Where do you store your important PDFs, your digital certificates or even your local database of passwords? What if you lose your laptop or, even worse, it gets stolen?
In this article I will approach encryption and I will propose one solution to encrypt your USB stick to hide your secrets from eavesdroppers. The USB can be used as your main source for these files, but it can also serve as an offline backup of your confidential files.
What is encryption?
Here is my own simple definition of encryption. In few words, assuming we know a secret key (usually a password), encryption is the process of using this key to transform some message (known as plaintext) into an alternate representation (known as ciphertext). That is, the ciphertext will not make sense without the decryption key.
Formally, a Shannon Cipher is a pair of functions: E for encryption and D for decryption. It works as follows:
E(key, plaintext) = ciphertext
D(key, ciphertext) = plaintext
Let’s see a real example (check it in Cyberchef) for the RC4 cipher:
Secret information.) = Ciphertext =
Rcµó½ü5Óº¨11fÑÄÇ¿) = Plaintext =
Am I using encryption?
Encryption is used to ensure confidentiality of the information. No one will not be able to read the original plaintext from the ciphertext version without the key.
For example, when you are using your favorite messaging app or when you are buying online through an HTTPS website. This is called data in transition encryption. However, when we want to hide some information we are not sending, but we are keeping in our hard drive, this is called data at rest encryption.
As another example, we have seen that passwords could be stored locally in a like a password manager database file, stored in your computer. This database file is not stored in a plain file that anyone can read, but in a file encrypted with a strong password.
Why do I need encryption?
If you have not seen it yet, encryption will make you the only one that can access your protected information. This information can be some documents, pictures or any file you store in your PC. Your data will be secure as long as you are the only one that knows the password to access it.
However, data at rest encryption is not common to be enabled by users. Most of our laptops and desktop PC do not have their disks ciphered. Mobile devices, namely smartphones, are the exception to the rule. If you are using a screen lock in your phone, it is probably encrypting your data.
Get on with it: encrypting your USB
Although I will explain how to enable full disk encryption for your Operating System in later posts, we can start by ciphering your USB stick. In this example, we will cover a solution widely used in Linux: LUKS.
Warning! If you forget the password of your LUKS device, you will lose all your files. That's the point of being secure!
LUKS (Linux Unified Key Setup) is widely used for manage keys when encrypting disk partitions with
dm-crypt in Linux Operating Systems. In this case, we will not encrypt a partition of our system drive, but an external storage like a USB stick. This is really handy, as you can use it across any Linux for file backup or offline transfer. A good example is saving electronic keys or certificates.
How to encrypt your USB with LUKS
Here I will show the graphical steps for a GNOME desktop, together with the terminal commands. These are the steps:
1. Check your available devices
Graphically, you can use the Disks utility, available in GNOME.
2. Format your USB stick
warning! –> This will delete all the files on your USB stick.
sudo umount /dev/sdXX sudo mkdosfs -F 32 -I /dev/sdXX
3. Make a LUKS partition and
ext4 file system
sudo cryptsetup -y -v luksFormat /dev/sdXX sudo cryptsetup open /dev/sdXX cryptroot sudo mkfs.ext4 /dev/mapper/cryptroot sudo mount /dev/mapper/cryptroot /mnt
- Just use it!
Using your USB: compatibility
In order to use your USB stick, just plug it in and you will be asked for a password when the system tries to mount it. Then, you can simply use it as you would with any other external storage. When you are done, just eject your device (unmount it) and you have all your files at rest encrypted.
In the terminal, you would need to something like this:
sudo cryptsetup open /dev/sdXX cryptroot sudo mount /dev/mapper/cryptroot /mnt
This should be compatible with almost all Linux distributions. However, there is no current and trusted support for Windows. If you search on the Internet, you will find some unmaintained old software that allows you to mount LUKS on the Microsoft OS. I will cover in the next week post an Open Source encryption that also works for Windows.
Extra: allow someone else to use it
You can add an extra password to your LUKS device. That is, you can allow someone to use your device without telling them your password. You can do it as follows:
cryptsetup luksAddKey /dev/sdXX
If you are a Linux user, LUKS provides an easy way of encrypting a USB stick that you can use as a backup for your important files. You can also manage to encrypt one of your system partitions so, in case your computer or drive gets stolen, they will not be able to access your private information.
Obri! Remember: next week I will talk about a encryption solution for USB sticks compatible with Windows