
Linux - Create bootable USB Stick, create encrypted USB Stick, VeraCrypt Encryption, Cryptsetup Encryption

Linux Bootable USB-Stick VeraCrypt Cryptsetup Debian

This tutorial shows how to create a bootable USB stick, how to revert a bootable USB stick back to a regular one, and how to create an encrypted USB stick. The commands were run on a server running Debian 12 against a regular 32GB USB stick, which shows up as /dev/sdd throughout; substitute your own device name.

Bootable USB Stick

Download ISO File

# Download the ISO file
wget https://releases.ubuntu.com/23.04/ubuntu-23.04-live-server-amd64.iso

Verify the download before writing it to the stick: Ubuntu publishes a SHA256SUMS file and its detached signature SHA256SUMS.gpg in the same directory as the ISO, so a truncated or tampered image can be caught before it is booted.
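The checksum and signature check described above, as an added example that is not part of the original tutorial. It assumes the Ubuntu layout (SHA256SUMS and SHA256SUMS.gpg next to the ISO under https://releases.ubuntu.com/23.04/), that the signing key fingerprint is taken from the ubuntu.com verification page rather than from the download server, and that `hkps://keyserver.ubuntu.com` is reachable for the key fetch; the demo function at the end runs on a constructed stand-in file so it works offline.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify a downloaded ISO
# against the release's SHA256SUMS file before writing it to the stick.
# Assumes the Ubuntu layout, where SHA256SUMS and the detached signature
# SHA256SUMS.gpg sit next to the ISO (https://releases.ubuntu.com/23.04/).
set -u

# verify_iso_checksum <sha256sums-file> <iso-file>
# Returns 0 when the ISO's SHA-256 matches its entry in the sums file,
# 1 when the hash differs or the ISO is not listed at all.
verify_iso_checksum() {
    local sums iso name expected actual
    sums="$1"
    iso="$2"
    name=$(basename "$iso")
    # SHA256SUMS lines look like "<hash> *<filename>" (binary mode) or
    # "<hash>  <filename>"; match the filename with or without the '*'.
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# verify_sums_signature <sha256sums-file> <signature-file> <key-fingerprint>
# Checks the detached GPG signature on SHA256SUMS. The fingerprint must come
# from an out-of-band source (the ubuntu.com verification page), not from the
# same server that serves the ISO: an attacker who can swap the ISO can swap
# the sums file too, only the signature ties both to the publisher.
verify_sums_signature() {
    gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "$3" >/dev/null 2>&1 || return 1
    gpg --verify "$2" "$1"
}

# Self-contained demo on constructed data: a small file stands in for the ISO.
# Returns 0 only when the intact file verifies and a tampered copy is rejected.
demo_checksum_check() {
    local dir intact tampered
    dir=$(mktemp -d)
    printf 'stand-in for an ISO image\n' > "$dir/test.iso"
    ( cd "$dir" && sha256sum --binary test.iso > SHA256SUMS )
    if verify_iso_checksum "$dir/SHA256SUMS" "$dir/test.iso"; then intact=0; else intact=1; fi
    printf 'one more byte\n' >> "$dir/test.iso"
    if verify_iso_checksum "$dir/SHA256SUMS" "$dir/test.iso"; then tampered=0; else tampered=1; fi
    rm -rf "$dir"
    [ "$intact" -eq 0 ] && [ "$tampered" -eq 1 ]
}

# Real use, after downloading the three files into the current directory:
# verify_sums_signature SHA256SUMS SHA256SUMS.gpg <fingerprint-from-ubuntu.com> \
#   && verify_iso_checksum SHA256SUMS ubuntu-23.04-live-server-amd64.iso
```

Run the signature check first and the checksum second: a matching hash only proves the ISO matches the sums file, and only the signature proves the sums file came from Ubuntu.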

Find USB Stick

# List block devices
lsblk

# Shell Output:
sdd                         8:48   1  29.3G  0 disk

Identify the stick by its size (29.3G here) and by the RM column, which is 1 for removable media. Every command below writes to whatever device you name, so a wrong device name overwrites another disk without further warning.

Copy Data to USB Stick

# Copy files to USB Stick
sudo dd bs=4M if=/path/to/linux.iso of=/dev/sdd status=progress oflag=sync

# Shell Output: (Wait till completion)
209715200 bytes (210 MB, 200 MiB) copied, 21 s, 10.1 MB/s

Hybrid ISO images such as Ubuntu's carry their own partition table and bootloader, which is why the image is written to the whole device (/dev/sdd) rather than to a partition, and why any partitions that were on the stick are replaced.

  • /path/to/linux.iso Define path to ISO file
  • /dev/sdd Define path to USB stick
  • bs=4M Define the block size
  • status=progress Show progress
  • oflag=sync Data is written synchronously: Commit each write to the storage before moving on to the next block. This can help to prevent data corruption in case the system crashes or loses power during the write operation.

Wipe USB Stick

Fdisk

# Find USB Stick / List block devices
lsblk

# Shell Output:
sdd                         8:48   1  29.3G  0 disk
├─sdd1                      8:49   1   1.8G  0 part
├─sdd2                      8:50   1   4.9M  0 part
└─sdd3                      8:51   1   300K  0 part

# Unmount the stick's partitions if any of them is mounted, e.g.:
sudo umount /dev/sdd1

# Start fdisk
sudo fdisk /dev/sdd

# Shell Output
Command (m for help): d # Delete partition
Partition number (1-3, default 3): 3
Command (m for help): d # Delete partition
Partition number (1,2, default 2): 2
Command (m for help): d # Delete partition
Selected partition 1
Partition 1 has been deleted.
Command (m for help): w # Write the new table to disk and exit

# Check
lsblk

# Shell Output:
sdd                         8:48   1  29.3G  0 disk

Fdisk Commands

  • p List partitions
  • d Delete partition
  • n Add a new partition
  • g Create a new, empty GPT partition table (o does the same for an MBR/DOS table)
  • w Write the table to disk and exit. Nothing is changed until you press w; q quits without saving. Writing only replaces the partition table, the file data stays on the stick until it is overwritten.

Parted

As an alternative to fdisk you can use parted with the mklabel command to write a new disk label, which discards all existing partitions.

# Update Package Manager
sudo apt update

# Install Parted
sudo apt install parted

# Create new partition table / remove all existing partitions

# Master Boot Record
sudo parted /dev/sdd mklabel msdos

# GUID Partition Table
sudo parted /dev/sdd mklabel gpt

# Shell Output:
Warning: The existing disk label on /dev/sdd will be destroyed and all data on this disk will be lost. Do you want to continue?
Yes/No? Yes

  • msdos Also known as MBR (Master Boot Record). It is the older partitioning scheme, still supported by Windows, macOS and Linux, with a 2TB maximum disk size and at most four primary partitions.

  • gpt GUID Partition Table, the scheme defined by the UEFI (Unified Extensible Firmware Interface) specification. It has no 2TB limit, allows 128 partitions by default, and is what modern UEFI systems boot from. For a plain data stick either label works; msdos is the safer choice for very old hardware.

dd, Scrub & Shred

Note: Deleting partitions only removes their entries from the partition table; the file data stays on the stick until it is overwritten. To actually erase the data, overwrite the whole device with dd, shred or scrub. On flash media the controller remaps blocks (wear levelling), so an overwrite sent from the host does not reliably reach every physical cell; treat these tools as best effort, and for sensitive data prefer an encrypted stick from the start, where discarding the key makes the contents unrecoverable.

# Overwrite the entire USB stick with zeros using dd (ends with "No space left on device", which is expected)
sudo dd if=/dev/zero of=/dev/sdd bs=4k status=progress


# Install scrub
sudo apt install scrub

# Scrub USB Stick
sudo scrub /dev/sdd


# Shred USB Stick: Overwrite data 3 times
sudo shred -v -n 3 /dev/sdd

Create regular USB Stick

FAT32 / vFAT

Prerequisites

# Update Package Manager
sudo apt update

# Install dosfstools (provides the mkfs.vfat utility on Debian)
sudo apt install dosfstools

Create Filesystem

The mkfs.vfat command deletes all data and any previous filesystem on the USB stick.

# Unmount USB Stick
sudo umount /dev/sdd

# Create filesystem: FAT32 (Windows & Linux)
sudo mkfs.vfat -n USBSTICK /dev/sdd

# Create folder for mountpoint
sudo mkdir -p /mnt/usb-stick

# Mount USB stick
sudo mount /dev/sdd /mnt/usb-stick

# Umount USB stick
sudo umount /dev/sdd

  • -n Define the volume label. FAT labels are at most 11 characters, and mkfs.vfat warns that lowercase labels may not work properly on some systems.

This formats the raw device without a partition table (a "superfloppy" layout). Linux and Windows handle it, but some appliances expect a partition table; if you need one, create a single partition with fdisk and format /dev/sdd1 instead.

Ext4

# Unmount USB Stick
sudo umount /dev/sdd

# Create filesystem: ext4 (Linux only)
sudo mkfs.ext4 -L usb-stick /dev/sdd

# Create folder for mountpoint
sudo mkdir -p /mnt/usb-stick

# Mount USB stick
sudo mount /dev/sdd /mnt/usb-stick

# Umount USB stick
sudo umount /dev/sdd

  • -L Define label / name

Unlike FAT, ext4 stores Unix ownership and permissions: the freshly mounted filesystem belongs to root, so change the ownership of the mountpoint with chown if a regular user should write to it. Windows cannot read ext4 without extra software.

Create encrypted USB Stick

VeraCrypt

Prerequisites

# Update Package Manager
sudo apt update

# Install exfatprogs: Necessary for exFAT Filesystem
sudo apt install exfatprogs

Find the package on the VeraCrypt download page and pick the build that matches your Debian release:
https://www.veracrypt.fr/en/Downloads.html

# Download Software Package
wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-console-1.25.9-Debian-12-amd64.deb

# Install Package
sudo dpkg -i veracrypt-console-1.25.9-Debian-12-amd64.deb

dpkg -i performs no signature check. VeraCrypt publishes a detached PGP signature (.sig) for every download and its public key on the same page; verify the package with gpg before installing it.

Encrypt USB Stick

# Create Encrypted Volume (-t: text mode, -c: create, --quick: see Explanation below)
veracrypt -t --quick -c /dev/sdd

# Shell Output:
Volume type:
 1) Normal
 2) Hidden
Select [1]: 1

# Shell Output:
Encryption Algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) Camellia
 5) Kuznyechik
 6) AES(Twofish)
 7) AES(Twofish(Serpent))
 8) Camellia(Kuznyechik)
 9) Camellia(Serpent)
 10) Kuznyechik(AES)
 11) Kuznyechik(Serpent(Camellia))
 12) Kuznyechik(Twofish)
 13) Serpent(AES)
 14) Serpent(Twofish(AES))
 15) Twofish(Serpent)
Select [1]: 1

# Shell Output:
Hash algorithm:
 1) SHA-512
 2) Whirlpool
 3) SHA-256
 4) Streebog
Select [1]: 1

# Shell Output:
Filesystem:
 1) None
 2) FAT
 3) Linux Ext2
 4) Linux Ext3
 5) Linux Ext4
 6) NTFS
 7) exFAT
 8) Btrfs
Select [2]: 7

# Shell Output
Enter password: # Define your PW
Re-enter password: # Re-enter your PW
Enter PIM: # [Enter = Default]
Enter keyfile path [none]: # [Enter = none]
Please type at least 320 randomly chosen characters and then press Enter:

# Shell Output:
The VeraCrypt volume has been successfully created.

Mount USB Stick (Linux)

# Mount encrypted USB Stick (the mountpoint directory must already exist)
veracrypt /dev/sdd /mnt/usb-stick

# Shell Output:
Enter password for /dev/sdd: # Enter your PW
Enter PIM for /dev/sdd: # Use same PIM as used during setup. (Enter = default)
Enter keyfile [none]: # [Enter = none]
Protect hidden volume (if any)? (y=Yes/n=No) [No]: n

Unmount USB Stick (Linux)

# Unmount USB Stick
veracrypt -d /mnt/usb-stick

# Unmount all mounted VeraCrypt volumes
veracrypt -d

Mount USB Stick (Windows)

Download and install VeraCrypt:
https://www.veracrypt.fr/en/Downloads.html

  • Put the USB stick into a USB port
  • Cancel the Windows dialog that offers to format the unrecognised disk: formatting would destroy the VeraCrypt volume
  • Open VeraCrypt
  • Click "Select Device" and pick the USB stick
  • Enter your password, and the PIM if you set a custom one; VeraCrypt detects the hash algorithm on its own, selecting it only speeds up mounting
  • Select a drive letter to mount the USB stick
  • Right click the mounted volume to open it in File Explorer
  • Click "Dismount" before unplugging the USB stick

Explanation

Options

  • --quick Skip overwriting the USB stick with random data before the volume is created (faster, but less secure): whatever was stored on the stick before stays readable in the part of the volume that has not been written yet, and an observer can tell how much of the volume is in use. Leave it out for a stick that held sensitive data or if you intend to add a hidden volume.

Volume Types

  • Normal Standard VeraCrypt volume. Anyone who examines the disk can tell that it contains an encrypted volume, but cannot read the data without the password.

  • Hidden A hidden volume resides inside the free space of a normal (outer) volume. Because that free space is filled with random data, the hidden volume cannot be distinguished from it, so its existence cannot be proven from the disk contents alone. This only holds if the outer volume was created without --quick.

Encryption Algorithms

VeraCrypt uses every cipher with a 256-bit key in XTS mode.

  • AES (Advanced Encryption Standard): The most widely used and most thoroughly analysed block cipher, approved by the U.S. government for classified information, and the fastest option on CPUs with AES instructions.

  • Serpent One of the finalists in the competition that selected AES. It has a larger security margin than AES, but is slower.

  • Twofish Another AES finalist, between Serpent and AES in speed.

  • Camellia A Japanese block cipher, considered comparable to AES in security and speed.

  • Kuznyechik A Russian national standard block cipher. It is considered secure, but has received far less public analysis than the others.

The options that name several ciphers (such as AES(Twofish) or Serpent(Twofish(AES))) are cascades: each block is encrypted in turn with each cipher, innermost name first, each cipher with its own independent key. A cascade still protects the data if one of its ciphers is broken, at the cost of roughly one extra encryption pass per cipher. For a USB stick, plain AES is the usual choice.

Hash Algorithm

The hash algorithm is the pseudorandom function inside PBKDF2, which derives the volume header key from the password (and PIM). The password itself is never stored on the stick.

  • SHA-512 A member of the SHA-2 (Secure Hash Algorithm 2) family with a 512-bit output. Widely used and considered secure; the default.

  • Whirlpool A hash function with a 512-bit output. Less widely used than SHA-2, but considered secure.

  • SHA-256 Another member of the SHA-2 family, with a 256-bit output. Also widely used and considered secure; for key derivation the difference to SHA-512 is of no practical concern.

  • Streebog A Russian hash function, rarely used in the West. Considered secure, but it has not been examined as thoroughly by the international community as the other options.

PIM

PIM stands for "Personal Iterations Multiplier". It sets the number of PBKDF2 iterations used to derive the header key from the password: for a non-system volume VeraCrypt runs 15000 + (PIM × 1000) iterations, and the default (PIM left empty) corresponds to PIM 485, i.e. 500,000 iterations.

  • Security: More iterations make every password guess more expensive for an attacker running a brute-force or dictionary attack.

  • Speed: More iterations make mounting the volume take longer.

A PIM below 485 weakens the key derivation; VeraCrypt only accepts it together with a password of at least 20 characters. The PIM is a small number and not a secret of any strength, so it is no substitute for a long password.

Note: When you want to access the encrypted volume later, you need to provide the same PIM along with your password.

Enter keyfile path

VeraCrypt can use one or more keyfiles in addition to (or instead of) a password. The keyfile's contents are mixed into the password before key derivation, so an attacker needs both the password and the exact keyfile. Only the first 1,048,576 bytes of a keyfile are used, and the file must never change: if it is lost or modified, the volume cannot be opened even with the correct password. A keyfile stored on the same stick as the volume adds nothing.

Protect hidden volume

VeraCrypt is asking if you want to enable protection for a hidden volume.

VeraCrypt allows you to create two types of volumes: standard volumes and hidden volumes. A hidden volume is a volume located within another volume. The space not taken by the hidden volume can be used as a standard volume. The purpose of this setup is plausible deniability; if you are forced to disclose your password, you can reveal the password for the outer (standard) volume without revealing the existence of the hidden volume.

However, if you write data to the outer volume after the hidden volume has been created, you could accidentally overwrite and damage the hidden volume. VeraCrypt’s hidden volume protection option is designed to prevent this. If you enable it, VeraCrypt will prevent writes to the outer volume from overwriting the area of the disk where the hidden volume is located.


Cryptsetup

Prerequisites

# Install Cryptsetup
sudo apt install cryptsetup

# Find USB Stick: List block devices
lsblk

# Shell Output:
sdd                         8:48   1  29.3G  0 disk

# Unmount USB Stick if it is mounted
sudo umount /dev/sdd

Create Partition

# Partition the USB Stick
sudo fdisk /dev/sdd

# Shell Output:
Command (m for help): d # Delete existing partition

Selected partition 1
Partition 1 has been deleted.

Command (m for help): w # write / save

Create LUKS Container

Create a LUKS container on the whole device. There is no partition table in this variant, so /dev/sdd itself becomes the container.

# Optional: overwrite the device with random data first, so that used and unused space inside the container cannot be told apart and any earlier plaintext is destroyed (slow on a large stick; dd ends with "No space left on device", which is expected)
sudo dd bs=4K if=/dev/urandom of=/dev/sdd status=progress

# Create LUKS Container on the whole device
sudo cryptsetup luksFormat /dev/sdd

Without further options cryptsetup on Debian 12 creates a LUKS2 container with aes-xts-plain64 and the argon2id key derivation function; cryptsetup luksDump on the device shows the cipher, key size and KDF that were actually used.

# Shell Output:
WARNING!
========
This will overwrite data on /dev/sdd irrevocably.

Are you sure? (Type 'yes' in capital letters): # YES

Enter passphrase for /dev/sdd: # Define your PW
Verify passphrase: # Re-type your PW

Open LUKS Container

# Open the LUKS Container
sudo cryptsetup luksOpen /dev/sdd usb-stick

# Shell Output:
Enter passphrase for /dev/sdd: # Enter your PW

Create Filesystem

# Create Filesystem on LUKS Container
sudo mkfs.vfat /dev/mapper/usb-stick

Mount LUKS Container

# Create the mountpoint if it does not exist yet
sudo mkdir -p /mnt/usb-stick

# Mount LUKS Container
sudo mount /dev/mapper/usb-stick /mnt/usb-stick

Close LUKS Container

# Unmount Encrypted Partition
sudo umount /mnt/usb-stick

# Close LUKS Container
sudo cryptsetup luksClose usb-stick
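The whole-device cryptsetup procedure above (partition removal aside) as one guarded script, added here as an example; it is not code from the original tutorial. It assumes Debian 12 with cryptsetup 2.x (the `--type luks2`, `--pbkdf argon2id`, `open`/`close` and `luksHeaderBackup` options), that the kernel exposes the removable flag under /sys/block/<dev>/removable, a mapping name of usb-stick, a mountpoint of /mnt/usb-stick and a header backup written to the calling user's home directory; the `SYSFS` variable only exists so the safety check can be exercised on a fake sysfs tree. The `sudo` steps are not run by the verifier.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the cryptsetup procedure
# as one guarded script. Assumptions: Debian 12 with cryptsetup 2.x, the
# whole device is used (no partition table), the mapping name and mountpoint
# default to usb-stick and /mnt/usb-stick, and the device is given as the
# first argument, e.g.:  sh luks-stick.sh /dev/sdd
set -eu

# sysfs root; overridable so the safety check can be exercised on a fake tree
SYSFS="${SYSFS:-/sys}"

# is_removable <device>: 0 when the kernel flags the disk as removable.
# Guards against running luksFormat on a system disk by mistake.
is_removable() {
    local dev
    dev=$(basename "$1")
    if [ -f "$SYSFS/block/$dev/removable" ] && [ "$(cat "$SYSFS/block/$dev/removable")" = "1" ]; then
        return 0
    fi
    return 1
}

# is_mounted <device>: 0 when the device or one of its partitions is mounted.
is_mounted() {
    grep -q "^$1[0-9]* " /proc/mounts
}

setup_luks_stick() {
    local dev name mnt
    dev="$1"
    name="${2:-usb-stick}"
    mnt="${3:-/mnt/usb-stick}"

    if ! is_removable "$dev"; then
        echo "refusing: $dev is not flagged removable" >&2
        return 1
    fi
    if is_mounted "$dev"; then
        echo "refusing: $dev is mounted, unmount it first" >&2
        return 1
    fi

    # LUKS2 with cipher, key size and KDF spelled out, so the result does not
    # depend on the distribution's compiled-in defaults.
    sudo cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 \
        --key-size 512 --pbkdf argon2id "$dev"

    sudo cryptsetup open "$dev" "$name"

    # Zero the *mapped* device: on the stick this lands as ciphertext, so used
    # and unused space cannot be told apart and any plaintext that was on the
    # stick before is destroyed. dd exits non-zero when the device is full,
    # which is the expected end of this step.
    sudo dd if=/dev/zero of="/dev/mapper/$name" bs=4M status=progress || true

    sudo mkfs.vfat -n USBSTICK "/dev/mapper/$name"
    sudo mkdir -p "$mnt"
    sudo mount "/dev/mapper/$name" "$mnt"

    # The LUKS header holds the keyslots; if it is damaged the data is gone
    # even with the right passphrase. Keep this backup off the stick.
    sudo cryptsetup luksHeaderBackup "$dev" \
        --header-backup-file "$HOME/$name-luks-header.img"

    # Show cipher, KDF and keyslots so the configuration can be checked.
    sudo cryptsetup luksDump "$dev"
}

# close_luks_stick <name> [mountpoint]: unmount and lock the container.
close_luks_stick() {
    local name mnt
    name="$1"
    mnt="${2:-/mnt/usb-stick}"
    sudo umount "$mnt"
    sudo cryptsetup close "$name"
}

# Run only when a device is given on the command line.
if [ -n "${1:-}" ]; then
    setup_luks_stick "$1"
fi
```

The removable-flag check is the step most worth keeping even when typing the commands by hand: `luksFormat` asks for confirmation but does not care whether the target is the system disk. Store the header backup somewhere other than the stick, and treat it like the passphrase, since it contains the keyslots.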

Cryptsetup with 2 Partitions

The following tutorial creates two partitions on the USB stick: an encrypted partition that has to be opened with a password, and a regular partition that can be accessed without one.

Prerequisites

# Install Cryptsetup
sudo apt install cryptsetup

# Find USB Stick: List block devices
lsblk

# Shell Output:
sdd                         8:48   1  29.3G  0 disk

# Unmount USB Stick if it is mounted
sudo umount /dev/sdd

Create Partitions

# Partition the USB Stick
sudo fdisk /dev/sdd

# Shell Output:
Command (m for help): d # Delete existing partition

Selected partition 1
Partition 1 has been deleted.

Command (m for help): n # Create new partition
Partition number (1-128, default 1): 1 # Create partition no 1
First sector (34-61439967, default 2048): # Enter = default
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-61439967, default 61437951): +10GB # 10 GB in decimal units, which fdisk reports as 9.3 GiB; use +10G for 10 GiB

Created a new partition 1 of type 'Linux filesystem' and of size 9.3 GiB.

Command (m for help): n # Create new partition
Partition number (2-128, default 2): 2 # Create partition no 2
First sector (19533824-61439967, default 19533824): # Enter = default
Last sector, +/-sectors or +/-size{K,M,G,T,P} (19533824-61439967, default 61437951): # Enter = default

Command (m for help): w # write / save

Check the partitions:

# Check the partitions / list block devices
lsblk

# Shell Output:
sdd                         8:48   1  29.3G  0 disk
├─sdd1                      8:49   1   9.3G  0 part
└─sdd2                      8:50   1    20G  0 part

Create LUKS Container

Create a LUKS container on partition one.

# Optional: overwrite the partition with random data first, so that used and unused space inside the container cannot be told apart and any earlier plaintext is destroyed (dd ends with "No space left on device", which is expected)
sudo dd bs=4K if=/dev/urandom of=/dev/sdd1 status=progress

# Create LUKS Container on partition one
sudo cryptsetup luksFormat /dev/sdd1

# Shell Output:
WARNING!
========
This will overwrite data on /dev/sdd1 irrevocably.

Are you sure? (Type 'yes' in capital letters): # YES

Enter passphrase for /dev/sdd1: # Define your PW
Verify passphrase: # Re-type your PW

Open LUKS Container

# Open the LUKS Container
sudo cryptsetup luksOpen /dev/sdd1 encrypted_partition-1

# Shell Output:
Enter passphrase for /dev/sdd1: # Enter your PW

Create Filesystem

# Create Filesystems on both partitions
sudo mkfs.vfat /dev/mapper/encrypted_partition-1
sudo mkfs.vfat /dev/sdd2

Mount Partitions

# Create the mountpoints if they do not exist yet
sudo mkdir -p /mnt/usb-stick-partition-1 /mnt/usb-stick-partition-2

# Mount LUKS Container
sudo mount /dev/mapper/encrypted_partition-1 /mnt/usb-stick-partition-1

# Mount Unencrypted Partition
sudo mount /dev/sdd2 /mnt/usb-stick-partition-2

Close LUKS Container

# Unmount Encrypted Partition
sudo umount /mnt/usb-stick-partition-1

# Close LUKS Container
sudo cryptsetup luksClose encrypted_partition-1