Encrypted flash drives
- Date: Sun, 26 Mar 2017 18:04:56 +0900
- From: Mark Fletcher <mark27q1@xxxxxxxxx>
- Subject: Encrypted flash drives
Hello the list!
This is a problem of repairing an encrypted USB drive that isn't playing
nice with Gnome after setup although it is basically working and no data
has been lost.
Today I opened my desk drawer and found the USB flash drive I have used
to back up my GPG private keys, revokation keys etc had _something
sticky_ growing on it. Not nice. And bizarre because nothing around it
in the drawer was affected.
So I bought 2 identical relatively small new USB drives, with the intent
of copying the content of the
rapidly-becoming-unfit-for-human-consumption drive onto both of them,
and keeping one offsite. And this seemed like a great time to make my
first experiment with volume encryption.
I'm running Jessie and Gnome on the desktop, so my machine's default
behaviour when I plug in a flash drive is to pop up a, erm, pop-up
asking if I want to open the drive in Files (nautilus) or eject it. I
clicked Open with Files. Next I right-clicked on the drive in the left
pane and chose "Format..." To my rather pleasant surprise support for
encrypting the volume was right there in the Format dialog. I proceeded
to provide a label and passphrase for the drive and went through the
confirmation stages warning me I was about to lose data and so on.
Then, nothing apparently happened. Turns out it was creating the ext4
file system in the just-created encypted volume, but it didn't _say_
that, and I thought it was done, and had unmounted the volume, so I
removed it. D'oh!
I've filed a bug on Files for that because although I was stupid to
remove the device without doing SOMETHING to check if it was still being
used, the fact is Files gave me zero feedback that it was doing
After this Files couldn't do anything with the drive so I dropped to the
command line. There I executed the following as root:
cryptsetup luksFormat /dev/sdg1
(for 'twas /dev/sdg1 where the now-messed-up drive was). This completed
successfully, asking me for the passphrase on the way. Then:
cryptsetup luksOpen /dev/sdg1 SECRETKEY1
Which also completed successfully. Finally:
which took a bit longer to complete than I expected, but eventually
completed successfully. That was what tipped me off to what I had done
wrong in the first place in Files.
After this, I ejected the device, and plugged it back in. Gnome does not
respond, but if you manually start Files, you can see "8.1GB Encypted"
in the left hand pane. Clicking on that triggers the request to supply
the password and on correctly supplying the password you have access to
the device. However, can't write to it, and I have to drop to the
command line and su to root before I can do so.
I then used Files to format and encrypt the second device, and this time
was more patient to wait until it was finished, at which point the
device was mounted with the label I'd chosen and I could safely eject it
the normal way. After this, re-inserting the second device is
automatically detected by Gnome and I am prompted for the password, and
on supplying it, I get the usual "Open in Files or Eject" prompt and
everything operates after that as if it were not encrypted, including
With both drives mounted, I compared the /etc/mtab entries for the two
and this is what I found:
/dev/mapper/luks-378947be-2ef0-452e-8d80-04064aec5bc7 /media/mark/138b9d59-b0cd-49cc-a738-8fecea5f0035 ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
(that's the first drive, that I used the command line to fix after
messing it up in Files)
/dev/mapper/luks-0dfd326a-10ea-4f1f-8ca3-4ab492ebd62e /media/mark/SECRETKEY2 ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
(That's the second one that everything works properly for).
>From here, how can I fix the first one to play nice? (Wiping it and
re-formating from scratch is an option, but I figure I will learn more
from fixing it)