Encrypted storage

Encrypted SD card

SD memory cards and USB flash drives are the most compact and affordable storage on the market, but using them with the default FAT filesystem is not secure: whatever you put on the card is readable by anyone who gets hold of it. In this post I will show you how to protect your data by creating an encrypted LUKS partition on the memory card.

Detecting storage

Run dmesg in follow mode, insert the SD card, and watch which block device the kernel assigns to it:

sudo dmesg -w
[390965.740708] sd 0:0:0:0: [sda] 122880000 512-byte logical blocks: (62.9 GB/58.6 GiB)
[390965.742115]  sda: sda1

Another way to find out which device file was assigned to the SD card is the lsblk utility; the card is the removable disk (RM column 1) whose size matches:

NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                       8:0    1  58.6G  0 disk  
└─sda1                    8:1    1  58.6G  0 part  

Most modern laptops have NVMe system storage (/dev/nvme0n1), which is why the card can take the first /dev/sd* name here; on a machine with a SATA system disk, /dev/sda is that disk, so always check. Depending on the controller, the card appears as /dev/mmcblk* (native SD host controller; its partitions are named mmcblk0p1, mmcblk0p2, ...) or as /dev/sd* (USB-attached reader; partitions sda1, sda2, ...). On my Lenovo ThinkPad T580 the card was assigned /dev/sda. Double-check the name before going on: every command below destroys whatever is on the device you give it.

Partitions

The next step is to remove any existing partitions and create a new one with the parted utility.

sudo parted /dev/sda

Use the p (print) command to show the current partition table:

(parted) p                                                                
Model: Generic- SD/MMC (scsi)
Disk /dev/sda: 62.9GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags: 

Number  Start   End     Size    Type     File system  Flags
 1      16.8MB  62.9GB  62.9GB  primary

Remove the only partition the card currently has:

(parted) rm 1

Create a new partition spanning all available space (a start of 1, i.e. 1 MB, leaves room for the partition table and lets parted align the partition; -1 means the end of the disk), print the result, and quit parted. See help mkpart if you want a smaller or custom-sized partition.

(parted) mkpart primary 1 -1
(parted) p
(parted) q

Create the LUKS container on the new partition. Read the prompts carefully: cryptsetup asks you to confirm with an uppercase YES because this overwrites the start of the partition, then asks for the passphrase twice. The passphrase is the only key to the data; if you forget it, the contents are gone. Recent cryptsetup (2.1 and later) defaults to LUKS2, whose keyslots use the memory-hard argon2 key derivation function instead of PBKDF2.

sudo cryptsetup luksFormat /dev/sda1

Open the LUKS partition under the mapping name sdcard. The decrypted block device is now available at /dev/mapper/sdcard:

sudo cryptsetup luksOpen /dev/sda1 sdcard

Create an ext4 filesystem on /dev/mapper/sdcard (on the decrypted mapping, never on /dev/sda1 itself, which would overwrite the LUKS header):

sudo mkfs.ext4 /dev/mapper/sdcard
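The detection, partitioning, luksFormat, open and mkfs steps above, collected into one POSIX shell script. This is an added example and not the original post's code. It adds the two checks a practitioner wants before typing a destructive command: it derives the partition name from the disk name (sda gives sda1, mmcblk0 gives mmcblk0p1), and it refuses any disk that has a mounted filesystem so the system disk cannot be formatted by mistake. It replaces the interactive rm 1 / mkpart session with parted -s ... mklabel msdos mkpart primary 1MiB 100%, asks for a LUKS2 header explicitly, and prints the LUKS version and KDF from the on-disk header afterwards. Device path and mapper name are parameters; the only assumption is that parted, partprobe and cryptsetup are installed. Run without arguments it only prints usage.

```shell
#!/bin/sh
# Added example, not from the original post: the partition/LUKS/ext4 procedure as
# one script. Assumes parted, partprobe and cryptsetup are installed.
set -eu

# Partition naming depends on the controller: /dev/sda -> /dev/sda1, but a
# native SD host or NVMe drive gets a "p": /dev/mmcblk0 -> /dev/mmcblk0p1.
part_name() {
    case "$1" in
        *[0-9]) printf '%sp1\n' "$1" ;;
        *)      printf '%s1\n' "$1" ;;
    esac
}

# Return 0 if the disk or any of its partitions is mounted. The second argument
# is the text of `lsblk -nro NAME,MOUNTPOINT`, passed in so it can be checked
# against canned output without a real disk.
device_is_in_use() {
    base=$(basename "$1")
    printf '%s\n' "$2" | awk -v d="$base" '
        ($1 == d || $1 ~ ("^" d "p?[0-9]+$")) && $2 != "" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Destroys everything on $1. Encrypts it, opens it under the mapper name $2
# (default sdcard) and creates ext4 on the decrypted mapping.
format_card() {
    dev=$1
    name=${2:-sdcard}
    part=$(part_name "$dev")
    if device_is_in_use "$dev" "$(lsblk -nro NAME,MOUNTPOINT)"; then
        echo "refusing: $dev has a mounted filesystem (is it the system disk?)" >&2
        return 1
    fi
    # New msdos label with one partition from 1MiB to the end: same result as
    # the interactive rm 1 / mkpart primary 1 -1, with explicit alignment.
    sudo parted -s "$dev" mklabel msdos mkpart primary 1MiB 100%
    sudo partprobe "$dev"
    # LUKS2 header; cryptsetup still asks for YES and the passphrase twice.
    sudo cryptsetup luksFormat --type luks2 "$part"
    sudo cryptsetup open "$part" "$name"
    sudo mkfs.ext4 -L "$name" "/dev/mapper/$name"
    # Confirm what was written: LUKS version and keyslot KDF from the header.
    sudo cryptsetup luksDump "$part" | grep -E 'Version:|PBKDF:'
}

if [ $# -gt 0 ]; then
    format_card "$@"
else
    echo "usage: $0 /dev/sdX [mapper-name]   (DESTROYS all data on the device)" >&2
fi
```

The mounted-filesystem check is deliberately conservative: a card that the desktop auto-mounted is refused too, so unmount it first. Unlike the interactive session, this also replaces the whole partition table, which is what you want for a card you are about to encrypt anyway.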

Usage

Mount /dev/mapper/sdcard and create a directory owned by your user; the root of a fresh ext4 filesystem belongs to root, so without this step every copy would need sudo. Unmount before closing the mapping, otherwise luksClose fails with a device-busy error:

sudo mkdir /tmp/mycard
sudo mount /dev/mapper/sdcard /tmp/mycard
sudo mkdir /tmp/mycard/dir
sudo chown <username> /tmp/mycard/dir
sudo umount /tmp/mycard
sudo cryptsetup luksClose /dev/mapper/sdcard

Desktop environments such as KDE Plasma 5 show the encrypted device in the Dolphin file manager as soon as you insert the card and offer a passphrase dialog to unlock and mount it. You can also open the encrypted filesystem manually (recreate the mount point first if /tmp was cleared on reboot):

sudo cryptsetup luksOpen /dev/sda1 sdcard
sudo mount /dev/mapper/sdcard /tmp/mycard
ls /tmp/mycard
cp -rv ~/Desktop/* /tmp/mycard/dir

Don't forget to unmount and then close your encrypted SD card:

sudo umount /tmp/mycard
sudo cryptsetup luksClose /dev/mapper/sdcard

You can now remove the SD card from the laptop slot.

Encrypted files with GPG

Besides LUKS-formatted memory cards there is another way to protect sensitive information: GPG encryption. gpg is the GNU OpenPGP encryption and signing tool. Because it encrypts individual files rather than a block device, the output can be copied to any platform, sent by email, or placed on an unencrypted FAT-formatted USB drive. gpg works on a single file, so a directory has to be packed with tar first. In this post I will show you how to encrypt and decrypt files and directories with GPG.

Key

Generate a new key pair and list the keys in your keyring. A key is only needed for the public-key variant and for signing; symmetric encryption works with a passphrase alone.

gpg --gen-key
gpg --list-keys

Encryption

Encrypt a file with a symmetric cipher whose key is derived from a passphrase. The recipient only needs the passphrase, not your key:

gpg --output <encrypted-filename>.gpg --symmetric <filename>

Encrypt a file with the recipient's public key; only the matching private key can decrypt it. You can name yourself as recipient to protect your own files. The recipient's public key has to be in your keyring (import it and check its fingerprint first):

gpg --output <encrypted-filename>.gpg --encrypt --recipient email@example.org <filename>

Decryption

Decryption is the same command for symmetric and public-key encrypted files: gpg reads the packet type from the file and either asks for the passphrase or uses the matching private key.

gpg --output <decrypted-filename> --decrypt <encrypted-filename>.gpg

Sign

You may want to be sure your files have not been modified since they were sent. Encryption alone does not prove who produced a file; a digital signature does. The GNU Privacy Handbook describes three ways to make one: a normal signature (--sign, signed and compressed output), a clear-text signature (--clearsign, readable text with the signature appended) and a detached signature (--detach-sign, a separate .sig file that travels next to the encrypted file). The receiver checks any of them with --verify.

In the Plasma 5 desktop environment you can encrypt and decrypt (and sign and verify) files with the Kleopatra certificate manager.
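The key generation, symmetric and public-key encryption, decryption and signing steps above, as one POSIX shell script. This is an added example and not the original post's code. It shows what the commands above leave implicit: gpg encrypts a single file, so a directory is packed with tar first; --batch with a passphrase file and --pinentry-mode loopback removes the interactive prompts; and a detached signature over the encrypted archive lets the receiver detect a modified file before decrypting it. Everything runs in a throwaway GNUPGHOME with a made-up identity "Example Signer <signer@example.org>", so it never touches your real keyring; the notes.txt content and the passphrases are constructed test data. With --demo it encrypts, decrypts, checks that a wrong passphrase is rejected, signs, verifies, and checks that one flipped byte breaks verification.

```shell
#!/bin/sh
# Added example, not from the original post: the gpg commands above as a script.
# Runs in a throwaway GNUPGHOME with a made-up key, so it never touches your keyring.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
SIGNER='Example Signer <signer@example.org>'   # placeholder identity, not a real person
# Flags shared by every call: never prompt, read passphrases via loopback pinentry.
GPG="gpg --batch --yes --quiet --pinentry-mode loopback"

# gpg works on one file, so the directory is packed with tar first, then encrypted
# with a key derived from the passphrase in PASSFILE (the --symmetric case above).
encrypt_dir() {   # encrypt_dir DIR OUT.tar.gpg PASSFILE
    tar -C "$(dirname "$1")" -cf - "$(basename "$1")" |
        $GPG --symmetric --cipher-algo AES256 --passphrase-file "$3" --output "$2"
}

# Same archive, but encrypted to a public key (the --encrypt --recipient case above).
encrypt_dir_for() {   # encrypt_dir_for DIR OUT.tar.gpg RECIPIENT
    tar -C "$(dirname "$1")" -cf - "$(basename "$1")" |
        $GPG --encrypt --recipient "$3" --output "$2"
}

# Decrypt to a temp file first so a wrong passphrase or tampered data fails cleanly
# instead of feeding garbage to tar; gpg picks symmetric or public-key by itself.
decrypt_dir() {   # decrypt_dir IN.tar.gpg DEST PASSFILE
    mkdir -p "$2"
    tmp=$(mktemp)
    if ! $GPG --decrypt --passphrase-file "$3" --output "$tmp" "$1"; then
        rm -f "$tmp"; return 1
    fi
    tar -C "$2" -xf "$tmp"
    rm -f "$tmp"
}

# Throwaway key without a passphrase (batch equivalent of gpg --gen-key).
make_key() {
    $GPG --passphrase '' --quick-generate-key "$SIGNER" default default never
}

sign_file()   { $GPG --local-user "$SIGNER" --detach-sign "$1"; }   # writes $1.sig
verify_file() { $GPG --verify "$1.sig" "$1" 2>/dev/null; }          # 0 only if intact

# End-to-end check; prints "ok" when every step behaves as expected.
demo() {
    w=$(mktemp -d)
    mkdir "$w/secret"
    printf 'constructed sample data\n' > "$w/secret/notes.txt"   # constructed test file
    printf 'correct horse battery staple\n' > "$w/pass"           # constructed passphrase
    printf 'wrong passphrase\n' > "$w/badpass"
    make_key

    encrypt_dir "$w/secret" "$w/sym.tar.gpg" "$w/pass"
    decrypt_dir "$w/sym.tar.gpg" "$w/out1" "$w/pass"
    cmp -s "$w/secret/notes.txt" "$w/out1/secret/notes.txt" || return 1
    if decrypt_dir "$w/sym.tar.gpg" "$w/out2" "$w/badpass"; then return 1; fi

    encrypt_dir_for "$w/secret" "$w/pub.tar.gpg" "$SIGNER"
    decrypt_dir "$w/pub.tar.gpg" "$w/out3" "$w/pass"
    cmp -s "$w/secret/notes.txt" "$w/out3/secret/notes.txt" || return 1

    sign_file "$w/sym.tar.gpg"
    verify_file "$w/sym.tar.gpg" || return 1
    # Flip one byte of the archive: the detached signature must no longer verify.
    printf 'X' | dd of="$w/sym.tar.gpg" bs=1 seek=10 conv=notrunc 2>/dev/null
    if verify_file "$w/sym.tar.gpg"; then return 1; fi

    rm -rf "$w"
    echo ok
}

if [ "${1:-}" = --demo ]; then
    demo
else
    echo "usage: $0 --demo" >&2
fi
```

For real use, keep the passphrase file out of the unencrypted USB drive it protects, and send the .sig file along with the .tar.gpg; the receiver runs the verify step before decrypting, so a modified archive is rejected without ever being unpacked.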

March 9, 2024