

Brought to you by Amateur Radio AB9IL



Strong Encryption for Your USB Flashdrive - Linux

Protecting data on your flashdrive Linux system.

 

Bootable Linux flashdrives are great tools for portable computing, but one area that has needed improvement is data security. Whoever possesses your USB memory stick, for example, may get access to your personal documents, internet browser (with bookmarks and passwords), email contacts, and all sorts of things that could be harmful in the wrong hands. This page guides you through installation of strong encryption on your Linux flashdrive.

Not enough time on Earth...

I often use a USB flashdrive which is configured for dual usage: as a bootable Linux device with Firefox, OpenOffice, and other applications, plus an encrypted data folder where I keep important documents, pictures, and other files. The procedure below will show how to create the encrypted area (for use by the on-board Linux distro) and keep those important files safe. For GNU/Linux, the encryption software, Truecrypt, is available as source code, Debian, and OpenSuSE packages. A brute force attack on this system is quite futile. If all of the computers on Earth were devoted to the attack, the time needed to try all possible keys would exceed the lifetime of the planet. That is the nature of "strong encryption."


Step One - Install Truecrypt

Boot your Linux system, and use your distribution's package manager to retrieve and install Truecrypt. Another option is to get the latest precompiled package or source code from the Truecrypt website. If electing to install from source code, be sure to already have the proper kernel headers and "build essential" software installed. Invoke superuser privileges and proceed with compiling and installing Truecrypt. Information below relates to using Truecrypt within SLAX after installing the precompiled module.


Step Two - Create the Encrypted Area

Go into the "K" menu, System submenu, and open the Truecrypt graphical user interface. When Truecrypt is running, click the "Create Volume" button to start the Volume Creation Wizard.

The Volume Creation Wizard will offer two choices of the kinds of available volumes:

  1. Creation of an "encrypted file container." This creates one large encrypted archive containing items the user intends to protect from unauthorized access. It uses strong encryption and is orders of magnitude better than password protecting zip and rar archives.
  2. Creation of a volume within a non-system partition or device. If you have a separate partition on your USB drive for personal data and documents, the whole partition will be protected with this choice. It is used in a similar manner as the file container, but it is a whole partition.

For this article, the choice will be creation of a file container. Follow the given instructions and an encrypted container will be created. Locate the volume within your USB flashdrive (for example, /mnt/sda1/truecryptvol0001). The process involves many steps, but there are three that are rather critical:

  1. Hidden or standard volumes? A hidden volume can be installed inside a standard container. Under duress, the user gives up the password for the standard container, and plausibly denies the existence of the hidden volume. Without a correct password, this hidden volume can't be found or proven to exist.
  2. Use a long password with numbers and both upper and lower case letters. Avoid short words or combinations that can be looked up in a dictionary. Also, avoid simple number combinations such as birth dates, telephone numbers, etc. The closer your password is to random monkeychatter the better.
  3. Making the container too large may cause problems; use no more than 75 percent of the available space.
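
The password rules in item 2 above, turned into an automated check. This is an added example, not part of the original article: the word list is a small constructed sample, and the 20-character minimum is an assumption of this example.

```python
import math
import re
import secrets
import string

# Constructed sample word list; a real audit would load a full dictionary file.
COMMON_WORDS = {"password", "truecrypt", "linux", "secret", "flash", "dragon", "monkey"}
MIN_LENGTH = 20  # assumed threshold for this example, not a figure from the article


def audit_passphrase(pw):
    """Return the list of password rules from the article that `pw` breaks."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"\d", pw):
        problems.append("no digits")
    if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
        problems.append("needs both upper and lower case")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains dictionary word")
    # Long digit runs or d/m/y-style groups look like phone numbers or dates.
    if re.search(r"\d{6,}|\d{1,4}[-/.]\d{1,2}[-/.]\d{1,4}", pw):
        problems.append("contains date or phone-like number")
    return problems


def random_passphrase(length=24):
    """Draw characters from the OS CSPRNG until every rule is satisfied."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit_passphrase(pw):
            return pw


def entropy_bits(length, alphabet_size=62):
    """Search-space size in bits for a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(audit_passphrase("Linux2010"))
    print(random_passphrase(), round(entropy_bits(24), 1), "bits")
```
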

Step Three - Move Programs and Data Into The Encrypted Area

Once the encrypted container has been made, you will have a new file on your USB flashdrive - the encrypted container for your sensitive data. Next you will copy your programs and files to the new container.

  1. In the main Truecrypt window, pick a "slot" for your encrypted volume.
  2. Right click the slot, and in the context menu, choose "Select File and Mount..."
  3. Select for mounting the encrypted container you have just created (for example, /mnt/sda1/truecryptvol0001).
  4. Right click again on the slot, and choose "Mount."

Executing the "mount" command opens and decrypts the container, making it available for adding, removing, or even editing files. Operation in the encrypted volume is transparent in nature; the data protection is automatically applied to anything inside it.

Simply drag and drop your files into the container, then unmount it. Truecrypt closes and protects it with strong encryption. No one can get inside now without knowing the password. The data appears quite randomized, and it is resistant to cryptanalysis. You should also delete your original files (now COPIED into the encrypted area), and sanitize the free space outside the container with secure delete and free space wipe utilities, which will repeatedly overwrite the free space with random data and eliminate traces of files previously deleted.
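
A quick way to see the "appears quite randomized" property for yourself is to measure byte entropy block by block. The script below is an added example, not part of the original article: the 4096-byte block size and the 7.5 bits-per-byte threshold are assumptions, and the two files it scans are constructed stand-ins (random bytes in place of an unmounted container, repeated text in place of a document left outside it).

```python
import math
import os
import tempfile
from collections import Counter

BLOCK = 4096      # bytes per block examined (assumed for this example)
THRESHOLD = 7.5   # bits/byte; assumed cut-off for "looks random"


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def low_entropy_blocks(path, block=BLOCK, threshold=THRESHOLD):
    """Return offsets of full blocks in `path` that do not look like random data."""
    offsets = []
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block)
            if not chunk:
                break
            # Skip a short trailing block: too few bytes for a fair estimate.
            if len(chunk) == block and shannon_entropy(chunk) < threshold:
                offsets.append(offset)
            offset += len(chunk)
    return offsets


def demo():
    """Scan two constructed files: a random 'container' and a plain text file."""
    with tempfile.TemporaryDirectory() as tmp:
        container = os.path.join(tmp, "truecryptvol0001")
        plain = os.path.join(tmp, "notes.txt")
        with open(container, "wb") as f:
            f.write(os.urandom(16 * BLOCK))
        with open(plain, "wb") as f:
            f.write(b"Account numbers and contact details. " * 1000)
        return low_entropy_blocks(container), low_entropy_blocks(plain)


if __name__ == "__main__":
    container_hits, plain_hits = demo()
    print("container:", container_hits, "plain file:", len(plain_hits), "blocks flagged")
```

High entropy only shows that a file is indistinguishable from random at this coarse level; compressed archives score high as well, so treat this as a sanity check for leftover plaintext rather than proof of encryption.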


Procedure Completed!

Bear in mind that the entire USB flashdrive is NOT encrypted. Truecrypt has been installed and an encrypted container has been created on the USB flashdrive. If the USB flashdrive is lost or stolen, the encrypted data cannot be accessed. Sleep soundly, and worry not about who is reading your USB stick.




©2005 - 2010 AB9IL, All Rights Reserved