Encrypted USB drive on Linux with Cryptsetup

If there is one thing I love about USB drives, it is their usefulness: you can take your favourite applications with you or even install Linux on one, but the main use is clearly moving files around, maybe documents containing sensitive information. What if you lose it?
If you’re a Linux user, Cryptsetup could suit you just right. It is a tool for encrypting disks based on the LUKS (Linux Unified Key Setup) standard for secure disk encryption.
Let’s see how to create two partitions on the flash drive and encrypt one. Back up your data first, as everything on the drive will be lost!

What you need:

  • A Linux distribution
  • A USB drive
  • Root access on the machine (every command has to be run as super-user!)

Additional packages may be needed. Install them on Ubuntu with:

sudo apt-get install lvm2 cryptsetup

 

Before proceeding, think about securely erasing previous files. Could be paranoia, but you can never be sure these days. 😉
Dumping random bytes to the disk only once is generally considered safe enough.

dd if=/dev/urandom of=/dev/sdX bs=4M oflag=direct

# Version with progress information, provided by pv
echo "MiB Written - Time Elapsed - Speed" && pv -tab /dev/urandom | sudo dd of=/dev/sdX bs=4M iflag=fullblock oflag=direct

 

Let’s start by creating a new partition table on the device. Let’s say I want my primary partition to be 5 gigabytes in size and use the remaining space for the encrypted partition.
Be sure the disk isn’t mounted and check the device name tenfold before issuing every command (find it with “fdisk -l” or “lsblk”). With the wrong device name, the data on your hard drive is gone forever.
After creating the partition table, we format the first partition with the FAT32 filesystem:

parted -s /dev/sdX mklabel msdos mkpart primary 0% 5G mkpart primary 5G 100%
mkfs.vfat -F 32 /dev/sdX1
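
The device-name check urged above can be scripted. This is an added example, not part of the original post: it parses “lsblk -P” output and refuses any target that is not a whole USB disk or that still has something mounted beneath it. The function names (field, check_target, sample_lsblk) and the sample device list are constructed for illustration.

```shell
# Added example (not from the original post): refuse a wrong or busy target
# before running dd, parted or luksFormat. Typical use, as root:
#   lsblk -P -o NAME,PKNAME,TYPE,TRAN,MOUNTPOINT | check_target sdX && dd ...

# field KEY LINE: print the value of KEY="..." from one `lsblk -P` line.
field() {
    printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# check_target NAME: read `lsblk -P` on stdin; succeed only if NAME is a whole
# USB disk with nothing mounted beneath it (partitions, LUKS mappings included).
check_target() {
    target=$1; family=" $1 "; found=0; reason=
    while IFS= read -r line; do
        name=$(field NAME "$line")
        [ -n "$name" ] || continue
        if [ "$name" = "$target" ]; then
            found=1
            [ "$(field TYPE "$line")" = disk ] || reason="not a whole disk"
            [ "$(field TRAN "$line")" = usb ] || reason=${reason:-"transport is not usb"}
        else
            # lsblk lists children after their parent, so descendants accumulate.
            case $family in
                *" $(field PKNAME "$line") "*) family="$family$name " ;;
                *) continue ;;
            esac
        fi
        mnt=$(field MOUNTPOINT "$line")
        [ -z "$mnt" ] || reason=${reason:-"$name is mounted on $mnt"}
    done
    [ "$found" -eq 1 ] || reason="device not found"
    [ -z "$reason" ] || { echo "REFUSE /dev/$target: $reason"; return 1; }
    echo "OK /dev/$target"
}

# Constructed sample: sda = internal disk, sdb = idle USB stick,
# sdc = USB stick whose LUKS mapping "Crypto" is still mounted.
sample_lsblk() {
    cat <<'EOF'
NAME="sda" PKNAME="" TYPE="disk" TRAN="sata" MOUNTPOINT=""
NAME="sdb" PKNAME="" TYPE="disk" TRAN="usb" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" TRAN="" MOUNTPOINT=""
NAME="sdb2" PKNAME="sdb" TYPE="part" TRAN="" MOUNTPOINT=""
NAME="sdc" PKNAME="" TYPE="disk" TRAN="usb" MOUNTPOINT=""
NAME="sdc2" PKNAME="sdc" TYPE="part" TRAN="" MOUNTPOINT=""
NAME="Crypto" PKNAME="sdc2" TYPE="crypt" TRAN="" MOUNTPOINT="/media/Crypto"
EOF
}
```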

 

We create the LUKS volume inside the second partition and open it. Cryptsetup will then map it to an “old-style” device name under /dev/mapper/.
After opening it, we can treat it as a standard partition, so let’s format it with ext4. The “root_owner=1000:1000” filesystem option is needed to use the partition as a standard user, and not just root. Check your uid and gid by simply issuing “id” and replace them in the command if they’re different from 1000.

cryptsetup -v luksFormat /dev/sdX2
cryptsetup luksOpen /dev/sdX2 Crypto
mkfs.ext4 -E root_owner=1000:1000 -L Crypto /dev/mapper/Crypto

[Screenshot: lsblk output]

Here’s my pretty partition showing up as “Crypto”.

 

Last step, mount it and add files to it!

mkdir /media/Crypto
mount /dev/mapper/Crypto /media/Crypto

 

When you’re finished copying files, unmount and stop cryptsetup:

sync
umount /dev/mapper/Crypto
cryptsetup luksClose Crypto

 

 

And that’s it! You now have a secure and fast way to store sensitive information. Note that on most desktop environments you can create and mount/unmount LUKS partitions very easily, but now we know what’s going on in the background. Any remaining doubts should be cleared up by reading the Cryptsetup FAQ.