How to Encrypt a USB Flash drive in Ubuntu - LUKS encryption with cryptsetup

Encrypting a usb drive is an excellent idea for ensure that your data is safe and secure.

If you are storing business data or any kind of personal sensitive information in a usb drive, its important to keep it safe it from hackers and snoopers.

Or if you accidentally loose your usb drive then you can be sure that the data can't be read by anyone.

Encrypting usb drives and handling them on linux is actually extremely easy.

You can either use the gnome-disks application to format the usb drive with encryption enabled. After that file browsers like Dolphin and Nautilus will be able to access it easily.

Gnome Disks Format with LUKS

Insert the USB drive and launch gnome-disks app, and then format to EXT4 with LUKS Encryption selected.

However this method of encryption works only with EXT4 file system.

Alternatively you can use commands like cryptsetup to encrypt the drive and use it the same way.

In this article we shall take a quick look at how to encrypt a usb pen drive using cryptsetup, which implements the LUKS standard.

1. Connect the USB Drive

Connect the usb drive to the system, but do not mount it. Don't click it inside a file browser, which actually mounts it.

If the drive is already mounted then either remove it and re-insert it or, use the umount command.

$ umount /dev/sde1

Now if you run the lsblk command it will show the usb drive device, but no mount point.

$ lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0    7:0    0 281.6M  1 loop /snap/atom/273
loop1    7:1    0 282.4M  1 loop /snap/atom/275
loop2    7:2    0 138.8M  1 loop /snap/chromium/1514
loop3    7:3    0  99.2M  1 loop /snap/core/10859
loop4    7:4    0 138.8M  1 loop /snap/chromium/1523
loop5    7:5    0  98.4M  1 loop /snap/core/10823
loop6    7:6    0   219M  1 loop /snap/gnome-3-34-1804/66
loop7    7:7    0  55.5M  1 loop /snap/core18/1988
loop8    7:8    0 162.9M  1 loop /snap/gnome-3-28-1804/145
loop9    7:9    0  64.4M  1 loop /snap/gtk-common-themes/1513
loop10   7:10   0  64.8M  1 loop /snap/gtk-common-themes/1514
loop11   7:11   0   140K  1 loop /snap/gtk2-common-themes/13
loop12   7:12   0 944.1M  1 loop /snap/xonotic/64
loop13   7:13   0  61.6M  1 loop /snap/core20/904
loop14   7:14   0 916.7M  1 loop /snap/xonotic/53
loop15   7:15   0 111.3M  1 loop /snap/shutter/27
loop16   7:16   0  55.4M  1 loop /snap/core18/1944
sda      8:0    0 111.8G  0 disk 
└─sda1   8:1    0  95.4G  0 part /
sdb      8:16   0 111.8G  0 disk 
└─sdb1   8:17   0  95.8G  0 part /media/enlightened/f41b21a7-e8be-48ac-b10d-cad641bf709b
sdc      8:32   0 447.1G  0 disk 
└─sdc1   8:33   0   400G  0 part /media/enlightened/a935afc9-17fd-4de1-8012-137e82662ff01
sdd      8:48   0 465.8G  0 disk 
└─sdd1   8:49   0   420G  0 part /media/enlightened/757dcceb-3e17-4ca8-9ba1-b0cf68fb0134
sde      8:64   1  28.8G  0 disk 
└─sde1   8:65   1  28.8G  0 part 
$

No mount location is shown for the 32GB usb drive /dev/sde above.

2. Setup LUKS

Now run the cryptsetup command to setup LUKS based encryption

$ sudo cryptsetup luksFormat /dev/sde1 
WARNING: Device /dev/sde1 already contains a 'vfat' superblock signature.

WARNING!
========
This will overwrite data on /dev/sde1 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sde1: 
Verify passphrase: 
$

In the above command we specify the partition that is /dev/sde1 .

3. Format the drive

Now we have to first open the encrypted partition and map it to a virtual device.

Use the luksOpen option with the cryptsetup command.

$  sudo cryptsetup luksOpen /dev/sde1 myusb
Enter passphrase for /dev/sde1: 
$

Now format the partition using the mkfs.ext4 command

$  sudo mkfs.ext4 /dev/mapper/myusb -L myusb
mke2fs 1.45.6 (20-Mar-2020)
Creating filesystem with 7550352 4k blocks and 1888656 inodes
Filesystem UUID: 4dd22bb7-022b-4175-8526-7776427c1089
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
        4096000

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done   

$

Finally close the virtual device

$ sudo cryptsetup luksClose myusb

Remove the pen drive. Now insert it and use from any file browser like Nautilus and Dolphin. Fill the password when asked and it would become accessible like any regular drive.

Conclusion

If you want a quick and easy way to encrypt usb drives, then just use the gnome-disks program to format and encrypt the usb drive. It takes only a few clicks.

Make sure that your personal, business and other sensitive data is always secure whenever you are carrying them in a usb drive, specially when travelling.

Data theft can lead to un-imaginable problems and encryption will save you from it for free.

If you have any further questions or feedback, let me know in the comments below.

2 Comments

How to Encrypt a USB Flash drive in Ubuntu – LUKS encryption with cryptsetup

Things to do
July 15, 2022 at 12:12 pm

So clearly and interesting. Let’s keep it up

jamg
October 30, 2021 at 11:11 pm

Thanks. Clear and succint article. However, when I reinsert the USB drive, the notifier (in this case under KDE), it says “You are not authorized to mount this device.” However, it does mount, apparently as read only (because under Dolphin I see a lost+found directory, but I’m not able to create any new file/folder under this USB drive.

Do you think it has to do with my permissions as a user? Under /etc/group my user is part of plugdev

Thanks again.