## page was copied from EncryptedFilesystemsOnRemovableStorageOnHardy #title Encrypted filesystem for removable storage devices || {i} Please refer to EncryptedFilesystems for further documentation.|| ||<>|| == Introduction == Encrypting removable devices (USB flash drives, external hard drives, etc) provides a method to guarantee data security in the event of loss, theft or confiscation. When backing up personal information onto external storage, encryption is a recommended preparation for the filesystem. Recent versions of Gnome will now support encrypted filesystems on removable storage by prompting the user for the passphrase when the device is automounted. == Easy setup using disk utility == '' Applicable to Ubuntu 10.04 and probably to newer releases'' * You must install the package ''cryptsetup''. * [[apt:cryptsetup|Install the ''cryptsetup'' package]] * Disk Utility is included by default (or can easily be installed). It should be in System - Administration - Disk utility (or type 'palimpsest' in terminal). * [[apt:gnome-disk-utility|Install the ''gnome-disk-utility'' package (if missing)]] '''Partitioning is dangerous!''' BACK UP everything and BE SURE to format the correct drive. === Creating a new encrypted partition === In brief, the steps are (please improve...): * Start Disk Utility * Make SURE you identify the proper drive in the left hand panel * If needed, create empty space on the disk by resizing/deleting partitions (CAREFUL!) * In the "Volumes" graphic overview, click the appropriate empty block * Click '''Create partition''' to create the partition to be encrypted * Check '''Encrypt underlying device''' * They will then prompt you for a password. Chose a decent password - your encryption will only be as strong as your password. Don't use your birthdate, or your IP, or your address. It is probably also safer NOT to store the password - choose the option "Forget password immediately". === Encrypting an existing partition === * Make a backup of your data on the partition, then unmount it * In Disk Utility, select the partition to encrypt (NOTE: this process will destroy all data on the partition!) * Click the gear icon under the partition and choose '''Format...''' * Select the type '''Encrypted, compatible with Linux systems (LUKS + Ext4)''' * Enter a partition name and passphrase * For security, if you have have existing data in this partition, select the erase option '''Overwrite existing data with zeroes (Slow)''' (this could take several hours) * Click '''Format...''' === Using your encrypted partition === Once your partition is formatted, it will be encrypted. (In fact, you have two partitions, a container partition and the encrypted partition; Disk Utility will show them above each other when the volume is unlocked). From Disk Utility, you can lock and unlock the volume by selecting the partition with the little lock and clicking 'Lock Volume' or 'Unlock Volume'. Make sure that you leave it closed/locked before unmounting the system, otherwise you will get an error. Also, with two partitions, you will have to unmount both before being able to safely remove the drive. In Disk Utility, there is also a button '''Change passphrase'''. (Works much faster than the initial formatting.) From '''Nautilus''', you can mount and unmount the encrypted volume almost like normal external USB drives or memory sticks, except that you will be prompted for the password. '''Further remarks''' * Nautilus will display the label name of the encrypted volume to identify it. * In order to have the volume mounted to a particular location (not /media), you may add a line to [[Fstab]] (sudo gedit /etc/fstab). Here is a sample line, that will cause the volume 'myDisk' to be mounted by any user ('user'), but not during boot ('noauto'): ''LABEL=myDisk1 /home/myself/myDisk1 ext4 rw,defaults,user,noauto 0 0'' * Once the drive is unlocked and mounted, the normal [[File Permissions]] apply (they also depend on the selected filesystem, i.e. ext3/ext4 / FAT / NTFS). == Expert setup using command line only == '' Applicable to Ubuntu 8.04 and newer (last tested with: Ubuntu 10.04)'' The following steps are '''destructive''' and will erase the existing data on the removable storage. Backup existing files on the removable storage before proceeding, if necessary. The steps are based on using an external SATA hard drive connected via USB2. Using these steps will create a [[http://luks.endorphin.org/|LUKS]] encrypted filesystem. LUKS-encrypted filesystems can be read both in Linux and in Windows (using [[http://www.freeotfe.org/|FreeOTFE]]). === Install cryptsetup === The ''cryptsetup'' package needs to be installed in order to encrypt filesystems: {{{ sudo apt-get install cryptsetup }}} === Identifying Attached Storage === After attaching (and, if applicable, powering on) the storage, ''tail'' the output of ''dmesg'' to identify the device name: {{{ dmesg | tail -20 [33884.688746] usb 4-1: new high speed USB device using ehci_hcd and address 9 [33884.764079] usb 4-1: configuration #1 chosen from 1 choice [33884.764868] scsi8 : SCSI emulation for USB Mass Storage devices [33884.765316] usb-storage: device found at 9 [33884.765321] usb-storage: waiting for device to settle before scanning [33888.042416] usb-storage: device scan complete [33888.043707] scsi 8:0:0:0: Direct-Access HDS72505 0KLA360 AF0D PQ: 0 ANSI: 2 CCS [33888.047550] sd 8:0:0:0: [sdb] 976773168 512-byte hardware sectors (500108 MB) [33888.048292] sd 8:0:0:0: [sdb] Write Protect is off [33888.048300] sd 8:0:0:0: [sdb] Mode Sense: 00 38 00 00 [33888.048305] sd 8:0:0:0: [sdb] Assuming drive cache: write through [33888.049648] sd 8:0:0:0: [sdb] 976773168 512-byte hardware sectors (500108 MB) [33888.050421] sd 8:0:0:0: [sdb] Write Protect is off [33888.050428] sd 8:0:0:0: [sdb] Mode Sense: 00 38 00 00 [33888.050432] sd 8:0:0:0: [sdb] Assuming drive cache: write through [33888.050438] sdb: unknown partition table [33888.066470] sd 8:0:0:0: [sdb] Attached SCSI disk [33888.066545] sd 8:0:0:0: Attached scsi generic sg2 type 0 }}} From the output above, it is apparent that the device has been added to the system as '''/dev/sdb'''. All future commands will refer to /dev/sdb as the device with the encrypted filesystem. === Stronger Encryption Preparation (optional) === Re-writing information to the entire device will ensure the integrity of the encryption if the disk is attempted to be "cracked" into. Carrying out one of the following '''one-line''' commands will take a considerable time to complete - the commands are ordered shortest-to-longest running times (and security strength): {{{ sudo dd if=/dev/zero of=/dev/sdb bs=4K OR sudo badblocks -c 10240 -s -w -t random -v /dev/sdb OR sudo dd if=/dev/urandom of=/dev/sdb bs=4K }}} * '''Command 1:''' Write "zeroes" onto every block on the hard disk * '''Command 2:''' Performs a badblock scan on the hard disk to detect an early failure whilst overwriting the hard drive with random data at the same time * used this command in the example - it provides the best visibility of the progress of the data writing and also scans the device for potential errors * on the 500GB disk, this command took 9.5 hours to complete * '''Command 3:''' Most secure method - noted to take at least two continuous days to complete === Filesystem Preparation === The filesystem will need to be partitioned prior to running the ''cryptsetup'' commands. In the example setup, one partition is created that spans the entire disk: {{{ sudo fdisk /dev/sdb Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel Building a new DOS disklabel with disk identifier 0xcd5bdf9b. Changes will remain in memory only, until you decide to write them. After that, of course, the previous content won't be recoverable. The number of cylinders for this disk is set to 60801. There is nothing wrong with that, but this is larger than 1024, and could in certain setups cause problems with: 1) software that runs at boot time (e.g., old versions of LILO) 2) booting and partitioning software from other OSs (e.g., DOS FDISK, OS/2 FDISK) Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite) Command (m for help): w The partition table has been altered! Calling ioctl() to re-read partition table. Syncing disks. sudo fdisk /dev/sdb The number of cylinders for this disk is set to 60801. There is nothing wrong with that, but this is larger than 1024, and could in certain setups cause problems with: 1) software that runs at boot time (e.g., old versions of LILO) 2) booting and partitioning software from other OSs (e.g., DOS FDISK, OS/2 FDISK) Command (m for help): n Command action e extended p primary partition (1-4) p Partition number (1-4): 1 First cylinder (1-60801, default 1): Using default value 1 Last cylinder or +size or +sizeM or +sizeK (1-60801, default 60801): Using default value 60801 Command (m for help): p Disk /dev/sdb: 500.1 GB, 500107862016 bytes 255 heads, 63 sectors/track, 60801 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Disk identifier: 0xcd5bdf9b Device Boot Start End Blocks Id System /dev/sdb1 1 60801 488384001 83 Linux Command (m for help): w The partition table has been altered! Calling ioctl() to re-read partition table. Syncing disks. }}} The steps above created the '''/dev/sdb1''' partition which will be referred to in the remaining steps of this guide. === Filesystem Encryption === The "key" used for encrypting in this guide is a passphrase. Other guides specify using generated key files or smartcards. Selecting a long (over 12 characters) passphrase will ensure the strength of the encryption. The ''dm-crypt'', ''sha256'' and ''aes'' kernel modules will need to be loaded prior to encrypting the partition: {{{ sudo modprobe dm-crypt sudo modprobe sha256 sudo modprobe aes }}} Try to use sha512 instead if module sha256 is not found. If the following error messages appear when loading ''sha256'' and ''aes'': {{{ sudo modprobe sha256 WARNING: Error inserting padlock_sha (/lib/modules/2.6.24-21-generic/kernel/drivers/crypto/padlock-sha.ko): No such device sudo modprobe aes WARNING: Error inserting padlock_aes (/lib/modules/2.6.24-21-generic/kernel/drivers/crypto/padlock-aes.ko): No such device }}} it is an indication that the system does not have a hardware cryptographic device (source: [[https://bugs.launchpad.net/ubuntu/+source/linux/+bug/206129|Ubuntu Bug #206129]]) The workaround is to add the following lines (using your favourite editor) to the bottom of ''/etc/modprobe.d/aliases'' and re-run the ''modprobe'' commands for the ''sha256'' and ''aes'' kernel modules: {{{ alias sha256 sha256_generic alias aes aes_generic }}} When utilising Gnome to mount the encrypted filesystems, it is not required to manually load the kernel modules. Run the following command to encrypt the '''/dev/sdb1''' partition: {{{ sudo cryptsetup --verify-passphrase luksFormat /dev/sdb1 -c aes -s 256 -h sha256 }}} The LUKS-formatting command above has the following options: * ''--verify-passphrase'' - ensures the passphrase is entered twice to avoid an incorrect passphrase being used * ''-c aes -s 256'' - uses 256-bit [[http://en.wikipedia.org/wiki/Advanced_Encryption_Standard|AES]] encryption * ''-h sha256'' - uses the 256-bit [[http://en.wikipedia.org/wiki/SHA|SHA]] hashing algorithm === Creating a Filesystem === The encrypted partition will now need to be unlocked and mapped to '''/dev/mapper/securebackup''' using the following command: {{{ sudo cryptsetup luksOpen /dev/sdb1 securebackup }}} ''securebackup'' can be changed to suit, however for this example the device '''/dev/mapper/securebackup''' will be referred to as the encrypted partition. The encrypted partition is now available to be formatted with a filesystem - in this example, ext3 as follows: {{{ sudo mkfs -t ext3 -m 1 -O dir_index,filetype,sparse_super /dev/mapper/securebackup }}} The ''mkfs'' options above are as follows: * ''-t ext3'' - create an ext3 filesystem * ''-m 1'' - reduce the reserved super-user space down from the default of 5% to 1% of the total size - useful for large filesystems * ''-O dir_index'' - speed-up lookups in large directories * ''-O filetype'' - store filetype info in directories * ''-O sparse_super'' - create fewer superblock backup copies - useful for large filesystems === Mount Encrypted Filesystem === The easiest way to mount the encrypted filesystem is to disconnect the device and reconnect it. Gnome will automount the device and recognise it as an encrypted filesystem by prompting the user for the passphrase. The first time the encrypted filesystem is mounted, the ownership of the root folder of the device will need to be changed to the current user as follows: {{{ sudo chown naaman:naaman /media/disk }}} * where ''naaman'' is the username and the second ''naaman'' is the group name == Sources & credits == * [[http://ubuntu-tutorials.com/2007/08/17/7-steps-to-an-encrypted-partition-local-or-removable-disk/|7 Steps To An Encrypted Partition (local or removable disk)]] * [[http://www.hermann-uwe.de/blog/howto-disk-encryption-with-dm-crypt-luks-and-debian|HOWTO: Disk encryption with dm-crypt / LUKS and Debian [Update]]] * [[http://www.flywheelcollective.com/blog/08-12-10/encrypt-disk-ubuntu-1010-disk-utilities-and-cryptsetup]] * [[http://www.howtogeek.com/115955/how-to-quickly-encrypt-removable-storage-devices-with-ubuntu/]] * Contributors: NaamanCampbell<
> ---- CategorySecurity