## Encrypt hard drives and usb drives with dm-crypt and TrueCrypt

REMINDER: PASSHPHRASE SHOULD BE 42+ CHARACTERS LONG TO BE EQUIVALENT TO A 256 BIT KEY.

I recently explored encrypting usb drives and external hard drives (well, any hard drive really). I always wanted to lock all of my hard drives just to feel more secure about my files, but never got around to learning how to. In this post, I’ll describe my experience for usb drives and hard drives that aren’t used as the main disk for a computer to boot. I’ll describe full disk encryption for Ubuntu (where the OS resides) in another post.

I explored two methods. The first is using DM-Crypt with LUKS, which is the free and truly open-source solution. The second is using TrueCrypt, which is free (as in beer) and is open-source/proprietary (you can see source code, but I don’t know about modifying and redistributing). A more extensive list can be found here.

This post describes how one can go about encrypting the drive with dm-crypt. You can format the drive as FAT32, ext2, ext3, or anything really (this describes how to format a drive as FAT32 on the command line). On Linux, you just have to use cryptsetup to unencrypt the drive first. Then mount it for use. Ubuntu Desktop does this automatically (asks you for your passphrase) when the drive is plugged in. On a Windows machine, you have to install FreeOTFE in order to decrypt the drive. If the drive is FAT32, you will have access to it automatically after mounting the encrypted drive. If the drive is ext2 or ext3, you will have to install Ext2Fsd first in order to mount the drive. As of now, there isn’t a way to decrypt the drive on Mac OS X.

TrueCrypt is available on all three major platforms: Windows, Mac, and Linux. Thus, it is better than dm-crypt for usb drives in the sense that you can also use them on a Mac. You can use it to encrypt an entire disk or create an encrypted container file (pseudo partition?) to place files you want secured into. The latter approach is good for smaller files. For archives (big size), the FAT32 combination won’t work due to the 4.7GB file size limitation. Getting started with TrueCryt is quite easy as you just have to follow the GUI. To access the drive on any machine, you have to install TrueCrypt. If the drive is ext2 or ext3, again, you have to install Ext2Fsd on Windows. To mount an ext2 or ext3 drive on a Mac, you have to install ext2fuse, of which MacFuse is a pre-requisite.

What will I use? For a hard drive that I know I will only use with Linux, I’ll go the dm-crypt approach. For drives that I might bring around and plug into other platforms, I will either go with the dm-crypt + ext3 or TrueCrypt + ext3 approach. Why ext3? FAT32 is recognized on all three platforms, PS3, and most other devices that you can plug in the USB drive. However, if the disk is encrypted, the places I can plug the disk into is VERY limited (i.e. a computer). There’s no reason to prefer FAT32. Sure, I would have to install additional software on a Mac or Windows machine in order to read ext2/3. However, to unencrypt on those platforms, I would have needed to install TrueCrypt or FreeOTFE anyways, so this addtional install is trivial. Hmm, since I don’t really plug my drives into a Mac anymore, I think I’ll just stick with dm-crypt. The trick to all this is to have a spare unencrypted usb drive that you can use on a daily basis =].

### Change passphrase by adding a new one and removing the old one

I thought it was impossible, but it’s quite easy. Just use cryptsetup luksAddKey /dev/MYDEVICE to add a new passphrase, and cryptsetup luksRemoveKey /dev/MYDEVICE to remove the old passphrase.

## Create bootable USB drives of Windows installation CD’s in Linux

Nearly all netbooks and many laptops don’t come with an optical storage drive (DVD/CD). To re-install an OS, one would need to boot it from a USB drive. In this post, I outline how I could create a bootable usb drive for a Windows 7 disc. The information was taken from a reply on this post. I assume the usb drive is /dev/sdb on the Linux machine. ms-sys is required.

 <pre class="src src-sh"><span style="color: #ff4500;">## </span><span style="color: #ff4500;">Run under root</span>


cfdisk /dev/sdb mkfs.ntfs -f /dev/sdb1 mount -o loop win7.iso /mnt/iso mount /dev/sdb1 /mnt/usb cp -r /mnt/iso/* /mnt/usb/ ms-sys -7 /dev/sdb