How to set up USB drive encryption on Linux

USB drive encryption is so easy on Linux there’s really no reason not to use it. Plus USB drives are small and easy to lose or misplace. I consider a thumb drive that’s not encrypted to be high risk. Anything on one should be safe for the public to see. Other types of data should be encrypted and I’ll show you how.


Encryption with LUKS

1. Set up the partition

You probably don’t need to do this step. But just in case you deleted the partition off your drive you will need to put one back on there. The type does not matter because it will be overwritten in the next steps. LUKS just needs a target to work with.

For me I’m going to use GParted and make a FAT32 partition that takes up the whole drive. In my case this is called /dev/sde1 but it might be something else for you.

Make sure you are working on the right drive. You don’t want to mess up another drive connected to your computer. You can go by size, but if you’re not sure you can unplug the drive and refresh GParted to see what changed. Then plug the USB back in and refresh to see what new drive showed up.

Or you can use the lsblk command to do the same kind of thing.


2. Make a new encrypted partition

Now that the drive is ready we can start the USB drive encryption process. The next steps need you to be root so you will have to switch to root with the su command or use the sudo command. I think this time I’m just going to use sudo.

Open the terminal and type in this command using the path to your new partition. In my case it was /dev/sde1.

sudo cryptsetup luksFormat /dev/sde1

If for some reason your distro does not have cryptsetup installed I’m sure you can find it in your package manager.

This might take a minute to run and it will ask for a password. This will be the password used to open the drive in the future.

3. Open the new encrypted partition

Now we need to open the encrypted drive. This command takes the path to the drive but it also needs a name after the path. This name is just used to refer to the partition in this session. Most of the time I just call it USB.

sudo cryptsetup open /dev/sde1 USB

It will ask for a password. This is the password you set above.

If you use the lsblk command now you will see where it’s opened as the name you gave it.

4. Give the encrypted partition a file system.

Now that the encrypted partition is open we have to give it a file system before we can use it. This can be anything as far as I know. But since LUKS is primarily a Linux thing I tend to go with ext4 or BTRFS.

We point this command at the partition we just opened, using the name we gave it: /dev/mapper/NAME. In my case I used USB, so the command would look like this.

For ext4:

sudo mkfs.ext4 /dev/mapper/USB

For btrfs:

sudo mkfs.btrfs /dev/mapper/USB

5. Mount the new encrypted filesystem

Now we mount the new filesystem and we can start using it.

sudo mount /dev/mapper/USB /mnt

6. Fix permissions (optional)

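At this point the drive works and you can use it. But to make it more friendly I like to fix the permissions on it so I don’t have to be root to do everything. Keep in mind that 777 makes the top-level directory writable by every user on any system where the drive is unlocked and mounted.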

sudo chmod -R 777 /mnt

7. Clean up

Un-mount and close the encrypted drive.

sudo umount /mnt
sudo cryptsetup close USB

We are all done setting up USB drive encryption!
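
Steps 1 to 7 as one guarded script, added here as an example and not part of the original post: it refuses any target that lsblk does not report as an unmounted partition on a USB disk, then prints the commands above rather than running them. The function names and the sample lsblk output are constructed for illustration, ext4 is assumed, and step 6 uses chown to the current user in place of chmod -R 777.

```shell
# Added example (not from the original post); check_target and plan are made-up names.
# Constructed sample of `lsblk -P -o NAME,PKNAME,TYPE,TRAN,MOUNTPOINT` output:
SAMPLE_LSBLK='NAME="sda" PKNAME="" TYPE="disk" TRAN="sata" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" TRAN="" MOUNTPOINT="/"
NAME="sde" PKNAME="" TYPE="disk" TRAN="usb" MOUNTPOINT=""
NAME="sde1" PKNAME="sde" TYPE="part" TRAN="" MOUNTPOINT=""
NAME="sdf" PKNAME="" TYPE="disk" TRAN="usb" MOUNTPOINT=""
NAME="sdf1" PKNAME="sdf" TYPE="part" TRAN="" MOUNTPOINT="/media/user/STICK"'

# check_target NAME: lsblk -P text on stdin; returns 0 only for an unmounted
# partition whose parent disk uses the USB transport.
check_target() {
    awk -v want="$1" '
    {
        split("", f); line = $0
        while (match(line, /[A-Z]+="[^"]*"/)) {          # walk the KEY="value" pairs
            kv = substr(line, RSTART, RLENGTH); eq = index(kv, "=")
            f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
            line = substr(line, RSTART + RLENGTH)
        }
        tran[f["NAME"]] = f["TRAN"]                      # transport is set on the disk row
        if (f["NAME"] == want) { seen = 1; type = f["TYPE"]; pk = f["PKNAME"]; mnt = f["MOUNTPOINT"] }
    }
    END {
        if (!seen)             { print "refuse: " want " not listed";         exit 1 }
        if (type != "part")    { print "refuse: " want " is not a partition"; exit 1 }
        if (tran[pk] != "usb") { print "refuse: " pk " is not a USB disk";    exit 1 }
        if (mnt != "")         { print "refuse: mounted at " mnt;             exit 1 }
        print "ok: " want " on USB disk " pk
    }'
}

# plan DEV MAPPER: print (never run) the steps from this post for a checked device.
plan() {
    cat <<EOF
sudo cryptsetup luksFormat /dev/$1
sudo cryptsetup open /dev/$1 $2
sudo mkfs.ext4 /dev/mapper/$2
sudo mount /dev/mapper/$2 /mnt
sudo chown "\$(id -u):\$(id -g)" /mnt   # instead of chmod -R 777
sudo umount /mnt
sudo cryptsetup close $2
EOF
}
if [ -n "${1:-}" ]; then   # real run, e.g.: sh script.sh sde1
    lsblk -P -o NAME,PKNAME,TYPE,TRAN,MOUNTPOINT | check_target "$1" && plan "$1" USB
else                       # no argument: demonstrate on the constructed sample
    printf '%s\n' "$SAMPLE_LSBLK" | check_target sde1 && plan sde1 USB
fi
```

Pass the partition name without /dev/ (for example sde1) to check the real device; with no argument the script only evaluates the constructed sample.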

But how do we use it?

Most distros I’ve used just work when you plug the drive in.

You click to open the drive in whatever desktop environment you’re using and it asks for the password. Then it opens. Very easy and seamless.

Open USB encrypted drive with command line

In the event you’re on a distro that has no desktop, or it’s not working automatically, you can use a few commands. You only need 2 commands to open or close a drive so it’s still not bad.

Just update the commands for whatever name you’re using and the mount point you’re using.

To open:

sudo cryptsetup open /dev/sde1 USB
sudo mount /dev/mapper/USB /mnt

To close:

sudo umount /mnt
sudo cryptsetup close USB

Keep your data safe

You now know how to encrypt USB or any external drives with Linux! Have fun and keep your data safe!
