Encrypt pendrive with LUKS

Andrzej Rehmann
Aug 15, 2017

Have you ever wanted an encrypted pendrive that third parties cannot read without your password and, given a strong enough password, cannot crack?

Your files on the laptop may be encrypted and safe, but what about the files on the pendrives you use? Removing a file from an unencrypted pendrive does not make it impossible to retrieve. Encrypt a pendrive and you can always be safe.

The password for an encrypted pendrive can easily be changed without modifying or erasing the pendrive contents.

In this episode we will encrypt a pendrive with LUKS and format it with an ext4 or ntfs filesystem. Your pendrive data will be removed in the process, so back it up.

Switch to root.

su -

Put the pendrive in and list all disks in order to find your pendrive.

lsblk
/dev/sdb1 is our pendrive partition and it’s mounted

Locate your pendrive. My pendrive, called 64GB, is device /dev/sdb with one partition /dev/sdb1 mounted under /run/media/andrzej.rehmann/64GB.

Move all your data to a safe place, as we will remove all pendrive content.

Unmount the pendrive and check the result.

umount /dev/<pendrive_partition>
lsblk
/dev/sdb1 should have no mountpoint

We will now encrypt the pendrive. This will remove all pendrive contents.

cryptsetup luksFormat /dev/<pendrive_device>
Confirm overwriting pendrive content and type your new password.

That’s it. Pendrive is now encrypted but is not usable yet.

We will now create a filesystem on our pendrive.

First let’s decrypt/open it.

cryptsetup luksOpen /dev/<pendrive_device> <luks_name>
lsblk

Where <luks_name> is some random string of your choosing (this is not a persistent name, don’t worry).

Decrypted (opened) pendrive.

You can overwrite the pendrive with shred to wipe its previous content, but it can take a while. I’m not going to do this.

shred -n 1 /dev/mapper/<luks_name>

Create the file system. I’m using ext4, but you can choose another filesystem like NTFS or FAT.

For ext4, which works on Linux without trouble but requires additional software on Windows, use:

mkfs -t ext4 -L "<label>" /dev/mapper/<luks_name>   # Ext4

Ext4 is a journalling filesystem, which means that if the device is unplugged prematurely it stands more of a chance of recovering the damaged filesystem. It can support volumes up to 1 exbibyte (a lot).

For NTFS, which should work on Windows without trouble but may require additional software on some Linux distributions, use:

mkfs -t ntfs -L "<label>" /dev/mapper/<luks_name>   # NTFS

Where <label> is your new pendrive name.

I’m formatting my pendrive with ext4 as I only use Linux.

After mkfs is finished, pull out the pendrive and plug it back in. You should see a modal window asking for your pendrive password.

If you don’t see this window, open the file browser and click on the pendrive as if you wanted to browse its content. You should be asked for a password then.

It’s done. You can check that indeed your pendrive is now encrypted.

lsblk

If you see the luks-UUID as the partition name, it means that the partition is encrypted. My /dev/sdc (it switched from /dev/sdb) pendrive is now encrypted.

The last step is necessary only if you used the ext4 file system. Your pendrive is owned by the root user at the moment, so you won’t be able to write to it. We need to fix this.

chown -R <user>:<user> <pendrive_mount_point>

Now my pendrive is owned by my user and ready to use.
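
As an added example (not part of the original walkthrough), the shell functions below gate the destructive cryptsetup luksFormat step: they refuse a device that still has something mounted or that already carries a LUKS header, and the same header check confirms afterwards that the pendrive is encrypted. The function names and the demo files are assumptions made for illustration; on a real system pass the device path and let the mounts table default to /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are illustrative.

# Print the LUKS header version (1 or 2) found at the start of a device or
# image file. Header layout: magic "LUKS" 0xBA 0xBE, then a 16-bit big-endian version.
luks_version() {
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;   # no LUKS header (or unreadable)
    esac
}

# Print mount points of DEV and of its partitions (sdb1, nvme0n1p1, ...),
# read from a table in /proc/mounts format.
mounted_under() {
    awk -v d="$1" '$1 == d || (index($1, d) == 1 &&
        substr($1, length(d) + 1) ~ /^p?[0-9]+$/) { print $2 }' "${2:-/proc/mounts}"
}

# Gate for the destructive luksFormat step. Returns 0 only if nothing on DEV
# is mounted (1 otherwise) and DEV does not already carry a LUKS header (2).
preflight() {
    mp=$(mounted_under "$1" "${2:-/proc/mounts}")
    if [ -n "$mp" ]; then
        echo "refusing: $1 is still mounted at $mp" >&2
        return 1
    fi
    if v=$(luks_version "$1"); then
        echo "refusing: $1 already has a LUKS$v header" >&2
        return 2
    fi
    echo "ok: $1 is unmounted and has no LUKS header"
}

# Demo on constructed data: image files stand in for the pendrive and a
# constructed mounts table stands in for /proc/mounts.
demo=$(mktemp -d)
printf 'plain data, no header' > "$demo/sdb"
printf 'LUKS\272\276\000\002' > "$demo/sdc"       # constructed LUKS2 magic + version
printf '%s /run/media/andrzej.rehmann/64GB ext4 rw 0 0\n' "$demo/sdb1" > "$demo/mounts"
: > "$demo/empty"                                  # constructed table after umount
preflight "$demo/sdb" "$demo/mounts" || echo "exit code $?"   # still mounted
preflight "$demo/sdb" "$demo/empty"                           # safe to format
preflight "$demo/sdc" "$demo/empty"  || echo "exit code $?"   # already LUKS
rm -rf "$demo"
```

On a live system, cryptsetup isLuks /dev/<pendrive_device> performs the same header check with the tool itself.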

If you are interested in installing Fedora 26 with ZFS and encryption, check out my series here: https://medium.com/@AndrzejRehmann/preparing-fedora-laptop-with-zfs-and-encryption-part-1-f5788dda79ab
