Michael Altfield

New Thumb Drive Encryption Procedure

In this article, I’ll describe a procedure for preparing a brand-new USB flash drive for use. First we’ll securely erase all the data on the drive, then we’ll encrypt the entire drive, and–finally–we’ll check the drive for bad blocks.

Ah, remember the good-ole days of spinning disks? When your OS could tell your hard *disk* to shred a specific sector? Like it or not, those days are gone in the land of USB flash volumes.

There are a lot of great reads on the complications of securely erasing data on a USB thumb drive. The root of the problem is that a flash controller remaps writes across its cells for wear levelling, so the host cannot address the physical cells a file once occupied, and overwriting a file in place is no guarantee that its old contents are gone. Unfortunately, a lot of the techniques are not universal to all technologies or manufacturers. Consequently, my approach is more ignorant, straightforward, and broad (at the risk of causing these cheap USB drives to fail sooner and the process taking longer):

  1. First, I make sure never to write any unencrypted data to the drive
  2. Second, when I want to wipe the disk, I fill it entirely with random data

Below are the commands that I use to prepare a new usb drive for my use immediately after purchase. These commands are presented as a rough guide; they’re mostly idempotent, but you probably want to copy & paste them one-command-at-a-time until you’ve followed this procedure a few times & know what to expect.

# first, become root & assign this var to the device we're dealing with (confirm it with lsblk or dmesg first: pointing this at the wrong device wipes the wrong drive)
sudo su -
shredDevice="/dev/sde"

# make temporary mount dir
tmpDir="`/bin/mktemp -d -p '/mnt'`"
shredMount="${tmpDir}"

# unique name without slashes in it (used as the mapper name, for log files, etc); strip only the leading slash (${shredMount:1:(-1)} would also drop the last character of the mktemp name)
uniqueName="$(echo "${shredMount#/}" | tr '/' '-')"

# attempt to mount (if this fails, you'll have to proceed manually--perhaps with per-partition mount & shredding)
umount "${shredDevice}"
umount "${shredMount}"
umount "/dev/mapper/${uniqueName}"
mount "${shredDevice}" "${shredMount}" 

# verify before proceeding that none of these are blank
echo "${shredDevice}"
echo "${tmpDir}"
echo "${shredMount}"

# verify contents match what's expected in thunar
ls -lah "${shredMount}"

# delete all existing files
srm -v -f -l -r "${shredMount}/"

# do a second pass, because it sometimes errors out at the end & needs a double-tap to finish properly (yes, yes--but this works)
srm -v -f -l -r "${shredMount}/"

# make sure it's all been applied
sync "${shredMount}/"

# create new, temp fs on device directly (no partitions)
umount "${shredMount}"
mkfs.ext4 -j -F -v "${shredDevice}"

# mount it & fill it up
mount "${shredDevice}" "${shredMount}"
sfill -v -f -l "${shredMount}/"

# make sure it's all been applied
sync "${shredMount}/"

# verify it's empty
ls -lah "${shredMount}"

# umount
umount "${shredMount}"

# create encrypted luks volume on the entire device
cryptsetup luksFormat "${shredDevice}"

# decrypt the new encrypted volume
cryptsetup luksOpen "${shredDevice}" "${uniqueName}"

# create a new FS on the entire drive + check for bad blocks
mkfs.ext4 -j -F -v -c -c "/dev/mapper/${uniqueName}"
e2fsck -v "/dev/mapper/${uniqueName}"

# umount
cryptsetup luksClose "/dev/mapper/${uniqueName}"

# cleanup
rm -rf "${tmpDir}"
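
The same prepare-a-new-drive procedure, wrapped in functions with the guard checks that the echo lines above leave to your eyes. This is an added example and not the post's own script: the function names (mapper_name, is_mounted, is_removable, refuse_unless_safe, prepare_drive) are mine, the device and mapper name are arguments rather than the hard-coded /dev/sde, and it substitutes a raw-device random fill from /dev/urandom for the temporary ext4 plus sfill steps. The sysfs "removable" flag, the /proc/mounts format and the cryptsetup, mke2fs and e2fsck options it uses are real; the mounts file and sysfs root are parameters only so the checks can be exercised without a drive attached.

```shell
#!/bin/sh
# Added example, not the post's own script: the prepare-a-new-drive
# procedure wrapped in functions with guard checks. Run as root; the
# device and mapper name are arguments (nothing is hard-coded to
# /dev/sde). Sourced or run without arguments it only defines functions.
set -u

# Name for the dm mapping and log files: the mount point with its leading
# slash removed and the remaining slashes turned into dashes. (The original
# ${var:1:(-1)} also chops the last character of the mktemp name.)
mapper_name() {
    printf '%s\n' "${1#/}" | tr '/' '-'
}

# True if DEV or any partition of it (DEV1, DEVp1, ...) appears in MOUNTS,
# a file in /proc/mounts format (defaults to the real one).
is_mounted() {
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# True if the kernel flags DEV as removable, i.e. /sys/block/<dev>/removable
# reads 1. SYSROOT (default /sys) lets a test point at a constructed tree.
is_removable() {
    flag="${2:-/sys}/block/${1#/dev/}/removable"
    [ -f "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# Refuse unless DEV is a block device, is not mounted and is removable:
# the three ways "shredDevice" most often ends up pointing at the wrong disk.
refuse_unless_safe() {
    dev=$1; mounts=${2:-/proc/mounts}; sysroot=${3:-/sys}
    [ -b "$dev" ] || { echo "$dev: not a block device" >&2; return 1; }
    if is_mounted "$dev" "$mounts"; then
        echo "$dev (or a partition of it) is mounted; unmount it first" >&2; return 1
    fi
    if ! is_removable "$dev" "$sysroot"; then
        echo "$dev: kernel does not flag it removable; refusing" >&2; return 1
    fi
}

# Wipe, encrypt and check DEV, opening it as /dev/mapper/NAME. Instead of a
# temporary ext4 plus sfill this writes random bytes over the raw device
# (exactly its size, so dd never has to run into ENOSPC). On flash that is
# still only the logical address space, so the rule "never write plaintext
# to it" carries the real weight.
prepare_drive() {
    dev=$1; name=$2
    refuse_unless_safe "$dev" || return 1
    size=$(blockdev --getsize64 "$dev") || return 1
    head -c "$size" /dev/urandom |
        dd of="$dev" bs=4M iflag=fullblock conv=fsync || return 1

    # LUKS2 over the whole device, explicit cipher and key size, passphrase
    # typed twice so a typo cannot lock you out of a fresh drive.
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 \
        --verify-passphrase "$dev" || return 1
    cryptsetup open "$dev" "$name" || return 1

    # ext4 inside the mapping with the slow read-write badblocks pass (-c -c),
    # then a forced read-only fsck, then close the mapping.
    mkfs.ext4 -F -c -c "/dev/mapper/$name" || { cryptsetup close "$name"; return 1; }
    e2fsck -fn "/dev/mapper/$name"
    cryptsetup close "$name"
}

# Usage (as root): ./prep-drive.sh /dev/sdX "$(mapper_name "$(mktemp -d -p /mnt)")"
if [ "$#" -eq 2 ]; then
    prepare_drive "$1" "$2"
fi
```

The three checks run before anything is written, and each one names the reason it refused; the is_mounted prefix match deliberately also catches partitions of the device, since a mounted /dev/sde1 is just as much a reason to stop as a mounted /dev/sde.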

A drive set up this way has only ever held LUKS ciphertext, so the srm and sfill passes below are defence in depth: what keeps the old contents unreadable is that the key never leaves the LUKS header, which is also why the header and its key slots are the thing to destroy if you want the data gone for good. With that said, below are the commands I use when I want to securely erase the (already encrypted) data on a drive that has already been set up following the guide above:

# first, become root & assign this var to the device we're dealing with (confirm it with lsblk or dmesg first: pointing this at the wrong device wipes the wrong drive)
sudo su -
shredDevice="/dev/sde"

# make temporary mount dir
tmpDir="`/bin/mktemp -d -p '/mnt'`"
shredMount="${tmpDir}"

# unique name without slashes in it (used as the mapper name, for log files, etc); strip only the leading slash (${shredMount:1:(-1)} would also drop the last character of the mktemp name)
uniqueName="$(echo "${shredMount#/}" | tr '/' '-')"

# verify before proceeding that none of these are blank
echo "${shredDevice}"
echo "${tmpDir}"
echo "${shredMount}"

# attempt to mount (if this fails, you'll have to proceed manually--perhaps with per-partition mount & shredding)
cryptsetup luksOpen "${shredDevice}" "${uniqueName}"

umount "${shredDevice}"
umount "${shredMount}"
umount "/dev/mapper/${uniqueName}"
mount "/dev/mapper/${uniqueName}" "${shredMount}"

# check contents
ls -lah "${shredMount}"

# delete what's already there
srm -v -f -l -r "${shredMount}/"
sync "${shredMount}/"

# do a second pass, because it sometimes errors out at the end & needs a double-tap to finish properly (yes, yes--but this works)
srm -v -f -l -r "${shredMount}/"
sync "${shredMount}/"

# then secure-ish wipe
sfill -v -f -l "${shredMount}/"
sync "${shredMount}/"

# use badblocks through the e2fsck command using read-write
umount "/dev/mapper/${uniqueName}"
e2fsck -v -c -c "/dev/mapper/${uniqueName}"
sync

# exit cleanly
cryptsetup luksClose "/dev/mapper/${uniqueName}"
rm -rf "${tmpDir}"
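
An added example, not the post's own script, for the erase case above: it takes the route the LUKS layer makes possible, wiping every key slot and then overwriting the header region with random bytes, instead of srm and sfill inside the opened volume, and then checks the result. The function names (distinct_bytes, has_luks_magic, looks_random, erase_encrypted_drive), the 4096-byte sample size and the 250-distinct-values threshold are my choices; cryptsetup isLuks, luksErase and luksHeaderBackup, the "LUKS" header magic and badblocks -n are real. The checks work on any file, so they can be exercised on constructed inputs without a drive.

```shell
#!/bin/sh
# Added example, not the post's own script: erase a drive that was set up
# as above by destroying the LUKS key slots and header, then check that
# the start of the device reads as random data. Run as root; the device is
# an argument. Without arguments it only defines functions.
set -u

SAMPLE=4096   # bytes inspected from the start of the device

# Number of distinct byte values in the first N bytes of FILE (at most 256).
distinct_bytes() {
    head -c "$2" "$1" | od -An -tx1 -v | tr -s ' \n' '\n' | grep . | sort -u | wc -l | tr -d ' '
}

# True if FILE starts with the "LUKS" magic of a LUKS1/LUKS2 header.
has_luks_magic() {
    [ "$(head -c 4 "$1" | tr -d '\0')" = "LUKS" ]
}

# True if the start of FILE carries no LUKS header and has the byte spread
# of random data: 4096 random bytes miss fewer than 7 of the 256 values
# with overwhelming probability, while a zeroed or plaintext region does not.
looks_random() {
    has_luks_magic "$1" && return 1
    [ "$(distinct_bytes "$1" "$SAMPLE")" -ge 250 ]
}

# Erase DEV: every key slot is wiped, then the header region is overwritten
# with random bytes so not even the keyless metadata survives. 16 MiB covers
# the default LUKS1 and LUKS2 header areas; check "Data offset" in
# "cryptsetup luksDump" if the drive was formatted with non-default options.
# Run "cryptsetup luksHeaderBackup" first only if you might want the data
# back; here the point is that nobody, including you, ever can.
erase_encrypted_drive() {
    dev=$1
    cryptsetup isLuks "$dev" || { echo "$dev is not LUKS; use the full wipe" >&2; return 1; }
    cryptsetup luksErase "$dev" || return 1
    dd if=/dev/urandom of="$dev" bs=1M count=16 conv=fsync || return 1
    looks_random "$dev" || { echo "$dev: header region still not random" >&2; return 1; }
    # Non-destructive read-write badblocks pass: the equivalent of the post's
    # e2fsck -c -c now that there is no filesystem to run it through.
    badblocks -nsv "$dev"
}

# Usage (as root): ./erase-drive.sh /dev/sdX
if [ "$#" -eq 1 ]; then
    erase_encrypted_drive "$1"
fi
```

looks_random is a cheap sanity check, not a proof: it catches the failure modes that matter here (the header is still in place, or the overwrite never happened and the region is zeros), and a region that passes it could still be anything that is not plaintext or a LUKS header.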
