Easy, free removable storage encryption that works with Ubuntu Hardy and Intrepid

I’ve been playing with encryption for some time now and I am always curious about removable storage encryption.

There are tons of guides to do this but it always seems to require either too many steps or some non-free software. I’ve been using this method succesfully adapted from this post for some time now so I wanted to share it here, if anyone has better ideas I’d love to hear it. Removable storage encrypted using this method can also be read directly from Intrepid Live CD sessions as Intrepid now includes cryptsetup by default.

You will need to install the cryptsetup package in Hardy, and also gparted as a helper graphical application to setup partitions and format your media. Gparted is already available on LiveCD sessions. Yes I know this can be done in command line, but I try to limit that as I show this to other CLI-agnostic friends.

Notice I’ve added a step (formatting with a regular partition first), and I used partitions instead of device names.

Find out which device your stick is by issuing from command line:
sudo lshw -C disk -short

This may also help detect other types of storage:
Find out which device your stick is by issuing from command line:
sudo lshw -C storage -short

Example output:
H/W path Device Class Description
/0/100/1f.1/0 /dev/sda disk 251GB Maxtor 6L250R0
/0/100/1f.1/1 /dev/sdb disk 251GB Maxtor 6L250R0
/0/100/1f.1/2 /dev/cdrom disk DVD-RW DVR-110D
/0/100/1f.1/3 /dev/cdrom1 disk RW/DVD GCC-4521B
/0/100/1f.1/3/0 /dev/cdrom1 disk
/0/1/0.0.0 /dev/sdc disk 256MB Cruzer Micro
/0/1/0.0.0/0 /dev/sdc disk 256MB

In this case the device is /dev/sdc.

Next make sure the device is unmounted:
sudo umount /dev/sdc1

Format your removable storage device using gparted, create one single ext3 partition on it. This will end up being partition /dev/sdc1 (assuming your device is /dev/sdc like in my example).

If you do not want to encrypt the whole removable storage, repartition it using gparted.

Overwrite the created partition with an encrypted partition on the target media:
sudo luksformat /dev/sdc1

This will ask you for a passphrase. The default file system is “vfat”, but you can specify a different one with the “-t” option. An example of the same, using an ext3 partition:
sudo luksformat -t ext3 /dev/sdc1

Make sure you type YES in all capitals when prompted, read the prompts carefully.

After this procedure, remove the stick and plug it in again. This should trigger a dialog which asks you for the passphrase and mounts the encrypted partition (along with any unencrypted one, of course).

I was able to read a stick encrypted this way in other computers, just by installing cryptsetup on them. You will need to install cryptsetup and reboot every computer where you want to access this.

Intrepid already comes with cryptsetup installed BTW.

I hear this kind of encrypted removable media can also be read from Windows using FreeOTFE but I haven’t tried it. If anyone can share how to do that, I’d also like to hear about it.

Just a little warning at the end: Please be aware that if you lose the passphrase, I CAN’T HELP RECOVERING THE DATA! This may sound obvious but in a previous posting about this I got private requests about such problems. No comments!


Welcome our new Dell Mini 9 friends

If the amount of people that called for support for their Dell Mini 9 over the holidays is any indication, we’re bound to see quite a few new users of Ubuntu that own this nice system!

If you know someone that uses a Mini 9, remember there is official documentation for the Ubuntu version (8.04) that ships in it at http://help.ubuntu.com . That may sound obvious but many experienced Ubuntu users don’t refer much to those docs and as a result don’t know it even exists 🙂

I also wanted to share a lot of tips, tricks and known issues as well as useful links (such as where to ask a question in Launchpad Answers) that have been put together at:

If you have a Mini 9 and know your way around Ubuntu, you may also want to make yourself available as a contact for Launchpad Answers:

That’s particularly useful if you know about things that are specific to your geographic location (like ISP-specific settings, broadband access with USB keys, etc.).