This howto will show you how easy it is to encrypt a partition on a removable device, like an USB stick, with LUKS (Linux Unified Key Setup).

Before we start, make sure you have backuped all the data on your drive. After that, dismount it. USB drives usually are being mounted at /media/usbdisk. So:

$ umount /media/usbdisk

Alternatively, you can install the package 'gparted', to dismount the device in a graphical interface. You'll find the tool in System -> Administration -> GNOME Partition Editor. The USB drive should be /dev/sda or /dev/sdb. You can also create more partitions, if you like,. For instance, you can create two partitions, and encrypt just one for your sensitive data. In this howto, I will encrypt /dev/sda1.

Install the package 'cryptsetup'. Type:

$ sudo luksformat /dev/sda1

You will be prompted for a passphrase. Memorize that phrase. If you forget it, there is no way to restore your data!!!

That's pretty much it. Unplug your USB device, and plug it in again. You should now see something like this:


Enter your passphrase, and the drive will be mounted.

If you want to change the encryption algorithm, the key size, etc ... , knock yourself out with this command:

$ sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --ciper=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda1

Check --help, for more information.