Encrypting pendrive with cryptsetup


Hi folks, in this simple howto I assume you are using a Linux distro, and I will show the basic steps to encrypt your pendrive. In fact you will format it from scratch and end up with a new partition that uses encryption!

[ Step 0 - How to refer to your pendrive ]

In this first step you should plug your pendrive into your computer. It should be recognized and mapped to a special file at /dev/<somethinghere>; you can look for this in the logs using the dmesg command as follows:
sh-5.1# dmesg
...
[521711.097295] sd 2:0:0:0: Attached scsi generic sg1 type 0
[521711.098189] sd 2:0:0:0: [sdb] 30218842 512-byte logical blocks: (15.5 GB/14.4 GiB)
[521711.098422] sd 2:0:0:0: [sdb] Write Protect is off
[521711.098441] sd 2:0:0:0: [sdb] Mode Sense: 4f 00 00 00
[521711.098700] sd 2:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[521711.110888] sd 2:0:0:0: [sdb] Attached SCSI removable disk
From the previous command output I know that my pendrive is mapped as /dev/sdb, but there are other ways to find this out, for example by using lsblk as follows:
sh-5.1# lsblk
NAME MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
...
sdb    8:16  1 14,4G  0 disk
I have always used those two ways and they never failed me, but I thought there should be other ways, and a quick search found one. Credit goes to Koen from superuser.com, who gave a solution using diff: you save a listing of /dev/, insert the pendrive, and compare it with a new listing. I loved this one.
sh-5.1# ls -1 /dev/ > /tmp/before.txt
... I inserted the pendrive during this time ...
sh-5.1# ls -1 /dev/ > /tmp/after.txt
sh-5.1# diff /tmp/before.txt /tmp/after.txt
80a81
> sdb
81a83
> sg1
We got sdb again; we already knew our device is at /dev/sdb, but I wanted to try this one because it's cool. Notice the sg1 in the output (some of you probably spotted it in the dmesg output too): sg stands for SCSI Generic. Feel free to read more about this interface; we are not going to use it.

[ Step 1 - Overwrite Everything (optional) ]

We are going to overwrite the contents of the pendrive with random bytes. This step is optional, but it doesn't hurt, and it prevents someone from restoring old files or previous metadata from your pendrive. For this we use /dev/urandom as the source of random bytes and the dd command to write them to our device, as follows:
sh-5.1# dd if=/dev/urandom of=/dev/sdb bs=4096 status=progress
15469187072 bytes (15 GB, 14 GiB) copied, 1787 s, 8.7 MB/s
dd: error writing '/dev/sdb': No space left on device
3777356+0 records in
3777355+0 records out
15472047104 bytes (15 GB, 14 GiB) copied, 2424.77 s, 6.4 MB/s
From this point on your pendrive holds a bunch of random (useless) data, and we can proceed to the next step. The "No space left on device" message from dd is expected: it only means dd reached the end of the device.

[ Step 2 - LUKS Formatting ]

Now you will use cryptsetup for the first time in this task. Issue the following commands (the ones after the sh-5.1# prompt); you will be prompted for the passphrase, and I recommend using at least 20 characters:
sh-5.1# cryptsetup luksFormat /dev/sdb --type luks2

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdb:
Verify passphrase:
sh-5.1# file -s /dev/sdb
/dev/sdb: LUKS encrypted file, ver 2, header size 16384, ID 3, algo sha256, salt 0xbde461c80b84b0b9..., UUID: 75340512-c028-4a0c-a7be-1dc6e1b3f927, crc 0x20103637c14f8f30..., at 0x1000 {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse
If all went fine you will see an output like mine from "file -s ..."; remember to use the path to your own device, /dev/sdb in my case. If all is OK, proceed to the following step.

[ Step 3 - Opening your device ]

This is how you make your pendrive ready to be used: you need to "open" it, which actually maps it to another file where you can use it, with encryption happening transparently:
sh-5.1# cryptsetup open /dev/sdb pendrive
Enter passphrase for /dev/sdb:
After you input your passphrase, if it is correct a symbolic link will be created at '/dev/mapper/pendrive'. From here on you can use this file exactly as you would use the pendrive itself; usually you will want to create a filesystem on it, mount it, etc. I will combine those parts in the next step.

[ Step 4 - Making partition (only once) ]
sh-5.1# mkfs.ext4 /dev/mapper/pendrive
mke2fs 1.46.4 (18-Aug-2021)
Creating filesystem with 3773259 4k blocks and 944704 inodes
Filesystem UUID: 494cad93-f635-4a51-b1f0-1e390d704bcc
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
[ Step 5 - Usage ]
sh-5.1# mount /dev/mapper/pendrive /mnt
... store whatever you want in /mnt/ ...
sh-5.1# umount /mnt
sh-5.1# cryptsetup close pendrive
Now you know the way to use your pendrive and keep a few files protected. Remember that you don't need all the steps every time: once you have finished them, in the future you only use steps 3 and 5, so you can open, mount, do whatever you want, umount and close. This is the simplest way I can think of to do this task; you should probably read more about LUKS and how to protect your files, but starting with a pendrive is a cool way :)
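As an added example (not part of the original howto), here is a small POSIX shell script that wraps steps 0 through 5 as functions with the checks a practitioner would want before running the commands above by hand: the Step 0 diff trick as a function, a refusal to wipe or open a device that is currently mounted (or has a mounted partition), which is the usual way people destroy the wrong disk, and a cryptsetup isLuks check before opening. The whole-disk name filter, the DRY_RUN and MOUNTS variables and the function names are my own assumptions, not anything from the post.

```shell
#!/bin/sh
# pendrive.sh: the howto's steps 0-5 as shell functions with safety checks.
# Added example, not from the original post. Assumes cryptsetup, mount, umount
# and dd exist and that it runs as root whenever DRY_RUN is empty; with DRY_RUN
# set it only prints the commands it would run.
set -eu

MOUNTS=${MOUNTS:-/proc/mounts}   # overridable so the checks can be tested on a saved copy

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Step 0, the "diff" trick: print names present in listing $2 but not in $1.
# Both files hold one entry per line, as produced by "ls -1 /dev/". The result is
# filtered to whole-disk names (assumption: sdX, nvmeXnY, mmcblkX), which drops
# the sg* SCSI generic node that appears alongside the disk.
new_devices() {
    grep -vxF -f "$1" "$2" | grep -E '^(sd[a-z]+|nvme[0-9]+n[0-9]+|mmcblk[0-9]+)$' || true
}

# True when $1 (e.g. /dev/sdb) or one of its partitions (/dev/sdb1, /dev/nvme0n1p1)
# is listed as a mounted device in the mount table $MOUNTS. Fails closed if the
# table cannot be read.
device_in_use() {
    [ -r "$MOUNTS" ] || { echo "cannot read $MOUNTS" >&2; exit 2; }
    awk -v dev="$1" '$1 == dev || $1 ~ ("^" dev "p?[0-9]+$") { found = 1 }
                     END { exit !found }' "$MOUNTS"
}

# Steps 1-2: fill the device with random bytes, then create the LUKS2 container.
format_pendrive() {
    dev=$1
    if device_in_use "$dev"; then
        echo "refusing: $dev (or a partition of it) is mounted" >&2
        return 1
    fi
    # dd reports "No space left on device" when it reaches the end of the device,
    # exactly as in the howto, so its exit status is ignored here.
    run dd if=/dev/urandom of="$dev" bs=4096 status=progress || true
    run cryptsetup luksFormat "$dev" --type luks2
}

# Step 3 plus the mount from step 5: open the container as /dev/mapper/$2 and
# mount it on $3. isLuks fails (and set -e stops the script) if $1 is not LUKS.
open_pendrive() {
    dev=$1; name=$2; mnt=$3
    if device_in_use "$dev"; then
        echo "refusing: $dev is already mounted, close it first" >&2
        return 1
    fi
    run cryptsetup isLuks "$dev"
    run cryptsetup open "$dev" "$name"
    run mount "/dev/mapper/$name" "$mnt"
}

# Step 5: unmount and close, which removes the mapping (and its key) from the kernel.
close_pendrive() {
    name=$1; mnt=$2
    run umount "$mnt"
    run cryptsetup close "$name"
}

# Command-line entry point; does nothing when the script is sourced or run without arguments.
if [ $# -gt 0 ]; then
    case "$1" in
        new)    new_devices "$2" "$3" ;;
        format) format_pendrive "$2" ;;
        open)   open_pendrive "$2" "${3:-pendrive}" "${4:-/mnt}" ;;
        close)  close_pendrive "${2:-pendrive}" "${3:-/mnt}" ;;
        *)      echo "usage: $0 new BEFORE AFTER | format DEV | open DEV [NAME] [MNT] | close [NAME] [MNT]" >&2
                exit 1 ;;
    esac
fi
```

Typical use follows the howto: `./pendrive.sh new /tmp/before.txt /tmp/after.txt` to find the new disk, `./pendrive.sh format /dev/sdb` once, then `./pendrive.sh open /dev/sdb` and `./pendrive.sh close` each time. Running any of them with `DRY_RUN=1` prints the commands instead of executing them, which is a cheap way to confirm the device path before doing anything irreversible.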