Encrypt a USB drive through LUKS in Ubuntu

Published: November 02, 2022

Encrypt a USB drive through LUKS in Ubuntu

In this article, we cover how to encrypt a USB drive through LUKS in Ubuntu. Encryption is done to prevent unauthorized access to data. So, anyone who doesn't provide a correct passphrase won't be able to access the data stored in our USB drive. It is particularly useful in case our USB drive gets stolen.

Linux Unified Key Setup (LUKS) is used for block device encryption. Though we have kind of covered this earlier in article - Password protect a USB drive in Ubuntu. This time around, we would try to get similar results through command-line tool - cryptsetup.

Note: Following operations require superuser privileges. In case you don't have one then, we advise you to contact your System Administrator for assistance.

Important: Backup data stored in your USB drive first. What we are trying to achieve here will eventually erase your data on the USB drive. Also, don't forget the passphrase otherwise all your stored data in USB drive would be gone forever.

Install cryptsetup in Ubuntu

The package is installed as default, if somehow its not there then issue the following in terminal to install -

sudo apt update
sudo apt install cryptsetup cryptsetup-bin

Encrypt USB drive through LUKS in Ubuntu

First, connect the USB drive and identify the partition -

lsblk
sudo fdisk -l

Now, to format it -

sudo cryptsetup luksFormat <device_name>

For us device name was - /dev/sdb1. It would be different for you. Enter YES if you are okay with data on device being written. Thereafter, enter the passphrase twice.

If it says -

Device device_name is in use. Cannot proceed with format operation.

Then, use umount tool to unmount the partition -

umount <device_name>

Next, to view summary of encryption -

sudo cryptsetup luksDump <device_name>

Now, look for LUKS UUID for the USB drive -

sudo cryptsetup luksUUID <device_name>

Note it down somewhere, the mapping name would be luks-uuid. For instance,

luks-ea27b3f1-d9cb-4ca5-4527-39f3ed78hg75

We will use luks-uuid to access decrypted content of our USB drive.

sudo cryptsetup luksOpen <device_name> <map_name>

where, <map_name> would be luks-uuid.

And, enter passphrase. To check whether is worked or not?

sudo cryptsetup -v status <map_name>

Create a filesystem and mount it somewhere -

sudo mkfs -t <filesystem_type> /dev/mapper/<map_name or luks-uuid>

sudo mkdir -p /media/myUSB

sudo mount /dev/mapper/<map_name or luks-uuid> /media/myUSB

Lastly, only a superuser can modify contents of the USB drive. So, we need to change the ownership -

sudo chown -R $USER:$USER /media/myUSB

And, that is pretty much everything we need to do for now. Plug it in some other Linux distribution to check whether it asks for a passphrase or not. We would like to add here that, to make it work in the same machine we had to reboot it. Otherwise, it kept throwing Failed to activate device error.