Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Dmcrypt"

From NetSec
Jump to: navigation, search
(An overview of DM-Crypt, LUKS, and Encryption)
Line 19: Line 19:
 
''*Nearly every Linux distribution supports this, however, some LFS and other MINIX variants will not support crypto or crypttab in procfs.''
 
''*Nearly every Linux distribution supports this, however, some LFS and other MINIX variants will not support crypto or crypttab in procfs.''
  
 +
=== Hashing Algorithms ===
  
You can get a list of supported kernel encryption ciphers and hashing algorithms by using grep on /proc/crypto like so: grep "digest\|cipher\|name" /proc/crypto nearly every distribution supports this (some lfs and other MINIX variants will not support crypto or crypttab in procfs).
+
Digest algorithms are hashing algorithms. At Blackhat Academy, we prefer the whirlpool algorithm, however, sha, md5, sha512 (mac), and ripemd160/320 are viable options. We suggest whirlpool at Blackhat Academy due to the collision resistance, age, and resistance to cryptanalysis attacks. There are no known cryptanalysis attacks that are able to generate reliable collisions on the whirlpool 512 digest.
  
This will tell you the names of each cipher/digest algorithm supported by your kernel. Digest algorithms are hashing algorithms. I personally prefer whirlpool, however: sha, md5, sha-512 (hmac) and ripemd160,320, are viable options. Whirlpool is picked due to collision resistance, combined with age and resistance to cryptanalysis attacks. There is no known cryptanalysis attack able to generate reliable collisions on the whirlpool 512 digest.
+
=== Ciphers ===
  
 +
AES is almost always available. At Blackhat Academy, however, we suggest the blowfish cipher, although, AES, serpent, and twofish are viable options. If /proc/crypto does not produce a favorable list of hashing algorithms and ciphers, refer to your distribution's documentation on installing cryptographic kernel modules. A simple search for "<distro name> kernel crypto module installation" will produce a better selection of algorithms and ciphers. If the distriution is a source-based distribution, simply rebuilding and specifying  the desired options inside of '''menuconfig''' will provide the desired results.
  
''2.0 - Available ciphers''
+
== Setting Up a Block Device ==
  
 +
To create a block device, first, you will want to create a partition or a flat file.
  
Usually AES is always available, my personal preference is blowfish however, aes, serpent, blowfish and twofish are all viable options. If you do not have a decent listing in /proc/crypto, see your distribution's documentation on installing cryptographic kernel modules.
+
=== Creating a Partition ===
  
To get a better selection, you should be able to search for something along the lines of "[distro name] kernel crypto module installation". If you are using a source-based installation, you can simply rebuild and specify your desired options inside of menuconfig.
+
To create a partition, you can use your preferred partition editor.
  
 +
    cfdisk /dev/sdx
 +
    fdisk /dev/sdx
  
''3.0 - Setting up your block device''
+
After the partitions are created, we will want to format and encrypt the partition with the command:
  
 +
    cryptsetup luksFormat -c <cipher name> -h <digest name> /path/to/partition (/dev/sdx)
  
So first thing is first, setting up your block device. You'll want to create a partition OR a flat file.
+
    Ex. To encrypt /dev/sdb2 with whirlpool and blowfish:
 +
    cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2
  
 +
Next, LUKS will prompt you for your passphrase. Enter a password or, alternatively, you can provide a keyfile with --key-file. ''* When creating a keyfile, be sure that it meets the length criteria for the selected digest algorithm.''
  
''3.1 - PARTITION INSTRUCTIONS:''
+
After you enter your password, you can move onto [[#Obtaining LVM and Device Mapper Support|obtaining LVM and Device Mapper Support]].
  
  
create a partition using cfdisk or fdisk (whichever is easier for you), then run the following command :
+
=== Creating a Flat File ===
cryptsetup luksFormat -c [ciphername] -h [digestname] /dev/[partition]
+
  
For example if I wanted to use whirlpool-blowfish on /dev/sdb2. I'd do:
+
If you do not have any unpartitioned space or do not want to create another partition for encryption, you can create a flat file. First, you will want to create the file with touch
cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2
+
  
It will then prompt you for your passphrase. Alternatively, you can provide a keyfile with --key-file. When creating a keyfile be sure that it meets the length criterium for your digest algorithm.
+
    touch /path/to/flatfile
 +
    Ex. touch ~/cryptoImg.img
  
 +
Next, you will want to use either shred or dd to create the flat file in the appropriate size.
  
''3.2 FLAT FILE INSTRUCTIONS:''
+
    '''SHRED:'''
 +
    If you want a 10GB Partition:
 +
    shred -s 10G /path/to/flatfile
  
 +
    '''DD'''
 +
    dd if=/dev/urandom bs=1024 of=/path/to/flatfile count='echo .|awk '{print (10*1024^2)}'`
  
If you'd like to create a flatfile because you do not have any unpartitioned space, first touch /path/to/flatfile. E.g. touch /mycryptimg.img. Then you'll want to use either shred or dd to create it for the appropriate size.
+
Your flat file is now created and is overwritten with random data. Next, you need to set it up as a loopback device. First, you need to determine what loopback devices are already available:
->USING SHRED :
+
Assuming you want a 10 gb partition, you can simply:  
+
shred -s 10G /mycryptimg.img
+
->USING DD :
+
Assuming you want a 10 GB partition:
+
dd if=/dev/urandom bs=1024 of=/mycryptimg.img count=`echo .|awk '{print (10 * 1024^2)}'`
+
  
Now then, you've created your sized flat file. You need to set it up as a loopback device.
+
    '''AS ROOT'''
 +
    losetup -a
  
First, determine your available loopback devices, run (as root):
+
This will list all of the loopback devices on your system. If their is nothing in the list, you can start with loop0:
losetup -a
+
This will tell you all the loopback devices on your system. If you do not see any, you can start at loop0:
+
losetup /mycryptimg.img /dev/loop0
+
In some distros, you'll need to run instead:
+
losetup /mycryptimg.img /dev/loop/
+
  
If you get an error about loop module, modprobe it or:
+
    losetup /path/to/flatfile /dev/loop0
find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;
+
    ''In some distributions, you may need to run:''
Will also do the trick on source based distributions.
+
    losetup /path/to/flatfile /dev/loop/
 +
 
 +
''If you receive an error about loop modules, you can use modprobe to start the module or (for source-based distributions):
 +
 
 +
    find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;
 +
 
 +
Once completed, refer to the LUKS commands and run:
 +
 
 +
    cryptsetup luksFormat -c <cipher name> -h <digest name> /dev/loop#
 +
 
 +
''*Note: The luksFormat command was run on /dev/loop# and NOT /dev/sdx
 +
 
 +
=== Obtaining LVM and Device Mapper Support ===
 +
 
 +
Now that the partition has been created and is capable of being used for storage, the next step is to obtain '''LVM''' and '''Device Mapper''' support.
  
Once you've done this, proceed with your cryptsetup luksFormat command except you'll run it on /dev/loop# instead of /dev/[device node].
 
  
 
''4.0 - Obtaining LVM Support and Device Mapper Support''
 
''4.0 - Obtaining LVM Support and Device Mapper Support''

Revision as of 00:18, 5 September 2011

DMCrypt and LUKS are Linux utilities used to encrypt storage space. These utilities can be applied to any type of device that is natively understood by your kernel. Devices include anything in the /dev/ directory, however, a user can also create their own flat file and create a loopback device. This works on ANY Linux distribution.

Getting Started

First things first, the first utility needed is cryptsetup. The appropriate package manager will aid with the cryptsetup installation.

     apt-get install cryptsetup
     emerge -q cryptsetup
     pacman -S cryptsetup
     yum install cryptsetup
     ...or whichever package manager applies to you

Encryption Ciphers and Algorithms

A list of the supported encryption ciphers and hashing algorithms for your specific kernel are located in /proc/crypto . To list, run the command:

    cat /proc/crypto | grep name\|digest\|cipher

*Nearly every Linux distribution supports this, however, some LFS and other MINIX variants will not support crypto or crypttab in procfs.

Hashing Algorithms

Digest algorithms are hashing algorithms. At Blackhat Academy, we prefer the whirlpool algorithm, however, sha, md5, sha512 (mac), and ripemd160/320 are viable options. We suggest whirlpool at Blackhat Academy due to the collision resistance, age, and resistance to cryptanalysis attacks. There are no known cryptanalysis attacks that are able to generate reliable collisions on the whirlpool 512 digest.

Ciphers

AES is almost always available. At Blackhat Academy, however, we suggest the blowfish cipher, although, AES, serpent, and twofish are viable options. If /proc/crypto does not produce a favorable list of hashing algorithms and ciphers, refer to your distribution's documentation on installing cryptographic kernel modules. A simple search for "<distro name> kernel crypto module installation" will produce a better selection of algorithms and ciphers. If the distriution is a source-based distribution, simply rebuilding and specifying the desired options inside of menuconfig will provide the desired results.

Setting Up a Block Device

To create a block device, first, you will want to create a partition or a flat file.

Creating a Partition

To create a partition, you can use your preferred partition editor.

    cfdisk /dev/sdx
    fdisk /dev/sdx

After the partitions are created, we will want to format and encrypt the partition with the command:

    cryptsetup luksFormat -c <cipher name> -h <digest name> /path/to/partition (/dev/sdx)
    Ex. To encrypt /dev/sdb2 with whirlpool and blowfish:
    cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2

Next, LUKS will prompt you for your passphrase. Enter a password or, alternatively, you can provide a keyfile with --key-file. * When creating a keyfile, be sure that it meets the length criteria for the selected digest algorithm.

After you enter your password, you can move onto obtaining LVM and Device Mapper Support.


Creating a Flat File

If you do not have any unpartitioned space or do not want to create another partition for encryption, you can create a flat file. First, you will want to create the file with touch

    touch /path/to/flatfile
    Ex. touch ~/cryptoImg.img

Next, you will want to use either shred or dd to create the flat file in the appropriate size.

    SHRED:
    If you want a 10GB Partition:
    shred -s 10G /path/to/flatfile
    DD
    dd if=/dev/urandom bs=1024 of=/path/to/flatfile count='echo .|awk '{print (10*1024^2)}'`

Your flat file is now created and is overwritten with random data. Next, you need to set it up as a loopback device. First, you need to determine what loopback devices are already available:

    AS ROOT
    losetup -a

This will list all of the loopback devices on your system. If their is nothing in the list, you can start with loop0:

    losetup /path/to/flatfile /dev/loop0
    In some distributions, you may need to run:
    losetup /path/to/flatfile /dev/loop/

If you receive an error about loop modules, you can use modprobe to start the module or (for source-based distributions):

    find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;

Once completed, refer to the LUKS commands and run:

    cryptsetup luksFormat -c <cipher name> -h <digest name> /dev/loop#

*Note: The luksFormat command was run on /dev/loop# and NOT /dev/sdx

Obtaining LVM and Device Mapper Support

Now that the partition has been created and is capable of being used for storage, the next step is to obtain LVM and Device Mapper support.


4.0 - Obtaining LVM Support and Device Mapper Support

Now we've created a partition capable of handling our storage space. The next step is to obtain LVM support and Device Mapper Support. If you don't have these, running a quick search for your distro on enabling them will reveal all the answers.


5.0 - Finishing up


Once this is accomplished, using sdb2 as our example: cryptsetup luksOpen -c blowfish -h whirlpool /dev/sdb2 mycryptdir It will prompt for the passphrase again. Successful entry of the passphrase will unlock the keyslot. Once this has been accomplished, you can go ahead and mkfs. I prefer reiserfs for performance and deletion sake. So in my case, I would run: mkfs.reiserfs /dev/mapper/mycryptdir

That last parameter on the cryptsetup luksOpen command becomes the directory in /dev/mapper you'll need to format. Additionally, crypt target support needs to be enabled in your LVM/Device Mapper support options in your kernel or the appropriate module needs to be loaded for your distro (search engines are helpful there).

Now that I've unlocked my keyslot and created my filesystem, I can go ahead and: mkdir /home/hatter/encrypted mount -o loop /dev/mapper/mycryptdir /home/hatter/encrypted

Now anything in the /home/hatter/encrypted directory is encrypted. To shut your device down: umount /home/hatter/encrypted cryptsetup luksClose /dev/mapper/mycryptdir

If you created a loopback device: losetup -d /dev/loop#

Now your data is perfectly secured in an encrypted partition and no one can read it. To re-open: cryptsetup luksOpen /dev/sdb2 mycryptdir mount -o loop -t reiserfs /dev/mapper/mycryptdir /home/hatter/encrypted

Simply umount and cryptsetup luksClose when done.