I’ve blogged in the past on the possibility of using a USB key to store sensitive information like passwords. In the post, I was referring to using LUKS. I had not taken time before today to test that setup.
I’ve tested it and it seems to work nicely, beautifully integrated in the Gnome environment (relying on HAL, etc.).
For the curious, here are the steps I used:
- I installed the cryptsetup package which (in testing, at least) contains the necessary patches for using LUKS.
- I’ve followed some steps of a LUKS wiki page to prepare a crypted partition on my USB key, except that instead of using cryptsetup to create the encrypted partition, I used the Debian provided /sbin/luksformat tool (see /usr/share/doc/cryptsetup/README.Debian for more details). Update: Note that I prefer using luksformat with the “-t ext3” option to get an ext3 partition inside the crypted volume.
That’s mostly it. I have a FAT16 partition of 100 M on the first partition of my USB key, useable unencrypted, and then a “Linux” partition containing a LUKS crypted partition for using in GNU/Linux.
Whenever I plug the USB key under Gnome, I will get prompted for the passphrase for unlocking the partition, and that’s it!
Really cool.
A couple interesting links for more details:
- The already mentioned http://luks.endorphin.org/aboutLUKS site (now at http://code.google.com/p/cryptsetup/), as well as the wiki page explaining the setup: http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS,
- Again, the first post that led me on the right way, with an animation showing what’s happening: http://blog.fubar.dk/?p=64,
- http://www.wideopen.com/magazine/012oct05/features/hal/, a paper titled “Adding encryption support to HAL: A user’s experience with Fedora development”, which explains the whole thing,
- http://www.flyn.org/projects/luks-tools/index.html for the luks-tools package (not yet in Debian AFAIK), including the gnome-luks-format tool, allowing GUI use for setting up a crypted partition… not really useful if you manage with the command-line ;).
Go ahead, try it.
I set up a WD 120GB external USB drive the same way, and was pleasantly surprised when I plugged it into another box, which happened to be running Fedora 8. Quite neat.