Make a drive read only

hey
i have many flash storage pendrives and i want to make them read-only so no one no system can write on it how can i do it.
this is important in certain use case. i want to make my drives only read the data from but no one can actually write anything.

The manual pages contain such information: man mount | grep read-only

The answer is the mount option -r: e.g., if you do not need any other option, it would be sudo mount -r /dev/sdd1 mountfolder

Extract from the mount manual:

   -r, --read-only
       Mount the filesystem read-only. A synonym is -o ro.

       Note that, depending on the filesystem type, state and kernel behavior, the system may still write to the device. For example, ext3 and ext4 will replay the journal if the
       filesystem is dirty. To prevent this kind of write access, you may want to mount an ext3 or ext4 filesystem with the ro,noload mount options or set the block device itself to
       read-only mode, see the blockdev(8) command.

As far as I remember, you use GNOME. Unfortunately, I do not know if there is a GUI method in GNOME to mount read-only. In either case, if you want to ensure that there is really no write possible, you should ensure that read-only is applied on the mount level

You may want to consider buying write-once drives. Other than that, I am not sure how you could make a drive read-only unless the hardware itself supported it. Anything you could do via software, someone else could undo.

It might help to understand the specific use-case.

I am not sure how I understand how that would help the problem? That would just mount the device as read-only. As soon as you removed it and handed it to someone else they could mount it as read-write.

4 Likes

This is the way I understood the question: no one / nothing can write on the pendrive once it is mounted on a system, but it shall remain readable. However, now that you say it, the question can be also interpreted the other way.

@frankjunior do you want to achieve read-only when mounted on a system (so, read-only to everything and everyone on the system: users, daemons, tools, …), or generally that once you have written something to the drive, it can no longer be written anything more to it?

1 Like

One way to do this is to open a terminal in the top directory of the drive and run this command:

sudo chatter -R +i *

This will set the immutable bit on every file and directory on the drive, making it impossible for anybody, even root, to modify or delete anything on the drive.

1 Like

Actually i was looking for some way if i could set my drive in such a way that what ever i have written no one can edit or copy other files into the drive and i only have access or just a quick format will make it again read and writeable so somehow if it can be done and i think i need to be stick with fat exfat or ntfs as i need to hand it to may have windows systems.

I have seen older SD cards with a manual switch to make it read only. Have never seen such a thing with USB flash drives, and don’t know of any way to make a usb drive with FAT or NTFS file system as read only.

On second thought, a failing device automatically goes read only, but that is not what you are asking for.

You may need to tell us more about your use case.

One time long ago my boss took his brand new Macbook Air to a high-level meeting with a bunch of military brass. A final report was prepared and shared using a pendrive. When my boss tried to copy the document from the pendrive macOS blocked it saying malware had been detected. Faces around the table went white. The malware was a “copy.exe” program that installed a payload onto the host system when invoked.

The most direct approach is to copy the pendrives to DVD’s, and provide a USB DVD drive, but
the capacity of DVD’s is much less than many pendrives.

There have been archive formats that use asymmetric encryption with one key for read access and another for write access. That won’t stop someone from just deleting the archive, and would not prevent things like malware installing itself on the pendrive outside the archive. Public key encryption might work for some use cases.

You could store a hash of the raw image a each USB key. This would allow you to detect any change to the contents of the key, but you have to avoid filesystems that store access times, etc.