How to create an Encrypted USB Stick in Linux
Phase 1: Create a clean, encrypted partition:
1. Identify the device with lsblk.
Plug in the usb stick (either a pendrive or a portable HDD), then run lsblk:
$ lsblk
NAME              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                 8:0    1     0B  0 disk
sdb                 8:16   1  57.3G  0 disk
zram0             252:0    0   3.8G  0 disk  [SWAP]
nvme0n1           259:0    0 238.5G  0 disk
├─nvme0n1p1       259:1    0     1G  0 part  /boot
└─nvme0n1p2       259:2    0 237.5G  0 part
  └─root          253:0    0 237.5G  0 crypt /var/log
                                             /var/cache/pacman/pkg
                                             /home
                                             /
sdb is the device I plugged in. If another one is already plugged in, yours might be sdc or sdd, etc.; the name can differ. Be careful to identify the correct device (the RM column shows 1 for removable media, and the SIZE should match your stick). Otherwise, you'll be formatting/erasing/partitioning the wrong device!
2. Unmount the device with umount /dev/sdb, and erase it with dd:
sudo dd if=/dev/zero of=/dev/sdb bs=4M status=progress
This overwrites the entire usb drive with zero bytes. Note: this step might take hours, so make sure your laptop is plugged in. The output (this run used bs=10M) looks like this, and the final "No space left on device" error is expected: it just means dd reached the end of the drive:
$ dd if=/dev/zero of=/dev/sdb bs=10M status=progress
33418117120 bytes (33 GB, 31 GiB) copied, 1900 s, 17.6 MB/s
61530439680 bytes (62 GB, 57 GiB) copied, 3569 s, 17.2 MB/s
dd: error writing '/dev/sdb': No space left on device
5869+0 records in
5868+0 records out
61530439680 bytes (62 GB, 57 GiB) copied, 3576.5 s, 17.2 MB/s
3. Create a partition on the device with fdisk.
Run sudo fdisk /dev/sdb. This starts an interactive session where you can type d to delete any existing partitions, n to create a new partition, and finally w to write the changes to the device.
After partitioning, note the difference in the lsblk output: sdb's partition is listed as a subtree.
$ lsblk
NAME              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                 8:0    1     0B  0 disk
sdb                 8:16   1  57.3G  0 disk
└─sdb1              8:17   1  57.3G  0 part
zram0             252:0    0   3.8G  0 disk  [SWAP]
nvme0n1           259:0    0 238.5G  0 disk
├─nvme0n1p1       259:1    0     1G  0 part  /boot
└─nvme0n1p2       259:2    0 237.5G  0 part
  └─root          253:0    0 237.5G  0 crypt /var/log
                                             /var/cache/pacman/pkg
                                             /home
                                             /
4. Encrypt the partition with LUKS using cryptsetup.
Run sudo cryptsetup luksFormat /dev/sdb1. Confirm with 'YES' (in capitals) and give a passphrase you won't forget easily; there is no recovery if you lose it.
Note very carefully that you need to run this command on the partition, sdb1, not on the device sdb itself. This will screw up all things if done wrong: run against the whole device, luksFormat would overwrite the partition table you just created.
Phase 2: Create a filesystem in the encrypted container
1. Open the encrypted partition with cryptsetup open.
Run sudo cryptsetup open /dev/sdb1 my_usb_stick. This creates a "mapped device" at /dev/mapper/my_usb_stick. You can see it in lsblk's output:
$ lsblk
NAME              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                 8:0    1     0B  0 disk
sdb                 8:16   1  57.3G  0 disk
└─sdb1              8:17   1  57.3G  0 part
  └─my_usb_stick  253:1    0  57.3G  0 crypt
zram0             252:0    0   3.8G  0 disk  [SWAP]
nvme0n1           259:0    0 238.5G  0 disk
├─nvme0n1p1       259:1    0     1G  0 part  /boot
└─nvme0n1p2       259:2    0 237.5G  0 part
  └─root          253:0    0 237.5G  0 crypt /var/log
                                             /var/cache/pacman/pkg
                                             /home
                                             /
2. Create a filesystem with mkfs.btrfs.
$ sudo mkfs.btrfs /dev/mapper/my_usb_stick
btrfs-progs v6.17
See https://btrfs.readthedocs.io for more information.

Label:              (null)
UUID:               02d146df-1234-44f3-b4556-eerrttew
Node size:          16384
Sector size:        4096    (CPU page size: 4096)
Filesystem size:    57.29GiB
Block group profiles:
  Data:             single            8.00MiB
  Metadata:         DUP               1.00GiB
  System:           DUP               8.00MiB
SSD detected:       no
Zoned device:       no
Features:           extref, skinny-metadata, no-holes, free-space-tree
Checksum:           dcr3r2e
Number of devices:  1
Devices:
   ID        SIZE  PATH
    1    57.29GiB  /dev/mapper/my_usb_stick
Phase 3: Mount the partition onto a directory in /mnt/
1. Create a mountpoint in /mnt/.
If it doesn't already exist, create a directory in /mnt/ to mount this partition on. Create it with sudo mkdir /mnt/my_usb_stick.
2. Mount the 'mapped' partition onto this new mountpoint.
Run sudo mount /dev/mapper/my_usb_stick /mnt/my_usb_stick, and watch the output of lsblk. Note that the opened partition is now mounted:
$ lsblk
NAME              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                 8:0    1     0B  0 disk
sdb                 8:16   1  57.3G  0 disk
└─sdb1              8:17   1  57.3G  0 part
  └─my_usb_stick  253:1    0  57.3G  0 crypt /mnt/my_usb_stick
zram0             252:0    0   3.8G  0 disk  [SWAP]
nvme0n1           259:0    0 238.5G  0 disk
├─nvme0n1p1       259:1    0     1G  0 part  /boot
└─nvme0n1p2       259:2    0 237.5G  0 part
  └─root          253:0    0 237.5G  0 crypt /var/log
                                             /var/cache/pacman/pkg
                                             /home
                                             /
The Usage Phase
Now you can use the drive: copy files to and from it.
Note that copying files onto this usb drive requires sudo, because the top-level directory of the fresh filesystem is owned by root. If you ls -l the files on the drive, you'll see that their owner is root. Copying files off the drive, however, works as your normal user, since the directory is readable by everyone.
The Closing-Down Phase
After you're done moving files, you need to unmount the mountpoint and then close the mapping /dev/mapper/my_usb_stick, like so:
sudo umount /mnt/my_usb_stick
Note that the mapped device will still be listed in lsblk, but the mountpoint will be gone. (If umount complains that the target is busy, some shell or program still has a file open there; close it and try again rather than forcing anything.)
You can close the mapping with:
sudo cryptsetup close my_usb_stick
Now, in lsblk, even the my_usb_stick crypt line is gone.
You can 'eject' the drive safely now.
The day-to-day terminal workflow
- Plug in the usb.
- Run lsblk and determine the partition name (sdb1, sdc1, etc).
- Unlock with sudo cryptsetup open /dev/sdb1 my_usb
- Mount with sudo mkdir /mnt/my_usb and sudo mount /dev/mapper/my_usb /mnt/my_usb
- NOW DO THE WORK. (Files are accessible at /mnt/my_usb.)
- Unmount with sudo umount /mnt/my_usb and, only once the umount has succeeded, sudo rm -rf /mnt/my_usb (run on a directory that is still mounted, rm -rf would delete the files on the stick).
- Lock the drive with sudo cryptsetup close my_usb
- Eject the usb.
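The day-to-day workflow above, together with the checks Phase 1 keeps stressing (only touch a removable device, only its partition and never the whole disk, nothing that is still mounted), folded into one script. This is an added example and not the post's own code; the mapping name my_usb, the mountpoint /mnt/my_usb, the helper names and the lsblk column layout it parses are this example's assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): a wrapper around the day-to-day
# open/mount/umount/close workflow with the checks the post keeps stressing,
# i.e. only touch a removable device, only a partition (sdb1, never sdb), and
# nothing that is still mounted. Mapping name, mountpoint and helper names are
# this example's own assumptions.
set -u

MAP_NAME="my_usb"
MOUNT_DIR="/mnt/$MAP_NAME"

# One row per device: NAME RM TYPE MOUNTPOINTS, raw (no tree glyphs, no header).
# Kept in a function so the checks below can also be fed a pasted copy of the
# lsblk output from the post.
lsblk_table() {
    lsblk -nro NAME,RM,TYPE,MOUNTPOINTS
}

# field_of NAME N: print column N (2 = RM, 3 = TYPE, 4 = MOUNTPOINTS) of the row
# for NAME read from stdin; return 1 if NAME is not in the table at all.
field_of() {
    awk -v n="$1" -v f="$2" '$1 == n { print $f; found = 1 } END { if (!found) exit 1 }'
}

# Removable devices have RM = 1; an internal NVMe or SATA disk has RM = 0.
is_removable() {   # $1 = name, stdin = table
    [ "$(field_of "$1" 2)" = 1 ]
}

# luksFormat/open target the partition (TYPE "part"), never the whole "disk".
is_partition() {   # $1 = name, stdin = table
    [ "$(field_of "$1" 3)" = part ]
}

# A non-empty MOUNTPOINTS column means something is still using the device.
is_mounted() {     # $1 = name, stdin = table
    [ -n "$(field_of "$1" 4)" ]
}

# check_target NAME: run all three checks against the live lsblk table.
check_target() {
    table=$(lsblk_table)
    printf '%s\n' "$table" | is_partition "$1" ||
        { echo "refusing: /dev/$1 is not a partition" >&2; return 1; }
    printf '%s\n' "$table" | is_removable "$1" ||
        { echo "refusing: /dev/$1 is not a removable device" >&2; return 1; }
    if printf '%s\n' "$table" | is_mounted "$1"; then
        echo "refusing: /dev/$1 is still mounted" >&2; return 1
    fi
}

# do_open NAME: unlock /dev/NAME as /dev/mapper/$MAP_NAME and mount it.
do_open() {
    check_target "$1" || return 1
    # isLuks exits non-zero when there is no LUKS header, so a plain or blank
    # partition is never handed to `cryptsetup open` by mistake.
    sudo cryptsetup isLuks "/dev/$1" ||
        { echo "/dev/$1 is not a LUKS container" >&2; return 1; }
    sudo cryptsetup open "/dev/$1" "$MAP_NAME" || return 1
    sudo mkdir -p "$MOUNT_DIR" &&
        sudo mount "/dev/mapper/$MAP_NAME" "$MOUNT_DIR"
}

# Optional: hand the top-level directory of the filesystem to the invoking user
# once, so later copies onto the stick no longer need sudo (see the usage phase).
take_ownership() {
    sudo chown "$(id -u):$(id -g)" "$MOUNT_DIR"
}

# do_close: unmount, lock, then remove the now-empty mountpoint. rmdir rather
# than rm -rf: if the umount failed, rm -rf would delete the files on the stick.
do_close() {
    sudo umount "$MOUNT_DIR" || return 1
    sudo cryptsetup close "$MAP_NAME" || return 1
    sudo rmdir "$MOUNT_DIR"
}

if [ $# -gt 0 ]; then
    case "$1" in
        open)  do_open "${2:?usage: $0 open <partition, e.g. sdb1>}" ;;
        close) do_close ;;
        *)     echo "usage: $0 open <partition> | close" >&2; exit 1 ;;
    esac
fi
```

Save it as usbcrypt.sh; ./usbcrypt.sh open sdb1 unlocks and mounts, ./usbcrypt.sh close unmounts, locks and removes the mountpoint. The is_removable, is_partition and is_mounted checks read the lsblk table from stdin, so they can be tried against a pasted copy of the lsblk output shown earlier before the script is pointed at a live device; with the table from Phase 1, sdb fails is_partition, sdb1 passes both is_partition and is_removable, and nvme0n1p1 fails is_removable.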