Linux and USB Full Disk Encryption

Written on 2018-02-24

With the new Notifiable Data Breaches scheme coming into effect as of the 22nd February 2018, I started looking at what options were available to have full disk encryption on the one thing that we all lose most often – USB drives.

The thought was to make them as easy to use in the normal workflow as normal, but useless if plugged into an unauthorised system.

So, this is what I came up with.

Firstly, create a place to put the keys, and then create a new key file – we’re going to go with a 4096-byte key – which is massive, but you’re going to store it in a 4Kb block on a disk anyway – so eh. We need to do all this as root, so don’t forget that part!

# mkdir /etc/luks-keys/
# chmod 700 /etc/luks-keys
# dd if=/dev/random of=/etc/luks-keys/new-key-file bs=1 count=4096

Now plug in your USB key and see what it comes up as… In this example, mine is /dev/sdc1. Create the luks container.

# cryptsetup luksFormat /dev/sdc1 /etc/luks-keys/new-key-file

Next up, we want to grab the UUID of the new luks container. I’m going to use the example UUID of fea52a1b-9e8d-4144-af33-1a7f05371ead – so remember to replace this with the one you get from the below command.

# cryptsetup luksDump /dev/sdc1
LUKS header information for /dev/sdc1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF 00 11 22 33
MK salt:        11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF
                11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE DD
MK iterations:  373000
UUID:           fea52a1b-9e8d-4144-af33-1a7f05371ead

Key Slot 0: ENABLED
        Iterations:             3827459
        Salt:                   00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                                ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Rename the key file we created this with to match the UUID, and make sure the world can’t read it:

# mv /etc/luks-keys/new-key-file /etc/luks-keys/fea52a1b-9e8d-4144-af33-1a7f05371ead
# chmod 400 /etc/luks-keys/fea52a1b-9e8d-4144-af33-1a7f05371ead

Set up a udev rule to run a script each time we plug in a drive. If we have a drive that matches the UUID of a key file we have, we’ll run a script to auto-open it. Plonk this as /etc/udev/rules.d/auto-mount.rules:

ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}=="crypto", RUN+="/usr/local/bin/"

Then we set up our script that udev fires to check our device. Throw this as /usr/local/bin/

#!/bin/sh
# udev calls this with ID_FS_UUID and DEVNAME set in the environment.
if [ -f "/etc/luks-keys/${ID_FS_UUID}" ]; then
        logger "Key found for ${ID_FS_UUID}. Unlocking device"
        /usr/sbin/cryptsetup --key-file "/etc/luks-keys/${ID_FS_UUID}" open "${DEVNAME}" "luks-${ID_FS_UUID}"
else
        logger "No key found for ${ID_FS_UUID}. Not decrypting"
fi

Unplug your drive, plug it back in again and you should see your open, encrypted drive listed under /dev/mapper/luks-fea52a1b-9e8d-4144-af33-1a7f05371ead.
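As an added check (not from the original post), here is a small shell script that audits the /etc/luks-keys store the udev script depends on: the directory must be mode 700, every key file mode 400 and owned by the running user (root in practice), and every file named as a UUID so ID_FS_UUID can match it; a helper also pulls the UUID out of a luksDump. It assumes GNU stat and takes the key directory as an argument so it can be pointed at a test copy.

```shell
#!/bin/sh
# Added example: audit a LUKS key-file store laid out as in the post.

# Print the UUID from `cryptsetup luksDump` output read on stdin.
luks_uuid_from_dump() {
    awk '$1 == "UUID:" { print $2; exit }'
}

# Return 0 if $1 is a lowercase 8-4-4-4-12 UUID, the form udev puts in ID_FS_UUID.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Audit the key directory given as $1. Prints one problem per line and
# returns 1 if anything is wrong, 0 if the store is clean.
check_key_store() {
    dir=$1
    rc=0
    mode=$(stat -c '%a' "$dir") || return 1
    if [ "$mode" != "700" ]; then
        echo "$dir: mode $mode, want 700"; rc=1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: glob stays literal
        name=${f##*/}
        if ! is_uuid "$name"; then
            echo "$f: name is not a UUID, the udev script will never match it"; rc=1
        fi
        fmode=$(stat -c '%a' "$f")
        if [ "$fmode" != "400" ]; then
            echo "$f: mode $fmode, want 400"; rc=1
        fi
        if [ "$(stat -c '%u' "$f")" != "$(id -u)" ]; then
            echo "$f: not owned by uid $(id -u)"; rc=1
        fi
    done
    return $rc
}
```

Run it as `check_key_store /etc/luks-keys` from a root shell after renaming the key; a leftover new-key-file or a 644 mode shows up as a reported problem.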

Create your filesystem – in this case I used btrfs:

# mkfs.btrfs -L "Encrypted Filesystem" /dev/mapper/luks-fea52a1b-9e8d-4144-af33-1a7f05371ead

That should be just about it. You can mount your filesystem and away you go.

Your normal file manager should be able to mount / unmount the filesystem – but it may not be able to close the encrypted volume off. To do this, drop to a root shell and close it off.

# cryptsetup close luks-fea52a1b-9e8d-4144-af33-1a7f05371ead

Happy Encrypting!