Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Dmcrypt"

From NetSec
Jump to: navigation, search
 
(Lesson)
Line 1: Line 1:
==Lesson==
+
 
''
+
== 1.0 - Introduction
1.0 - Introduction''
+
==
  
  

Revision as of 22:35, 4 September 2011

== 1.0 - Introduction

==


DmCrypt and Luks are utilities used to encrypt storage space. This can be applied to any type of device natively understood by your kernel. Devices include anything in /dev OR you can create your own flat file and create a loopback device. This works on *ANY* linux distribution

In any case, the first utility you'll want is cryptsetup. Depending on your distribution, you'll need to use your appropriate package manager to install this: "apt-get install cryptsetup" or "emerge -q cryptsetup" whichever applies to you.

You can get a list of supported kernel encryption ciphers and hashing algorithms by using grep on /proc/crypto like so: grep "digest\|cipher\|name" /proc/crypto nearly every distribution supports this (some lfs and other MINIX variants will not support crypto or crypttab in procfs).

This will tell you the names of each cipher/digest algorithm supported by your kernel. Digest algorithms are hashing algorithms. I personally prefer whirlpool, however: sha, md5, sha-512 (hmac) and ripemd160,320, are viable options. Whirlpool is picked due to collision resistance, combined with age and resistance to cryptanalysis attacks. There is no known cryptanalysis attack able to generate reliable collisions on the whirlpool 512 digest.


2.0 - Available ciphers


Usually AES is always available, my personal preference is blowfish however, aes, serpent, blowfish and twofish are all viable options. If you do not have a decent listing in /proc/crypto, see your distribution's documentation on installing cryptographic kernel modules.

To get a better selection, you should be able to search for something along the lines of "[distro name] kernel crypto module installation". If you are using a source-based installation, you can simply rebuild and specify your desired options inside of menuconfig.


3.0 - Setting up your block device


So first thing is first, setting up your block device. You'll want to create a partition OR a flat file.


3.1 - PARTITION INSTRUCTIONS:


create a partition using cfdisk or fdisk (whichever is easier for you), then run the following command : cryptsetup luksFormat -c [ciphername] -h [digestname] /dev/[partition]

For example if I wanted to use whirlpool-blowfish on /dev/sdb2. I'd do: cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2

It will then prompt you for your passphrase. Alternatively, you can provide a keyfile with --key-file. When creating a keyfile be sure that it meets the length criterium for your digest algorithm.


3.2 FLAT FILE INSTRUCTIONS:


If you'd like to create a flatfile because you do not have any unpartitioned space, first touch /path/to/flatfile. E.g. touch /mycryptimg.img. Then you'll want to use either shred or dd to create it for the appropriate size. ->USING SHRED : Assuming you want a 10 gb partition, you can simply: shred -s 10G /mycryptimg.img ->USING DD : Assuming you want a 10 GB partition: dd if=/dev/urandom bs=1024 of=/mycryptimg.img count=`echo .|awk '{print (10 * 1024^2)}'`

Now then, you've created your sized flat file. You need to set it up as a loopback device.

First, determine your available loopback devices, run (as root): losetup -a This will tell you all the loopback devices on your system. If you do not see any, you can start at loop0: losetup /mycryptimg.img /dev/loop0 In some distros, you'll need to run instead: losetup /mycryptimg.img /dev/loop/

If you get an error about loop module, modprobe it or: find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \; Will also do the trick on source based distributions.

Once you've done this, proceed with your cryptsetup luksFormat command except you'll run it on /dev/loop# instead of /dev/[device node].

4.0 - Obtaining LVM Support and Device Mapper Support

Now we've created a partition capable of handling our storage space. The next step is to obtain LVM support and Device Mapper Support. If you don't have these, running a quick search for your distro on enabling them will reveal all the answers.


5.0 - Finishing up


Once this is accomplished, using sdb2 as our example: cryptsetup luksOpen -c blowfish -h whirlpool /dev/sdb2 mycryptdir It will prompt for the passphrase again. Successful entry of the passphrase will unlock the keyslot. Once this has been accomplished, you can go ahead and mkfs. I prefer reiserfs for performance and deletion sake. So in my case, I would run: mkfs.reiserfs /dev/mapper/mycryptdir

That last parameter on the cryptsetup luksOpen command becomes the directory in /dev/mapper you'll need to format. Additionally, crypt target support needs to be enabled in your LVM/Device Mapper support options in your kernel or the appropriate module needs to be loaded for your distro (search engines are helpful there).

Now that I've unlocked my keyslot and created my filesystem, I can go ahead and: mkdir /home/hatter/encrypted mount -o loop /dev/mapper/mycryptdir /home/hatter/encrypted

Now anything in the /home/hatter/encrypted directory is encrypted. To shut your device down: umount /home/hatter/encrypted cryptsetup luksClose /dev/mapper/mycryptdir

If you created a loopback device: losetup -d /dev/loop#

Now your data is perfectly secured in an encrypted partition and no one can read it. To re-open: cryptsetup luksOpen /dev/sdb2 mycryptdir mount -o loop -t reiserfs /dev/mapper/mycryptdir /home/hatter/encrypted

Simply umount and cryptsetup luksClose when done.