Partition the stick into a data partition (sda1) and a key partition (sda2):
$ fdisk /dev/sda
After the partitions are created, it is time to overwrite them with random data so that encrypted data cannot be told apart from unused space:
$ shred --verbose /dev/sda1
$ shred --verbose /dev/sda2
After that is done, we can create the encrypted data partition on sda1.
$ cryptsetup -y create memorystick /dev/sda1
If you want to use a secure key instead of a directly entered passphrase, see below for how to use it.
This can be verified by
$ dmsetup ls
$ cryptsetup status memorystick
which must show something like
memorystick (254, 0)
/dev/mapper/memorystick is active:
  cipher:  aes-plain
  keysize: 256 bits
  device:  /dev/sda1
  offset:  0 sectors
  size:    191146 sectors
Now it can be formatted with
$ mkfs -t ext2 /dev/mapper/memorystick
$ tune2fs -c 0 -i 0 /dev/mapper/memorystick
Note: Do NOT use a journaling filesystem if you run your encrypted device on top of a normal filesystem (for example a file-backed loop device)!
Quoting Jari Ruusu (jari.ruusu@pp.inet.fi) on the Linux-crypto list:
However, if loop is file backed (ext3 → loop → ext3 → device), the underlying file system must be mounted data=journal or data=ordered. If the underlying filesystem is mounted data=writeback or if it is plain old ext2, the write ordering expectation by a journaled filesystem (ext3, reiserfs, jfs, xfs, or whatever) on top of the loop driver is not guaranteed, and journal replay may corrupt data. Use of non-journaled file systems on top of file-backed loop does not have the above mentioned write ordering issues, as they must be repaired using fsck, not by replaying the journal.
It is much safer to use a secure key than a simple password. Such a key can then be used with this syntax:
$ gpg --decrypt keyfile.gpg | cryptsetup create memorystick /dev/sda1
Finally, the key partition sda2 can be formatted.
$ mkfs -t ext3 /dev/sda2
$ tune2fs -c 0 -i 0 /dev/sda2
To use the stick, open the encrypted mapping with the key and mount it:
$ gpg --decrypt keyfile.gpg | cryptsetup create memorystick /dev/sda1
$ mount /dev/mapper/memorystick /mnt
To unmount the whole security device the following steps are necessary:
$ umount /mnt
$ cryptsetup remove memorystick
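A small wrapper script that ties the open, verify, mount and unmount steps together (an added example, not from the original page; the device, mapping, key file and mount point names are assumptions taken from the commands above, and it keeps the page's legacy `cryptsetup create` syntax). It refuses to mount if the `cryptsetup status` output does not match what was set up, and it never leaves an open mapping behind when a step fails.

```shell
#!/bin/sh
# Added helper (not part of the original page): wraps the open/mount and
# unmount/remove steps above and refuses to mount a mapping whose
# `cryptsetup status` output does not look as expected.
# The names below are assumptions; adjust them to your stick.
MAPNAME=memorystick
DATA_PART=/dev/sda1
KEYFILE=keyfile.gpg
MOUNTPOINT=/mnt

# check_status: read `cryptsetup status` output on stdin; succeed only if the
# mapping is active, backed by the expected partition and using a 256-bit key.
check_status() {
    expected_dev=$1
    status=$(cat)
    printf '%s\n' "$status" | grep -q 'is active' || return 1
    printf '%s\n' "$status" | grep -q "device:[[:space:]]*$expected_dev\$" || return 1
    printf '%s\n' "$status" | grep -q 'keysize:[[:space:]]*256 bits' || return 1
}

# open_stick: decrypt the key file and pipe it straight into cryptsetup (the
# plaintext key never touches disk), verify the mapping, then mount it.
open_stick() {
    gpg --decrypt "$KEYFILE" | cryptsetup create "$MAPNAME" "$DATA_PART" || return 1
    if ! cryptsetup status "$MAPNAME" | check_status "$DATA_PART"; then
        echo "unexpected mapping for $MAPNAME, removing it" >&2
        cryptsetup remove "$MAPNAME"
        return 1
    fi
    if ! mount "/dev/mapper/$MAPNAME" "$MOUNTPOINT"; then
        cryptsetup remove "$MAPNAME"   # do not leave an open mapping behind
        return 1
    fi
}

# close_stick: unmount first; only then tear down the mapping.
close_stick() {
    umount "$MOUNTPOINT" || return 1
    cryptsetup remove "$MAPNAME"
}

case "${1:-}" in
    open)  open_stick ;;
    close) close_stick ;;
esac
```

Run it as `sh stick.sh open` and `sh stick.sh close`; both need root, as the commands on the page do.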
we need a way to move this process into userspace.