Difference between revisions of "Dmcrypt"
(An overview of DM-Crypt, LUKS, and Encryption)
Revision as of 23:17, 4 September 2011
DMCrypt and LUKS are Linux utilities used to encrypt storage space. These utilities can be applied to any type of device that is natively understood by your kernel. Devices include anything in the /dev/ directory, however, a user can also create their own flat file and create a loopback device. This works on ANY Linux distribution.
Getting Started
First things first: the utility needed is cryptsetup. Your package manager will install it:
apt-get install cryptsetup
emerge -q cryptsetup
pacman -S cryptsetup
yum install cryptsetup
...or whichever package manager applies to you
Encryption Ciphers and Algorithms
A list of the supported encryption ciphers and hashing algorithms for your specific kernel is located in /proc/crypto. To list them, grep /proc/crypto for the name, cipher and digest lines (the pattern must be quoted so the shell does not strip the backslashes before grep sees them):
grep "name\|digest\|cipher" /proc/crypto
*Nearly every Linux distribution supports this; however, some LFS and other MINIX variants will not support crypto or crypttab in procfs.
This will tell you the names of each cipher/digest algorithm supported by your kernel. Digest algorithms are hashing algorithms. I personally prefer whirlpool; however, sha, md5, sha-512 (hmac), ripemd160 and ripemd320 are viable options. Whirlpool is picked due to collision resistance, combined with age and resistance to cryptanalysis attacks. There is no known cryptanalysis attack able to generate reliable collisions on the whirlpool 512 digest.
2.0 - Available ciphers
AES is usually available. My personal preference is blowfish; however, aes, serpent, blowfish and twofish are all viable options. If you do not have a decent listing in /proc/crypto, see your distribution's documentation on installing cryptographic kernel modules.
To get a better selection, you should be able to search for something along the lines of "[distro name] kernel crypto module installation". If you are using a source-based installation, you can simply rebuild and specify your desired options inside of menuconfig.
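Before passing a cipher or digest name to luksFormat, it is worth confirming the kernel actually lists it, and with what block and key sizes. The following is an added shell example, not code from the original page: it parses /proc/crypto stanza by stanza instead of grepping single lines. The /proc/crypto text embedded in it is a constructed sample so the script runs offline; on a real machine pass `"$(cat /proc/crypto)"` to the same functions.

```shell
#!/bin/sh
# Added example (not from the wiki page): parse /proc/crypto into one line per
# algorithm with type, block size and key or digest size, which a one-line grep
# for "name|digest|cipher" does not show.

# Constructed sample in /proc/crypto format (not a real machine's listing).
SAMPLE_CRYPTO='name         : whirlpool
type         : digest
blocksize    : 64
digestsize   : 64

name         : blowfish
type         : cipher
blocksize    : 8
min keysize  : 4
max keysize  : 56

name         : aes
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32'

# crypto_list TEXT: print "TYPE NAME block=<n>B key=<min>-<max>B|digest=<n>B"
# per stanza. Newer kernels report digests as "shash" and cipher modes such as
# cbc(aes) as "skcipher", so pass the type you actually expect to crypto_has.
crypto_list() {
    printf '%s\n\n' "$1" | awk -F' *: *' '
        $1 == "name"        { name = $2 }
        $1 == "type"        { type = $2 }
        $1 == "blocksize"   { bs = $2 }
        $1 == "digestsize"  { extra = "digest=" $2 "B" }
        $1 == "min keysize" { mink = $2 }
        $1 == "max keysize" { extra = "key=" mink "-" $2 "B" }
        /^$/ && name != ""  { print type, name, "block=" bs "B", extra
                              name = ""; type = ""; bs = ""; extra = "" }'
}

# crypto_has TYPE NAME TEXT: exit 0 if the kernel lists NAME with that TYPE,
# e.g. "crypto_has cipher blowfish" before using -c blowfish with luksFormat.
crypto_has() {
    crypto_list "$3" | awk -v t="$1" -v n="$2" '
        $1 == t && $2 == n { found = 1 }
        END                { exit !found }'
}

crypto_list "$SAMPLE_CRYPTO"
```

The block size column is the cipher's block width in bytes (8 for blowfish, 16 for aes in the sample), which is one of the properties to weigh when choosing a cipher for a large volume.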
3.0 - Setting up your block device
First things first: set up your block device. You'll want to create a partition OR a flat file.
3.1 - PARTITION INSTRUCTIONS:
Create a partition using cfdisk or fdisk (whichever is easier for you), then run the following command:
cryptsetup luksFormat -c [ciphername] -h [digestname] /dev/[partition]
For example, if I wanted to use whirlpool-blowfish on /dev/sdb2, I'd do:
cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2
It will then prompt you for your passphrase. Alternatively, you can provide a keyfile with --key-file. When creating a keyfile, be sure that it meets the length criterion for your digest algorithm.
3.2 FLAT FILE INSTRUCTIONS:
If you'd like to create a flat file because you do not have any unpartitioned space, first touch /path/to/flatfile, e.g. touch /mycryptimg.img. Then use either shred or dd to fill it to the appropriate size.
->USING SHRED :
Assuming you want a 10 gb partition, you can simply:
shred -s 10G /mycryptimg.img
->USING DD :
Assuming you want a 10 GB partition (bs=1024 times 10*1024*1024 blocks):
dd if=/dev/urandom bs=1024 of=/mycryptimg.img count=$((10 * 1024 * 1024))
Now then, you've created your sized flat file. You need to set it up as a loopback device.
First, determine your available loopback devices by running (as root):
losetup -a
This lists all the loopback devices on your system. If you do not see any in use, you can start at loop0 (losetup takes the loop device first, then the file):
losetup /dev/loop0 /mycryptimg.img
In some distros, you'll need to run instead:
losetup /dev/loop/ /mycryptimg.img
If you get an error about the loop module, modprobe it, or on source-based distributions the following will also do the trick:
find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;
Once you've done this, proceed with your cryptsetup luksFormat command except you'll run it on /dev/loop# instead of /dev/[device node].
4.0 - Obtaining LVM Support and Device Mapper Support
Now we've created a partition capable of handling our storage space. The next step is to obtain LVM support and Device Mapper Support. If you don't have these, running a quick search for your distro on enabling them will reveal all the answers.
5.0 - Finishing up
Once this is accomplished, using sdb2 as our example:
cryptsetup luksOpen -c blowfish -h whirlpool /dev/sdb2 mycryptdir
It will prompt for the passphrase again. Successful entry of the passphrase unlocks the keyslot. Once this has been accomplished, you can go ahead and mkfs. I prefer reiserfs for performance and deletion's sake. So in my case, I would run:
mkfs.reiserfs /dev/mapper/mycryptdir
That last parameter on the cryptsetup luksOpen command becomes the name of the device node under /dev/mapper that you'll need to format. Additionally, crypt target support needs to be enabled in your LVM/Device Mapper support options in your kernel, or the appropriate module needs to be loaded for your distro (search engines are helpful there).
Now that I've unlocked my keyslot and created my filesystem, I can go ahead and:
mkdir /home/hatter/encrypted
mount -o loop /dev/mapper/mycryptdir /home/hatter/encrypted
Now anything in the /home/hatter/encrypted directory is encrypted. To shut your device down:
umount /home/hatter/encrypted
cryptsetup luksClose /dev/mapper/mycryptdir
If you created a loopback device: losetup -d /dev/loop#
Your data now sits in an encrypted partition and cannot be read without the passphrase or keyfile. To re-open:
cryptsetup luksOpen /dev/sdb2 mycryptdir
mount -o loop -t reiserfs /dev/mapper/mycryptdir /home/hatter/encrypted
Simply umount and cryptsetup luksClose when done.