In this article, I'll describe a procedure for preparing a brand-new USB flash drive for use. First we'll securely erase all the data on the drive, then we'll encrypt the entire drive, and--finally--we'll check the drive for bad blocks.
Ah, remember the good ol' days of spinning disks? When your OS could tell your hard *disk* to shred a specific sector? Like it or not, those days are gone in the land of USB flash volumes: the flash controller's wear levelling remaps logical sectors to physical cells behind the OS's back, so an overwrite of sector N may never touch the cells that held the old data.
There are a lot of great reads on the complications of securely erasing data on a USB thumb drive. Unfortunately, many of the techniques are not universal to all technologies or manufacturers. Consequently, my approach is more ignorant, straightforward, and broad (at the risk of causing these cheap USB drives to fail sooner & the process taking longer):
- First, I make sure never to write any unencrypted data to the disk
- Second, when I want to wipe the disk, I fill it entirely with random data
Below are the commands that I use to prepare a new USB drive for my use immediately after purchase. These commands are presented as a rough guide; they're mostly idempotent, but you probably want to copy & paste them one command at a time until you've followed this procedure a few times & know what to expect.
```bash
# first, become root & assign this var to the device we're dealing with
# (everything below runs in the root shell that `sudo su -` opens)
sudo su -
shredDevice="/dev/sde"

# make temporary mount dir
tmpDir="$(/bin/mktemp -d -p '/mnt')"
shredMount="${tmpDir}"

# unique name without slashes in it (for log files, the device-mapper name, etc)
uniqueName="$(echo "${shredMount:1:(-1)}" | tr '/' '-')"

# attempt to mount (if this fails, you'll have to proceed manually--perhaps with per-partition mount & shredding)
umount "${shredDevice}"
umount "${shredMount}"
umount "/dev/mapper/${uniqueName}"
mount "${shredDevice}" "${shredMount}"

# verify before proceeding that this isn't blank
echo "${shredDevice}"
echo "${tmpDir}"
echo "${shredMount}"

# verify contents match what's expected in thunar
ls -lah "${shredMount}"

# delete all existing files (srm -l = the faster, two-pass mode)
srm -v -f -l -r "${shredMount}/"
# do it a second pass, because it sometimes errors-out at the end & needs a double-tap to finish properly (yes, yes--but this works)
srm -v -f -l -r "${shredMount}/"

# make sure it's all been applied
sync "${shredMount}/"

# create new, temp fs on device directly (no partitions)
umount "${shredMount}"
mkfs.ext4 -j -F -v "${shredDevice}"

# mount it & fill all free space with random data
mount "${shredDevice}" "${shredMount}"
sfill -v -f -l "${shredMount}/"

# make sure it's all been applied
sync "${shredMount}/"

# verify it's empty
ls -lah "${shredMount}"

# umount
umount "${shredMount}"

# create encrypted luks volume on the entire device (prompts for the passphrase)
cryptsetup luksFormat "${shredDevice}"

# decrypt the new encrypted volume
cryptsetup luksOpen "${shredDevice}" "${uniqueName}"

# create a new FS on the entire drive + check for bad blocks (-c -c = read-write badblocks test)
mkfs.ext4 -j -F -v -c -c "/dev/mapper/${uniqueName}"
e2fsck -v "/dev/mapper/${uniqueName}"

# close the encrypted volume
cryptsetup luksClose "/dev/mapper/${uniqueName}"

# cleanup
rm -rf "${tmpDir}"
```
And below are the commands I use when I want to securely erase the (already encrypted) data on a drive that's already been set up following the guide above:
```bash
# first, become root & assign this var to the device we're dealing with
# (everything below runs in the root shell that `sudo su -` opens)
sudo su -
shredDevice="/dev/sde"

# make temporary mount dir
tmpDir="$(/bin/mktemp -d -p '/mnt')"
shredMount="${tmpDir}"

# unique name without slashes in it (for log files, the device-mapper name, etc)
uniqueName="$(echo "${shredMount:1:(-1)}" | tr '/' '-')"

# verify before proceeding that this isn't blank
echo "${shredDevice}"
echo "${tmpDir}"
echo "${shredMount}"

# attempt to mount (if this fails, you'll have to proceed manually--perhaps with per-partition mount & shredding)
cryptsetup luksOpen "${shredDevice}" "${uniqueName}"
umount "${shredDevice}"
umount "${shredMount}"
umount "/dev/mapper/${uniqueName}"
mount "/dev/mapper/${uniqueName}" "${shredMount}"

# check contents
ls -lah "${shredMount}"

# delete what's already there
srm -v -f -l -r "${shredMount}/"
sync "${shredMount}/"
# do it a second pass, because it sometimes errors-out at the end & needs a double-tap to finish properly (yes, yes--but this works)
srm -v -f -l -r "${shredMount}/"
sync "${shredMount}/"

# then secure-ish wipe: fill all free space with random data
sfill -v -f -l "${shredMount}/"
sync "${shredMount}/"

# use badblocks through the e2fsck command using read-write (-c -c)
umount "/dev/mapper/${uniqueName}"
e2fsck -v -c -c "/dev/mapper/${uniqueName}"
# flush everything (sync takes no trailing slash on a block device)
sync

# exit cleanly
cryptsetup luksClose "/dev/mapper/${uniqueName}"
rm -rf "${tmpDir}"
```
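Neither the setup script nor the wipe script above checks its own result. The function below is an added example, not code from the original post: after the `sfill` or `luksFormat` steps it spot-checks a device (or a disk image) by sampling 4 KiB blocks spread across it and seeing whether gzip can shrink them, since random and LUKS-encrypted data does not compress while zeros, leftover plaintext and filesystem metadata do. The names `dev_size` and `wipe_check`, the 4 KiB sample size and the 95% threshold are my own choices.

```bash
#!/usr/bin/env bash
# Spot-check that a wiped device holds no recognizable structure.
# Usage (as root): wipe_check /dev/sde 64   -> exit 0 if all 64 samples look random
set -u

# Size in bytes: blockdev handles /dev/sdX (needs root), stat handles image files.
dev_size() {
    blockdev --getsize64 "$1" 2>/dev/null || stat -c %s "$1"
}

# wipe_check DEVICE [SAMPLES=16] [THRESHOLD=95]
# Reads SAMPLES 4 KiB blocks evenly spaced over DEVICE. A block that gzip can
# shrink below THRESHOLD percent of its size is reported as "not random".
# Returns 0 when every sample looks random, 1 otherwise, 2 on a read error.
wipe_check() {
    local dev=$1 samples=${2:-16} threshold=${3:-95}
    local size blocks step i idx ratio tmp bad=0
    size=$(dev_size "$dev") || return 2
    blocks=$(( size / 4096 ))
    [ "$blocks" -gt 0 ] || return 2
    step=$(( blocks / samples ))
    [ "$step" -gt 0 ] || step=1
    tmp=$(mktemp)
    i=0
    while [ "$i" -lt "$samples" ] && [ $(( i * step )) -lt "$blocks" ]; do
        idx=$(( i * step ))
        dd if="$dev" of="$tmp" bs=4096 skip="$idx" count=1 2>/dev/null || { rm -f "$tmp"; return 2; }
        # integer percentage: compressed size * 100 / raw size
        ratio=$(( $(gzip -c < "$tmp" | wc -c) * 100 / $(wc -c < "$tmp") ))
        if [ "$ratio" -lt "$threshold" ]; then
            echo "block ${idx} compresses to ${ratio}% of its size: not random"
            bad=1
        fi
        i=$(( i + 1 ))
    done
    rm -f "$tmp"
    return "$bad"
}
```

A LUKS device should pass this check from the first block onward (the LUKS header itself is not random, so expect a report for block 0 on the raw `/dev/sde`, but none on `/dev/mapper/…`).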
Hi, I'm Michael Altfield. I write articles about opsec, privacy, and devops.