The USB disk or flash drive is probably one of the biggest potential security risks we have today. Everyone from home users to small businesses, large corporations and even governments is having issues with information being lost or stolen via USB flash drives. Remember that unless you’re using a hardware-encrypted drive like IronKey, any information you place on a flash drive is easily read by anyone who has access to the device. Because flash drives are often attached to a key ring or tossed in a jacket pocket or purse, they are easily and often lost or stolen. It may therefore be more important to encrypt flash drives than it is to encrypt your home or office computer, where physical access can be controlled. If you’re not using IronKey you can still use software to encrypt the data on the drives.

In this article I’m going to show you how easy it is to encrypt a USB flash drive using the Disk Utility feature of Ubuntu 11.04. I will address other operating systems in later posts.

To get started go to the Ubuntu “System > Administration” menu and select “Disk Utility”.  You can also start the program by opening a terminal window and typing the command: sudo palimpsest. You will see a display something like this:

Ubuntu Disk Utility Step 1

The adapters and drives reported will of course vary depending on the specifics of your computer setup. Now connect the USB flash drive and you’ll see something like this:

Ubuntu Disk Utility Step 2

You should see your flash drive at the bottom of the list. In my case, it’s the SanDisk U3 Cruzer Micro flash drive that’s highlighted in the left hand panel. You will see that Ubuntu automatically mounts the device and opens it in a file manager. In my case it was mounted at /media/New Volume.

IMPORTANT! If you have files stored on the device, you must copy them to a folder on your hard drive now. If you do not they will be lost when we reformat and encrypt the drive. After you have copied the files you will need to unmount the volume before continuing with the format. You can do that by clicking “Unmount Volume” in the Disk Utility panel. Once you’ve unmounted the volume you then click “Format Volume”. You are presented with this dialog:

Ubuntu Disk Utility Step 3

You can select the disk format from the drop-down list next to “Type”. I chose Ext4 since it is the native and default format for Ubuntu and most other modern Linux distributions. You can name the volume whatever you wish. I used the default New Volume. You will want to make sure you check “Take ownership of filesystem” and “Encrypt underlying device”. Then click the “Format” button. You will be prompted with an “Are you sure” dialog and then be presented with this dialog box that asks for your passphrase:

Ubuntu Disk Utility Step 4

You will want to choose a strong passphrase and store it in your password manager so that you won’t forget it later. Your selection of “Forget passphrase immediately”, “Remember passphrase until you log out” or “Remember forever” is up to you. If you’re on a home or office computer that no one else uses then you would probably be safe in choosing “Remember forever”. If not, then you should choose one of the other options. Click “Create” to proceed. Once the formatting is complete you will see something like this:

Ubuntu Disk Utility Step 5

Note that the device is now shown with two volumes on it. At the top is the encrypted container showing status unlocked. The bottom volume represents the ext4 formatted volume. If you click the bottom volume you can then select “Mount volume”. Once it’s mounted you can then move your files (if you had any) from the hard drive back to the device. Be sure to use “Eject” or “Safely Remove Device” before actually removing the flash drive from the USB port. When you connect the encrypted flash drive to another Ubuntu computer it will automatically prompt you for a password and mount the drive. To the best of my knowledge the drive will be unreadable on a Windows or Mac machine. This may be inconvenient if you’re using a mix of computers in your operation. On the other hand, it could be a good thing if you want to further reduce the chance that someone could read your data.
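
To confirm that the format step really produced an encrypted container, you can inspect the first bytes of the partition. The Python script below is an added example, not part of the original article; it assumes that “Encrypt underlying device” created a LUKS version 1 container (the on-disk format used with dm-crypt), and the device name /dev/sdb1 and the sample header are constructed for illustration.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
KEYSLOT_ACTIVE = 0x00AC71F3  # LUKS1 marker for a key slot that holds a passphrase
KEYSLOT_DISABLED = 0x0000DEAD
# LUKS1 header, big-endian: magic, version, cipher name, cipher mode, hash spec,
# payload offset (sectors), key bytes, MK digest, MK salt, MK iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes
SLOT = struct.Struct(">II32sII")  # 48 bytes each; 8 slots follow PHDR


def _text(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect_luks(data):
    """Return header details if data starts with a LUKS header, else None."""
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        return None  # plain filesystem or blank device: nothing is encrypted
    version = struct.unpack(">H", data[6:8])[0]
    if version != 1 or len(data) < PHDR.size + 8 * SLOT.size:
        return {"version": version}  # LUKS2 or short read: report version only
    _, _, cipher, mode, hash_spec, payload, key_bytes, _, _, _, uuid = PHDR.unpack_from(data)
    active = [i for i in range(8)
              if SLOT.unpack_from(data, PHDR.size + i * SLOT.size)[0] == KEYSLOT_ACTIVE]
    return {"version": 1, "cipher": _text(cipher) + "-" + _text(mode),
            "key_bits": key_bytes * 8, "hash": _text(hash_spec),
            "payload_offset_sectors": payload, "uuid": _text(uuid),
            "active_keyslots": active}


def sample_header():
    """Constructed LUKS1 header (not read from a real drive) for offline runs."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                     4096, 32, bytes(20), bytes(32), 10000, b"constructed-sample-uuid")
    slots = SLOT.pack(KEYSLOT_ACTIVE, 50000, bytes(32), 8, 4000)
    slots += SLOT.pack(KEYSLOT_DISABLED, 0, bytes(32), 0, 4000) * 7
    return phdr + slots


if __name__ == "__main__":
    # With an argument, read the partition itself, e.g. /dev/sdb1 (assumed name;
    # needs root). Without one, use the constructed sample.
    data = open(sys.argv[1], "rb").read(592) if len(sys.argv) > 1 else sample_header()
    print(inspect_luks(data) or "No LUKS header: this volume is NOT encrypted")
```

If the script reports no LUKS header for the partition you just formatted, the “Encrypt underlying device” box was not applied and the files on the drive are readable by anyone.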

If you must have encryption that works across all three major operating systems then you should use TrueCrypt rather than the native Linux dm-crypt tools. I will discuss that in a future post.