Securely Encrypt Removable Media with Ubuntu

January 2010

The other day my Dad mentioned that "any true geek always carries a USB drive with him". I proved my geek-hood by producing the 2G titanium thumb drive from around my neck. I then did him one further by telling him that the drive was encrypted with AES 256 bit encryption. I don't know whether or not he was impressed, but I sure proved that I am a true geek. It was this experience that prompted me to share my instructions on how to securely encrypt any removable drive.

Following the steps outlined in this tutorial will wipe all data from the device / partition that you present to the encryption utility. You cannot encrypt an existing system using this method and retain the data. Please ensure that you have backups of your data, or that your data is otherwise expendable.

Step 1:

The first step in this tutorial is installing the cryptsetup utility. This tool is part of the cryptsetup package, which is available in the default repositories. You can search for this using your favorite package management utility or install from the terminal using the command:

sudo aptitude install cryptsetup

Step 2:

Once you have the required utility installed, we'll need to prepare the device for use. This step will alter the partition table on the device, potentially causing loss of data. Again, refer to the warning above.

Identify the Device

We need to know the /dev/ entry that the device is assigned in order to successfully partition and encrypt it. There are two methods outlined below which can aid you in determining the device name. In many cases the device may be listed as /dev/sdb1, /dev/sdc1, etc.

The first method of identifying the device is using the fdisk utility. Simply listing all available partitions may help you determine the device. Hint: you can use the size of the device to help determine its device entry if needed.

[cedwards@daphne ~]$ sudo fdisk -l

Disk /dev/sda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000602ca

Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104422 83 Linux
/dev/sda2 14 46 265072+ 82 Linux swap / Solaris
/dev/sda3 47 1003 7687102+ 83 Linux
/dev/sda4 1004 9729 70091595 83 Linux

Disk /dev/sdb: 1021 MB, 1021313024 bytes
10 heads, 45 sectors/track, 4432 cylinders
Units = cylinders of 450 * 512 = 230400 bytes
Disk identifier: 0x00000000

Device Boot Start End Blocks Id System
/dev/sdb1 1 4432 997177+ 83 Linux

In this example I have determined that my 1G USB drive is detected as /dev/sdb1. This will be the device entry that I will use moving forward.

A second method that you can use to determine the device is the dmesg utility. The dmesg utility outputs kernel-level messages to the console. One little "trick" is to unplug and replug your removable disk, and then run dmesg. You should see output similar to:

usb-storage: device found at 7
usb-storage: waiting for device to settle before scanning
scsi 8:0:0:0: Direct-Access Kingston DataTraveler 2.0 1.00 PQ: 0 ANSI: 2
sd 8:0:0:0: Attached scsi generic sg1 type 0
usb-storage: device scan complete
sd 8:0:0:0: [sdb] 1994752 512-byte logical blocks: (1.02 GB/974 MiB)
sd 8:0:0:0: [sdb] Write Protect is off
sd 8:0:0:0: [sdb] Mode Sense: 23 00 00 00
sd 8:0:0:0: [sdb] Assuming drive cache: write through
sd 8:0:0:0: [sdb] Assuming drive cache: write through
sdb: sdb1
sd 8:0:0:0: [sdb] Assuming drive cache: write through
sd 8:0:0:0: [sdb] Attached SCSI removable disk
EXT4-fs (dm-0): mounted filesystem with ordered data mode

Again, we can see from this information that the USB device was detected and assigned at sdb1.
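Everything from this point on writes to whatever device name you type, so a check that the name really belongs to an unmounted removable disk is worth having. The script below is an added example, not part of the original article: it uses the kernel's /sys/block/<disk>/removable flag and /proc/mounts (both real interfaces); the function names, the SYSROOT/MOUNTS overrides and the fake tree used for offline testing are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: refuse to go on unless the
# device really is a removable disk with nothing mounted from it.  Run it on
# the name picked out of fdisk/dmesg before that name goes to fdisk, dd or
# cryptsetup.  SYSROOT/MOUNTS default to the kernel's live views and are
# overridable only so the checks can be exercised offline against a fake tree.
set -eu
SYSROOT="${SYSROOT:-/sys}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# Whole-disk name behind a node: /dev/sdb1 -> sdb, /dev/sdb -> sdb.  Trailing
# characters are stripped until a /sys/block entry matches; fails if none does.
disk_of() {
    d=${1#/dev/}
    while [ -n "$d" ] && [ ! -e "$SYSROOT/block/$d" ]; do d=${d%?}; done
    [ -n "$d" ] && echo "$d"
}

# True if the kernel flags the parent disk as removable (USB sticks, SD cards).
is_removable() {
    disk=$(disk_of "$1") || return 1
    [ "$(cat "$SYSROOT/block/$disk/removable" 2>/dev/null)" = 1 ]
}

# True if the node itself or any other partition of the same disk is mounted.
is_mounted() {
    disk=$(disk_of "$1") || return 1
    grep -q "^/dev/$disk" "$MOUNTS"
}

# The gate: succeeds only for an unmounted removable disk, otherwise says why.
safe_to_wipe() {
    if ! is_removable "$1"; then echo "$1: not a removable disk" >&2; return 1; fi
    if is_mounted "$1"; then echo "$1: still mounted, unmount first" >&2; return 1; fi
    echo "$1: removable and unmounted"
}

# Constructed fake /sys and mounts table (not a real dump) for offline testing:
# sda is the fixed system disk, sdb an idle stick, sdc a stick still mounted.
make_fake_tree() {
    mkdir -p "$1/sys/block/sda" "$1/sys/block/sdb" "$1/sys/block/sdc"
    echo 0 > "$1/sys/block/sda/removable"
    echo 1 > "$1/sys/block/sdb/removable"
    echo 1 > "$1/sys/block/sdc/removable"
    printf '/dev/sda1 / ext4 rw 0 0\n/dev/sdc1 /media/stick vfat rw 0 0\n' > "$1/mounts"
}

[ $# -eq 0 ] || safe_to_wipe "$1"   # e.g. sh check_device.sh /dev/sdb1
```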

Partition the Device

Now that we've determined the name of the device that we want to encrypt we can partition it. We'll use the fdisk utility to wipe and re-create a single partition on the device.

sudo fdisk /dev/sdbX

Replace sdbX with the device you identified above; the example session below uses /dev/sdb.

I would suggest wiping the existing partition table and re-creating a single partition on the device. See the below example:

[cedwards@daphne ~]$ sudo fdisk /dev/sdb

The number of cylinders for this disk is set to 4432.

There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:

1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs

Command (m for help): p

Disk /dev/sdb: 1021 MB, 1021313024 bytes
10 heads, 45 sectors/track, 4432 cylinders
Units = cylinders of 450 * 512 = 230400 bytes
Disk identifier: 0x00000000

Device Boot Start End Blocks Id System
/dev/sdb1 1 4432 997177+ 83 Linux

Command (m for help): d

Selected partition 1

Command (m for help): p

Disk /dev/sdb: 1021 MB, 1021313024 bytes
10 heads, 45 sectors/track, 4432 cylinders
Units = cylinders of 450 * 512 = 230400 bytes
Disk identifier: 0x00000000

Device Boot Start End Blocks Id System

Command (m for help): n

Command action
e extended
p primary partition (1-4)
p

Partition number (1-4): 1

First cylinder (1-4432, default 1):

Using default value 1

Last cylinder, +cylinders or +size{K,M,G} (1-4432, default 4432):

Using default value 4432

Command (m for help): p

Disk /dev/sdb: 1021 MB, 1021313024 bytes
10 heads, 45 sectors/track, 4432 cylinders
Units = cylinders of 450 * 512 = 230400 bytes
Disk identifier: 0x00000000

Device Boot Start End Blocks Id System
/dev/sdb1 1 4432 997177+ 83 Linux

Command (m for help): w

The partition table has been altered!

Calling ioctl() to re-read partition table.

Syncing disks.

Step 3:

To make sure that your kernel is up to date concerning the newly created / altered partition table you may need to run the command:

sudo partprobe

Chances are on modern systems that the kernel is already updated with the new information, but it doesn't hurt to make sure. This also helps avoid potential problems later due to a mismatch between the partition table and the kernel.

Step 4:

We've identified the drive we want to encrypt and prepared it with a single partition. We're now ready to apply the encryption.

There are a number of options available at this point. I will outline a few and let the reader decide which they prefer. None of them is "the best"; each suits different situations, depending on your security needs and how long you are willing to let this step run. If you want things done quickly with a basic level of fairly-hard-to-break protection, use Option 1. If you are super paranoid and don't mind letting the wipe take a long time (hours or even days on larger disks!), I would suggest Option 3. Somewhere in the middle, Option 2 is likely fine.

To help defend against pattern-based attacks on the encryption, we'll write data across the whole partition before encrypting it. As per the note above, select one of the options below:

Option 1

sudo dd if=/dev/zero of=/dev/sdbX bs=4K

This method is the fastest, and gives adequate protection in most situations.

Alternatively, still within Option 1:

sudo badblocks -vfw /dev/sdbX [block-size-of-your-device]

This option writes 5 data patterns across the drive, overwriting and then verifying each pass. It is meant for checking for bad blocks, but it can also be used to wipe out any existing data. This method is also reasonably fast.

Option 2

sudo dd if=/dev/urandom of=/dev/sdbX bs=4K

This method should be considered very secure. It is based on the truly random option given below, but it writes pseudo-random data. It is a very secure option, but it will increase the time taken significantly.

Option 3

sudo dd if=/dev/random of=/dev/sdbX bs=4K

This is considered the most secure but will take the most time. It is important to generate a lot of random data on your machine to help this process along: launching applications, generating heavy disk I/O, moving the mouse, and so on. Again, this method is the most secure but increases the time the most. This method may take days.

Step 5:

We are now ready to encrypt the partition. In this section I will outline using Linux Unified Key Setup (LUKS) encryption with my preferred key length, hash and cipher. You may change these if you prefer. See the man page for information on other options.

Running this command will remind you that all data will be lost (remember, we already wiped the data in the previous step). This is also where we define the passphrase that unlocks the encryption.

To begin the encryption process, use one of the commands below. The first uses my preferred cipher. The second uses the default settings.

My suggested options:

sudo cryptsetup luksFormat /dev/sdbX -c aes -s 256 -h sha256

Default options:

sudo cryptsetup luksFormat /dev/sdbX


If you see an error at this point similar to "Failed to setup dm-crypt key mapping. Check kernel for support for the aes-cbc-plain cipher spec and verify that /dev/sdbX contains at least 258 sectors." you'll need to ensure the kernel module is loaded:

sudo modprobe dm-crypt

You may also want to have this module automagically loaded at boot time by appending this line to your /etc/modules file:

dm-crypt

Step 6:

Now that we've created the basic LUKS layout, we need to open the encrypted partition for use and give it a name. This is the name that will appear when the device is mounted in the future.

sudo cryptsetup luksOpen /dev/sdbX name

The name can be whatever you like. I use things like 'secure' or 'vault' or 'encrypt'.

Step 7:

Now that we have the device open and added to the dev mapper system we can actually create a file system on it and use it. One last command and we’ve got ourselves an encrypted, usable filesystem.

sudo mkfs.ext4 /dev/mapper/name -L label

Replace 'name' with the name given in the previous step, and 'label' with the filesystem label you want; I generally match the two. This also assumes an ext4 file system. If you know you want a different filesystem type, I'm assuming you also know the right command.
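Before trusting the device, it is worth confirming that the header on the partition really carries the cipher, hash and key size requested in Step 5. The script below is an added example, not part of the original article: it reads the LUKS1 header layout (what cryptsetup 1.x luksFormat writes, with the LUKS magic, version, cipher name, cipher mode, hash spec and key size at their documented offsets) directly from the device or an image file; the function names and the constructed sample header used for offline testing are this example's own, and a LUKS2 header is reported as unsupported rather than parsed.

```shell
#!/bin/sh
# Added example, not from the original article: read the LUKS1 header that
# cryptsetup 1.x luksFormat writes at the start of the partition and confirm
# the cipher, mode, hash and key size are the ones requested in Step 5, without
# needing the device to be open.  Field offsets follow the LUKS1 on-disk format.
set -eu

# Raw text field: $1 = device or image, $2 = byte offset, $3 = length.
luks_field() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# Big-endian unsigned integer field: $1 = file, $2 = offset, $3 = width in bytes.
luks_uint() {
    n=0
    for b in $(od -An -v -tu1 -j "$2" -N "$3" "$1"); do n=$(( n * 256 + b )); done
    echo "$n"
}

# True if the first six bytes are the LUKS magic "LUKS\xba\xbe".
is_luks() {
    [ "$(od -An -v -tx1 -N 6 "$1" | tr -d ' \n')" = "4c554b53babe" ]
}

# One line: "<version> <cipher> <mode> <hash> <key bits>", e.g.
# "1 aes cbc-essiv:sha256 sha256 256".  Fails without a LUKS1 header.
luks_summary() {
    is_luks "$1" || { echo "$1: no LUKS header found" >&2; return 1; }
    v=$(luks_uint "$1" 6 2)
    [ "$v" -eq 1 ] || { echo "$1: LUKS version $v, only LUKS1 is parsed here" >&2; return 1; }
    printf '%s %s %s %s %s\n' "$v" "$(luks_field "$1" 8 32)" "$(luks_field "$1" 40 32)" \
        "$(luks_field "$1" 72 32)" "$(( $(luks_uint "$1" 108 4) * 8 ))"
}

# Constructed 592-byte LUKS1 header image (not a real dump) with just the fields
# this script reads filled in, so the parser can be exercised without a device.
make_sample_header() {
    {
        printf 'LUKS\272\276\000\001'                     # magic, version 1
        printf '%-32s' aes              | tr ' ' '\000'  # cipherName
        printf '%-32s' cbc-essiv:sha256 | tr ' ' '\000'  # cipherMode
        printf '%-32s' sha256           | tr ' ' '\000'  # hashSpec
        printf '\000\000\010\010\000\000\000\040'         # payloadOffset 2056, keyBytes 32
        dd if=/dev/zero bs=1 count=480 2>/dev/null       # digest, salt, uuid, key slots
    } > "$1"
}

[ $# -eq 0 ] || luks_summary "$1"   # e.g. sudo sh luks_check.sh /dev/sdb1
```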


If you've come this far, your device is ready to use! To have your system automatically mount the device and prompt you for the passphrase, simply unplug the device and plug it back into your machine. You should find that, upon connecting the device, your desktop prompts you for the encryption passphrase before it can load. If you (or someone else!) are unable to provide the encryption passphrase, the device cannot be mounted and the data can never be read. This setup should also work on any other Ubuntu machine, the one dependency being that cryptsetup may need to be installed.


With the prevalence of USB thumb drives and other removable media it is important to protect our data. It is all too easy to lose such a small device, and they too often have personal data on them. Protect yourself and protect your data!

