(i) Please refer to EncryptedFilesystems for further documentation.

Introduction

Encrypting removable devices (USB flash drives, external hard drives, etc) provides a method to guarantee data security in the event of loss, theft or confiscation. When backing up personal information onto external storage, encryption is a recommended preparation for the filesystem.

Recent versions of Gnome will now support encrypted filesystems on removable storage by prompting the user for the passphrase when the device is automounted.

Easy setup using disk utility

Applicable to Ubuntu 10.04 and probably to newer releases

Partitioning is dangerous! BACK UP everything and BE SURE to format the correct drive.

Creating a new encrypted partition

In brief, the steps are (please improve...):

  • Start Disk Utility
  • Make SURE you identify the proper drive in the left hand panel
  • If needed, create empty space on the disk by resizing/deleting partitions (CAREFUL!)
  • In the "Volumes" graphic overview, click the appropriate empty block
  • Click Create partition to create the partition to be encrypted

    • Check Encrypt underlying device

    • They will then prompt you for a password. Chose a decent password - your encryption will only be as strong as your password. Don't use your birthdate, or your IP, or your address. It is probably also safer NOT to store the password - choose the option "Forget password immediately".

Encrypting an existing partition

  • Make a backup of your data on the partition, then unmount it
  • In Disk Utility, select the partition to encrypt (NOTE: this process will destroy all data on the partition!)
  • Click the gear icon under the partition and choose Format...

  • Select the type Encrypted, compatible with Linux systems (LUKS + Ext4)

  • Enter a partition name and passphrase
  • For security, if you have have existing data in this partition, select the erase option Overwrite existing data with zeroes (Slow) (this could take several hours)

  • Click Format...

Using your encrypted partition

Once your partition is formatted, it will be encrypted. (In fact, you have two partitions, a container partition and the encrypted partition; Disk Utility will show them above each other when the volume is unlocked). From Disk Utility, you can lock and unlock the volume by selecting the partition with the little lock and clicking 'Lock Volume' or 'Unlock Volume'.

Make sure that you leave it closed/locked before unmounting the system, otherwise you will get an error. Also, with two partitions, you will have to unmount both before being able to safely remove the drive.

In Disk Utility, there is also a button Change passphrase. (Works much faster than the initial formatting.)

From Nautilus, you can mount and unmount the encrypted volume almost like normal external USB drives or memory sticks, except that you will be prompted for the password.

Further remarks

  • Nautilus will display the label name of the encrypted volume to identify it.
  • In order to have the volume mounted to a particular location (not /media), you may add a line to Fstab (sudo gedit /etc/fstab). Here is a sample line, that will cause the volume 'myDisk' to be mounted by any user ('user'), but not during boot ('noauto'): LABEL=myDisk1 /home/myself/myDisk1 ext4 rw,defaults,user,noauto 0 0

  • Once the drive is unlocked and mounted, the normal File Permissions apply (they also depend on the selected filesystem, i.e. ext3/ext4 / FAT / NTFS).

Expert setup using command line only

Applicable to Ubuntu 8.04 and newer (last tested with: Ubuntu 10.04)

The following steps are destructive and will erase the existing data on the removable storage. Backup existing files on the removable storage before proceeding, if necessary.

The steps are based on using an external SATA hard drive connected via USB2.

Using these steps will create a LUKS encrypted filesystem. LUKS-encrypted filesystems can be read both in Linux and in Windows (using FreeOTFE).

Install cryptsetup

The cryptsetup package needs to be installed in order to encrypt filesystems:

sudo apt-get install cryptsetup

Identifying Attached Storage

After attaching (and, if applicable, powering on) the storage, tail the output of dmesg to identify the device name:

dmesg | tail -20

[33884.688746] usb 4-1: new high speed USB device using ehci_hcd and address 9
[33884.764079] usb 4-1: configuration #1 chosen from 1 choice
[33884.764868] scsi8 : SCSI emulation for USB Mass Storage devices
[33884.765316] usb-storage: device found at 9
[33884.765321] usb-storage: waiting for device to settle before scanning
[33888.042416] usb-storage: device scan complete
[33888.043707] scsi 8:0:0:0: Direct-Access     HDS72505 0KLA360          AF0D PQ: 0 ANSI: 2 CCS
[33888.047550] sd 8:0:0:0: [sdb] 976773168 512-byte hardware sectors (500108 MB)
[33888.048292] sd 8:0:0:0: [sdb] Write Protect is off
[33888.048300] sd 8:0:0:0: [sdb] Mode Sense: 00 38 00 00
[33888.048305] sd 8:0:0:0: [sdb] Assuming drive cache: write through
[33888.049648] sd 8:0:0:0: [sdb] 976773168 512-byte hardware sectors (500108 MB)
[33888.050421] sd 8:0:0:0: [sdb] Write Protect is off
[33888.050428] sd 8:0:0:0: [sdb] Mode Sense: 00 38 00 00
[33888.050432] sd 8:0:0:0: [sdb] Assuming drive cache: write through
[33888.050438]  sdb: unknown partition table
[33888.066470] sd 8:0:0:0: [sdb] Attached SCSI disk
[33888.066545] sd 8:0:0:0: Attached scsi generic sg2 type 0

From the output above, it is apparent that the device has been added to the system as /dev/sdb. All future commands will refer to /dev/sdb as the device with the encrypted filesystem.

Stronger Encryption Preparation (optional)

Re-writing information to the entire device will ensure the integrity of the encryption if the disk is attempted to be "cracked" into.

Carrying out one of the following one-line commands will take a considerable time to complete - the commands are ordered shortest-to-longest running times (and security strength):

sudo dd if=/dev/zero of=/dev/sdb bs=4K
OR
sudo badblocks -c 10240 -s -w -t random -v /dev/sdb
OR
sudo dd if=/dev/urandom of=/dev/sdb bs=4K
  • Command 1: Write "zeroes" onto every block on the hard disk

  • Command 2: Performs a badblock scan on the hard disk to detect an early failure whilst overwriting the hard drive with random data at the same time

    • used this command in the example - it provides the best visibility of the progress of the data writing and also scans the device for potential errors
    • on the 500GB disk, this command took 9.5 hours to complete
  • Command 3: Most secure method - noted to take at least two continuous days to complete

Filesystem Preparation

The filesystem will need to be partitioned prior to running the cryptsetup commands. In the example setup, one partition is created that spans the entire disk:

sudo fdisk /dev/sdb

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xcd5bdf9b.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.


The number of cylinders for this disk is set to 60801.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

sudo fdisk /dev/sdb

The number of cylinders for this disk is set to 60801.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-60801, default 1): 
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-60801, default 60801): 
Using default value 60801

Command (m for help): p

Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xcd5bdf9b

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1       60801   488384001   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

The steps above created the /dev/sdb1 partition which will be referred to in the remaining steps of this guide.

Filesystem Encryption

The "key" used for encrypting in this guide is a passphrase. Other guides specify using generated key files or smartcards. Selecting a long (over 12 characters) passphrase will ensure the strength of the encryption.

The dm-crypt, sha256 and aes kernel modules will need to be loaded prior to encrypting the partition:

sudo modprobe dm-crypt
sudo modprobe sha256
sudo modprobe aes

Try to use sha512 instead if module sha256 is not found. If the following error messages appear when loading sha256 and aes:

sudo modprobe sha256
WARNING: Error inserting padlock_sha (/lib/modules/2.6.24-21-generic/kernel/drivers/crypto/padlock-sha.ko): No such device

sudo modprobe aes
WARNING: Error inserting padlock_aes (/lib/modules/2.6.24-21-generic/kernel/drivers/crypto/padlock-aes.ko): No such device

it is an indication that the system does not have a hardware cryptographic device (source: Ubuntu Bug #206129)

The workaround is to add the following lines (using your favourite editor) to the bottom of /etc/modprobe.d/aliases and re-run the modprobe commands for the sha256 and aes kernel modules:

alias sha256 sha256_generic
alias aes aes_generic

When utilising Gnome to mount the encrypted filesystems, it is not required to manually load the kernel modules.

Run the following command to encrypt the /dev/sdb1 partition:

sudo cryptsetup --verify-passphrase luksFormat /dev/sdb1 -c aes -s 256 -h sha256

The LUKS-formatting command above has the following options:

  • --verify-passphrase - ensures the passphrase is entered twice to avoid an incorrect passphrase being used

  • -c aes -s 256 - uses 256-bit AES encryption

  • -h sha256 - uses the 256-bit SHA hashing algorithm

Creating a Filesystem

The encrypted partition will now need to be unlocked and mapped to /dev/mapper/securebackup using the following command:

sudo cryptsetup luksOpen /dev/sdb1 securebackup

securebackup can be changed to suit, however for this example the device /dev/mapper/securebackup will be referred to as the encrypted partition.

The encrypted partition is now available to be formatted with a filesystem - in this example, ext3 as follows:

sudo mkfs -t ext3 -m 1 -O dir_index,filetype,sparse_super /dev/mapper/securebackup

The mkfs options above are as follows:

  • -t ext3 - create an ext3 filesystem

  • -m 1 - reduce the reserved super-user space down from the default of 5% to 1% of the total size - useful for large filesystems

  • -O dir_index - speed-up lookups in large directories

  • -O filetype - store filetype info in directories

  • -O sparse_super - create fewer superblock backup copies - useful for large filesystems

Mount Encrypted Filesystem

The easiest way to mount the encrypted filesystem is to disconnect the device and reconnect it. Gnome will automount the device and recognise it as an encrypted filesystem by prompting the user for the passphrase.

The first time the encrypted filesystem is mounted, the ownership of the root folder of the device will need to be changed to the current user as follows:

sudo chown naaman:naaman /media/disk
  • where naaman is the username and the second naaman is the group name

Sources & credits


CategorySecurity

EncryptedFilesystemsOnRemovableStorage (last edited 2013-07-03 09:24:15 by wenjianhn)