Home    |     News    |     Reviews    |     Features    |     Tips+Tricks    |     Downloads    |     Contact Us  

Linux Disk encryption in 2 easy steps

How to create an encrypted memory stick, USB disk, or partition with Linux

Initial Setup

These steps will create a newly initialized encrypted partition on any block device (e.g. memory stick, memory card, USB disk, internal hard disk partition, DVD-RAM disk, etc.).
Any existing data on the partition will be lost, therefore must be backed up first!

  • open a console and type the following command to initialise the partition with random data (depending on your system configuration you might need to do this as 'root' user):
     dd if=/dev/urandom of=/dev/sdXX bs=512 
    ('sdXX' needs to be replaced by the actual device name of the partition to be encrypted), with a large partition or on a slow system this command can take a long time!

  • The following command will create the encrypted device 'partname' mapped to the physical device /dev/sdXX:
     cryptsetup -y -c twofish-cbc-essiv:sha256 create partname /dev/sdXX 
    (where 'partname' can be any suitable unique name for the encrypted partition)
    At this point you will be asked for a passphrase, choose one that's easy enough for you to remember but not easy to guess for anyone else. You will have to enter it a second time to avoid accidental typos.
    Remember: if you forget your passphrase, you won't be able to access your data on the encrypted partition anymore!
That's it! Now you have an encrypted partition ready for creating a filesystem on it and then mounting. The device name for the encrypted partition you have just created is:
The following command can be used to create an ext2 (more suited for flash based disk devices than ext3) filesystem on it:
 mkfs.ext2 -m 0 -I 128 /dev/mapper/partname 

Now you can mount your encrypted partition with:
 mount -o noatime /dev/mapper/partname /mountpoint 

Day to day usage

Mounting a previously created encrypted partition:
 cryptsetup -c twofish-cbc-essiv:sha256 create partname /dev/sdXX 
 mount -o noatime /dev/mapper/partname /mountpoint 

Unmounting it again:
 umount /dev/mapper/partname 
 cryptsetup remove partname 

If you have any comments, questions or suggestions about this procedure, please post them on the dedicated thread on the forum at:

For more information please read the 'cryptsetup' man-page and have a look at the following excellent (but long) guide from Justin Wells:

[08-Mar-2009 - art-linux_disk_encryption_mini_how-to]