Aug 8, 2014

How To Encrypt an USB Stick or Ext. Drives With GNU+Linux

So, I showed you, in short, how to encrypt your home directory and your swap. That's fine and helps a lot to secure your system. But now and then you want to put data on external drives. No matter if you use an USB stick or an external HDD, the procedures are the same.

First of all you need to determine what drive you want to encrypt. This is very important and choosing the wrong drive can get you in big trouble and losing your data on that drive. That is right. All data will be erased on the drive you chose.
So let's assume our USB Stick is sdb1 which is quite common if you have only 1 internal harddrive and no other drives attached. But double check!

Open a shell and enter sudo cryptsetup luksFormat /dev/sdb1 - again, you need to replace /dev/sdb1 with your device (could be sdc1, sdd1 etc. but certainly NOT sda1).
You will be asked for a passphrase. Use a good one. You need to remember it everytime you plug in the drive. Without you lose access to all data stored on it. Use special chars, uppercase letters, numbers. Don't use a weak passphrase.
Then go ahead to create a device mapper with sudo cryptsetup luksOpen /dev/sdb1 nameofdrive where nameofdrive can be replaced with the name you want to give that secure device. You need to enter the passphrase that you chose in the previous step.
Now you need to choose a filesystem. I recommend ext4 for normal distributions. But you can use ext3 or even fat. Since Windows can't decrypt this drive at the moment anyway, you won't get any good if you use fat, but some problems. Use mkfs.ext4 /dev/mapper/nameofdrive to do so. It can take a while.


Now it is a good time to switch to your GUI and find the drive. Unmount (eject safely) the drive and remove it from your computer. Put it back in. Now if you open the device, a requester will pop up asking you for the password. If you enter the right passphrase, the device will be mounted just like any other drive ready to use as usual.
Here it is, your own secure drive ready to go.