How to encrypt a USB Drive on Linux Operating System?

How to encrypt a USB Drive and mount it to the filesystem on Linux Ubuntu OS?

Posted by Amritpal Singh on March 24, 2018

In this tutorial, you will learn to encrypt an external USB Drive and how you can mount it on your filesystem. In summary, you will setup a blank USB Drive to be an encrypted drive and you will  learn to map it on your system and perform writing and reading files operations on the USB. We will be using LUKS (Linux Unified Key Setup) which is the default encryption mode on cryptsetup package. LUKS is the standard for Linux hard disk encryption.

Why encrypt your data?
Mainly encryption is used to keep secrecy and privacy.

1. Use the fdisk command to find the device name for your USB Drive:
sudo fdisk -l

The above command lists all partition tables for the specified devices connected on your system. In my case I connected an external 8GB USB Drive on my computer and it showed up as device name /dev/sdb.

2. OPTIONAL: Use the shred command to overwrite random data by 1s and 0s several times on the USB Drive:
sudo shred -v -n 1 /dev/sdb

This way you start off having random data on your USB Drive to begin with.

3. Install cryptsetup package on your system:
sudo apt-get install cryptsetup

You may already have it installed by default on your Ubuntu OS.

4. Set up a new dm-crypt device in LUKS encryption mode:
sudo cryptsetup luksFormat /dev/sdb

You will need you enter the passphrase for your encrypted usb.

5. Open the device and setup mapping with name provided (e.g. USBDrive in this example):
sudo cryptsetup luksOpen /dev/sdb USBDrive

Provide the passphrase you had earlier setup in step 4.

6. Verify the new virtual block device mapper:
ls -arlt /dev/mapper | tail

7. Run ext4 filesystem directly on that device:
sudo mkfs -t ext4 /dev/mapper/USBDrive

8. Mount the device your filesystem:
sudo mount /dev/mapper/USBDrive /USBDrive

9. Verify the the mapper is properly mounted using the df command:
df -h /USBDrive/

10. Success, at this point you can use the filesystem as you normally would, you have an encrypted USB Drive in your hand now.

Additional Notes: Use the following two commands on every reboot to mount and unmount a drive:

sudo cryptsetup luksOpen /dev/sdb USBDrive
Provide your pass phrase:
sudo mount /dev/mapper/USBDrive /USBDrive

sudo umount /USBDrive
sudo cryptsetup luksClose USBDrive



Add Comment