Encrypted USB flash drive


danieldk
11-26-2006, 04:36 AM
I read a while ago that HAL/pmount/GNOME Volume Manager has LUKS integration in Fedora, and I thought it would be neat to try this on Debian unstable. It turned out to be quite simple:

- Besides pmount, the 'cryptsetup' package is required.
- After splitting up the USB flash drive into two partitions, I created an encrypted partition with 'luksformat':

luksformat -t ext2 /dev/sdc2

luksformat sets up an ext2 filesystem (journaling is bad for USB flash drives) on an AES-encrypted volume. It will ask for a keyphrase.

- After that I reconnected the flash drive, GNOME popped up a nice "Enter your password." window, and the filesystem was mounted after doing this.

It has been possible to encrypt filesystems for quite a while in Linux, but it is nice to see that this has been integrated with GNOME this well these days. Next up is encryption on FreeBSD with the GEOM framework :).

BTW, the prices of these drives are dropping without an end. Yesterday I bought a 512MB drive for 11 Euro. A 1GB drive was about 20 Euro.
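A way to confirm that a partition set up as in the post above really carries a LUKS header with an AES cipher and to see which key slots are in use, as an added example that is not part of the original thread. It assumes the LUKS version 1 on-disk header layout and runs on a constructed sample header; the function names and sample values are hypothetical.

```python
import struct

# LUKS1 partition header (big-endian): 208 bytes followed by 8 key slots of 48 bytes.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def parse_luks1(buf):
    """Return a dict describing a LUKS1 header, or raise ValueError."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("short read: need at least 592 bytes")
    (magic, version, cipher, mode, hash_spec, payload_off,
     key_bytes, _digest, _salt, _iters, uuid) = PHDR.unpack_from(buf, 0)
    if magic != MAGIC:
        raise ValueError("no LUKS magic: partition is not LUKS-formatted")
    if version != 1:
        raise ValueError("LUKS version %d is not handled here" % version)
    text = lambda b: b.split(b"\0", 1)[0].decode("ascii")
    active = []
    for i in range(8):
        state = SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)[0]
        if state == SLOT_ACTIVE:
            active.append(i)
        elif state != SLOT_DISABLED:
            raise ValueError("key slot %d has an invalid state" % i)
    return {"cipher": text(cipher), "mode": text(mode), "hash": text(hash_spec),
            "key_bits": key_bytes * 8, "payload_sector": payload_off,
            "uuid": text(uuid), "active_slots": active}

def build_sample_header():
    """Constructed sample header (not read from a real device)."""
    pad = lambda s, n: s.encode().ljust(n, b"\0")
    hdr = PHDR.pack(MAGIC, 1, pad("aes", 32), pad("cbc-essiv:sha256", 32),
                    pad("sha1", 32), 1032, 16, b"\0" * 20, b"\0" * 32, 10,
                    pad("00000000-0000-0000-0000-000000000000", 40))
    slots = [SLOT.pack(SLOT_ACTIVE, 1000, b"\0" * 32, 8, 4000)]
    slots += [SLOT.pack(SLOT_DISABLED, 0, b"\0" * 32, 8 + 128 * i, 4000)
              for i in range(1, 8)]
    return hdr + b"".join(slots)

if __name__ == "__main__":
    # On a real system, read the first 592 bytes of the partition as root instead.
    print(parse_luks1(build_sample_header()))
```

An unexpected number of active key slots means more than one passphrase or key file can unlock the volume.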

AndreL
11-27-2006, 02:10 AM
I was just wondering if one could format those USB drives!

danieldk
11-27-2006, 03:55 AM
I was just wondering if one could format those USB drives!

You can use them as normal disks. Some old USB flash drives did not like repartitioning, but new drives work perfectly. I have a 512MB Imation Sandisk Cruzer (Titanium) (which I can not recommend!) set up with one ext2 partition, and a Danelec 512MB set up with two partitions that I am tinkering with now.

danieldk
11-27-2006, 04:02 AM
Setting up an encrypted partition on FreeBSD was very easy:


# geli init -s 512 /dev/da2s2    # initializes GELI encryption
# geli attach /dev/da2s2         # attaches the GELI partition, asks for password
# newfs /dev/da2s2.eli           # create an FFS filesystem on the encrypted device
# mount /dev/da2s2.eli /mnt


After that attaching and detaching is easy:


# geli attach /dev/da2s2
# mount /dev/da2s2.eli /mnt



# umount /mnt/
# geli detach /dev/da2s2


This is very interesting by the way:
http://www.proportion.ch/index.php?page=31

It describes how you can encrypt the whole hard disk of a system, using a USB flash drive as a token to access the disk. So, only the person who owns the token and knows the passphrase can boot the notebook. Since notebooks get stolen quite often, this is an interesting way to protect your data (even if a thief also steals the USB disk, he/she'll still need the correct passphrase).

jpaulb
11-28-2006, 10:42 AM
Since notebooks get stolen quite often, this is an interesting way to protect your data (even if a thief also steals the USB disk, he/she'll still need the correct passphrase).

What happens if the Laptop is recovered but not the USB disk?

Paul

danieldk
11-28-2006, 12:44 PM
What happens if the Laptop is recovered but not the USB disk?

Then you can't access the data. If you could, it would not be safe.

AndreL
11-28-2006, 01:18 PM
Can one make a clone of the usb drive and keep it in a safe place for that purpose?

danieldk
11-28-2006, 01:49 PM
Can one make a clone of the usb drive and keep it in a safe place for that purpose?

Yes, it's a key file, so you can back it up where you want.

jpaulb
11-29-2006, 03:51 PM
Yes, it's a key file, so you can back it up where you want.

That was what I was aiming for.