Encrypting external hard drive partition.

Hi,

I have an external USB hard drive that I would like to use as a backup.
My “old” Maxtor USB/FireWire is very fast and useful, but it is not encrypted.

My idea is to use dm-crypt and cryptsetup/LUKS and make an ext3 partition that mounts only with a password.
This would be sufficient for protecting data.

Has anyone tried this before?
How does the USB drive behave when mounting after the encryption process? Does it automount and ask for the password?
Or does it have to be done manually with luksOpen?

Regards,
Pedro

I am running two encrypted disks, but internal ones. The idea would be to have that disk identified by its UUID. Also, if I’m not wrong, if You remove the disk (after mounting it etc.) and try to boot without it, then You’ll encounter problems. I may be wrong, but it will be asking You for the passphrase and You’ll have three options:

  1. Forget it immediately
  2. Remember until logout
  3. Remember indefinitely (it’s kinda stupid as You want it to be secure, right?)

Hi,

I do not want an encrypted disk.
I want just an encrypted partition …

I also have my internal 500GB hard drive partitions encrypted.
But the boot process is not configured to boot using UUID as mentioned in:

Encrypted Root File System - openSUSE

it is the normal device name.
Mapper will also detect whatever is encrypted.
But this is at boot time …
I was wondering what happens during usb connection …

Also, if I’m not wrong, if You remove the disk (after mounting it etc.) and try to boot without it, then You’ll encounter problems.

Why?

I may be wrong, but it will be asking You for the passphrase and You’ll have three options:

  1. Forget it immediately
  2. Remember until logout
  3. Remember indefinitely (it’s kinda stupid as You want it to be secure, right?)

Option 3) is really a no go :slight_smile: !

My problem with the encrypted partitions is just the manual mount. It is not really a problem actually! But the convenience of mounting automatically is precious.

Regards,
Pedro

The problem with booting is simple: /etc/fstab is not correct to what is available.

And by disks I naturally meant partitions :slight_smile: since there is ALMOST no real difference :smiley:

Hi,

Hummm … you are right, that is indeed the case …
On my laptop I will put a /dev/mapper entry … but the problem is still mounting the disk (luksOpen) … I have a strong feeling this can only be mounted on the shell …

And by disks I naturally meant partitions :slight_smile: since there is ALMOST no real difference :smiley:

:slight_smile: Indeed … Why make things so complex :slight_smile:

Oh, googling around I found that the good Ubuntu folks have made some progress …

https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorageOnHardy

Regards,
Pedro

but the problem is still mounting the disk (luksOpen) … I have a strong feeling this can only be mounted on the shell

What do You mean by that? I’m using GNOME and it automatically asks me if I want to mount it (after setting it up with dm-crypt etc.). Set it up once and forget :D??
I was afraid in the beginning that if I had to reinstall the system then I would lose all the data (a guy convinced me pretty much about that :)). But now I know everything is stored on the encrypted disk :slight_smile: I read a bit about how LUKS works so it’s better now :)

Hi,

Ok, I use KDE, I will check that stuff …

Meanwhile looking at the link:
https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorageOnHardy

There is a dmesg list that detects a 500GB hdd disk … and the author refers to TWO days of encryption, I hope it is a /dev/random process … not the one I intend to use …

Also I have a 1TB external drive … :open_mouth:

I was afraid in the beginning that if I had to reinstall the system then I would lose all the data (a guy convinced me pretty much about that :)). But now I know everything is stored on the encrypted disk. I read a bit about how LUKS works so it’s better now :)

Yeah …
I also had some problems with custom kernels compiled by me and the like … and I never had a problem with luksFormat partitions … even when I had to rebuild the /boot/grub/menu.lst with the correct kernel parameters…
The data is there, the partitions are there … it is just a matter of correctly opening the partitions.
I fully trust this procedure …

Regards,
Pedro

Hi,

Just finished dd if=/dev/urandom of=/dev/my_usb2.0_1TB_hdd and it took … :open_mouth:

404207 s

That is 4.67 days folks …

If someone tries this, I recommend using a PC that can remain there for 5 days and always connected to the external disk, as this is a very long process …

Regards,
Pedro

4 days WOW!!! Incredible!!!

Does it work now? How is the performance?

Also, it is not very clear to me why you should always boot with that device plugged. The encrypted drive should work in the same way on any computer, right? Any openSUSE (or possibly any Linux) should detect that it is an encrypted partition and ask for the password. Am I wrong on this? (I am not sure as I have never tried myself)
If that is correct, then these computers might not have any fstab entry. So you could just remove the fstab entry on your machine and you would not need the device plugged at boot time.

Hi,

Sorry for the late reply.

I think that is CPU time … it took about 5 days actually :open_mouth: . It finished during night time, so I can’t be precise about the actual time it took …

Does it work now? How is the performance?

Oh Yes! it Runs perfectly !
And it mounts very well, in KDE simply plug the usb cable and a pop-up asks for the password … and then it gets mounted!
Simple. (The mount dir still needs a chmod a+wr as it mounts as root wr only … I will change this … )

About performance: I did not yet run any of those performance utility commands just to check the actual specs.
What I can say right now is that I am moving some DVDs (4.4GB each) from the internal hdd to the backup and I get speeds of up to 35MB/s … usually it is like 20-25MB/s, but this is very much dependent on the file size … It gets to the 35MB/s … I think this is the hdd max transfer limit for SATA2 5400rpm (not sure).

I am also not sure if this is a performance problem, the disk I use is a Western Digital My Book, (essential edition)
I think this device uses a Western Digital Green disk … it also does not mention any speed specifications.
So quite frankly I really do not know about that specific issue.

Also, it is not very clear to me why you should always boot with that device plugged. The encrypted drive should work in the same way on any computer, right? Any openSUSE (or possibly any Linux) should detect that it is an encrypted partition and ask for the password. Am I wrong on this? (I am not sure as I have never tried myself)
If that is correct, then these computers might not have any fstab entry. So you could just remove the fstab entry on your machine and you would not need the device plugged at boot time.

Humm … Right … well I never mentioned the “boot with” the device connected.
That is not necessary … My issue was simply around the fact that the automount process could possibly not know what to do with a disk whose partition is encrypted.
But that is indeed not the case.
Like you mention, it should run and be autodetected in any Linux that contains the LUKS tools and appropriate encryption modules (SHA and the like, all current Linux distros have no problem with this).
The problem with fstab was that one …

But as I can assure: I just made a dd command and then encrypted the partitions and that’s it!
Under kde 3.5 and kde 4 OpenSuSE 11.1 64 bits … it simply just works :slight_smile:

The encryption process was simple: I just used the following commands:

First:

  • fdisk /dev/sdb … clear all partitions: with d option, then w option.
    Exit fdisk

write random data to the disk:

  • dd if=/dev/urandom of=/dev/sdb (folks, /dev/random takes even longer than urandom … )

this takes the 4.67 days +

When finished create a Linux partition:

  • fdisk /dev/sdb

created a primary partition, option n, then write, option w.

Then :

  • cryptsetup -v --key-size 256 luksFormat /dev/sdb1

Then:

  • cryptsetup luksOpen /dev/sdb1 securitybackup

Then format the new partition:
I used this advice from the Ubuntu link (for large disks):

  • mkfs -t ext3 -m 1 -O dir_index,filetype,sparse_super /dev/mapper/securitybackup

That’s it!

Regards,
Pedro
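
Added example, not part of the original posts: the desktop can prompt for the passphrase on any Linux machine, and the data survives a reinstall, because luksFormat writes a self-describing header at the start of the partition. The sketch below parses the LUKS1 on-disk header; the function names and the sample header values are constructed for illustration and are not read from a real disk.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # fixed part, 208 bytes
SLOT = struct.Struct(">II32sII")                   # one of 8 key slots, 48 bytes
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_LEN = PHDR.size + 8 * SLOT.size             # 592 bytes

def cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks_header(blob):
    """Return LUKS header fields, or None when blob does not start a LUKS volume."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", blob, 6)[0]
    if version != 1:                       # LUKS2 keeps its metadata in JSON
        return {"version": version}
    if len(blob) < HEADER_LEN:
        raise ValueError("truncated LUKS1 header")
    f = PHDR.unpack_from(blob, 0)
    states = [SLOT.unpack_from(blob, PHDR.size + i * SLOT.size)[0] for i in range(8)]
    return {
        "version": 1,
        "cipher": cstr(f[2]) + "-" + cstr(f[3]),
        "hash": cstr(f[4]),
        "payload_offset_bytes": f[5] * 512,   # where the encrypted data starts
        "key_bits": f[6] * 8,
        "uuid": cstr(f[10]),
        "active_slots": [i for i, s in enumerate(states) if s == SLOT_ENABLED],
    }

def build_sample_header():
    """Constructed header: 256-bit key, one passphrase slot in use (sample values)."""
    fixed = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 2056, 32,
                      bytes(20), bytes(32), 10, b"00000000-0000-4000-8000-000000000000")
    slots = b"".join(
        SLOT.pack(SLOT_ENABLED if i == 0 else SLOT_DISABLED, 1000, bytes(32), 8, 4000)
        for i in range(8))
    return fixed + slots

if __name__ == "__main__":
    # With a path argument (needs read access, e.g. /dev/sdb1), inspect a real device.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as dev:
            print(parse_luks_header(dev.read(HEADER_LEN)))
    else:
        print(parse_luks_header(build_sample_header()))
```

Because the passphrase slots live in this header, a backup of it made with `cryptsetup luksHeaderBackup` is worth keeping alongside the drive: a damaged header makes the partition unrecoverable even with the correct passphrase.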

Thank you for the detailed feedback and comments! Very useful explanation!

I was myself considering encrypting one of my external drives… you can never be too careful when it comes to your personal data! :slight_smile: