Usb drive encryption

[Markfree]

Guys,

I had 2 external usb drives connected to my Asus AC87u router. Unfortunately, one of them stolen but the other remained as a backup.

Since I lost one drive, probably all my data on it was seen, copied or something else. To avoid this misfortune, I was wondering if there is a software to encrypt my USB drives connected to Asus router, pretty much like Windows bitlocker. So, even if I take the drive off the router, it will open only with a password.

Thank you.

 

[ASAT]

Have you tried disk encryption with dm-crypt / LUKS ?

 

[sfx2000]

Sorry to hear about your loss - many external drives do have Kensington lock slots...

Not a big fan of encryption on external drives as it complicates swaps and recovery, but if one can't lock one down, encryption is better than anything...

 

[steven168]

i am using this

http://www.newsoftwares.net/usb-secure/

 

[ColinTaylor]

i am using this

http://www.newsoftwares.net/usb-secure/

That looks like it's Windows only? So presumably wouldn't work when attached to a Linux-based router? Or am I missing something?

 

[Markfree]

I was looking for a solution that would allow me to use USB drive through my router, including SMB and Webdav features. And, by removing the drive from the router and placing it on another computer, password would still be asked.
ASAT, do you think those options work like that?

 

[ColinTaylor]

Have you tried disk encryption with dm-crypt / LUKS ?

I doubt the router supports this?

 

[ASAT]

ASAT, do you think those options work like that?

I see that Entware-ng now has cryptsetup. However, I imagine at some point, that a person would need to type a 40 character alpha-numeric password into the router to unlock the encrypted volume.
https://gitlab.com/cryptsetup/cryptsetup

 

[ASAT]

the router supports this?

My wish is to read and write an encrypted USB flash drive plugged into the router that was originally formatted (ext4 + LUKS) on Ubuntu. So I will try enabling dm-crypt in the kernel config of the Asuswrt-Merlin firmware and see what happens...

~/asuswrt-merlin/release/src-rt-6.x.4708/linux/linux-2.6.36/config_base.6a

CONFIG_MD=y
CONFIG_BLK_DEV_DM=m
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_XTS=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
CONFIG_CRYPTO_RMD320=m
CONFIG_CRYPTO_SHA256=m
CONFIG_CRYPTO_SHA512=m
CONFIG_CRYPTO_TGR192=m
CONFIG_CRYPTO_WP512=m
CONFIG_CRYPTO_ANUBIS=m
CONFIG_CRYPTO_BLOWFISH=m
CONFIG_CRYPTO_CAMELLIA=m
CONFIG_CRYPTO_CAST5=m
CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_KHAZAD=m
CONFIG_CRYPTO_SALSA20=m
CONFIG_CRYPTO_SEED=m
CONFIG_CRYPTO_SERPENT=m
CONFIG_CRYPTO_TEA=m
CONFIG_CRYPTO_TWOFISH=m
CONFIG_CRYPTO_TWOFISH_COMMON=m

Then, I will install a package from Entware-ng and attempt to mount my encrypted USB flash drive. Will it work?

opkg update
opkg install cryptsetup
/sbin/insmod dm-mod.ko
/sbin/insmod dm-crypt.ko
/sbin/insmod gf128mul.ko
/sbin/insmod xts.ko
cryptsetup luksOpen /dev/sdb1 usbcrypt
/bin/mkdir /mnt/usbcrypt
/bin/mount /dev/mapper/usbcrypt /mnt/usbcrypt
/bin/umount /mnt/usbcrypt
cryptsetup luksClose usbcrypt
/sbin/rmmod xts
/sbin/rmmod gf128mul
/sbin/rmmod dm-crypt
/sbin/rmmod dm-mod

REFERENCES
https://gitlab.com/cryptsetup/cryptsetup
https://wiki.gentoo.org/wiki/Dm-crypt
https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption

 

[Thorton]

Did someone get real-time encryption working? I would also like external HDD (attached to AC87U via USB3) to be encrypted, so if someone takes my drive, he can't access files (pretty much like TrueCrypt works, for example). I don't mind typing a password every time disk is mounted or router is rebooted (since it not happens often).

 

[Fitz Mutch]

Did someone get real-time encryption working?

Yes, just in case the FBI comes, I believe someone did. For example, here is the things you must do to run Entware-NG from an encrypted USB3 HDD. Would be nice to see support from Asus here. Otherwise, you're stuck doing it all yourself.

1. Enable the dm-crypt feature and other required modules in the kernel and recompile the firmware.
2. Make a version of cryptsetup and its dependent libraries that either runs from /jffs or is compiled directly into the firmware. If your /opt partition resides on the encrypted disk, then you cannot run cryptsetup from /opt. Duh.
3. Create a pre-mount script to automatically mount the encrypted disk at boot time, and use services-stop to un-mount it. Unfortunately, there is no Asus /etc/crypttab as with a modern Linux OS.
4. You could use an 3.3V Arduino Pro Mini to automatically enter a passphrase, very early in the boot process. How to make it secure?

Thoughts?

• The only noticeable performance hit is when running Transmission, when it starts the download of a large file. The CPU spikes for more than a moment because it's pre-allocating the file and encrypting the empty space.
  
• Don't forget to encrypt the swap partition.
• Would be nice to encrypt the /jffs partition too.
• If all you want to do is encrypt a removable USB flash drive, then your task is simpler. No boot time authentication issues to figure out.

 

[zyxmon]

I have built encfs Entware packages for testing (armv7 & mipsel).
I have tested it on tomato (broadcom arm router) and mipsel mt762x routers (3.4 kernel).
You can find more info (Russian) here - http://forums.zyxmon.org/viewtopic.php?f=5&t=5386
(use online translators)

 

[Thorton]

That's nice. How long do you use it so far?

 

[zyxmon]

That's nice. How long do you use it so far?

I have compiled it today for testing )))

 

[Thorton]

Let us know how everything goes...

 

[zyxmon]

Let me know - if it works ok.

 

[SMW]

status?

 

[cafebueno]

There is a writeup on the Merlin wiki for this. https://github.com/RMerl/asuswrt-merlin/wiki/Encrypted-USB-Drive-HOWTO

 

[Thorton]

Am I the only who can't open this link (tested on 3 browsers)? Getting redirected to main docs page every time.

 

[ColinTaylor]

Am I the only who can't open this link (tested on 3 browsers)? Getting redirected to main docs page every time.

https://github.com/RMerl/asuswrt-merlin/wiki/LUKS-Encrypted-USB-Drive-HOWTO