$ sudo blkid

In my examples below my USB device is sda.

$ sudo apt install cryptsetup

$ sudo cryptsetup -y -v luksFormat /dev/sda

$ sudo cryptsetup luksOpen /dev/sda storage

$ sudo dd if=/dev/zero of=/dev/mapper/storage status=progress

$ sudo mkfs.ext4 /dev/mapper/storage

$ sudo mkdir /storage

$ sudo mount /dev/mapper/storage /storage


The Rest of the Story

I have been doing quite a bit with Raspberry Pi devices lately; mainly setting them up as Docker hosts (perhaps a post for another time).

Raspberry Pi devices use a micro SD card as a hard drive, but I have been using an external USB drive connected to the Raspberry Pi for more "mass" storage. I have not figured out how to encrypt the hard drive of the Raspberry Pi, but I can encrypt the USB drive, so it can be used to store more sensitive data.

I have been using either Raspberry Pi OS Lite or Ubuntu Server 20.04, and so my only option available is the Terminal. Here are the commands you'll need to encrypt an external USB-connected hard drive (or even a thumb drive).

Thanks to this post for providing the original information.

Note: All of the following steps assume that you have your Terminal window open.

Install Cryptsetup Package

$ sudo apt install cryptsetup

Configure the LUKS partition

Firstly, you'll want to figure out the "dev path" (partition) of your USB device. In my examples below my USB device is sda.

Very Important: Find out the correct partition for your USB device before implementing these steps. You can do that by running the following command:

$ sudo blkid

Then look for the LABEL of your USB device; you're looking for /dev/sd.... So, again, my USB storage is /dev/sda, and I'll be referencing that going forward. The output will look similar to this:

/dev/sda: LABEL="storage" UUID="31363d3b-c552-4555-a514-ep35ent87d74" TYPE="ext4"
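
One way to automate that check before running luksFormat, as an added example that is not from the original post: the function below reads lsblk -P output and refuses any target that is not a whole USB disk or that has something mounted on it. The names check_target and field, and the sample listing, are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original post): refuse to luksFormat the wrong disk.
# Input on stdin: output of  lsblk -P -o NAME,TYPE,TRAN,PKNAME,MOUNTPOINT

# field KEY LINE -> prints the value of KEY="..." from one lsblk -P line.
# Parsed with parameter expansion rather than eval, so the listing is never executed.
field() {
    local q='"' l=" $2" key val
    key=" $1=$q"            # leading space keeps NAME from matching inside PKNAME
    case $l in
        *"$key"*) l=${l#*"$key"}; val=${l%%"$q"*}; printf '%s' "$val" ;;
    esac
}

# check_target DISK -> prints a verdict; returns 0 only if DISK is safe to format
check_target() {
    local disk="$1" line name mnt found=0
    [ -n "$disk" ] || { echo "usage: check_target DISK"; return 2; }
    while IFS= read -r line; do
        name=$(field NAME "$line")
        if [ "$name" = "$disk" ]; then
            found=1
            [ "$(field TYPE "$line")" = "disk" ] ||
                { echo "refuse: $disk is not a whole disk"; return 1; }
            [ "$(field TRAN "$line")" = "usb" ] ||
                { echo "refuse: $disk is not on the USB bus"; return 1; }
        elif [ "$(field PKNAME "$line")" != "$disk" ]; then
            continue        # unrelated device, ignore
        fi
        # Reached for the disk itself and for anything sitting on top of it
        mnt=$(field MOUNTPOINT "$line")
        [ -z "$mnt" ] || { echo "refuse: $name is mounted at $mnt"; return 1; }
    done
    [ "$found" -eq 1 ] || { echo "refuse: $disk not found"; return 1; }
    echo "ok: $disk"
}

# Constructed sample listing (hypothetical Raspberry Pi with two USB drives)
SAMPLE='NAME="sda" TYPE="disk" TRAN="usb" PKNAME="" MOUNTPOINT=""
NAME="sdb" TYPE="disk" TRAN="usb" PKNAME="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" TRAN="" PKNAME="sdb" MOUNTPOINT="/media/backup"
NAME="mmcblk0" TYPE="disk" TRAN="" PKNAME="" MOUNTPOINT=""
NAME="mmcblk0p1" TYPE="part" TRAN="" PKNAME="mmcblk0" MOUNTPOINT="/boot"
NAME="mmcblk0p2" TYPE="part" TRAN="" PKNAME="mmcblk0" MOUNTPOINT="/"'

# Real use:  lsblk -P -o NAME,TYPE,TRAN,PKNAME,MOUNTPOINT | check_target sda
```

A passing check only says the disk is on USB and has nothing mounted; still confirm the size and label match the drive you mean to wipe.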

Now proceed to configure LUKS on the USB device.

$ sudo cryptsetup -y -v luksFormat /dev/sda

You'll receive a warning, and an "Are you sure?" prompt. Type "YES" (all uppercase), then press the enter key. And finally after that, you'll be asked for a passphrase (make it a good one).

WARNING: Device /dev/sda already contains a 'gpt' partition signature.

This will overwrite data on /dev/sda irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sda:
Verify passphrase:
Existing 'gpt' partition signature (offset: 512 bytes) on device /dev/sda will be wiped.
Existing 'gpt' partition signature (offset: 31001148928 bytes) on device /dev/sda will be wiped.
Existing 'PMBR' partition signature (offset: 510 bytes) on device /dev/sda will be wiped.
Key slot 0 created.
Command successful.

Map the LUKS partition

We need to map the encrypted partition in order to access it later. So let's open the LUKS partition, and enter the passphrase created from the previous step.

$ sudo cryptsetup luksOpen /dev/sda storage

The above command will present the passphrase prompt, so enter your passphrase.

Enter passphrase for /dev/sda:

Now we want to verify the mapping.

$ ls -1 /dev/mapper/storage

The output of the above command should look similar to this:

/dev/mapper/storage

We also want to check the status of the partition.

$ sudo cryptsetup -v status storage

And the output will be similar to this:

/dev/mapper/storage is active.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: keyring
device: /dev/sda
sector size: 512
offset: 32768 sectors
size: 60516352 sectors
mode: read/write
Command successful.

Format the LUKS partition

This part can take a really long time depending on the size of the partition to be encrypted.

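Run the following command to "zero out" the drive through the LUKS mapping. Because the zeros are written to /dev/mapper/storage, they reach the USB device as ciphertext, which helps to secure the data stored on the USB drive (i.e. it protects against disclosure of usage patterns).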

$ sudo dd if=/dev/zero of=/dev/mapper/storage status=progress

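Because we used status=progress, we'll see the live progress of the write. dd stops with "No space left on device" once the whole mapping has been filled, which is the expected end of this step: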

30982951424 bytes (31 GB, 29 GiB) copied, 16133 s, 1.9 MB/s
dd: writing to '/dev/mapper/storage': No space left on device
60516353+0 records in
60516352+0 records out
30984372224 bytes (31 GB, 29 GiB) copied, 16146.8 s, 1.9 MB/s

Create a File System on the LUKS partition

Now it's time to create an ext4 file system on the LUKS partition.

$ sudo mkfs.ext4 /dev/mapper/storage

The output from that will look similar to this:

mke2fs 1.45.5 (07-Jan-2020)
Creating filesystem with 7564544 4k blocks and 1892352 inodes
Filesystem UUID: a3eup5b9-887c-e441-e45f-7c8g7f6y5yb1
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks):
Writing superblocks and filesystem accounting information: done

Mount The New File System

Ok, we have our encrypted partition. We have our file system. Now let's create a mount point by creating an empty folder on your computer's hard drive:

$ sudo mkdir /storage

And then mount our encrypted partition there:

$ sudo mount /dev/mapper/storage /storage

Now verify everything was mounted.

$ ls -l /storage

You should see a lost+found folder.

total 10
drwx------ 2 root root 16384 Jun 10 02:54 lost+found

Re-mount LUKS Partition

I choose to manually re-mount the LUKS partition on a reboot, and here are the commands to run. When you run the luksOpen command, you will be prompted for your passphrase.

$ sudo cryptsetup luksOpen /dev/sda storage
$ sudo mount /dev/mapper/storage /storage

Finally, I'll just check to make sure the LUKS partition is mounted.

$ df -h

And you should see an entry for /storage.

/dev/mapper/storage  32GB  2G  30GB  8% /storage


There you have it! That's how you can keep your external storage data a bit safer!

End of Line.

Site by Aaron von Awesome using Hexo & Random