
LUKS on Removable USB Disk Drives How-to Guide

For Mandriva Linux 2009.1

Scope

This guide explains how to encrypt a USB disk drive with LUKS AES256 in such a way that a Windows machine can access it with FreeOTFE.

The Mandriva diskdrake wizard mainly offers cryptoloop encryption and, with some effort, can do LUKS too, but not very well (explained below). The cryptoloop wizard is very slick, but cryptoloop is insecure, so the only way to get a secure disk is the hard way. I hope this little guide helps, but you still have to read the man pages for cryptsetup and ntfs-3g. Then go to the FreeOTFE web site for details on that side and look for the Linux pages in its guide, which are a little obscure.

HAL detects USB drives that are plugged in and that are NOT described in /etc/fstab or /etc/crypttab, and mounts them under /media using names like /media/disk. You can control the mount point to some degree by giving the disk a label.


More Wizardry

LUKS wizards are all still rather immature, so I had to write my own too, which are a little different and also immature. You can try my wizards, which handle both NTFS and Ext3: luks-password-1.tgz and luks-format-2.tgz. They are written in simple Perl, so you can easily hack them yourself.

Also read the LUKS Mount FreeOTFE guide.

Put the two files (Perl and Glade) from the tar ball somewhere, keeping them together, e.g. /usr/local/bin. You must run these wizards as root. Since formatting a disk is destructive, I included a test function that flashes the activity light on the device, to confirm that you are accessing the correct disk.


Install

Install some missing tools:

# urpmi luks-tools
# urpmi ntfs-3g
# urpmi ntfsprogs

Plug it in

Plug the disk in and use dmesg to see what device it is mapped to:

# dmesg

Mine showed up as /dev/sdd.


Partition

Make a whole-disk partition /dev/sdd1 to keep Windows happy: Windows doesn't like an NTFS file system written directly to the disk without a partition table and wants to see at least one partition, so make one partition, but let it use the whole disk:

# fdisk /dev/sdd
n
p
1
[enter]
[enter]
w
q

Replug the disk. It should now have a partition sdd1 or similar. Have a look with:

# ls /dev/sd*

and

# dmesg

to make sure.

Note that you could also use the Mandriva diskdrake wizard to partition the device if you don't like running fdisk by hand.


LUKS Format

Write the LUKS header to the partition. The "-s 256" gives the 256-bit key promised in the Scope above; older cryptsetup versions default to 128 bits if you leave it out. cryptsetup asks you to confirm with an uppercase YES and then for the passphrase twice:

# cryptsetup luksFormat -c "aes-cbc-essiv:sha256" -s 256 /dev/sdd1
  YES
  password
  password

Note that you could use the "gnome-luks-format" wizard from the "luks-tools" package to do all this, but that wizard doesn't support NTFS or FreeOTFE. My own wizards, listed under More Wizardry above, do both.


Open the LUKS Device

Map /dev/sdd1 to /dev/mapper/sdd1:

# cryptsetup luksOpen /dev/sdd1 sdd1
  password

Format with NTFS

Format the NTFS file system:

# mkntfs -L data /dev/mapper/sdd1

Without "-Q" this is a very, very long wait: go and watch a ball game and get some fresh air! The "-L data" sets the NTFS volume label; HAL will then mount the partition on /media/data. The "-Q" option (quick format) makes it much faster.

The disk drive should now be ready for use, but you should test it properly as explained below.


Test

Manually mount the newly formatted disk to see if it works:

# mkdir /mnt/sdd1
# mount -t ntfs-3g /dev/mapper/sdd1 /mnt/sdd1

Test it:

# echo test > /mnt/sdd1/test.txt

Unmounting is a two-step process, but you can do it in one line:

# umount /mnt/sdd1 && cryptsetup luksClose sdd1

Remounting is likewise a two-step process:

# cryptsetup luksOpen /dev/sdd1 sdd1
   password
# mount -t ntfs-3g /dev/mapper/sdd1 /mnt/sdd1
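The sequence from Partition through Test, wrapped into a small shell library as an added example (this is not the guide's own code nor one of its Perl wizards). It assumes the same tools the guide uses (cryptsetup, mkntfs, ntfs-3g) and that sysfs exposes block/<disk>/removable; SYSROOT and MOUNTS default to the live system and exist only so the checks can be exercised against a constructed tree. The two checks in front of luksFormat (the disk must be flagged removable by the kernel, and nothing on it may be mounted) serve the same purpose as the activity-light test in the wizard: making sure the wrong disk is not destroyed.

```shell
#!/bin/bash
# Added example, not from the guide: the guide's luksFormat / luksOpen /
# mkntfs / mount sequence as functions, with two safety checks in front of
# the destructive step. Assumes cryptsetup, mkntfs and ntfs-3g as in the
# guide. SYSROOT (default /sys) and MOUNTS (default /proc/mounts) are
# overridable so the checks can be run against a constructed tree.
set -eu

# Succeed only if $1 (e.g. sdd) is a whole disk the kernel flags removable,
# looked up under sysfs root $2.
is_removable_disk() {
    local dev=$1 sysroot=${2:-/sys}
    local flag="$sysroot/block/$dev/removable"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# Succeed if $1 or any of its partitions appears in the mount table $2.
is_in_use() {
    local dev=$1 mounts=${2:-/proc/mounts}
    grep -q "^/dev/${dev}[0-9]* " "$mounts"
}

# Print, one per line, the commands the guide runs for partition $1
# (e.g. /dev/sdd1), mapper name $2 and NTFS label $3. The key size is
# given explicitly so the result really is AES-256; -Q skips zero-filling.
plan_commands() {
    local part=$1 name=$2 label=$3
    printf '%s\n' \
        "cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 $part" \
        "cryptsetup luksOpen $part $name" \
        "mkntfs -Q -L $label /dev/mapper/$name" \
        "mkdir -p /mnt/$name" \
        "mount -t ntfs-3g /dev/mapper/$name /mnt/$name"
}

# setup_usb_luks <disk> [yes|no] [label]: refuse anything that is not an
# unmounted removable disk, print the plan, and execute it only when the
# second argument is the literal "yes". Returns 2 on a dry run.
setup_usb_luks() {
    local disk=$1 confirm=${2:-no} label=${3:-data} plan cmd old_ifs
    if ! is_removable_disk "$disk" "${SYSROOT:-/sys}"; then
        echo "refusing: $disk is not a removable disk" >&2; return 1
    fi
    if is_in_use "$disk" "${MOUNTS:-/proc/mounts}"; then
        echo "refusing: $disk has mounted partitions" >&2; return 1
    fi
    plan=$(plan_commands "/dev/${disk}1" "${disk}1" "$label")
    echo "$plan" >&2
    [ "$confirm" = yes ] || { echo "dry run; pass 'yes' as 2nd argument to run" >&2; return 2; }
    # Split the plan on newlines only, then restore IFS so each command is
    # word-split normally. stdin stays free for cryptsetup's YES/passphrase prompts.
    old_ifs=$IFS; IFS='
'
    set -- $plan
    IFS=$old_ifs
    for cmd in "$@"; do
        echo "+ $cmd" >&2
        $cmd
    done
}

# The guide's two-step unmount: if umount fails, luksClose is not attempted,
# so a mapping is never closed under a file system that is still mounted.
close_usb_luks() {
    local name=$1
    umount "/mnt/$name" && cryptsetup luksClose "$name"
}

# Usage (as root, after sourcing this file):
#   setup_usb_luks sdd        # dry run: checks and prints the plan only
#   setup_usb_luks sdd yes    # luksFormat, luksOpen, mkntfs -Q, mount
#   close_usb_luks sdd1       # umount and luksClose
```

The plan is printed before anything runs so the device name can be compared with dmesg output first; the dry run is the default precisely because the guide's own wizard reserves a confirmation step for the same reason.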

HAL and Removables

From now on, if this is a removable USB disk, HAL should detect the disk when it is plugged in, pop up a password prompt and mount it under /media.

So unmount the thing, yank the USB plug, wait a few seconds for the dust to settle and plug it back in. HAL should ask for the password and a Nautilus file browser window should open up if all went well.


Passwords

LUKS can store multiple passwords per partition; it calls these 'key slots'. You can manage passwords either by slot number or by letting cryptsetup search for a known password, so it is quite easy to use. Here is a script that changes a password:

#! /bin/bash
echo Change the password of a LUKS device
echo Example: luks-password /dev/sdc1 oldpass newpass
# Note: passwords passed on the command line are visible to every user in
# the process list while the script runs.

if [ $# -ne 3 ]; then
    echo "Usage: luks-password DEVICE OLDPASS NEWPASS" >&2
    exit 1
fi

# Do the password juggle
# The /tmp directory is a RAM disk; the key files are created readable by
# root only and removed on exit even if cryptsetup fails part way.
umask 077
trap 'rm -f /tmp/oldpass /tmp/newpass' EXIT
echo -n "$2" > /tmp/oldpass
echo -n "$3" > /tmp/newpass

# Add the new password, then remove the old one. Stop if the add fails so
# the old password is never removed without a replacement in place.
cryptsetup -d /tmp/oldpass luksAddKey "$1" /tmp/newpass || exit 1
cryptsetup -d /tmp/newpass luksRemoveKey "$1" /tmp/oldpass || exit 1

echo Done

Put that in /usr/local/bin/luks-password and make it executable. Read the cryptsetup man page for details. There is no wizard for changing passwords.

Here is a Perl utility that does the above with a nice GUI: luks-password-1.tgz.
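Because the change script above adds a key and then removes the old one, a disk should end up with exactly the key slots you expect, and a slot you did not add is worth noticing. The following is an added example (not the guide's code or its Perl wizard) that audits the "cryptsetup luksDump" output of a device: it lists which of the eight slots are enabled and checks the master key size against the 256 bits this guide sets up. It assumes the cryptsetup 1.x dump layout ("Key Slot N: ENABLED|DISABLED" and "MK bits: N"); the sample dump in the block is constructed for illustration, with two enabled slots.

```shell
#!/bin/bash
# Added example, not from the guide: audit the key slots of a LUKS header
# from "cryptsetup luksDump" output. Assumes the cryptsetup 1.x layout
# ("Key Slot N: ENABLED|DISABLED", "MK bits: N").
set -eu

# Print the numbers of the enabled key slots, one per line, from a dump on stdin.
enabled_slots() {
    awk '/^Key Slot [0-7]: ENABLED/ { sub(/:/, "", $3); print $3 }'
}

# Print the master key size in bits from a dump on stdin.
mk_bits() {
    awk '/^MK bits:/ { print $NF }'
}

# audit_luks_dump <expected slot>...: read a dump on stdin and succeed only
# when the enabled slots are exactly the expected set and the key is 256 bits.
audit_luks_dump() {
    local dump expected actual bits
    dump=$(cat)
    expected=$(printf '%s\n' "$@" | sort -n | tr '\n' ' ')
    actual=$(printf '%s\n' "$dump" | enabled_slots | sort -n | tr '\n' ' ')
    bits=$(printf '%s\n' "$dump" | mk_bits)
    if [ "$actual" != "$expected" ]; then
        echo "unexpected key slots: have '$actual', want '$expected'" >&2
        return 1
    fi
    if [ "$bits" != 256 ]; then
        echo "master key is '$bits' bits, not 256" >&2
        return 1
    fi
}

# Constructed sample dump (not real output from any device): slots 0 and 1
# enabled, 256-bit master key, as a freshly changed password plus one
# leftover slot would look.
SAMPLE_DUMP='LUKS header information for /dev/sdd1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             123456
        Key material offset:    8
Key Slot 1: ENABLED
        Iterations:             123456
        Key material offset:    264
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Usage on a real device (as root):
#   cryptsetup luksDump /dev/sdd1 | audit_luks_dump 0
# On the sample, "audit_luks_dump 0" fails (slot 1 is also enabled) and
# "audit_luks_dump 0 1" succeeds.
```

Running the audit after every password change, and keeping a note of which slot numbers are meant to be in use, turns the slot list into a simple integrity check on the header: a key you cannot account for should be removed with cryptsetup luksKillSlot after confirming you still hold a working passphrase.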


Diskdrake Revisited

I have recently learned that Mandriva diskdrake can in fact make LUKS encrypted partitions, but only on a pristine disk or one whose partition table has been zapped with "dd". Here is how:

If the disk has been partitioned before, zap it thoroughly. Plug it in and run dmesg to see what device it is, then overwrite the first megabyte (this wipes the partition table, not the data on the disk):

# dmesg
# dd bs=1M count=1 if=/dev/zero of=/dev/sdX

Run "diskdrake" and select "Expert mode". Click on the block of space to be used and select "Create". In the "Create a new partition" dialog select the Filesystem type as "Encrypted". When you hit "Ok" the partition status will now show as "Not formatted" and "Encrypted (inactive)". Click "Format" and you'll be asked to enter your encryption key (twice). After you do this you'll have a new device tab "dmcrypt" with the actual partition displayed, which you can then format with whatever type of filesystem you prefer.


La Voila!



Copyright © 2005-2008, Aerospace Software Ltd., GPL.