Please rate the correctness of this instruction

I have created a guide on how to encrypt removable media. I used the Full Disk Encryption (FDE) wiki and AI to do this. Please review this guide for accuracy.

Here are the instructions:

Open a terminal
In the Terminal, enter: sudo fdisk -l
We check if our flash drive is /dev/sda
In the Terminal, enter: sudo dd if=/dev/random of=/dev/sda
We take out and put the flash drive back into the computer
In the Terminal, enter: sudo fdisk /dev/sda <<< $(printf "n\np\n\n\n\nw")
In the Terminal, enter: sudo cryptsetup --verbose --use-random --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random luksFormat /dev/sda1
We type Yes
Enter the password
Enter the password again
Type sudo cryptsetup luksOpen /dev/sda1 my_usb
Type sudo mkfs.ext4 -L persistence /dev/mapper/my_usb
Type sudo cryptsetup luksClose /dev/mapper/my_usb

2 Likes
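
An added example, not part of the original post or the Kicksecure wiki: a guard for the "check if our flash drive is /dev/sda" step, since the dd and fdisk commands that follow overwrite whatever /dev/sda happens to be. The function name check_target and its sysfs-root and mounts-file parameters are assumptions, made so the check can run against a constructed tree.

```shell
#!/bin/sh
# Added example: guard to run before the destructive dd/fdisk/luksFormat steps.
# check_target DEV [SYSFS_ROOT] [MOUNTS_FILE]  (name and parameters are hypothetical)
# Returns 0 only if DEV is a whole disk, flagged removable, with nothing mounted.
check_target() {
    dev=$1
    sysfs=${2:-/sys}
    mounts=${3:-/proc/mounts}
    name=${dev#/dev/}

    # Whole disks have a directory under /sys/block; partitions (sda1) do not.
    if [ ! -d "$sysfs/block/$name" ]; then
        echo "refuse: $dev is not a whole-disk block device"
        return 1
    fi
    # The kernel sets removable=1 for USB sticks and card readers. Some USB
    # enclosures report 0; this check then errs on the side of refusing.
    if [ "$(cat "$sysfs/block/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "refuse: $dev is not flagged removable"
        return 1
    fi
    # A mounted partition means the device is in use (prefix match is deliberately broad).
    if awk -v d="$dev" 'index($1, d) == 1 { hit = 1 } END { exit !hit }' "$mounts"; then
        echo "refuse: $dev or one of its partitions is mounted"
        return 1
    fi
    # sysfs reports size in 512-byte sectors; show MiB to compare with the stick's label.
    sectors=$(cat "$sysfs/block/$name/size" 2>/dev/null || echo 0)
    echo "ok: $dev is removable and unmounted, $(( ${sectors:-0} / 2048 )) MiB"
}

# Constructed demo tree, not real hardware: sda is a USB stick, nvme0n1 the system disk.
demo=$(mktemp -d)
mkdir -p "$demo/sys/block/sda" "$demo/sys/block/nvme0n1"
echo 1 > "$demo/sys/block/sda/removable"
echo 61440000 > "$demo/sys/block/sda/size"
echo 0 > "$demo/sys/block/nvme0n1/removable"
printf '/dev/nvme0n1p2 / ext4 rw 0 0\n' > "$demo/mounts"

check_target /dev/sda "$demo/sys" "$demo/mounts"
check_target /dev/nvme0n1 "$demo/sys" "$demo/mounts" || true
```

On a real system, call check_target /dev/sda with no further arguments and continue with the guide only if it prints an "ok" line whose size matches the flash drive.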

You may be missing an \n after w.

You have --use-random twice.

YES needs to be written in all capital letters.

You may want to mount the newly created filesystem and then do a chmod 777 /path/to/mount so that you can write to the USB without needing root access (which is unavailable when booted in user mode if you have user-sysmaint-split installed).

2 Likes

You might consider this as well:

--pbkdf argon2id

This is the modern default for LUKS2 on recent cryptsetup versions. It uses argon2id instead of the old PBKDF2 and gives much stronger memory-hard protection against GPU brute-force attacks.

--pbkdf-memory 1048576 #1 GB

Offers a good balance between security and usability. Going higher (for example 2 GB or 4 GB) makes offline attacks even harder — as long as your system has enough free RAM when entering the passphrase. On Qubes dom0 you usually have enough headroom for 2–4 GB.

--pbkdf-memory 1048576 # 1 GiB (default, safe on most systems)
--pbkdf-memory 2097152 # 2 GiB (better against offline attacks if you have enough RAM)
--pbkdf-memory 4194304 # 4 GiB (maximum allowed, very strong but needs plenty of free RAM during unlock)

1 Like

Is this a mistake? I found this command here: Full Disk Encryption (FDE)

2 Likes

I also found this command here: ISO - cryptsetup Full Disk Encryption (FDE) - set more secure default encryption settings - Development - Kicksecure Forums

1 Like