Encrypting flash drives with UsbCryptFormat

USB storage sticks, SD cards, and external hard drives are essential tools in the daily life of almost every PC user. However, there are some drawbacks to these small storage media: They can disappear pretty easily, for example. If your device gets into the wrong hands, unprotected data is typically visible to all who want to look at it. To protect data found on removable storage devices, all you need is a Linux PC and the encryption software UsbCryptFormat [1].

Basics

UsbCryptFormat encrypts data with LUKS (Linux Unified Key Setup). LUKS is designed so that it saves the information necessary for decryption in the header of an encrypted partition. Up to eight keys and diverse metadata can be stored in the header. The advantage of this method is that it allows the user to open an encrypted storage device on a computer system even if the system does not run UsbCryptFormat. In that case, the user just needs the cryptsetup package to open the device. Most of the current Linux distributions include this package as part of the standard installation.
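To make the header idea concrete, the following added example (not part of UsbCryptFormat or the original article) parses a header and lists which of the eight key slots hold a key. It assumes the LUKS1 on-disk layout, which matches the eight-key limit described above; the sample header and all of its values are constructed for illustration.

```python
import struct

# LUKS1 on-disk header (big-endian): 208 bytes of metadata, then 8 key slots.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")          # state, iterations, salt, offset, stripes
MAGIC = b"LUKS\xba\xbe"
ACTIVE, INACTIVE = 0x00AC71F3, 0x0000DEAD
NUM_SLOTS = 8


def _text(raw):
    """Decode a NUL-padded ASCII field such as the cipher name."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Return header metadata and key-slot states; raise ValueError if not LUKS1."""
    if len(blob) < PHDR.size + NUM_SLOTS * SLOT.size:      # 592 bytes
        raise ValueError("too short to hold a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload, key_bytes,
     _digest, _salt, _iters, uuid) = PHDR.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("LUKS magic missing: partition is not LUKS-formatted")
    if version != 1:
        raise ValueError("LUKS version %d uses a different layout" % version)
    slots = []
    for i in range(NUM_SLOTS):
        state, iters, _s, _off, _stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        if state not in (ACTIVE, INACTIVE):
            raise ValueError("key slot %d has a corrupt state field" % i)
        slots.append({"slot": i, "active": state == ACTIVE, "iterations": iters})
    return {"cipher": "%s-%s" % (_text(cipher), _text(mode)),
            "hash": _text(hash_spec), "key_bits": key_bytes * 8,
            "payload_sector": payload, "uuid": _text(uuid), "slots": slots}


def build_sample_header():
    """Constructed sample header: one passphrase in slot 0, seven empty slots."""
    head = PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64,
                     bytes(20), bytes(32), 50000,
                     b"00000000-0000-4000-8000-000000000000")
    used = SLOT.pack(ACTIVE, 200000, bytes(32), 8, 4000)
    empty = SLOT.pack(INACTIVE, 0, bytes(32), 8, 4000)
    return head + used + empty * (NUM_SLOTS - 1)


if __name__ == "__main__":
    info = parse_luks1_header(build_sample_header())
    print(info["cipher"], info["key_bits"], info["uuid"])
    print("active slots:", [s["slot"] for s in info["slots"] if s["active"]])
```

To inspect a real stick, pass the first 592 bytes of the encrypted partition to parse_luks1_header (reading the device requires root); the cryptsetup luksDump command reports the same fields.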

Getting Started

UsbCryptFormat is distributed under the GPL and comes as a DEB package for Debian, Ubuntu, and their derivatives that you can download from the project website. Because UsbCryptFormat consists entirely of Bash scripts, the installed package is effectively its own source code. Users running distributions that have RPM package management can also take advantage of UsbCryptFormat. Here you should first install the program alien, which is available in the software repositories of most distributions.

The next step is to run alien in the terminal using the following command:

alien -r -v --scripts usbcryptformat_12.05.20_all.deb

The software converts the Debian package into RPM format so you can install it on your system.

When installing UsbCryptFormat, the package creates the entry Encrypt external storage media in the menu structure on your desktop. Clicking the entry starts the program with the appropriate administrative rights. If the application does not appear, you should check in your package manager whether the zenity package is installed on your computer. UsbCryptFormat uses this program to display its dialogs in the graphical desktop environment.

It's also a good idea to check the corresponding menu entry for the correct command syntax for invoking the software. In other distributions, you may need to replace the su-to-root command, which only comes up in Ubuntu, with either kdesu, which is used on the KDE desktop, or the gksu command for GNOME work environments. In both cases, you should remove the command parameters -X -c. UsbCryptFormat should start without any problems after this preparatory work.

How the System Works

USB storage sticks and SD cards commonly come equipped with filesystems from the Microsoft world. Depending on the size of the storage media, this will be FAT16, FAT32, exFAT, or NTFS. These filesystems offer the greatest possible compatibility with various devices and operating systems. Thus, the first task for UsbCryptFormat is to create a new partition where the encrypted filesystem will reside on each external storage device that is to be encrypted.

To start the encryption process, you should insert the storage device into the computer. When it appears in the system, you should start UsbCryptFormat with administrative rights. The software will open a window that lists all data storage devices that are connected and mounted on the computer system. From this list, select the device that you want to encrypt and click OK. UsbCryptFormat will then issue an explicit warning advising the user that all data saved on the medium will be lost during formatting (Figure 1).

Figure 1: The security message is conspicuous.

If, for some reason, you selected the wrong device, you can end the program with a click on No. Otherwise, you should continue with Yes and UsbCryptFormat will create a new partition on the data medium. The next dialog is for entering the password you want to use with the encrypted data medium. You should then enter the password for a second time in the subsequent security dialog.

In the next window, UsbCryptFormat will ask whether you want to completely overwrite the removable data medium with randomly generated data (Figure 2). You should definitely answer Yes to this question because old data can otherwise be reconstructed through manual partitioning of the storage device.

Figure 2: The program overwrites before reformatting the data medium.

Reformatting without overwriting the old data beforehand will change only the partition table and not touch the existing data. Remember that it may take considerable time to overwrite old data depending on the size of the data medium. However, it just takes a few minutes to overwrite the data and set up the new filesystem on the customary 16 or 32GB USB sticks and SD cards.

UsbCryptFormat has an animated status bar that shows the progress of this process. A closing dialog indicates that you will be asked for the encryption password the next time you connect the storage medium to your system. Then, with a click on OK, UsbCryptFormat ends.

Uncomplicated

In practice, integrating the encrypted data device works reliably. Simply plug in the USB stick or the external hard drive and then correctly answer the password request. It is well known that storage media cannot simply be pulled out of the system. Instead, you should use the corresponding functions on your desktop environment or enter the umount command from the command line. Formatting tools like cfdisk or the Ubuntu disk manager show that the partitions installed on the storage medium are encrypted (Figure 3).

Figure 3: Partitioning software displays the encrypted device correctly.

If you are thinking about reformatting and encrypting a data storage device that has already been encrypted with UsbCryptFormat, you will first need to partition the device with partitioning software. This is done by erasing the existing partition table using cfdisk or fdisk and then setting up a new partition that covers all of the storage space of the device. You do not necessarily have to format it immediately. Instead, you can once again install an encrypted filesystem using UsbCryptFormat.

Conclusion

You can forget having to use cumbersome commands and complex parameters when encrypting and decrypting an external storage device. UsbCryptFormat makes it easy and uncomplicated to create encrypted storage devices of any kind and capacity. Modern Linux distros let you view the connection to the system as soon as you type in the password. Road warriors who keep lots of data on USB sticks, SD cards, or external SSDs and hard drives should have UsbCryptFormat as standard equipment.