Encrypted USB Flash Drive

From Siduction Wiki DE

How to prepare an encrypted USB flash drive for data storage.

First insert the flash drive and, in a root terminal, make certain of the drive's device designation (the following steps overwrite that device) with

# fdisk -lu

Now use (as root) gparted and choose Device > New Partition Table to make a new partition table of type ms-dos on the USB stick. Right-click on the unallocated space and choose "New". In the new partition dialog, leave all items but "filesystem" at their defaults, choose "unformatted" for the filesystem, then click "Add", then the green check mark and "Apply". It will show an unformatted partition with a yellow warning symbol on it. Close gparted.

Next, in a root terminal or with "sudo" (I do these things as root), fill the partition with random data:

# dd bs=4K if=/dev/urandom of=/dev/sdx1

Here "x" is of course your device letter, in this and in all following commands. A 4G stick took about 15 minutes to complete.

Now load the dm_crypt kernel module:

# modprobe dm_crypt

To make this a permanent part of your system configuration, add dm-crypt to /etc/modules.

If you haven't previously installed the cryptsetup package, do it now.

Now set the partition as a LUKS encrypted partition, and set the user password (twice):

# cryptsetup luksFormat /dev/sdx1

Next, open and map the device with a name that you choose (your password will be requested):

# cryptsetup luksOpen /dev/sdx1 my_encrypted_stick

After you enter your password, the block device will be mapped to /dev/mapper/my_encrypted_stick (or whatever name you gave it).

Next, create the filesystem of your choice on the block device.

# mkfs.ext4 /dev/mapper/my_encrypted_stick

But we don't want the ext4 journalling feature to wear out the flash memory prematurely, so

# tune2fs -O ^has_journal /dev/mapper/my_encrypted_stick

Since we never mounted the filesystem on the USB stick, it remains unmounted. Remove the stick and reboot your system, and when the desktop is up, (a) use lsmod to verify that the dm_crypt module is loaded, and (b) insert your encrypted USB stick.
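As an added example (not from the wiki page), a POSIX shell script that wraps the preparation steps above and, before the destructive dd and luksFormat, refuses any target that is not a removable, unmounted whole disk; SYSFS_ROOT, MOUNTS_FILE, DRY_RUN and the function names are assumptions of this example, as is the final luksClose, which the page replaces with a reboot.

```shell
#!/bin/sh
# Added example, not from the wiki page: pre-flight checks that guard the
# destructive steps above (dd and luksFormat) against a mistyped device name.
# Assumes the Linux sysfs layout (/sys/block/<disk>/removable) and /proc/mounts;
# SYSFS_ROOT and MOUNTS_FILE can be pointed at a constructed tree for testing.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/block}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# check_removable sdx: succeeds only if the kernel flags the disk as removable
check_removable() {
    flag="$SYSFS_ROOT/$1/removable"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# check_unmounted sdx: succeeds only if no partition of the disk is mounted
check_unmounted() {
    ! grep -q "^/dev/$1[0-9]* " "$MOUNTS_FILE"
}

# preflight sdx: 0 if the disk is a safe target, 1 (with a reason) otherwise
preflight() {
    case "$1" in
        sd[a-z]|sd[a-z][a-z]) ;;
        *) echo "refusing: '$1' is not a whole-disk name like sdb" >&2; return 1 ;;
    esac
    check_removable "$1" || { echo "refusing: /dev/$1 is not removable" >&2; return 1; }
    check_unmounted "$1" || { echo "refusing: /dev/$1 has mounted partitions" >&2; return 1; }
}

# run: execute a step, or only print it when DRY_RUN is set
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# prepare_stick sdx mapping_name: the page's steps, applied to the first partition
prepare_stick() {
    preflight "$1" || return 1
    run dd bs=4K if=/dev/urandom of="/dev/${1}1"
    run modprobe dm_crypt
    run cryptsetup luksFormat "/dev/${1}1"
    run cryptsetup luksOpen "/dev/${1}1" "$2"
    run mkfs.ext4 "/dev/mapper/$2"
    run tune2fs -O ^has_journal "/dev/mapper/$2"
    run cryptsetup luksClose "$2"   # added: release the mapping before unplugging
}

# Usage: try it dry first, then for real (as root):
#   DRY_RUN=1 prepare_stick sdb my_encrypted_stick
#   prepare_stick sdb my_encrypted_stick
```

Run the dry-run form first and read the printed commands; only the device named there is touched afterwards.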

On a Plasma 5 KDE desktop, the "device notifier" pops up and offers to open the device with the Dolphin file manager. Accept the offer, and the password window opens for the password. Upon first entering the password, the notifier may or may not respond with a "you are not authorized" error, but the device is nevertheless mounted at /media/username/uuid, where the uuid is a conventional device uuid like 448459a8-3c87-41a9-a8e6-d0896be07d8c. You will note that the only existing folder, "lost+found", has a lock symbol on it, indicating that the user cannot access it.

Now close the file manager and open a root terminal and cd to /media/username/uuid. Issue

# mkdir -p DATA

# chown username:username *

Now the user is the owner of the lost+found and DATA folders, even though root remains the owner of the filesystem root itself.

Exit the terminal, and then use your device notifier to eject the USB stick. Test your encrypted stick by inserting it, giving the password, and opening it with your file manager. (The notifier may or may not again claim you are not authorized -- ignore it.) You cannot save anything in the filesystem root, but the DATA folder as well as lost+found are yours to use as in any other user-accessible filesystem. When the encrypted stick is inserted in a running system but the correct password is not given, the device is detected (i.e. fdisk can see it in /dev) but the filesystem is not mounted.