Protecting Data with Encrypted Linux Partitions Part 2 - page 6

Adding Your Own Back Door

If you want to carry secret stuff around on a USB key you can encrypt it too. Follow the steps for partitioning, creating a filesystem, and creating the encrypted device just like we did for our hard drive partition. You can do it all with GParted.

Hot-plugging USB devices is still not foolproof. If GParted does not see your USB key, dmesg will reveal the USB device name:

$ dmesg
[  658.589523] scsi 2:0:0:0: Direct-Access     LEXAR   ... 
[...]
[  658.595866] sdb: assuming drive cache: write through
[  658.595869]  sdb: sdb1
[  658.732154] sd 2:0:0:0: Attached scsi removable disk sdb

fdisk will save the day if something goes hayware and GParted won't work. Run this command to open the command menu for your USB key:

# fdisk /dev/sdb1

Using your own device name, of course. Use fdisk only to re-partition your storage devices. If you use it on an encrypted device it won't recognize the LUKS headers and will emit this scary warning:

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel. Changes will remain in memory only,
until you decide to write them. After that, of course, the previous
content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Obviously, don't enter the w (write) command unless you wish to lose your data.

GNOME users can plug in their encrypted removable drives, and they will be prompted for their LUKS password. It may or may not be automatically mounted; this depends on how udev is configured. You can either tweak udev, or add a line to /etc/fstab to enable automounting.

Resources

• TrueCrypt is a cross-platform encryption application with a nicer interface
• dm-crypt Wiki
• Manage Linux Hardware with udev (Part 2)

This article originally appeared on Enterprise Networking Planet, a JupiterWeb site.