memorystick (128 MB)


  1. sda1: (97.9 MB) Data partition to carry encrypted data
  2. sda2: (32.0 MB) Key partition which I will use to hold the notebooks system key


$ fdisk /dev/sda

After the partitions are created its time to fill the partitions with useless data.

$ shred --verbose /dev/sda1
$ shred --verbose /dev/sda2

After that is done, we can create the encrypted data partition on sda1.

$ cryptsetup -y create memorystick /dev/sda1

If you want to use a secure key, have a look below how to use that key instead of a directly entered passphrase.

This can be verified by

$ dmsetup ls
$ cryptsetup status memorystick

which must show something like

memorystick     (254, 0)

/dev/mapper/memorystick is active:
  cipher:  aes-plain
  keysize: 256 bits
  device:  /dev/sda1
  offset:  0 sectors
  size:    191146 sectors

Now it can be formatted with

$ mkfs -t ext2 /dev/mapper/memorystick
$ tune2fs -c 0 -i 0 /dev/mapper/memorystick

Note: Do NOT use a journaling filesystem if you run your encrypted device ontop of a normal filesystem!

Quoting from Jari Ruusu on Linux-crypto:

However, if loop is file backed (ext3 → loop → ext3 → device), the underlying file system must be mounted data=journal or data=ordered. If underlying filesystem is mounted data=writeback or if it is plain old ext2, write ordering expectation by journaled filesystem (ext3, reiserfs, jfs, xfs, or whatever) on top of loop driver is not guaranteed, and journal replay may corrupt data. Use of non-journaled file systems on top of file backed loop don't have above mentioned write ordering issues, as they must be repaired using fsck, not by replaying journal.

Its much safer to use a secure key than a simple password. This key can then be used by this syntax:

$ gpg --decrypt keyfile.gpg | cryptsetup create memorystick /dev/sda1

Finally, the key partition sda2 can be formatted.

$ mkfs -t ext3 /dev/sda2
$ tune2fs -c 0 -i 0 /dev/sda2


$ gpg --decrypt keyfile.gpg | cryptsetup create memorystick /dev/sda1
$ mount /dev/mapper/memorystick /mnt


To unmount the whole security device the following steps are necessary:

$ umount /mnt
$ cryptsetup remove memorystick

FIXME we need a way to move this process into userspace.

harry/memorystick.txt · Last modified: 2004/09/09 10:39 (external edit)
Locations of visitors to this page

Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki