Encrypting external hard disk or USB stick with Veracrypt or LUKS

Encrypt file




Encrypt fileIn another post I wrote about how to encrypt a folder using Gnome EncFS Manager on Linux.

In this article I want to tell how to encrypt an USB stick or an external hard disk, but first I want to explain why.

The answer is quite easy, I need to encrypt an hard disk or an USB stick if I use it to save important information and this device is accessible easily from many people. For example: if I use an hard disk for backups and I often stay in places where there are a lot of people (offices, public transports and so on), there is a high risk of it being stolen or lost. In this situation, if the disk is encrypted you will lose only its economic value, but if it isn’t encrypted everybody can have access to his information!!!

Now, how to encrypt an hard disk?

VeraCrypt

VeraCrypt is one of the many forks of the TrueCrypt project which was abbandoned few months ago.
It’s a good solution to encrypt a disk, a disk partition or also a single folder.

It’s opensource and multi-platform, so, you can use it on Linux, Mac OSXx and Windows.

Installation/Uninstallation VeraCrypt on Linux

Installation

Download the package from the VeraCrypt’s site in the folder that you prefer.

Then extract it and copy the file veracrypt-*-setup-gui-x64 or veracrypt-*-setup-gui-x86 into the home folder, and finally execute the following commands:

chmod +x veracrypt-*
./veracrypt-*

Now it’s enough to write VeraCrypt in the Dash to find the icon and start it.

Uninstallation

sudo /usr/bin/veracrypt-uninstall.sh

To make an encrypted container

A container is an encrypted file where you can store other files or folders.

It’s possible to use VeraCrypt to make a container that you can mount like a virtual disk and so you can register all the documents you want.

To do it you have to click on the Create Volume button, then choose Create an encrypted file container on the window that will appear and follow the instructions.

To make an encrypted volume

If you want to encrypt a whole USB stick, an external hard disk or a whole hard disk’s partition you have to click on Create Volume button and choose Create a volume within a partition/drive on the window that appear, then follow the instructions.

After this operation, when you will connect the USB stick or the hard disk to your PC it won’t happen anything, nothing will be mounted; If you want to access to the encrypted volume you have to select it and mount it using VeraCrypt.

VeraCrypt

Both in the case of the encrypted file container and the encrypted volume during the creation VeraCrypt will ask you the kind of the file system to use for the volume to create: FAT, ext2, ext4, …

The choise depends on how you want to use it: if you want to use it on a Windows PC you can encrypt it only with the file system FAT; but if you want to use it only on Linux you can also choice the other file systems like ext2 or ext4 which permit to mantain the attributes of every file.

Performance

Many people think the encrypted volumes slow your operation because encryptation and decryptation needs of a lot of resources.
This isn’t ever true. In my case writing and reading on encrypted containers using VeraCrypt is quicker than the same operations on not encrypted disk. It depends on the Parallelization technique used by Veracrypt that use all the core of the processor for the operation, instead the OS use only one core for the same operation.

LUKS

To encrypt a disk partition, an hard disk or an USB stick on Ubuntu Linux there is also LUKS that is installed by default.

To do it, you have to use the application Disks, select the partition (hard disk or USB stick) you want to encrypt, click on the gear and choose Format.

Choose the filesystem’s type LUKS + Ext4, that is Encrypted, compatible with Linux systems.

ATTENTION:it won’t be readble on Windows or Mac.

LUKS Format

Now when you connect the USB stick or the external hard disk to the PC, a window will appear asking the encryptation passphrase before to mount it.

LUKS Mount

Differences between LUKS vs VeraCrypt

About performance there aren’t difference.

If you want to use the encrypted device on every operting system (Windows, Mac and Linux) the choise is only one: VeraCrypts with the FAT file system. Otherwise, if you want use it only on Ubuntu Linux, you can use both but I prefer LUKS because it’s perfectly integrated in Ubuntu Linux and it’s easier to use.

Another important difference is that VeraCrypt needs to work like super user if the volume is encrypted with ext4 file system …quite boring.

If you want to create only an encrypted container in the hard disk, VeraCrypt is the solution because LUKS can’t do it; but, for the same goal, the are other good solution like Gnome Encfs or Cryptkeeper prefectly integrated with the Unity notification-bar.

At last a little suggest: all thes solutions are very good but the most important thing is the choice of the encryption key (the passphrase), if it isn’t very strong your data are unsafe 😉




Comments

  1. Gael

    Just to let you know that, indeed, you can use LUKS for encrypted container by using a file as a loopback device.

  2. claudio

    Only some adds, better use NTFS than FAT (or at least FAT32, not FAT); FAT is very limited versus FAT32 and if you need files greater than 2GiB FAT is not an option, also if >=4GIB FAT32 is not an option, need NTFS.

    I have a file on a NTFS partition, or inside a FAT32, etc. and i encrypt its contect with Lucks. The steps are very simple, use a loop mount on that file, then there is a block device that can be encrypted by Lucks.

    Also more… you can do this (if really paranoid on hide your Linux), will describe only boot proccess to let it be understand, it is too complex and it is very hard to configure for really experts, so risk yourself in a Virtual Machine prior to do it on physical:

    Power on PC with USB Stick plugged, USB boot code loaded, Luks layer decrypts on the fly the Grub2 partition (yes pendrive has 4 primary partitions maded with Linux, and yes, Grub2 bootloader resides on an encrypted partition that is able to be booted from it), menu appears with only one option (boot from internal hdd), then it crypto mounts internal hdd as a whole Luks without headers, then it see an empty (yes, empty) partition formatted with Ext4, next grub command will loop mount from sector X a number of Y sectors on that partition (that hides the whole Linux root filesystem), over that loop there is another Luks without headers, it is mounted, now root filesystem of Linux is visible to grub, it can load initram, etc… have in mind you (this is the most tricky, hard part) adapt initram scripts, to do all internal hdd mount operations again, when initram runs all what sees grub2 is not visible if not mounted.

    That gives a whole disk encrypted (100% sector, also the MBR, etc), no clue to see if it is gatrbage or not, now imagine a gun on your head and someone telling you, give memthe key or i shot the gun, no problem, give the key, after be mounted (will see the key is correct), only what can be seen is an empty Ext4, without knowing what sector starts your other Luks there will be no clue (neither forensic analisis would be able to see it) there is something hidden, it will be seen as garbage (see next paragraph), so you can say, oh yes this is an empty disk i was preparing to hold my music files, photos, etc… i yet not put anything on it… i allways boot pc from a LiveCD, i am very afraid of viruses, etc… the attacker would have no option, no clue to think it can be something hidden.

    To really, really hide, create on sector A, on sector N, etc a lot of lukc without headers, mount all of them (one by one), fill them with random data (that get encrypted by internal LUKs and then by external LUKs), unmount them, forget about all except one, the one you use… that way is weird paranoic, the disk is LUKs, then an empty Ext4 with free space divided in a lot of different LUKs (ensure you use same algorithm on all LUKs for best hide, but each one with its own unique passphrase), all of them if mounted will show Ext4 full with garbage, except one, the one you want to hide… this way all the disk can be detected as a LUKs one, if correct passphase only will be seen an empty Exr4 and if forensic check, all free sectors will look like encrypted data or garbage, no way to tell the diference… there is no LUKs header anywhere. Main external LUKs can be detected, because it is not a “normal” plain partition scheme (it is a LUKs), since it has no sence to have a non formatted disk filled with garbage, so it must be an encrypted one (easy to think that way), but in an empty Ext4 the fact that free space sectors have garbage is well known to be a technique to ensure that external LUKs security, so not so easy to think there may be some hidden LUKs, and since no LUKs headers, can not search for it.

    As i said, paranoid to max, hidden linux root system stored inside a LUKs stored on only some sectors on the free space of an empty Ext4 partition that resides on a LUKs that uses the whole disk (including MBR), and to boot it you need a USB with Grub2 on a LUKs encrypted partition (special parameters when installing such grub2 are needed, search for encrypeted /boot).

    And just really weird paranoid… but to much work to do to boot… carry on such USB the SystemRescueCD.iso and Grub2 boot it… s¡but no “boot from my hdd”… so when boot from usb, at menu go to console, and type manually all needed command to do the complex mount of the hdd, load the kernel and initram…. so such comands are only on your brain, no clue on the pendrive of them… weird paranoid! But it works great!

Leave a Reply to claudio Cancel reply

Your email address will not be published. Required fields are marked *