Encrypt a Disk in Ubuntu 10.10 With Disk Utilities and Cryptsetup

What's the best way to keep data safe and sound? Keep it unmounted from active filesystems, especially when a system is connected to the internet. Using an SD card, a thumb drive/USB stick, or even a rewritable CD will work great for this (though CD quality degrades - and DVD even more rapidly).

I will keep this pretty simple for folks who are new to GNU/Linux and who may not be used to using terminals. If you are more experienced you will obviously know when/where you can make shortcuts!

Download Packages

Ubuntu 10.10 comes pre-packaged with Disk Utility, a pretty awesome User Interface for partition management, filesystem management, and, of course, disk encryption.

You will usually find it under System > Administration > Disk Utility. If it is not there, try:
$ sudo apt-get install gnome-disk-utility
(Or install it with the Ubuntu Software Center.)

You will also need cryptsetup, which is used to encrypt block devices.
$ sudo apt-get install cryptsetup
(Or, again, install it with the Ubuntu Software Center.)

[Screenshot: cryptdisk-start.png]

Now, you can open Disk Utility and perform many different operations. BE SUPER CAREFUL!! Clicking the wrong button in here can easily destroy all your data.

Preparing the Filesystem

Now, insert whatever rewritable media you wish to turn into your encrypted drive. It can be a USB stick, an SD card of some sort, or an external hard drive.

Backup Everything!

Backup all the files on it that you need to backup. In my case, mine was an MSDN promotional stick that someone gave me from some conference they went to. Of course, I deleted everything on it :).

End all related processes and unmount

Once you have backed up EVERYTHING, you are ready to format the drive. First, you need to make sure you unmount it. Close all open file browser windows, make sure all file transfers are completed, etcetera. Then, under 'Volumes' in Disk Utility you can click 'Unmount Volume'. You can be sure that you are working on the proper drive as it will likely be listed under peripheral devices, and the size of the drive will be a reference point, under 'capacity'.

Delete the partitions

Now, you will need to delete the existing partitions. In the window, you may see one big block, or you may see multiple blocks. These are the partitions on the drive.
You will need to select each one and click 'Delete Partition'.

[Screenshot: cryptdisk-deletepart.png]

Format the drive

Now you can format the drive! This is where you wipe it clean and start from square one. You can use the "Master Boot Record" scheme for most use cases.

Building the new filesystem

Considerations

This is a good opportunity to think about what your needs are, how much space you have, and what kinds of systems you will be using this disk with. You may want to research some filesystem types to see what best suits your needs.

Since I only like to have one USB stick at a time (except for bootdisks), I like to use a large, regular FAT system, and a small portion encrypted. Encrypting the entire thing will mean that you will have to enter the password every single time you need to access something - if you want to retrieve non-sensitive files more than sensitive ones, then encrypt a smaller proportion of drive space.

For our purposes, we will be using FAT as it is compatible with almost all operating systems and is backwards compatible. Yes, it's a Windows format - because of course Microsoft won't have any other :P. No, using ext4 won't protect you from any hackers, because any self-respecting hacker would be using GNU/Linux anyways.

Partition the damn thing!

Ok, so I will show you how I will partition my own drive.

Click 'Create Partition' and narrow the size down to, say, 1.4 gigs (out of 2). I only need like 600 megs of encrypted space - mostly accounting files, documents, etc. Choose type 'FAT', enter a silly name, and do NOT select 'encrypt underlying device'.

Your settings may look something like this:
[Screenshot: cryptdisk-format.png]

Then, select the chunk on the right, and 'Create Partition' for that as well.

This time, leave the size untouched if you want this partition to take up the entire rest of the drive. Select type 'FAT' again, enter another silly name, and this time DO select 'encrypt underlying device':
[Screenshot: cryptdisk-formatcrypt.png]

Disk Utility will then prompt you for a password. You can choose how often it remembers the passphrase, as well. Choose a decent password - your encryption will only be as strong as your password. Don't use your birthdate, or your IP, or your address.

Now you have an encrypted partition. From Disk Utility, you can lock it and unlock it by selecting the partition with the little lock and clicking 'Lock Volume' or 'Unlock Volume'. You will be prompted for your password depending on how often you chose for it to prompt. I would suggest not selecting 'remember forever' on a system unless you are absolutely the only person to use it, and it is secure.

Make sure that you leave it closed before unmounting the system, otherwise you will get an error. Also, with two partitions, you will have to unmount both before being able to safely remove the drive.
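
A quick way to confirm that the second partition really is encrypted is to look at its first bytes. This is an added example, not part of the original article: it assumes Disk Utility created a LUKS version 1 volume through cryptsetup (the article only says cryptsetup is required), and the sample header in it is constructed for illustration.

```python
import struct

# LUKS1 on-disk header layout (big-endian): 208-byte header, then 8 key slots.
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1(data):
    """Return the header fields as a dict, or None if data is not a LUKS1 header."""
    if len(data) < PHDR.size + 8 * SLOT.size or not data.startswith(LUKS_MAGIC):
        return None
    (_, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, _mk_iter, uuid) = PHDR.unpack_from(data, 0)
    if version != 1:
        return None
    slots = []
    for i in range(8):
        active, iters, _s, _off, _stripes = SLOT.unpack_from(data, PHDR.size + i * SLOT.size)
        if active == SLOT_ENABLED:
            slots.append((i, iters))  # (slot number, PBKDF2 iterations for that passphrase)
    return {"cipher": f"{_text(cipher)}-{_text(mode)}", "hash": _text(hash_spec),
            "key_bits": key_bytes * 8, "payload_sector": payload_off,
            "uuid": _text(uuid), "active_slots": slots}

def read_header(path):
    """Read the first 592 bytes of a partition or image file and parse them."""
    with open(path, "rb") as fh:
        return parse_luks1(fh.read(PHDR.size + 8 * SLOT.size))

def make_sample_header():
    """Constructed sample: one passphrase in slot 0; all values are illustrative."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 2056, 32,
                    b"\0" * 20, b"\0" * 32, 10, b"00000000-0000-0000-0000-000000000000")
    slots = SLOT.pack(SLOT_ENABLED, 150000, b"\0" * 32, 8, 4000)
    slots += SLOT.pack(SLOT_DISABLED, 0, b"\0" * 32, 0, 4000) * 7
    return hdr + slots

if __name__ == "__main__":
    print(parse_luks1(make_sample_header()))
    print(parse_luks1(b"\xeb\x3c\x90MSDOS5.0".ljust(592, b"\0")))  # start of a plain FAT boot sector
```

On a real stick, read_header('/dev/sdX2') (a hypothetical device name; reading it needs permission on the device) should return a dict for the encrypted partition and None for the plain FAT one. Note that the header is stored unencrypted, so anyone holding the stick can see that it is a LUKS volume and which cipher it uses; only the passphrase protects the data.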

[Screenshot: cryptdrive-finished.png]

Now you are finished! Enjoy your new method of storing and transporting encrypted files. Please comment if you have any questions!

Further Reading

You can visit the following links for more detailed information on file encryption, especially if you'd like to encrypt your whole system:


Mounting on XP

Thanks, some time ago I encrypted a small portion of a USB drive with Disk Utility with ext4.
Recently I reformatted it to FAT so I could access it on Windows.

Do you know how I can mount it from a PC?
