Michael Altfield

New Thumb Drive Encryption Procedure

In this article, I'll describe a procedure for preparing a brand-new USB flash drive for use. First we'll securely erase all the data on the drive, then we'll encrypt the entire drive, and--finally--we'll check the drive for bad blocks.

Ah, remember the good-ole days of spinning disks? When your OS could tell your hard *disk* to overwrite a specific sector and trust that the old bits were gone? Like it or not, those days are gone in the land of USB flash volumes: the drive's controller does wear-leveling behind your back, so the logical sector you overwrite is not necessarily the physical cell that held the old data.

There are plenty of good reads on the complications of securely erasing data from a USB thumb drive. Unfortunately, most of the techniques are specific to particular flash technologies or manufacturers. Consequently, my approach is deliberately ignorant of the hardware, straightforward, and broad (at the cost of a longer process and of wearing out these cheap USB drives sooner):

  1. First, I never write any unencrypted data to the drive
  2. Second, when I want to wipe the drive, I fill it entirely with random data

Rule 1 is what does the real work: even a full overwrite cannot reach the spare blocks a flash controller holds back for wear-leveling, but if those blocks only ever held ciphertext, whatever survives there is useless without the key. Rule 2 is the belt-and-braces on top of that.

Below are the commands that I use to prepare a new USB drive for my use immediately after purchase. These commands are presented as a rough guide; they're mostly idempotent, but you probably want to copy & paste them one command at a time until you've followed this procedure a few times & know what to expect.

# first, become root & point this var at the device we're dealing with (double-check it with `lsblk` first!)
sudo su -
shredDevice="/dev/sde"

# make temporary mount dir
tmpDir="$(/bin/mktemp -d -p '/mnt')"
shredMount="${tmpDir}"

# unique name without slashes in it (for the dm-crypt mapping, log files, etc), e.g. /mnt/tmp.AbCdEf -> mnt-tmp.AbCdEf
uniqueName="$(printf '%s' "${shredMount#/}" | tr '/' '-')"

# attempt to mount (if this fails, you'll have to proceed manually--perhaps with per-partition mount & shredding)
# the umounts are expected to complain if nothing is mounted yet
umount "${shredDevice}"
umount "${shredMount}"
umount "/dev/mapper/${uniqueName}"
mount "${shredDevice}" "${shredMount}"

# verify before proceeding that these aren't blank
echo "${shredDevice}"
echo "${tmpDir}"
echo "${shredMount}"

# verify contents match what's expected in Thunar
ls -lah "${shredMount}"

# delete all existing files (-l = fewer overwrite passes than srm's very slow default)
srm -v -f -l -r "${shredMount}/"

# do a second pass, because it sometimes errors-out at the end (likely because it tries to remove the mount point directory itself, which can't be done) & needs a double-tap to finish properly (yes, yes--but this works)
srm -v -f -l -r "${shredMount}/"

# make sure it's all been flushed to the device
sync "${shredMount}/"

# create new, temp fs on device directly (no partitions)
umount "${shredMount}"
mkfs.ext4 -j -F -v "${shredDevice}"

# mount it & fill all the free space so every block gets overwritten
mount "${shredDevice}" "${shredMount}"
sfill -v -f -l "${shredMount}/"

# make sure it's all been flushed to the device
sync "${shredMount}/"

# verify it's empty
ls -lah "${shredMount}"

# umount
umount "${shredMount}"

# create encrypted luks volume on the entire device
cryptsetup luksFormat "${shredDevice}"

# decrypt the new encrypted volume
cryptsetup luksOpen "${shredDevice}" "${uniqueName}"

# create a new FS on the entire drive + check for bad blocks (-c -c = read-write test; done through dm-crypt, this also covers the drive in ciphertext)
mkfs.ext4 -j -F -v -c -c "/dev/mapper/${uniqueName}"
e2fsck -f -v "/dev/mapper/${uniqueName}"

# close the encrypted volume
cryptsetup luksClose "/dev/mapper/${uniqueName}"

# cleanup
rm -rf "${tmpDir}"

And below are the commands I use when I want to securely erase the (already encrypted) data on a drive that's already been set up following the guide above:

# first, become root & point this var at the device we're dealing with (double-check it with `lsblk` first!)
sudo su -
shredDevice="/dev/sde"

# make temporary mount dir
tmpDir="$(/bin/mktemp -d -p '/mnt')"
shredMount="${tmpDir}"

# unique name without slashes in it (for the dm-crypt mapping, log files, etc), e.g. /mnt/tmp.AbCdEf -> mnt-tmp.AbCdEf
uniqueName="$(printf '%s' "${shredMount#/}" | tr '/' '-')"

# verify before proceeding that these aren't blank
echo "${shredDevice}"
echo "${tmpDir}"
echo "${shredMount}"

# unlock & attempt to mount (if this fails, you'll have to proceed manually--perhaps with per-partition mount & shredding)
cryptsetup luksOpen "${shredDevice}" "${uniqueName}"

# the umounts are expected to complain if nothing is mounted yet
umount "${shredDevice}"
umount "${shredMount}"
umount "/dev/mapper/${uniqueName}"
mount "/dev/mapper/${uniqueName}" "${shredMount}"

# check contents
ls -lah "${shredMount}"

# delete what's already there
srm -v -f -l -r "${shredMount}/"
sync "${shredMount}/"

# do a second pass, because it sometimes errors-out at the end (likely because it tries to remove the mount point directory itself, which can't be done) & needs a double-tap to finish properly (yes, yes--but this works)
srm -v -f -l -r "${shredMount}/"
sync "${shredMount}/"

# then secure-ish wipe: fill the free space (written through dm-crypt, so the drive only ever sees ciphertext)
sfill -v -f -l "${shredMount}/"
sync "${shredMount}/"

# use badblocks through the e2fsck command with the read-write test (the fs must be unmounted for this)
umount "/dev/mapper/${uniqueName}"
e2fsck -f -v -c -c "/dev/mapper/${uniqueName}"
sync

# exit cleanly
cryptsetup luksClose "/dev/mapper/${uniqueName}"
rm -rf "${tmpDir}"
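The two command lists above, as one added example script that is not part of the original post: the same prepare and wipe procedures wrapped in functions, with the sanity checks I'd want before pointing srm, sfill and luksFormat at a block device. The function names (mapper_name_for, is_whole_disk_path, target_ok, check_target, prepare_new_drive, wipe_encrypted_drive), the THUMB_DEVICE/ACTION/DRY_RUN variables and the sample lsblk values are my own assumptions; the tools it calls (secure-delete's srm and sfill, cryptsetup, e2fsprogs, util-linux's lsblk and findmnt) are real but must be installed, and the destructive parts need root.

```bash
#!/usr/bin/env bash
# Added example, not the original post's commands: the prepare/wipe procedure
# as functions, guarded by checks that the target really is an unmounted,
# removable whole disk that does not back the root filesystem.
# Needs root plus secure-delete (srm, sfill), cryptsetup, e2fsprogs, util-linux.
# DRY_RUN=1 prints each destructive command instead of running it.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# dm-crypt mapping name from the mount dir: /mnt/tmp.AbCd -> mnt-tmp.AbCd
# (drops only the leading slash, nothing from the end of the name)
mapper_name_for() {
    printf '%s\n' "${1#/}" | tr '/' '-'
}

# Only a whole SCSI/USB disk node (/dev/sde), never a partition (/dev/sde1):
# the procedure uses the entire device as the LUKS container.
is_whole_disk_path() {
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][a-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# Refusal logic on one `lsblk -dnro TYPE,RM,MOUNTPOINT` row plus the device
# backing / (kept free of side effects so it can be exercised with made-up
# values): must be a removable disk, unmounted, and not the root disk.
target_ok() {
    dev="$1"; devtype="$2"; removable="$3"; mnt_point="$4"; rootdev="$5"
    [ "$devtype" = "disk" ] || { echo "refusing $dev: not a disk" >&2; return 1; }
    [ "$removable" = "1" ]  || { echo "refusing $dev: not removable" >&2; return 1; }
    [ -z "$mnt_point" ]     || { echo "refusing $dev: mounted at $mnt_point" >&2; return 1; }
    case "$rootdev" in
        "$dev"*) echo "refusing $dev: it backs /" >&2; return 1 ;;
    esac
    return 0
}

# Gather the real values. findmnt reports the mapper device for LVM/LUKS roots,
# so the root-disk check only catches a plain-partition root; still eyeball
# `lsblk` yourself before trusting any of this.
check_target() {
    dev="$1"
    is_whole_disk_path "$dev" || { echo "refusing $dev: expected /dev/sdX" >&2; return 1; }
    set -- $(lsblk -dnro TYPE,RM,MOUNTPOINT "$dev")
    target_ok "$dev" "${1:-}" "${2:-}" "${3:-}" "$(findmnt -no SOURCE /)"
}

prepare_new_drive() {
    dev="$1"
    check_target "$dev"
    mnt="$(mktemp -d -p /mnt)"
    name="$(mapper_name_for "$mnt")"
    # overwrite whatever came from the factory: scratch fs on the raw device,
    # then fill its free space so every logical block gets written once
    run mkfs.ext4 -F -q "$dev"
    run mount "$dev" "$mnt"
    run sfill -f -l "$mnt"
    run sync
    run umount "$mnt"
    # LUKS over the whole device; the inner fs gets a read-write badblocks
    # pass (-c -c), which through dm-crypt also blankets the drive in ciphertext
    run cryptsetup luksFormat "$dev"
    run cryptsetup open "$dev" "$name"
    run mkfs.ext4 -F -c -c "/dev/mapper/$name"
    run e2fsck -f -v "/dev/mapper/$name"
    run cryptsetup close "$name"
    rmdir "$mnt"
}

wipe_encrypted_drive() {
    dev="$1"
    check_target "$dev"
    mnt="$(mktemp -d -p /mnt)"
    name="$(mapper_name_for "$mnt")"
    run cryptsetup open "$dev" "$name"
    run mount "/dev/mapper/$name" "$mnt"
    run srm -f -l -r "$mnt/" || true   # srm cannot rmdir the mount point itself; that final error is expected
    run sfill -f -l "$mnt"
    run sync
    run umount "$mnt"
    run e2fsck -f -c -c "/dev/mapper/$name"
    run cryptsetup close "$name"
    rmdir "$mnt"
}

# e.g. DRY_RUN=1 THUMB_DEVICE=/dev/sde ACTION=wipe ./thumb.sh
if [ -n "${THUMB_DEVICE:-}" ]; then
    case "${ACTION:-prepare}" in
        prepare) prepare_new_drive "$THUMB_DEVICE" ;;
        wipe)    wipe_encrypted_drive "$THUMB_DEVICE" ;;
        *) echo "ACTION must be prepare or wipe" >&2; exit 2 ;;
    esac
fi
```

Rehearse with DRY_RUN=1 first so you see the exact commands that would hit the device; target_ok is kept separate from check_target so the refusal rules can be tried with made-up lsblk values before a drive is ever plugged in.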
