Encrypting the data on your USB key to use with GNOME

I just got a brand new Sony Micro Vault Tiny USB key. As you can see in the picture, it’s about half the size of an SD card, although slightly thicker. The trick it uses to be so small is to slide directly inside the USB port. The size makes it very handy to keep in a wallet, and it can be used with any USB port without requiring any adapter, cable or card reader.

Just like with the previous USB keys and SD cards I’ve owned, it will be used to back up important data which I want to carry with me at all times. But just like any other important work and personal data, I don’t want anyone to be able to read it, so most of the key will be encrypted.

For encryption, I use LUKS, since it’s nicely integrated into GNOME and has been for a while (in Fedora since Fedora Core 5, so also in RHEL5). But since it’s a hassle to access such a partition from Windows computers, I find it handy to partition the key in two and also keep a simple unencrypted FAT32 partition which can be used to exchange non-sensitive data easily with just about any computer.


Here is the device’s partition table. I’ve wiped out the original one, along with all the useless Windows programs Sony provides:

# fdisk -l /dev/sdf

Disk /dev/sdf: 4059 MB, 4059561984 bytes
229 heads, 32 sectors/track, 1081 cylinders
Units = cylinders of 7328 * 512 = 3751936 bytes
Disk identifier: 0xc3072e18

   Device Boot      Start         End      Blocks   Id  System
/dev/sdf1               1         228      835376    c  W95 FAT32 (LBA)
/dev/sdf2             229        1081     3125392   83  Linux

To create the FAT32 filesystem:

# Format as FAT32 with a nice label
mkfs.vfat -n "FAT Vault" /dev/sdf1

To create the LUKS encrypted volume with EXT3 on top:

# Install the required tools
yum install cryptsetup-luks
# Create the LUKS volume, set the passphrase
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdf2
# Open the LUKS volume, enter the passphrase which was just set
cryptsetup luksOpen /dev/sdf2 vault
# Format as EXT3 with a nice label and 0% space reserved for root
mkfs.ext3 -L "GNU Vault" -m 0 /dev/mapper/vault
# Disable forced filesystem checks
tune2fs -c 0 -i 0 /dev/mapper/vault
# Close the LUKS volume
cryptsetup luksClose /dev/mapper/vault

After this is done, remove the USB key and insert it again. If you are running GNOME, the “FAT Vault” partition should show up automatically, and for the “GNU Vault” you should be prompted for the passphrase you’ve set when creating the LUKS volume. Once entered, the “GNU Vault” partition’s content should also show up. That’s it!
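
To confirm that the second partition really carries a LUKS header, and to see which key slots hold a passphrase, the header can be read directly with dd and od. This is an added example, not part of the original post: the function names are its own, the sample header is constructed, and the key slot offsets assume the LUKS1 on-disk format.

```sh
#!/bin/sh
# Added example: inspect a LUKS header with dd/od only (no cryptsetup needed).
# Offsets follow the LUKS1 on-disk header; names below are this example's own.

hex_at() {  # hex_at FILE OFFSET COUNT -> bytes as lowercase hex, no spaces
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

has_luks_header() {  # true if FILE starts with the magic "LUKS" 0xBA 0xBE
    [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]
}

luks_version() {  # big-endian 16-bit version stored right after the magic
    echo $((0x$(hex_at "$1" 6 2)))
}

luks1_active_slots() {  # 8 slots of 48 bytes from offset 208; 0x00AC71F3 = enabled
    slots="" i=0
    while [ "$i" -lt 8 ]; do
        [ "$(hex_at "$1" $((208 + 48 * i)) 4)" = "00ac71f3" ] && slots="$slots$i "
        i=$((i + 1))
    done
    echo "${slots% }"
}

check_vault() {  # report on a partition or image; non-zero if it is not LUKS
    if ! has_luks_header "$1"; then
        echo "$1: no LUKS header, anything written here is stored in the clear"
        return 1
    fi
    v=$(luks_version "$1")
    if [ "$v" -eq 1 ]; then
        echo "$1: LUKS1, enabled key slots: $(luks1_active_slots "$1")"
    else
        echo "$1: LUKS version $v (key slot layout differs, use cryptsetup luksDump)"
    fi
}

make_sample_header() {  # constructed 592-byte LUKS1 header, slots 0 and 3 enabled
    {
        printf 'LUKS\272\276\000\001'
        dd if=/dev/zero bs=1 count=200 2>/dev/null
        for s in 0 1 2 3 4 5 6 7; do
            case $s in 0|3) printf '\000\254\161\363' ;; *) printf '\000\000\336\255' ;; esac
            dd if=/dev/zero bs=1 count=44 2>/dev/null
        done
    } > "$1"
}

img=$(mktemp) && make_sample_header "$img" && check_vault "$img"; rm -f "$img"
```

On the real key, run `check_vault /dev/sdf2` as root; a volume formatted as above with a single passphrase should report only slot 0, while `/dev/sdf1` should report no LUKS header.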
