Where do you store your important PDFs, your digital certificates or even your local database of passwords? What if you lose your laptop or, even worse, it gets stolen?

In this article I will approach encryption and I will propose one solution to encrypt your USB stick to hide your secrets from eavesdroppers. The USB can be used as your main source for these files, but it can also serve as an offline backup of your confidential files.

What is encryption?

Here is my own simple definition of encryption. In a few words, assuming we know a secret key (usually a password), encryption is the process of using this key to transform a message (known as plaintext) into an alternate representation (known as ciphertext). The ciphertext does not make sense to anyone who lacks the decryption key.

Cryptography terms.

Formally, a Shannon Cipher is a pair of functions: E for encryption and D for decryption. It works as follows:

  • E(key, plaintext) = ciphertext
  • D(key, ciphertext) = plaintext

Let’s see a real example (you can check it in CyberChef) with the RC4 cipher:

  • Key: MySecretKey
  • Plaintext: Secret information.
  • E(MySecretKey, Secret information.) = Ciphertext = Rcµó½ü5Óº¨11fÑÄÇ¿
  • D(MySecretKey, Rcµó½ü5Óº¨11fÑÄÇ¿) = Plaintext = Secret information.

Am I using encryption?

Encryption is used to ensure the confidentiality of information. No one will be able to read the original plaintext from the ciphertext version without the key.

You are already using it, for example, when you use your favorite messaging app or when you buy online through an HTTPS website. This is called encryption of data in transit. However, when we want to hide information that we are not sending, but keeping on our hard drive, this is called encryption of data at rest.

HTTPS uses TLS, a system using encryption for protecting your browsing.

As another example, we have seen that passwords can be stored locally in a password manager database file on your computer. This database is not a plain file that anyone can read, but a file encrypted with a strong password.

Why do I need encryption?

If you have not seen it yet, encryption makes you the only one who can access your protected information. This information can be documents, pictures or any file you store on your PC. Your data will be secure as long as you are the only one who knows the password to access it.

However, users rarely enable encryption of data at rest. Most of our laptops and desktop PCs do not have their disks encrypted. Mobile devices, namely smartphones, are the exception to the rule. If you are using a screen lock on your phone, it is probably encrypting your data.

Get on with it: encrypting your USB

Although I will explain how to enable full disk encryption for your operating system in later posts, we can start by encrypting your USB stick. In this example, we will cover a solution widely used in Linux: LUKS.

USB sticks.

Warning! If you forget the password of your LUKS device, you will lose all your files. That's the point of being secure!

Why LUKS?

LUKS (Linux Unified Key Setup) is widely used to manage keys when encrypting disk partitions with dm-crypt on Linux operating systems. In this case, we will not encrypt a partition of our system drive, but an external storage device such as a USB stick. This is really handy, as you can use it on any Linux system for file backup or offline transfer. A good example is saving electronic keys or certificates.

How to encrypt your USB with LUKS

Here I will show the graphical steps for a GNOME desktop, together with the terminal commands. These are the steps:

1. Check your available devices

Graphically, you can use the Disks utility, available in GNOME.

Step 1: Check your available devices. In this example, I will use a partition of a USB stick.

sudo fdisk -l

2. Format your USB stick

Warning! This will delete all the files on your USB stick.

Step 2: Format your USB stick with an MBR partition table.

sudo umount /dev/sdXX
sudo mkdosfs -F 32 -I /dev/sdXX

3. Make a LUKS partition and ext4 file system

Step 3: Create a new partition: LUKS with ext4.

Step 3: Set up the LUKS password.

sudo cryptsetup -y -v luksFormat /dev/sdXX
sudo cryptsetup open /dev/sdXX cryptroot
sudo mkfs.ext4 /dev/mapper/cryptroot
sudo mount /dev/mapper/cryptroot /mnt
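
Steps 2 and 3 destroy whatever is on /dev/sdXX, so it is worth confirming the target before running them. The check below is an added example, not part of the original article: it parses `lsblk` output (the column list, the function names and the sample listing are assumptions constructed here) and approves only a removable device with nothing mounted on it or on a mapping opened from it.

```shell
# Added example (not from the article): refuse to luksFormat the wrong device.
# stdin: output of  lsblk -P -p -n -o NAME,PKNAME,RM,TYPE,MOUNTPOINT
# Prints "ok" (exit 0) only for a removable disk/partition with nothing
# mounted on it or on anything stacked on top of it; otherwise the reason.
check_luks_target() {
    awk -v dev="$1" '
    function val(key,   s) {            # value of KEY="value" on this line
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    {
        name = val("NAME"); parent = val("PKNAME")
        # lsblk lists parents before children, so one pass finds descendants
        if (name == dev) { found = 1; rm = val("RM"); type = val("TYPE") }
        else if (!(parent in below)) next
        below[name] = 1
        mnt = val("MOUNTPOINT")
        if (mnt != "" && busy == "") busy = name " mounted at " mnt
    }
    END {
        if (!found)                                msg = "refuse: " dev " not listed by lsblk"
        else if (type != "disk" && type != "part") msg = "refuse: " dev " is type " type
        else if (rm != "1")                        msg = "refuse: " dev " is not removable"
        else if (busy != "")                       msg = "refuse: " busy
        else                                       msg = "ok"
        print msg
        exit (msg == "ok" ? 0 : 1)
    }'
}

# Constructed sample: sda = internal disk, sdb1 = open and mounted LUKS stick, sdc1 = idle stick.
sample_lsblk() {
    cat <<'EOF'
NAME="/dev/sda" PKNAME="" RM="0" TYPE="disk" MOUNTPOINT=""
NAME="/dev/sda1" PKNAME="/dev/sda" RM="0" TYPE="part" MOUNTPOINT="/"
NAME="/dev/sdb" PKNAME="" RM="1" TYPE="disk" MOUNTPOINT=""
NAME="/dev/sdb1" PKNAME="/dev/sdb" RM="1" TYPE="part" MOUNTPOINT=""
NAME="/dev/mapper/cryptroot" PKNAME="/dev/sdb1" RM="0" TYPE="crypt" MOUNTPOINT="/mnt"
NAME="/dev/sdc" PKNAME="" RM="1" TYPE="disk" MOUNTPOINT=""
NAME="/dev/sdc1" PKNAME="/dev/sdc" RM="1" TYPE="part" MOUNTPOINT=""
EOF
}

for d in /dev/sda1 /dev/sdb1 /dev/sdc1; do
    printf '%s: ' "$d"; sample_lsblk | check_luks_target "$d" || true
done
```

On a real system, pipe the `lsblk` command from the header comment into `check_luks_target /dev/sdXX` and continue with the format steps only when it prints `ok`.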

4. Just use it!

Using your USB: compatibility

In order to use your USB stick, just plug it in and you will be asked for a password when the system tries to mount it. Then, you can simply use it as you would any other external storage. When you are done, just eject your device (unmount it) and all your files are encrypted at rest.

Prompt asking for your password when mounting your LUKS partition.

In the terminal, you would need to do something like this:

sudo cryptsetup open /dev/sdXX cryptroot
sudo mount /dev/mapper/cryptroot /mnt

This should be compatible with almost all Linux distributions. However, there is no current and trusted support for Windows. If you search on the Internet, you will find some old, unmaintained software that allows you to mount LUKS on the Microsoft OS. In next week's post I will cover an open source encryption solution that also works on Windows.

Extra: allow someone else to use it

You can add an extra password to your LUKS device. That is, you can allow someone to use your device without telling them your password. You can do it as follows:

sudo cryptsetup luksAddKey /dev/sdXX

Conclusion

If you are a Linux user, LUKS provides an easy way of encrypting a USB stick that you can use as a backup for your important files. You can also encrypt one of your system partitions so that, in case your computer or drive gets stolen, the thief will not be able to access your private information.

Obri! Remember: next week I will talk about an encryption solution for USB sticks compatible with Windows.