Incompetence and Encryption in the Clutch
by William 5hacksphere (w5hacksphere@proton.me)
By the time I pull up the manual for the Kingston IronKey LP50, I'm already starting to panic.
I Ctrl+F to run a quick search for Linux, but by the time I enter my fourth keystroke the query turns red and my worst suspicions are confirmed. I need to be on the other side of the city to deliver these files in four hours, and my dumb ass has a Linux-incompatible encrypted USB drive on my hands.
Now, I know what you're thinking: 2600 Magazine, in-person rendezvous delivering encrypted files, enigmatic author with clever pseudonym inspired by an Elizabethan playwright - it's pretty clear we're dealing with a seriously cloak-and-dagger caper here.
But the truth of this tale, dear reader, is far more banal.
The Backstory
I'm an amateur freelance web dev, self-taught and still cutting my teeth on tiny sites for small businesses. I managed to talk my way into this completely unnecessary and easily avoidable situation last week, when a client asked if I could deliver a physical copy of his new codebase along with his final invoice. The code was already secured on his host via 2FA and backed up on GitHub, but sure, why not? A little redundancy never hurt anybody. No problem.
"And you'll make sure it's password-protected, right? We wouldn't want to risk the project getting out in the open," he said, like we were planning to move the NOC list in 1996's Mission Impossible.
At this point, if you knew just how innocuous this site was in nature, you probably wouldn't fault me for assuring the client that his HTML and CSS files in the wrong hands would be about as threatening as a lame wildebeest calf with blunt horns seeking revenge against a pride of hungry lions, but discouraging an improved security posture is rarely a good look when you're the web guy, and I knew there was no sense trying to tell him anything anyway.
Ever since a brush with identity theft last year, the dude switched from Windows to Ubuntu and - while he still isn't terribly tech savvy - he has become aggressively pro-password, so this was expected behavior. I just told him what I thought he wanted to hear.
"I'll make sure it's locked down according to modern encryption standards."
Granted, I wasn't sure what that meant when I said it, but it sounded about right and the client thankfully seemed to buy it. I spent about three minutes smartphone-researching on the bus ride home, concluded that IronKey was widely considered a top-shelf, nearly unhackable option (shout-out to the shit disturbers at Unciphered for making the word nearly a mandatory inclusion there), and ordered the LP50 with plans to bury the cost somewhere under miscellaneous expenses, never to give it a second thought.
The Research
Now, with the clock ticking and just a few hours until my final presentation, it seems that my options are to tell the client I made a mistake (an unforgivable faux-pas for the fake-it-til-you-make-it freelancer), find a viable alternative at a bricks-and-mortar retailer (an unfavorable option for the freelancer on foot), or skill-up in short order and spin up my own solution on short notice.
I take stock of the possibilities and within moments I'm frantically digging through docs, Guantanamo interrogating large language models and prowling page one of DuckDuckGo, ready to pounce on any blog post halfway worthy of an F-scan.
Because my initial searches are Linux-centric, the first solution that presents itself is LUKS.
Created in 2004 by Clemens Fruhwirth, the Linux Unified Key Setup (LUKS) now comes standard with most distributions, and offers an experience seamlessly integrated with the operating system. Sounds promising. I look a little more and find that it uses 256-bit Advanced Encryption Standard (AES) by default (which does turn out to be something of a modern standard), and it seems like encrypting a drive from the command line should be a fairly trivial process for anybody with basic terminal skills. I'm in.
I shut my ThinkPad and I'm about to start scouring my study for a spare jump drive when it hits me: that "L" in LUKS solved my compatibility problem, but does that mean that... I fire my laptop back up, head back into Firefox, and within a minute confirm what should've been immediately and intuitively apparent to any ape of average intelligence: the Linux Unified Key Setup isn't natively compatible with Windows or macOS, making it a less than ideal solution for some 96 percent of the desktop market.
Are there workarounds? Likely, but our current circumstance demands a work-through approach. LUKS is out.
What I want is a squeaky-clean, out-of-the-box, cross-platform solution that supports the major operating system trifecta, something like what I thought (O.K., assumed) I was ordering with the IronKey LP50, and when I shift the focus of my search to a cross-platform solution, VeraCrypt becomes the dominant option being suggested.
A fork of TrueCrypt - a ten-year reigning champ of the open-source disk encryption space that abruptly shut down in 2014, giving rise to conspiracy theories about intervention by government agencies - VeraCrypt offers a level of encryption that's similar to LUKS, plus excellent cross-platform compatibility.
On top of that, it supports hidden volumes, which allows multiple undetectable partitions to be encrypted with separate passphrases. This feature is geared more toward activists and journalists working in hostile regions, and less toward PTSD-suffering victims of identity theft, but I bet the client would be stoked all the same.
Satisfied by my superficial inspection, I start taking first steps toward setting this up in a hurry, but it isn't long before I clue in to the catch: In order for a VeraCrypt drive to be viable, its software needs to be separately installed on every machine that needs to access it. Even with the app, unlocking a drive isn't nearly as smooth as LUKS, which prompts you for a passphrase with a simple modal in the GUI.
This just isn't acceptable, not today. The goal today is to be done with this project the moment I drop this drive in the client's hand. The last thing I want is an extra reason for him to need tech support down the road.
With only two hours left to my meeting, I need to be out of the house in a little more than an hour - calm, composed, and at my most charismatic. At present, I'm unprepared, unshowered, and rapidly unraveling. I do what any desperate degenerate would do: heat my vaporizer up to 175°C and pack a bowl of homegrown alien kush to force a system reboot. I flop on the futon and start sorting my next move out while the pot plumes swirl over my head like weather systems on TV news.
The time for research is over. For better or worse, I'm going to need to proceed with what little I've managed to gather. I'm desperate, under the gun with more ambition than sense, and I begin to hatch an ill-conceived scheme to cobble together a half-assed, jury-rigged imitation of the IronKey setup (which requires launching its included access software to be prompted for your passphrase), by plotting to stake out an unencrypted partition to house VeraCrypt binaries.
But before I get the chance to proceed further down that path to my inevitable defeat, it hits me: We don't need new tools or a better solution at all, not today anyway. Today, all we need is spin. We don't have to disappoint the client with some half-assed just-Linux LUKS drive; we can impress the client with our Linux-specific LUKS drive especially tailored to his daily driver! Of course! How could I have forgotten this guy's trauma-spurred migration to Ubuntu?
The Execution
With renewed hope that I might actually successfully avert this crisis, I'm back on my feet, clambering through the house, rifling through desk drawers, backpacks, and messenger bags, searching for some suitable hardware. I normally can't stop tripping over these things, but today we're facing an inexplicable critical scarcity.
My search parameters broaden from classy-looking brand-name drive, to brand-name drive, to any unused drive at all. When that fails, I break down, crack open my hackpack, and head back to my laptop with a sacrificial piece of kit.
$ sudo dd if=/dev/zero of=/dev/sda bs=4M status=progress conv=fsync
And just like that, my Kali Live USB - and along with it, my dreams of boldly booting into some unknown PC at some unknown time to save the world from some unknown threat - are completely overwritten by zeroes. This step wasn't strictly necessary. LUKS can handle overwriting on its own, but in a saga of this magnitude, what's one extra command in the name of technical thoroughness and literary flair?
I check the bus schedule and it looks like I'll need to be out of the house in half an hour if I don't want to be late. Time's tight, but I've got what I've assessed to be the Internet's most comprehensive walk-through on the matter open on the right side of my screen with a terminal on the left, and so far things are going good.
Sure, our recycled drive is a bit on the small side - a Samsung FIT Plus plug-and-stay, which is large enough for easy removal/insertion even with my indelicate digits, but still small enough to easily get lost in a decently disorganized desk drawer - but all things considered, I'm gonna call it a win.
The terminal prompts me for a passphrase, and I pause for a moment to pick something personalized to the client. Personally, I typically default to one of the lesser-known quotables of prolific Staten Island poet Ghostface Killah, whose esoteric lexicon and dozen-disk discography are sure to deliver a high-entropy passphrase every time, but in this case I've got the client pegged as less of a hip-hop head and more of a classic rock guy (best guess anyway, heard The Beatles in his car once), so I pick a memorable snippet from the last verse of Lucy in the Sky With Diamonds and enter it twice.
The encryption succeeds!
And I still have 22 minutes until I need to be out of the house. Gravy. The last leg of the walk-through explains that I still need to set up a file system, which I don't know the first thing about, but after reading for a minute and a half, the first thing I learn is that ext4 is a safe bet (even recommended?) for Linux. Sign me up.
The operation looks like it succeeded, so I hold my breath, attempt to transfer over a copy of the client's repo and wait to see if it works... Victory!!!
With 11 minutes until I need to be out the door (we can push it to 13 if I run for the bus), I open the client's invoice, rename the line item IronKey to Samsung drive and set a new copy to print while I bolt for the shower.
The Aftermath
In the end, I got to the bus stop just in time, only for the bus to be eight minutes late, getting me to my meeting five minutes late, which ended up being three minutes before the client, so all was well.
He seemed happy with the site overall, and tickled with his new toy when I told him he could keep the encrypted drive (I'm not sure if he realized he was billed for it). I've clearly got a lot to learn when it comes to this encryption game, and I suppose most folks might've done a bit more research before submitting an article on the subject, but I guess I like to approach life a little differently.
If you, like me, are a Linux user who's unfamiliar with LUKS, here's a script I wrote that sums up what little I learned during this story.
I'm a Bash novice, so this one comes without warranty, but it's running smooth over here and maybe it'll help get you started.
#!/usr/bin/env bash

###############################
#                             #
#   Ye'olde LUKS Encrypter    #
#             by              #
#     William 5hacksphere     #
#      written for 2600       #
#        in 2025 A.D.         #
#         tested on:          #
#      Pop!_OS 22.04 LTS      #
# satisfaction not guaranteed #
#                             #
###############################

# to do a dependency check before you start the party:
dependency_check() {
    for cmd in cryptsetup mkfs.ext4 mkfs.exfat fdisk wipefs lsblk; do
        command -v "$cmd" >/dev/null 2>&1 || { echo "$cmd is required but not installed."; exit 1; }
    done
}

# lists devices and prompts user for selection:
display_devices() {
    echo "=== Available Devices ==="
    lsblk -d -o NAME,SIZE,MODEL | grep -vE "nvme|loop|zram" || { echo "No suitable devices found."; exit 1; }
    read -rp "Enter the device basename to work with (e.g., sda): " DEV_BASENAME
    DEV="/dev/$DEV_BASENAME"
    if ! lsblk "$DEV" &>/dev/null; then
        echo "Error: Device $DEV does not exist."
        exit 1
    fi
}

# helper function for wipe_device():
# walks up the lsblk parent chain until it reaches the whole-disk device
find_root_ancestor() {
    local device="$1"
    while true; do
        local parent
        parent=$(lsblk -nr -o PKNAME,NAME | awk -v dev="$device" '$2 == dev {print $1}')
        [[ -z "$parent" ]] && break
        device="$parent"
    done
    echo "$device"
}

# optional function, only runs when user selects 2):
wipe_device() {
    echo "WARNING: This will irreversibly wipe all data on $DEV."
    read -rp "Are you sure you want to continue? (yes/no): " CONFIRM
    if [[ "$CONFIRM" != "yes" ]]; then
        echo "Aborting."
        exit 1
    fi

    # combats drives that automount before re-encryption:
    echo "Ensuring all partitions on $DEV are unmounted..."
    if mount | grep "$DEV" &>/dev/null; then
        echo "Found mounted partitions. Unmounting..."
        sudo umount "$DEV"* || { echo "Error: Failed to unmount partitions on $DEV."; exit 1; }
    else
        echo "No mounted partitions detected."
    fi

    # look for LUKS containers...
    echo "Checking for active LUKS containers on $DEV..."
    CONTAINERS=$(lsblk -nr -o NAME,TYPE | awk '$2 == "crypt" && $1 ~ /^luks-/ {print $1}')

    # ...if you find any, shutdown the one on your target drive:
    if [[ -n "$CONTAINERS" ]]; then
        for container in $CONTAINERS; do
            root_ancestor=$(find_root_ancestor "$container")
            if [[ "$root_ancestor" == "$DEV_BASENAME" ]]; then
                echo "Closing LUKS container: $container"
                sudo umount "/dev/mapper/$container" &>/dev/null || echo "Warning: Failed to unmount $container."
                sudo cryptsetup luksClose "$container" || { echo "Error: Failed to close $container."; exit 1; }
            else
                echo "Skipping unrelated container $container."
            fi
        done
    else
        echo "No active LUKS containers detected on $DEV."
    fi

    # you should now be able to wipe the drive with no issues.
    # note that this isn't strictly necessary, and can be
    # time consuming for big-capacity hardware
    echo "Wiping filesystem signatures from $DEV..."
    sudo wipefs --all "$DEV" || { echo "Error: Failed to wipe filesystem signatures."; exit 1; }

    # dd exits non-zero when it runs out of device to write to,
    # so this warning is expected on a full-device overwrite:
    echo "Overwriting $DEV with zeros. This may take some time..."
    sudo dd if=/dev/zero of="$DEV" bs=4M status=progress conv=fsync || {
        echo "Warning: Partial overwrite detected."
    }
    echo "Device wipe completed."
}

# this is the main event:
encrypt_device() {
    # start by partitioning the device
    # (new DOS label, one primary partition spanning the whole drive):
    echo "Partitioning $DEV..."
    (
        echo o
        echo n
        echo p
        echo 1
        echo
        echo
        echo w
    ) | sudo fdisk "$DEV"

    PART="${DEV}1"
    if ! lsblk -o NAME | grep -q "$(basename "$PART")"; then
        echo "Error: Partitioning failed."
        exit 1
    fi
    echo "Partition created: $PART"

    # gather a couple matching passphrases...
    while true; do
        read -rsp "Enter LUKS passphrase: " PASS
        echo
        read -rsp "Confirm passphrase: " PASS2
        echo
        if [[ "$PASS" == "$PASS2" ]]; then
            break
        else
            echo "Error: Passphrases do not match. Please try again."
        fi
    done

    # ... and use them to encrypt your partition
    # (printf instead of echo, so a passphrase like "-n" isn't eaten as an option):
    echo "Encrypting $PART with LUKS..."
    printf '%s\n' "$PASS" | sudo cryptsetup luksFormat --type luks2 "$PART" -q || { echo "Error: LUKS encryption failed."; exit 1; }
    printf '%s\n' "$PASS" | sudo cryptsetup open "$PART" encUSB || { echo "Error: Failed to open encrypted partition."; exit 1; }
    # don't leave the passphrase sitting in shell variables:
    unset PASS PASS2
    echo "Encrypted partition is open."

    # now you can setup your filesystem:
    REALUSER="${SUDO_USER:-$(logname)}"
    while true; do
        echo -e "Select filesystem for encrypted partition:\n1) ext4 (Linux-only)\n2) exFAT (Cross-platform)"
        read -rp "Enter 1 or 2: " FSCHOICE
        case "$FSCHOICE" in
            1)
                echo "Creating EXT4 filesystem..."
                sudo mkfs.ext4 /dev/mapper/encUSB || { echo "Error: Failed to create EXT4."; sudo cryptsetup close encUSB; exit 1; }
                break
                ;;
            2)
                echo "Creating exFAT filesystem..."
                sudo mkfs.exfat /dev/mapper/encUSB || { echo "Error: Failed to create exFAT."; sudo cryptsetup close encUSB; exit 1; }
                break
                ;;
            *)
                echo "Invalid choice. Try again."
                ;;
        esac
    done

    # and mount the partition for testing:
    echo "Mounting the encrypted partition..."
    sudo mkdir -p /mnt/enc_test
    if [[ "$FSCHOICE" == "2" ]]; then
        # come down this alley for exFAT:
        echo "Mounting with UID and GID options for exFAT..."
        USER_ID=$(id -u "$REALUSER")
        GROUP_ID=$(id -g "$REALUSER")
        if ! sudo mount -o uid="$USER_ID",gid="$GROUP_ID" /dev/mapper/encUSB /mnt/enc_test; then
            echo "Error: Failed to mount encrypted partition."
            sudo cryptsetup close encUSB
            exit 1
        fi
    else
        # and roll down this lane for ext4:
        if ! sudo mount /dev/mapper/encUSB /mnt/enc_test; then
            echo "Error: Failed to mount encrypted partition."
            sudo cryptsetup close encUSB
            exit 1
        fi
        echo "Assigning ownership of /mnt/enc_test to $REALUSER..."
        if ! sudo chown -R "$REALUSER":"$REALUSER" /mnt/enc_test; then
            echo "Error: Failed to assign ownership."
            sudo umount /mnt/enc_test
            sudo cryptsetup close encUSB
            exit 1
        fi
    fi

    # unmount and close down before we exit:
    echo "Partition mounted at /mnt/enc_test. Press Enter when done."
    read -r
    sudo umount /mnt/enc_test
    sudo cryptsetup close encUSB
    echo "Encryption process complete."
}

# the main script logic is straightforward:
dependency_check
display_devices
while true; do
    echo -e "What would you like to do with $DEV?\n1) Encrypt fresh drive\n2) Wipe existing LUKS drive"
    read -rp "Enter 1 or 2: " CHOICE
    case "$CHOICE" in
        1) encrypt_device; break ;;
        2) wipe_device; encrypt_device; break ;;
        *) echo "Invalid choice. Please enter 1 or 2." ;;
    esac
done

Code: LUKS-encrypter.sh
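
Before handing a drive like this over, it is worth confirming that the partition really carries a LUKS header, without unlocking it. The following is an added example, not part of the author's script: it reads the header fields straight off the raw bytes, which is the same question cryptsetup isLuks answers on a real system. The function names (luks_probe, make_sample_header, luks_probe_demo) and the sample images are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not part of LUKS-encrypter.sh): identify a LUKS header by
# reading raw bytes, so it works on a device node or an image file.
# On-disk layout used: magic "LUKS\xba\xbe" at offset 0, big-endian
# version at offset 6, 40-byte UUID string at offset 168 (LUKS1 and LUKS2).

luks_probe() {
    local target="$1" hex kind uuid
    [ -r "$target" ] || { echo "unreadable"; return 2; }
    # First 8 bytes as one lowercase hex string, e.g. 4c554b53babe0002
    hex=$(od -An -tx1 -N8 "$target" | tr -d ' \n')
    case "$hex" in
        4c554b53babe0001) kind="LUKS1" ;;
        4c554b53babe0002) kind="LUKS2" ;;
        4c554b53babe*)    kind="LUKS-unknown-version" ;;
        *) echo "not-luks"; return 1 ;;
    esac
    # The UUID is NUL-padded ASCII; strip the padding.
    uuid=$(dd if="$target" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000')
    echo "$kind $uuid"
}

# Builds a constructed 4 KiB sample image carrying only the header fields
# the probe reads (hypothetical helper, for offline testing).
make_sample_header() {
    local out="$1" version="$2" uuid="$3"
    dd if=/dev/zero of="$out" bs=4096 count=1 2>/dev/null
    # Magic plus two-byte version, written over the start of the image.
    printf "LUKS\\272\\276\\000\\00${version}" | dd of="$out" conv=notrunc 2>/dev/null
    printf '%s' "$uuid" | dd of="$out" bs=1 seek=168 conv=notrunc 2>/dev/null
}

luks_probe_demo() {
    local tmp
    tmp=$(mktemp -d)
    # Constructed UUID; a zero-filled image stands in for a wiped drive.
    make_sample_header "$tmp/luks2.img" 2 "0f3c1a2b-1111-4222-8333-444455556666"
    dd if=/dev/zero of="$tmp/zeroed.img" bs=4096 count=1 2>/dev/null
    echo "luks2.img:  $(luks_probe "$tmp/luks2.img")"
    echo "zeroed.img: $(luks_probe "$tmp/zeroed.img")"
    rm -rf "$tmp"
}

luks_probe_demo
```

Pointing luks_probe at a real partition such as /dev/sda1 requires read access to the device node, typically via sudo.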