Password write protect an external hard drive (DOK) without encryption

Question

I'm handing out a usb sticks to students and want them to return after they copied the material to their personal computers.

I want to make sure the usb's return without any damage/malware (intentionally or unintentionally, i.e. their pc's might be affected by viruses).

Is there a way to set up the usb sticks such that no write will be possible without knowing a certain key/passphrase? reading from it should be permitted. I do not care about encryption, I mean, if that solves the problem I don't mind doing so but as far as I know just encrypting the disk does not make a distinction between read and write accesses.

In any case, I'm working with Ubuntu.

Answer 1

Hardware

It is not possible to write-protect a USB device via the standard USB mass storage protocol. You would need to find a flash drive vendor that provides that as an extra feature. Make sure it is implemented in hardware, and not as some silly program that one has to run in order for the protections to be enforced. There are surely some out there, but they are likely expensive, and many of them can be easy to bypass.

Note that, even with hardware, it will not necessarily be hard for a skillful or even just clever attacker to bypass. Many flash drives can have their firmware overwritten, which will necessarily disable any write protection. I would recommend against a hardware solution for this reason.

Hash lists, stored on your computer

If your budget is low, and your threat model does not involve particularly advanced adversaries who may be able to exploit flash drive firmware or filesystem drivers, then the solution may be as simple as generating a hash list, and checking the list when the drives are returned. If any of the hashes do not match, you know that a file has been modified. A simple way to generate a hash list using Linux, using relative paths to avoid issues if the mountpoint location is different:

To generate a hash list and save it to your home:

cd /media/usb
find . -type f -exec sha1sum {} + > ~/SHA1SUMS

To verify the hash list:

cd /media/usb
sha1sum -c ~/SHA1SUMS

Signed hash lists, stored on the USB

If you do not want to store a separate file with a hash list for every USB device, you can also put a signed hash list on the drive itself. This works basically the same way, but rather than keeping the hash list on your own computer, you keep it on the USB, using a signing key so you can know if it has been modified. This is a common technique used for distributing software securely as well. You will need to create a key for signing with GPG.

To generate and sign a hash list:

cd /media/usb
find . -type f -exec sha1sum {} + > SHA1SUMS
gpg --clearsign SHA1SUMS -o SHA1SUMS.asc -b

To verify the hash list:

cd /media/usb
gpg --verify SHA1SUMS.asc
sha1sum -c SHA1SUMS

You can likely automate this all with a script.

dm-verity

Another Linux solution, far more powerful than hash trees, involves using a feature called dm-verity, originally designed for protecting the Android boot process. When a drive is used with dm-verity, a master signing key is used to sign the root hash. The root hash will change if anything on the partition with dm-verity changes, and the signing key will no longer validate it. By default, any change will result in that file not being readable. This is far more secure because it cannot be bypassed without knowing the secret signing key, and it can be used on any storage device.

This solution is more efficient than using a hash list, as files are only verified as they are accessed, negating the need to verify it all at once. The partition will however be made read-only, so adding a new file will require reformatting the drive. This is great if you have a write once, read many situation, but is not so great if you have to add new files to the flash drive and redistribute it all the time.