Linux and USB Full Disk Encryption

Written on 2018-02-24

With the new Notifiable Data Breaches scheme coming into effect as of the 22nd of February 2018, I started looking at what options were available to have full disk encryption on the one thing that we all lose most often: USB drives. The idea was to make them as easy to use in the normal workflow as an unencrypted drive, but useless if plugged into an unauthorised system. One trade-off is worth stating up front: the unlock key lives on the authorised host, so the USB drive is only as well protected as that host's own disk. If the host's root filesystem is not encrypted, or an attacker gets root on the host, they get the USB key file as well. So, this is what I came up with.

Firstly, create a place to put the keys, and then create a new key file. We're going with a 4096-byte key, which is far more than needed, but it will occupy a 4 KiB filesystem block on disk anyway, so eh. The whole file is fed to cryptsetup as the passphrase for this key slot. Reading it one byte at a time (bs=1 count=4096) rather than as a single 4096-byte read avoids ending up with a short key file if /dev/random hands back fewer bytes than asked for. We need to do all this as root, so don't forget that part!
# mkdir /etc/luks-keys/
# chmod 700 /etc/luks-keys
# dd if=/dev/random of=/etc/luks-keys/new-key-file bs=1 count=4096
Now plug in your USB key and see what it comes up as (dmesg or lsblk will show the new device). In this example, mine is /dev/sdc1. Create the LUKS container. luksFormat overwrites whatever is on that partition and asks you to confirm by typing YES in capitals, so double-check the device name before you do:
# cryptsetup luksFormat /dev/sdc1 /etc/luks-keys/new-key-file
Next up, we want to grab the UUID of the new LUKS container. I'm going to use the example UUID of fea52a1b-9e8d-4144-af33-1a7f05371ead, so remember to replace this with the one you get from the command below. (cryptsetup luksUUID /dev/sdc1 prints just the UUID if you don't want the full dump. On cryptsetup 2.1 and later, luksFormat defaults to LUKS2 and the dump looks a little different, but the UUID line is still there.)
# cryptsetup luksDump /dev/sdc1
LUKS header information for /dev/sdc1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF 00 11 22 33
MK salt:        11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF
                11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE DD
MK iterations:  373000
UUID:           fea52a1b-9e8d-4144-af33-1a7f05371ead

Key Slot 0: ENABLED
        Iterations:             3827459
        Salt:                   00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                                ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Rename the key file we created this container with to match the UUID, and make sure nobody but root can read it:
# mv /etc/luks-keys/new-key-file /etc/luks-keys/fea52a1b-9e8d-4144-af33-1a7f05371ead
# chmod 400 /etc/luks-keys/fea52a1b-9e8d-4144-af33-1a7f05371ead
Set up a udev rule to run a script each time we plug in a drive. udev runs the RUN program with the device's properties (the blkid results such as ID_FS_UUID, plus DEVNAME) in its environment, so the script can look for a key file named after the LUKS UUID and auto-open the container if one exists. Plonk this as /etc/udev/rules.d/auto-mount.rules:
ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}=="crypto", RUN+="/usr/local/bin/"
Then we set up the script that udev fires to check our device. Throw this as /usr/local/bin/ (the same path the RUN key above points at) and mark it executable with chmod +x. Keep it short: udev(7) says RUN programs must be short-running foreground tasks, and a program that blocks holds up event processing for that device.
#!/bin/sh
# udev exports the blkid results (ID_FS_UUID) and the device node (DEVNAME)
# into the environment before running this script.
if [ -f "/etc/luks-keys/${ID_FS_UUID}" ]; then
        logger "Key found for ${ID_FS_UUID}. Unlocking device"
        /usr/sbin/cryptsetup --key-file "/etc/luks-keys/${ID_FS_UUID}" open "${DEVNAME}" "luks-${ID_FS_UUID}"
else
        logger "No key found for ${ID_FS_UUID}. Not decrypting"
fi
Unplug your drive, plug it back in again and you should see your open, encrypted drive listed under /dev/mapper/luks-fea52a1b-9e8d-4144-af33-1a7f05371ead. Create your filesystem - in this case I used btrfs:
# mkfs.btrfs -L "Encrypted Filesystem" /dev/mapper/luks-fea52a1b-9e8d-4144-af33-1a7f05371ead
That should be just about it. You can mount your filesystem and away you go. Your normal file manager should be able to mount and unmount the filesystem, but it may not be able to close the encrypted volume off. To do this, unmount the filesystem first, then drop to a root shell and close it off:
# cryptsetup close luks-fea52a1b-9e8d-4144-af33-1a7f05371ead
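Before the drive goes into daily use, it's worth tightening the udev helper a little. The version below is an added example, not the script from this post; it builds on the same idea (a key file named after the LUKS UUID) but only ever constructs a path from a strictly validated UUID, skips anything that isn't a crypto_LUKS partition, refuses key files that are group- or world-readable, and leaves an already-open mapping alone. It assumes the same /etc/luks-keys directory and /usr/sbin/cryptsetup path as above; both can be overridden through the environment so the decision logic can be exercised without root or a real drive.

```shell
#!/bin/sh
# Added example, not the original post's script: a hardened udev unlock helper
# built on the same idea (key file named after the LUKS UUID). Assumed paths:
# /etc/luks-keys for key files and /usr/sbin/cryptsetup, both overridable.

KEY_DIR="${KEY_DIR:-/etc/luks-keys}"
CRYPTSETUP="${CRYPTSETUP:-/usr/sbin/cryptsetup}"

# is_uuid STRING: succeed only for a canonical LUKS UUID (lowercase hex in
# 8-4-4-4-12 form). udev already sanitises ID_FS_UUID, but checking here means
# the script never builds a path from anything else (no "../", no spaces).
is_uuid() {
    case "$1" in
        *[!0-9a-f-]*) return 1 ;;
        ????????-????-????-????-????????????) return 0 ;;
        *) return 1 ;;
    esac
}

# key_path_for UUID: print the key file path for a valid UUID, else fail.
key_path_for() {
    is_uuid "$1" || return 1
    printf '%s/%s\n' "$KEY_DIR" "$1"
}

# plan_unlock UUID DEVNAME FSTYPE: print what the helper would do.
#   "unlock KEY DEVNAME luks-UUID"  a usable key exists for a LUKS partition
#   "skip REASON"                   wrong fs type, bad UUID, no key, or a key
#                                   file readable by group/others
# Keeping the decision separate from the cryptsetup call makes it testable.
plan_unlock() {
    uuid="$1"; dev="$2"; fstype="$3"
    if [ "$fstype" != "crypto_LUKS" ]; then
        echo "skip not-luks"; return 1
    fi
    key=$(key_path_for "$uuid") || { echo "skip bad-uuid"; return 1; }
    if [ ! -f "$key" ]; then
        echo "skip no-key"; return 1
    fi
    # Characters 5-10 of ls -l output are the group and other permission bits;
    # anything but "------" means the key is readable beyond root (chmod 400).
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "skip key-permissions"; return 1
    fi
    echo "unlock $key $dev luks-$uuid"
}

# unlock_device UUID DEVNAME FSTYPE: the part udev actually runs. It stays
# short and non-blocking, and a mapping that is already active is left alone.
unlock_device() {
    plan=$(plan_unlock "$1" "$2" "$3") || {
        logger "luks-auto: $plan for $2 (uuid '$1')"; return 1
    }
    set -- $plan            # unlock KEY DEVNAME NAME
    key="$2"; dev="$3"; name="$4"
    if "$CRYPTSETUP" status "$name" >/dev/null 2>&1; then
        logger "luks-auto: $name is already open"; return 0
    fi
    logger "luks-auto: key found for $name, unlocking $dev"
    "$CRYPTSETUP" open --key-file "$key" "$dev" "$name"
}

# udev sets ID_FS_UUID, ID_FS_TYPE and DEVNAME when it runs this script; when
# sourced or run by hand without them, only the functions above are defined.
if [ -n "${ID_FS_UUID:-}" ] && [ -n "${DEVNAME:-}" ]; then
    unlock_device "$ID_FS_UUID" "$DEVNAME" "${ID_FS_TYPE:-}"
fi
```

To try the logic without plugging anything in, source the file in a root shell and call plan_unlock with a UUID, a device node and a filesystem type by hand; only unlock_device touches cryptsetup.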
Happy Encrypting!