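After you plug in the USB drive, running the `dmesg` command displays the system messages, including the device name of the newly inserted USB drive. Make sure the device identifier is correct, because the steps that follow destroy all data on the drive. You don't want to format the wrong disk by accident. (It should go without saying, but I'll say it anyway: make sure the USB drive holds no data you want to keep, because this is a destructive process.)
Assuming the USB drive is /dev/sdb on your system, you need to create a single partition on it. We use the fdisk command. Below is the interaction fdisk requires. Generally, use the o command to create a new empty partition table, then the w command to save the settings. Then run fdisk again and use the n command to create a new primary partition, accepting the defaults so that it uses the entire device: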
Once the process completes, you have an encrypted partition, but it's not mounted or formatted yet. The first step is to mount the partition, which again uses the cryptsetup utility:
When you type in your passphrase, the device name you entered will be mounted like a virtual hard drive. Usually, it's mounted under /dev/mapper/devicename, so this example mounts a partition at /dev/mapper/my_crypto_disk.
This device is now being accessed as an unencrypted volume. As long as it stays mounted, it will act like any other unencrypted volume. That means you need to write a filesystem to it if you want to use it:
Now the drive is fully functional and can be mounted like any other disk. In fact, when you put the USB drive into your computer, if you have a modern GUI desktop, it should prompt you for a password and mount it automatically. Then you can eject it like a normal disk, and it will be encrypted until you next enter your passphrase. It's simple to unmount and, therefore, re-encrypt the drive on the command line too, using cryptsetup:
# cryptsetup luksClose my_crypto_disk
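The device check urged above and the cryptsetup steps, gathered into one guarded script as an added example (not from the original article). The function names, the /dev/sdb1-style partition name, the use of luksFormat to create the container and the ext4 filesystem are assumptions; `SYSFS_BLOCK` and `MOUNTS_FILE` exist only so the check can be pointed at constructed data.

```shell
#!/bin/sh
# Added example: guard the destructive LUKS steps behind a device sanity check.
# SYSFS_BLOCK and MOUNTS_FILE are overridable so the check can be exercised
# against constructed data; the defaults are the real kernel interfaces.
SYSFS_BLOCK="${SYSFS_BLOCK:-/sys/block}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# check_target DISK (e.g. sdb): prints "ok" or a reason, returns 0 only when safe.
check_target() {
    disk="$1"
    case "$disk" in
        ""|*/*) echo "bad-name"; return 1 ;;
    esac
    if [ ! -d "$SYSFS_BLOCK/$disk" ]; then
        echo "no-such-disk"; return 1
    fi
    # The kernel reports 1 here for removable media such as USB sticks.
    if [ "$(cat "$SYSFS_BLOCK/$disk/removable" 2>/dev/null)" != "1" ]; then
        echo "not-removable"; return 1
    fi
    # Refuse if the disk or any partition on it is currently mounted.
    if grep -Eq "^/dev/${disk}p?[0-9]*[[:space:]]" "$MOUNTS_FILE"; then
        echo "mounted"; return 1
    fi
    echo "ok"
}

# encrypt_usb DISK NAME: run as root; destroys all data on /dev/DISK1.
encrypt_usb() {
    disk="$1"; name="$2"
    reason=$(check_target "$disk") || { echo "refusing /dev/$disk: $reason" >&2; return 1; }
    part="/dev/${disk}1"                        # assumed: the single partition made with fdisk
    cryptsetup luksFormat "$part" || return 1   # asks for confirmation and a passphrase
    cryptsetup luksOpen "$part" "$name" || return 1
    # ext4 is an assumption; any filesystem can go on the mapped device.
    mkfs.ext4 "/dev/mapper/$name" || { cryptsetup luksClose "$name"; return 1; }
    cryptsetup luksClose "$name"
}
```

Call it as root, for example `encrypt_usb sdb my_crypto_disk`. Some USB hard disks report `removable` as 0, so a refusal there means confirming the device by hand with `dmesg` before going further.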
That's Only the Tip of the Iceberg
In this article, my hope is to peel back some of the mystery behind encryption. It's simple to encrypt and decrypt a file. It's not too much more difficult (especially if you use the GUI desktop tools) to encrypt an entire USB drive. With most distributions, it's possible to encrypt the entire home directory during the installation process! When encryption is set up on your entire home directory, however, there are some issues you need to address. For example, jobs that run while you're not logged in most likely will not have access to your home directory. If you have cron jobs that need access to your home directory, you should rewrite them to access data elsewhere on the system. I find a happy medium between security and convenience is to encrypt a USB drive and store my personal data on it.
Once you get the encryption bug, I must warn you, you'll want to start encrypting everything. That's not a bad thing, but like the home directory scenario, you'll run into a few snags. Cross-platform accessibility is a big one if you go between systems. For situations like that, I highly recommend [TrueCrypt][1]. I've mentioned TrueCrypt in UpFront pieces before, but it's basically an open-source, cross-platform encryption system that allows you to encrypt files, folders, partitions and more while being able to access that data on any system. Windows, Mac and Linux clients are all available, and the community has great support.
You don't have to have something to hide in order to desire encryption for your files. Just like it's wise to lock your house at night, even if you live in a good neighborhood, it's a smart move to encrypt your personal data. If you want to share your photos of Mr Whiskerton in his cute little beanie hat with everyone on the Internet, that's your right. But others don't need to see those things if they're being nosey and poking around your hard drive!