Yet another thing that has been on my TODO list for quite a while: encrypted USB thumb drives and/or encrypted external USB hard drives.
I have finally tried this over the weekend using loop-AES. This is very useful for securing your USB thumb drive contents in case you lose it or it gets stolen. Also, I use an external USB hard drive for backups (previously unencrypted). This is encrypted now, too.
Here's a quick HOWTO:
- Get the loop-AES kernel patches, apply them, enable "AES encrypted loop device support" in "Device Drivers -> Block Devices -> Loopback device support", and recompile the kernel.
I also enabled "loop encryption key scrubbing support" as it seems to promise higher security (can anybody confirm that?).
If you're using the Debian kernel packages, apt-get install loop-aes-2.6-686 (or a similar package) should suffice.
- Get a loop-aes enabled losetup, mount etc.:
apt-get install loop-aes-utils
- Securely delete the target partition: shred -n 1 -v /dev/sda3.
Use -n 25 or higher if you want more security and have a few days to wait for the thing to finish...
- Setup the loopback device: losetup -e aes256 -C 3 -S 'seed' /dev/loop0 /dev/sda3.
- I used AES-256 as cipher, but others are possible.
- The -C 3 means "run hashed password through 3000 iterations of AES-256 before using it for loop encryption. This consumes lots of CPU cycles at loop setup/mount time but not thereafter." (see losetup(8)). This is supposed to be more secure, since every guess at the passphrase costs the attacker those same iterations.
- Using -S 'seed' (replace "seed" with a secret string like "g7sN4" or something) should make brute force attacks a bit harder. Don't forget the seed: you need it again at every mount.
- You'll be asked for a passphrase of more than 20 characters. Choose a good one. Don't forget it!
- Create the filesystem (I used ext3): mke2fs -j /dev/loop0
- Detach the loopback device: losetup -d /dev/loop0
- Add this to /etc/fstab:
/dev/sda3 /mnt/crypted_sda3 ext3 noauto,loop=/dev/loop0,encryption=AES256,itercountk=3 0 0
- Mount the (now encrypted) partition by supplying the seed and entering the chosen password: mount -o pseed=seed /mnt/crypted_sda3
- Done. You can now copy stuff to /mnt/crypted_sda3 which will be encrypted automatically.
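To avoid typing the steps above by hand (and to avoid shredding a disk before finding out the passphrase is too short or the device is still mounted), here is an added wrapper script that is not part of the original post. It assumes loop-aes-utils is installed (losetup with -e/-C/-S/-p and mount with encryption=); the device, loop device and mountpoint default to the ones used above and can be overridden through the environment.

```sh
#!/bin/sh
# Added wrapper for the loop-AES steps above; not the post author's code.
# Assumes loop-aes-utils is installed (losetup with -e/-C/-S/-p, mount
# with encryption=). Defaults are the post's device names; override via env.
DEVICE=${DEVICE:-/dev/sda3}
LOOPDEV=${LOOPDEV:-/dev/loop0}
MNT=${MNT:-/mnt/crypted_sda3}
ITERK=${ITERK:-3}   # -C 3 / itercountk=3: 3000 AES-256 iterations on the key

# loop-AES losetup rejects passphrases shorter than 20 characters. Checking
# before shred runs means a rejected passphrase never leaves a wiped disk behind.
check_passphrase() {
    [ "${#1}" -ge 20 ]
}

# The /etc/fstab line from the post, built from the same variables that are
# passed to losetup so the mount options can never drift from the setup.
fstab_entry() {
    printf '%s %s ext3 noauto,loop=%s,encryption=AES256,itercountk=%s 0 0\n' \
        "$DEVICE" "$MNT" "$LOOPDEV" "$ITERK"
}

# Refuse to touch anything that is not a block device, is mounted, is already
# in fstab, or whose loop device is attached (losetup DEV exits 0 if attached).
preflight() {
    [ -b "$DEVICE" ] || { echo "$DEVICE: not a block device" >&2; return 1; }
    if grep -q "^$DEVICE " /proc/mounts; then
        echo "$DEVICE is mounted, unmount it first" >&2; return 1
    fi
    if losetup "$LOOPDEV" >/dev/null 2>&1; then
        echo "$LOOPDEV is already attached" >&2; return 1
    fi
    if grep -q " $MNT " /etc/fstab; then
        echo "$MNT is already in /etc/fstab" >&2; return 1
    fi
}

setup() {
    preflight || return 1
    printf 'seed: '; read -r SEED
    printf 'passphrase (20+ chars): '; stty -echo; read -r PASS; stty echo; echo
    check_passphrase "$PASS" || { echo "passphrase too short" >&2; return 1; }
    shred -n 1 -v "$DEVICE"
    # -p 0: loop-AES losetup reads the passphrase from stdin instead of the tty
    printf '%s\n' "$PASS" | losetup -e aes256 -C "$ITERK" -S "$SEED" -p 0 "$LOOPDEV" "$DEVICE"
    mke2fs -j "$LOOPDEV" && losetup -d "$LOOPDEV"
    mkdir -p "$MNT" && fstab_entry >> /etc/fstab
}
case "${1:-}" in run) setup ;; esac
```

Run it as root with the single argument "run"; afterwards the partition is mounted exactly as in the step above, with mount -o pseed=seed /mnt/crypted_sda3.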
For a more detailed guide read the Encrypted-Root-Filesystem-HOWTO. A performance comparison of different ciphers is available, but in general I didn't notice too much of a slow-down because of the encryption...