GNU/Linux howto – create an encrypted USB drive or stick and label it

19.Aug.2022

How to create an encrypted USB stick

Creating an encrypted USB stick under GNU/Linux is fairly easy. First let's install the required packages and erase everything from the stick.

lsblk gives a good overview of what is where (in a tree view style):

lsblk -o 'NAME,MAJ:MIN,RM,SIZE,RO,FSTYPE,MOUNTPOINT,UUID'
export USB_STICK="/dev/sdb" # adjust to the device name lsblk shows for the stick
apt-get install parted cryptsetup-bin
shred -n 10 -v -z "${USB_STICK}"
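
shred overwrites whatever device USB_STICK points at, so the lsblk output is worth checking mechanically before that step. The script below is an added example, not part of the original article: it reads lsblk's KEY="value" output and refuses any device that is not a removable, writable whole disk with nothing mounted. The names field and check_wipe_target and the sample lsblk lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article: a pre-flight check that
# decides from lsblk output whether a device may be handed to shred.

# field KEY LINE: print the value of KEY="..." from one line of `lsblk -P`.
field() { printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"; }

# Reads `lsblk -P -n -o NAME,RM,RO,TYPE,MOUNTPOINT <device>` on stdin.
# Prints one line per problem; returns 0 only if nothing speaks against wiping.
check_wipe_target() {
    problems=0; first=1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=$(field NAME "$line")
        if [ "$first" = 1 ]; then    # the first line is the device itself
            first=0
            [ "$(field TYPE "$line")" = disk ] || { echo "$name: not a whole disk"; problems=1; }
            [ "$(field RM "$line")" = 1 ] || { echo "$name: not flagged removable"; problems=1; }
            [ "$(field RO "$line")" = 0 ] || { echo "$name: read-only"; problems=1; }
        fi
        # the device and every partition or mapping below it must be unmounted
        mp=$(field MOUNTPOINT "$line")
        [ -z "$mp" ] || { echo "$name: mounted on $mp"; problems=1; }
    done
    [ "$first" = 0 ] || { echo "no device information on stdin"; problems=1; }
    return "$problems"
}

# Constructed sample outputs (typed by hand, not captured from a real system).
SAMPLE_STICK='NAME="sdb" RM="1" RO="0" TYPE="disk" MOUNTPOINT=""
NAME="sdb1" RM="1" RO="0" TYPE="part" MOUNTPOINT=""'
SAMPLE_SYSTEM_DISK='NAME="sda" RM="0" RO="0" TYPE="disk" MOUNTPOINT=""
NAME="sda1" RM="0" RO="0" TYPE="part" MOUNTPOINT="/"'

printf '%s\n' "$SAMPLE_STICK" | check_wipe_target && echo "sample stick: ok to wipe"
printf '%s\n' "$SAMPLE_SYSTEM_DISK" | check_wipe_target || echo "sample system disk: refused"

# Real use, in place of the bare shred call:
#   lsblk -P -n -o NAME,RM,RO,TYPE,MOUNTPOINT "${USB_STICK}" | check_wipe_target \
#       && shred -n 10 -v -z "${USB_STICK}"
```

USB hard disks and some SSD enclosures report RM=0, so this check refuses them; lsblk's TRAN column (value usb) can be used to confirm such a device by hand.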

Shredding can take some time depending on the stick's size. After it has finished, we can create a partition table:

parted -s -a optimal "${USB_STICK}" -- mklabel msdos mkpart primary ext2 1 -1

Finally we can create an AES-encrypted partition.

It might be necessary to 1) sync, 2) disconnect and 3) reconnect the stick now.

export ENCRYPTED_PART="/dev/sdb1"

export ENCRYPTED_PART_NAME="cryptostick"

cryptsetup --verify-passphrase luksFormat "${ENCRYPTED_PART}" --cipher aes --key-size 256 --hash sha256

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES

Enter passphrase for /dev/sdb1:
verify:

cryptsetup luksOpen "${ENCRYPTED_PART}" "${ENCRYPTED_PART_NAME}"

Enter passphrase for /dev/sdb1: # enter the password just used for encryption

mkfs.ext4 -L "${ENCRYPTED_PART_NAME}" "/dev/mapper/${ENCRYPTED_PART_NAME}"

cryptsetup close "${ENCRYPTED_PART_NAME}"

sync

Now the encrypted stick is ready to use!
Simply unplug it and re-attach it, and you should be asked for the password to decrypt and mount the drive.

Manually mounting the drive:

mkdir "/mnt/${ENCRYPTED_PART_NAME}"

cryptsetup luksOpen "${ENCRYPTED_PART}" "${ENCRYPTED_PART_NAME}"

mount "/dev/mapper/${ENCRYPTED_PART_NAME}" "/mnt/${ENCRYPTED_PART_NAME}"

echo test > "/mnt/${ENCRYPTED_PART_NAME}/file.txt"

umount "/mnt/${ENCRYPTED_PART_NAME}"

cryptsetup close "${ENCRYPTED_PART_NAME}"

How to run a filesystem check on the device?

# find out what mapper calls the device
lsblk -o 'NAME,MAJ:MIN,RM,SIZE,RO,FSTYPE,MOUNTPOINT,UUID'
umount /dev/mapper/luks-e2889390-8542-4a07-a59c-123123123123
fsck -y -v -f /dev/mapper/luks-e2889390-8542-4a07-a59c-123123123123

Credits: https://www.wyb.cz/2016/02/21/creating-encrypted-usb-stick/
