I Encrypt All My USB Drives with LUKS.
ฝัง
- เผยแพร่เมื่อ 23 พ.ย. 2024
- I show you how to setup an encrypted USB drive with a LUKS partition and cryptsetup. I wrote a script to automatically decrypt and mount drives on the fly too which does this automatically. Get it here:
`mounter`. For mounting drives (encrypted, normal and Android phones):
github.com/Luk...
`unmounter`. For unmounting. Also closing decryption of drives for safety:
github.com/Luk...
Might do more on drive encryption, including full disk encryption later.
My website: lukesmith.xyz
Classical books reprinted by me: lindypress.net
Get all my videos off TH-cam: videos.lukesmi...
or Odysee: odysee.com/$/i...
Please donate: donate.lukesmi...
BTC: bc1qd20r7phdct3t0e0z6jqs55ulectg25pngt7hyl
XMR: 89yML3AtqnTNdo3wNuoaW44D94Zx1kBZNSBc9SyNxGdaKEZwZNdVzvy9zpbzJMzysiWZEU3b5LwjQ3XwWuQsknCF8JK73yv
OR affiliate links to things l use:
www.vultr.com/... Get a VPS and host a website or server for anything else.
www.epik.com/?... Get a cheap and reliable domain name with Epik.
![BOWKYLION - วิงวอน (ex-change) [Official MV]](http://i.ytimg.com/vi/cLdnZWDaO-w/mqdefault.jpg)
holy crap a Luke Smith computer video in 2023
Personally I prefer life stuff over tech, but happy to see how encryption work on Linux
I thought this was purely a Kayzinskite vlog channel?
but genuinely though what does luke even use his computer for anymore other than uploading videos
@Pavao Sratković yes? the reason I felt the need to mention it is Luke has been minimizing the presence of computers in his life and reducing his upload frequency. I'm not asking why any generic person would use a computer, because I already know. I depend on one for my income. However, _Luke in particular_ seemed like he was preparing to transition from making money on the internet to something more analog.
@@xXx_Regulus_xXx he's living off agricultural subsidies
LUKS stands for LUK SMIT
Luke's Unique Key Secret.
Luke's Unusual Kock Size
I'd probably make a small FAT32 partition with some "where to return if found".txt info. And to keep windows from reformatting the drive as soon as someone plugs it into that monstrosity
Wow, Luke droppin vids like crazy, no break from consooming for us
For real. Between Luke's daily uploads and Mental Outlaw starting a podcast, how am I supposed to get any work done, let alone keep up with Switched to Linux and DistroTube?
@@kpcraftster6580 You can simply watch less of the content, or only parts that interest you. You have no obligation of watching all the videos if there are simply too many of them to feasibly watch.
@@snail8720 ... whoosh. You realize Luke's on record as saying to not consoom his content unless you are learning something and applying it to your life, right?
@@kpcraftster6580 I might've skipped the video(s) where he said that?
4:04 shot of moonshine straight from the jar, like a chad.
Luke is encrypting drives and using btrfs, 2023 is gonna be a really interesting year.
switching to btrfs as a clear successor to ext4 is a very *BASED* choice
and now what?
Luckily, Luke's LUKS looks like it kills leaks. Like!
🙏🙏🙏🙏
8:06 lukes academic field of study makes moments like these 100x funnier
Also the notification text at 10:31 lol
Luke between writing a 30-or-so-byte file and unmounting: *sync*
Me: This guy has been through some shit.
thats a habit :(
So if u don’t close it and someone stole the drive while it’s mounted, what’ll happen to ur drive? Still open? 🤔🤔🤔
I would genuinely watch a video series of Luke Smith installing and maintaining a Gentoo system.
Luke is so chad he has his own format.
Timely video. I just started encrypting everything. And I have to say, cfdisk is way easier to use and less likely overwhelm novices users.
Luke’s LUKS looks lit
'Trust me it works' ~Luke Smith, Feb 1st 2023
Anyone remember their WIndows XP days?
And how seeing the green hills wallpaper would evoke a certain atmosphere from memories associated with that?
Luke's mildly surreal desktop background with that boat on its curvy river bridge starts feeling similar.
It LUKS like we need a new video about FULL Artix installation with drives encryption and further setup EXACTLY like yours (and also dwm)... But I still will install it with Windows in dualboot tho
you dont need to encrypt fake partition when doing fde. you can just directly encrypt /dev/sdx without having partition table on it. partition comes later in the /dev/mapper/ as you pointed out
LUKS is great. I have been using it for 3 years now, on both USB drives and SSD partitions.
Would apperciate a video on why you choose BTRfs. Since EXT4 is the goto on a lot Linux distro would be curious your reasoning for using it.
My guess would be probably using transparent compression to reduce potential flash wear and even actually speed up the data transfer on slower drives. The other thing may be him doing some kind of snapshots and syncing them across devices from time to time, maybe? :d
Probably to see who was going to be autistic about the file system choice and make a comment about it.
@@otten5666 Heh, you right, my autistic ass fell for it.
Of course you do. You are LUKSmith 💪😎
I can't wait for the Artix installation video !
If we later put this usb in my mobile how do we open that as we would not be able to run command?
Great stuff Luke. I wanted to do this for a while but been lazy about it, thank you for showing us how simple it is. Also, do you do regular backups of your system, e.g. with anacron? It would be nice to see a video on that.
Waiting for next session do the whole disk encryption🎉🎉🎉
IMO, VeraCrypt is much simpler and has GUI interface.TrueCrypt 7.1a (not later versions) still works fine too. VeraCrypt/Decrypt also create "virtual disks" which are files that mount as disk drives and can be copied to the USB or Cloud storage (box, dropbox, onedrive, google, etc).
truecrypt 7.1a conflicts with wxwidgets and the cli version has been orphaned for a while. it doesnt get simpler than a mount and dismount command that can be aliased. i'd bet the encryption is more thorough with true/vera but for a simple encrypt this is it.
Luke's LUKS looks nice
Nice video. You could also talk about preparing the drive filling it with /dev/zero first so previous data cannot be accessed in first days of use.
You can do all this from Gnome-disks if you prefer a GUI option.
It is fun to have a video about luks from Luke Smith not knowing what luks means
Luke you are amazing dude, this is the exact thing I needed help with. Literally as we speak I'm figuring out disk management and luks stuff after not being able to get in my bios due to lvm bugging out the shortcut time-frame realised I knew like nothing about disk management. Your timing and accuracy is impeccable major props and thank you dude.
maybe it's YOUR timing that's impeccable. keep it up
@@YourFriends223 Thank you friendly stranger you made my day, wanna know something funny? I got a new pc that uses the del key instead of f12 or print screen so I was just insanely hitting every key except the right one and realised half way into my research on disk management lol, may as well finish anyway, such is linux.
next should be encrypting hard drive, come on Luke you can do it!
it's the same process
@@K12-r4v Probably meant the main drive.
Use veracrypt
@@lamename2010 in that case I think it's just a matter of adding the encrypt hook to mkinitcpio and setting some kernel parameters with the boot loader to tell it which partition to decrypt at boot. Been a while since I set this up myself but I know Arch wiki has good info on this stuff
I've been using pgp to entrypt my files, but this is also handy to have an entire partition encrypted.
"Hey kids..." I see you're a cultured attendee of the Sam O'Nella Academy as well
Thanks for the howto! Excellent. I think it is really necessary for USB drives. Cheers.
The glow in the dark use Van Eck phreaking to get my encryption password from my keyboard/ram electromagnetic emission. I need to turn my computer room into a faraday cage before I do this. But I also live in a ghetto and the men who glow in the dark fear the dark men they cant see in the dark, so it's unlikely they will come here.
What's the best encryption protocol to use? For example: aes, bluefish, sha, etc.
While not mandatory its good to zero the luks partition before use 'pv -tpreb cat /dev/zero > /dev/mapper/usb'
Thank you Luke! You have awesome videos!
This guy Luks
Encrypt your drives with AES-256 is a must if you basically care about his privacy and security, not just for paranoid schizos tho.
I don't see a reason for encrypting USB Drives since I only use them to transfer stuff to Windows computers anyway. I only encrypt my internal drives and some individual stuff on external drives (since most media players can't read LUKS anyway)
I recently installed artix in a sd card (with good IOPS) having FAT32 + LUKS2 (partition table)
inside LUKS2 btrfs with compress=zstd (as a mount option) following the archwiki dm-setup page
Interesting attempt. Personally I never found the need to script this, because I configure encrypted volumes via /etc/crypttab. Using a script might allow more flexibility of course.
Wonder why he didn't mention crypttab
Luke teaches us how to crypt and that we have to close everything and how important it all is jada jada... Also Luke: 6:38
I’m thinking about making a similar video on a big ransomware incident
I use ecryptfs to encrypt files. I've got a backup script that opens the drive, copies my files over, then closes the drive, and the contents of that drive is then uploaded to an offsite backup.
Nice tutorial and an important tool to know about, but I find it irrelevant for usb drives : when was the last time you pluged an usb drive to a linux computer that wasn't yours ?
You might want to keep something safe from hard drive failure and offline. Also can work for other types filesystem formats not only Linuxy ones like btrfs
Would this work on a ventoy usb or could I just encrypt certain folder? I like to just keep all my stuff on one usb though I suppose it would be smart to just have a separate one for important data
Use veracrypt, only work with ventoy if you have separate partition
Use veracrypt. It's better than this.
That’s what I do. I even wrote a little howto for my fellow supporters at work. If you want, I can dig up a link to it.
there is an xkcd about security, everyone should read it.
basically encryption protects you from normies or people who don't plant to abuse you to get it
I already knew how to do this, but this script is very useful.
Luke should do these type of videos more.
What kinda tea do you enjoy, Luke?
Thank you for your video. The question is, how can I encrypt a server which is used by many. Yes it is possible, but after every boot it must be decrypted. Have you an answer for that?
I created the drive successfully with a USB stick on Linux Mint. And I tried your script but the drive is not recognized it just shows disk drives with blank boxes as icons but those aren't encrypted just connected to the computer. However as soon as I plug the drive in it prompts for a password and mounts it to some random place. To get the menu of your script to work i did have to install dmenu but still does not show my USB drives.
Why newest videos not on your Peertube?
Opinion on True crypt for windows? I know the project is abandoned for ages now, but better than nothing
This is awesome. Could we turn it into a Thunar plugin/addon?!
fun with luksmith
Luke x luks
I'd love to know what's on the unencrypted 1.8T sdb drive.
We can't know if it is unencrypted or not
Ventoy key with QubesOS, Tails, Live Kali ISOs on one partition and LUKS encrypted content on another 🔑
"Bitcoin/Monero payments will be accepted sometime in 2022." you let me down with lindypress, luke.
Crypto payments are really really hard. I only process crypto payments on my site manually because it's really hard without a proprietary solution.
Use veracrypt. Simple as.
Is this method NSA certified?
My dad used to encrypt his job computer with part of that encryption on usb. So even if you'd guessed password you need that USB. I don't know why he did that... He always said i don't want my important scripts get leaked.
important scripts = homework folder
Hey, please keep uploading your videos to PeerTube
Mental Outlaw looks pale today.
When you reach peak autism you start drinking water from a vase
Or you can use gnome disk utility to do it
Is it possible to do it in the GUI? I mean why show it in the terminal?
with regards to encrypting a hard drive (main) , do you still need an unencrypted partition to boot off of , or can you go completely encrypted without an unencrypted boot partition?
If you're using UEFI boot, then at least the ESP needs to be unencrypted (typically plain FAT32). In case of (IBM-PC-compatible) BIOS, it's the master|volume boot record that will be unencrypted. Idk if that's sufficient for GRUB and other bootloaders.
I have it set up like that:
2 (GPT) partitions:
1. one small, FAT32 EFI System Partition - between .5 and 1 GiB
2. one big LUKS volume - spanning the rest of the free space
Inside the (2) LUKS volume, create your file system(s) - I use btrfs with its subvolumes for stuff like /home. Luke probably uses LVM to divide this one volume into several smaller ones and create all his file systems inside those.
Arch puts new kernels and initramfs images into /boot/, which through some bind-mount magic end up at \EFI\archlinux\{vmlinuz-linux,initramfs-linux.img} within the ESP. Since I didn't want any bootloader 'owned' by a distribution, I just stick with EFISTUB - kernels being directly bootable by UEFI.
Setting up swap can be done in one of three ways: a) a separate (LUKS-encrypted) partition with swap inside - needs to be somehow unlocked; b) a separate LVM volume alongside your file systems; and c) a swap file on (one of) your encrypted file system(s).
Hibernation (suspend to and resume from swap) needs more things to align, but essentially boils down to passing resume parameter to the kernel (and resume_offset in case of a swap file) and having an initramfs setup that will unlock the necessary device at that stage. I use a systemd-based initramfs and it works really nice - except one bug which makes resume from hibernation fail (yeah, yeah, sooner or later I'll go and try to fix that upstream).
Oh, and having your ESP not encrypted shouldn't really be an issue. If you want everything to be secure then you can try rolling your own UEFI keys and then locking it all down with secure boot. You're still trusting your firmware, but hey - it's x86 with all its SMM (ring -2) and Intel ME glory!
(this was a rough overview of your options here. Arch wiki has much more detailed documentation and guides)
If you have libreboot or your own homebrew coreboot then you can decrypt a luks2 boot partition with PBKDF2. What machine are you looking at encrypting?
may be a dumb question, but why isn't your usb drive sdc? 0:45
“Unclear”
⚠️ Too fast
⚠️ Scramble information (Commands)
⚠️ Rushing ( Looks like you didn’t want your tea cold )
Don't even have one......isn't that from the 90s like VHS?
do one video on how to encrypt your whole system (including boot) i tried for parabola but theres not enough info online
You can follow the arch wiki if you have a proprietary BIOS. If you have coreboot then you can encrypt /boot as well. Let me know if you have any trouble and I can explain it in detail.
Encrypted Artix install video plz
Artix's wiki explains the procedure very well
How is the load on the usb disk with and without encryption?
Will a 1 GB file touch the whole partition of the usb disk when encrypted, or just the area that requires that 1 GB space?
I feel like usb drives tend to die quick when you use them hard like running running an OS on it
Depends on if your flash drive supports TRIM or whatever. If it does, you can enable the `discard` | `--allow-discards` option when opening the LUKS volume for all the sector discards from deleted|moved files to be propagated below - to the underlying block device (your flash drive). LUKS works in each sector rather independently, and so if your file resides somewhere around 195MiB into /dev/mapper/foo, it will indeed reside somewhere around 195MiB into /dev/sdc - only as some incomprehensible gibberish instead.
When decrypting it manually (via `cryptsetup open`), you can use the `--persistent` flag, to not have to repeat these flags every single time. If you're using /etc/crypttab{,.initramfs}, just use the `discard` option and it will always work.
Discards slightly weaken opaqueness of the encryption, as now anyone can see where is the empty space between the files or other file system data. But it's really not much - you can figure out what type of file system is used and maybe if there are many big|small files.
As much as I want to encrypt my USB sticks... to date I cant find a normie way of doing it. Something that would be compatible with Windows, Mac and Linux, without requiring additional drivers, or special filesystems, or partitions (which Windows doesnt like). The best thing I can come up with is to have an encrypted 7z file on a single exFAT partition, and putting my secret files there, but it's not convenient to use because you'd still need a special program to browse it. The program can be bundled on the nonencrypted part of the flash drive, but still
In the end a lot of people want to use USB sticks to share files with other people, but if other people can't use it easily because it's encrypted with a niche Linux program, what's the point?
those screen colors make it hard to read in the video.
excellently clicky keyboard
LUKS2 looks like some piece of software crafted for me.
okay but what if i don't want to
what will happen to me
Luks on usb sticks is all fun and safe until you need to grub some files from a windows user and you have to re-format the drive with fat...
Thanks Luke!
How long does it take while enc/decryp open/close for large spaces kinda 1 TB ?
how do i encrypt my google drive folders?
Lol
Use veracrypt secret volume
Teach us veracrypt cli.
thanks Luke.
Gigachad coded his own USB encryptor
No. Gigachad invents his own encryption algorithm.
Randy Pitchford should have watched this video.
i have nothing sensitive in my usb drives lol.
What about stuff that can be recovered by a undelete programme?
A lot of people have had scans of their ID on a USB a one point or another, or something else important
👑
@@mor4y i never have anything sensitive on my usb, if i did either i'd encrypt or scrub it.
You look healthy!
Sounds amazing until there's only Windows at work. Then it's less amazing.
This. The point of USB drives is to be able to easily store and allow access to mass amounts of data across multiple and various systems easily. Not really useful when it's operational environment is super limited.
Use veracrypt which is supported on any modern OS, there's no point in using this over veracrypt.
100% correct
mfw "back up 16 terabytes"
Click video, Pause video, Scroll thru comments, Watch video
Who does he remind me of, someone famous ---- oh shit it is Lenin.
now show us a ransomware usb install.
great video look
0:05 Boring. I've had multiple devices with full disk encryption. Also my current one. I had it on Arch and now on Void.