Tuesday, November 1, 2011

Using cryptsetup to encrypt a USB drive.

This morning I received an email from the Fedora Project reminding me that this month we're expected to do a password and SSH key refresh. So that got me thinking about how I securely store my keys separately from my laptop. I do keep a copy of the keys in a password-encrypted zip file stored on my home server and backed up onto a separate drive, but I want to do something in addition to that to keep things more secure.

So I decided to break off a section of my 4GB thumb drive, make it an encrypted drive, and store the keys there as well. Following are the steps I used to do just that.

So I did a Google search and found this page, which got me through most of what I needed to do. But a few steps that didn't work included naming the partition itself.

On the page the author recommends doing:

/sbin/e2label /dev/mapper/cryptmap "Brad's Files"

However, for me, this failed consistently (on my system the mapper is /dev/mapper/cryptmcp). What I had to do instead was refer to the partition by its UUID:

/sbin/e2label /dev/mapper/udisks-luks-uuid-ec00b89c-8a65-4fa5-8a9d-de0b7ecc5efa-uid500 "McPierceSecure"

After disconnecting and reconnecting the drive and entering my password, the device is now mounted with the correct label.

Accessing The Drive As A User

When that was all done, I found I wasn't able to write to either partition as my regular user. To fix that, just run the command:

sudo chown mcpierce:mcpierce /media/McPierceSecure

Verify by unmounting, removing, then re-inserting the drive.
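The whole procedure the post walks through, as an added shell script that is not from the original post or from the page it links to: create the LUKS container, format and label the filesystem inside it, and hand the filesystem root to the regular user. It assumes the partition is /dev/sdc1 (the device the comment below uses), an arbitrary mapper name of cryptmcp, a mount point of /mnt/secure, and that the owner is the user who invoked sudo. Two points the script makes explicit: the label belongs to the ext4 filesystem inside the container, so it is written once with mkfs.ext4 -L and no e2label step is needed afterwards; and the name given to luksOpen exists only while that manual mapping is open, so after a reconnect the desktop's automatic unlock shows the drive under the name udisks chose (the udisks-luks-uuid-... path above), which is most likely why e2label on /dev/mapper/cryptmap failed.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumes the partition is
# /dev/sdc1, the mapper name is cryptmcp and the mount point is /mnt/secure.
set -e

# Print each privileged command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# encrypt_partition DEV MAPPER LABEL MOUNTPOINT
# Turns DEV into a LUKS container holding an ext4 filesystem labelled LABEL
# and makes the filesystem root writable by the invoking (sudo) user.
encrypt_partition() {
    ep_dev=$1; ep_name=$2; ep_label=$3; ep_mnt=$4
    ep_owner=${OWNER:-${SUDO_USER:-$(id -un)}}

    # luksFormat overwrites its argument: refuse anything that is not a block device.
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -b "$ep_dev" ]; then
        echo "refusing to format $ep_dev: not a block device" >&2
        return 1
    fi

    # Create the container. cryptsetup asks for an uppercase YES and for the
    # passphrase twice. Current versions default to LUKS2 (32 key slots; LUKS1 has 8).
    run cryptsetup luksFormat "$ep_dev"
    # Map the plaintext view at /dev/mapper/$ep_name. The name is arbitrary and
    # lasts only until luksClose; a desktop auto-unlock picks its own name.
    run cryptsetup luksOpen "$ep_dev" "$ep_name"
    # The label lives in the ext4 filesystem inside the container, so set it
    # here with -L instead of running e2label afterwards.
    run mkfs.ext4 -L "$ep_label" "/dev/mapper/$ep_name"
    # mkfs leaves the filesystem root owned by root; chown it once so the
    # regular user can write after every later mount.
    run mkdir -p "$ep_mnt"
    run mount "/dev/mapper/$ep_name" "$ep_mnt"
    run chown "$ep_owner" "$ep_mnt"
    run umount "$ep_mnt"
    run cryptsetup luksClose "$ep_name"
}

# Usage: sudo ./encrypt-usb.sh /dev/sdc1 cryptmcp McPierceSecure /mnt/secure
# Set DRY_RUN=1 to review the commands before running them for real.
if [ "$#" -eq 4 ]; then
    encrypt_partition "$@"
fi
```

Run it once with DRY_RUN=1 to see exactly which device will be wiped before doing it for real; the chown is a one-time change to the filesystem inside the container, so it survives unplugging and re-plugging the drive.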

1 comment:

  1. And to change the password (since I used an old one here and wanted to replace it):

    sudo cryptsetup luksAddKey /dev/sdc1

    This lets you add a new password to the encrypted device. So I typed in my new password here. A LUKS device can hold up to, I believe, 8 total passwords for a device.

    Then to get rid of the old one:

    sudo cryptsetup luksKillSlot /dev/sdc1 0

    This removes the old password so that it's no longer accepted.
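The rotation the comment describes, with the checks a practitioner would add before killing a slot, as an added script that is not the commenter's own commands. It assumes the same /dev/sdc1, that the old passphrase sits in slot 0 (as in the comment) and the new one is enrolled into slot 1, and a header backup path of /root/sdc1-luks-header.img. The order matters: luksKillSlot will remove the last working slot without hesitation, and a header with no usable slot means the data is gone, so the new passphrase is proven to unlock the device before the old slot is touched.

```shell
#!/bin/sh
# Added example, not the commands from the comment. Assumes /dev/sdc1, the old
# passphrase in slot 0, the new one going into slot 1, and a header backup in /root.
set -e

# Print each privileged command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# rotate_passphrase DEV OLD_SLOT NEW_SLOT BACKUP_FILE
rotate_passphrase() {
    rp_dev=$1; rp_old=$2; rp_new=$3; rp_backup=$4
    if [ "$rp_old" = "$rp_new" ]; then
        echo "old and new slot must differ" >&2
        return 1
    fi
    # Keep a header backup first: it holds the key slots, so it is as
    # sensitive as the drive itself, but it is the only way back from a
    # killed or damaged slot.
    run cryptsetup luksHeaderBackup "$rp_dev" --header-backup-file "$rp_backup"
    # Enrol the new passphrase into a known slot. cryptsetup prompts for an
    # existing passphrase first, then the new one twice; it fails if the
    # slot is already in use.
    run cryptsetup luksAddKey --key-slot "$rp_new" "$rp_dev"
    # Prove the new slot really unlocks the device (no mapping is created)
    # before removing the old one.
    run cryptsetup open --test-passphrase --key-slot "$rp_new" "$rp_dev"
    # Only now retire the old passphrase.
    run cryptsetup luksKillSlot "$rp_dev" "$rp_old"
}

# Usage: sudo ./rotate-luks-passphrase.sh /dev/sdc1 0 1 /root/sdc1-luks-header.img
# Set DRY_RUN=1 to review the commands first.
if [ "$#" -eq 4 ]; then
    rotate_passphrase "$@"
fi
```

Check which slots are populated with `cryptsetup luksDump /dev/sdc1` before choosing OLD_SLOT; if the device has only the one passphrase, `cryptsetup luksChangeKey /dev/sdc1` replaces it in a single step without the add-then-kill dance, though the header backup is still worth taking.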