Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Dmcrypt"

From NetSec
Jump to: navigation, search
 
(19 intermediate revisions by 7 users not shown)
Line 1: Line 1:
== Introduction ==
+
'''DMCrypt''' and '''LUKS''' are Linux utilities used to encrypt storage space. These utilities can be applied to any type of device that is natively understood by a kernel.  Devices include anything in the /dev/ directory, however, a user can also create his own flat file and create a loopback device.  This works on any Linux distribution.
  
DmCrypt and Luks are utilities used to encrypt storage space. This can be applied to any type of device natively understood by your kernel. Devices include anything in /dev OR you can create your own flat file and create a loopback device. This works on *ANY* linux distribution
+
== Getting Started ==
  
In any case, the first utility you'll want is cryptsetup. Depending on your distribution, you'll need to use your appropriate package manager to install this: "apt-get install cryptsetup" or "emerge -q cryptsetup" whichever applies to you.  
+
First, the first utility needed is '''cryptsetup''' which can be installed via a package manager.
  
You can get a list of supported kernel encryption ciphers and hashing algorithms by using grep on /proc/crypto like so: grep "digest\|cipher\|name" /proc/crypto nearly every distribution supports this (some lfs and other MINIX variants will not support crypto or crypttab in procfs).
+
== Encryption Ciphers and Algorithms ==
  
This will tell you the names of each cipher/digest algorithm supported by your kernel. Digest algorithms are hashing algorithms. I personally prefer whirlpool, however: sha, md5, sha-512 (hmac) and ripemd160,320, are viable options. Whirlpool is picked due to collision resistance, combined with age and resistance to cryptanalysis attacks. There is no known cryptanalysis attack able to generate reliable collisions on the whirlpool 512 digest.
+
A list of the supported encryption ciphers and hashing algorithms is located in /proc/crypto . To list, run the command:  
  
 +
    grep "name\|digest\|cipher" /proc/crypto
  
''2.0 - Available ciphers''
+
{{info|''Nearly every Linux distribution supports this, however, some LFS and other MINIX variants will not support crypto or crypttab in procfs.''}}
  
 +
=== Hashing Algorithms ===
  
Usually AES is always available, my personal preference is blowfish however, aes, serpent, blowfish and twofish are all viable options. If you do not have a decent listing in /proc/crypto, see your distribution's documentation on installing cryptographic kernel modules.
+
Digest algorithms are hashing algorithms. The whirlpool algorithm is preferred, however, sha, md5, sha512 (mac), and ripemd160/320 are viable options. Whirlpool is suggested due to the collision resistance, age, and resistance to cryptanalysis attacks. There are no known cryptanalysis attacks that are able to generate reliable collisions on the whirlpool 512 digest.
  
To get a better selection, you should be able to search for something along the lines of "[distro name] kernel crypto module installation". If you are using a source-based installation, you can simply rebuild and specify your desired options inside of menuconfig.
+
=== Ciphers ===
  
 +
AES is almost always available. The blowfish is recommended, however AES, serpent, and twofish are viable options. If /proc/crypto does not produce a favorable list of hashing algorithms and ciphers, refer to the distribution's documentation on installing cryptographic kernel modules. A simple search for "<distro name> kernel crypto module installation" will produce a better selection of algorithms and ciphers. If the distriution is a source-based distribution, simply rebuilding and specifying the options inside of '''menuconfig''' will provide the desired results.
  
''3.0 - Setting up your block device''
+
== Setting Up a Block Device ==
  
 +
{{notice|A new partition or file is necessary to create a block device.}}
  
So first thing is first, setting up your block device. You'll want to create a partition OR a flat file.
+
=== Creating a Partition ===
  
 +
To create a partition, use a partition editor '''cfdisk''' and '''fdisk''' are two good options.
  
''3.1 - PARTITION INSTRUCTIONS:''
+
After the partitions are created, format and encrypt the partition with the command:
  
 +
    cryptsetup luksFormat -c <cipher name> -h <digest name> /path/to/partition (/dev/sdx)
  
create a partition using cfdisk or fdisk (whichever is easier for you), then run the following command :
+
    Ex. To encrypt /dev/sdb2 with whirlpool and blowfish:
cryptsetup luksFormat -c [ciphername] -h [digestname] /dev/[partition]
+
    cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2
  
For example if I wanted to use whirlpool-blowfish on /dev/sdb2. I'd do:
+
Next, LUKS will prompt for a passphrase. Enter a password or, alternatively, provide a keyfile with --key-file. ''
cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2
+
* When creating a keyfile, be sure that it meets the length criteria for the selected digest algorithm.''
  
It will then prompt you for your passphrase. Alternatively, you can provide a keyfile with --key-file. When creating a keyfile be sure that it meets the length criterium for your digest algorithm.
+
After entering a password, skip to [[#LVM and the Device Mapper|the LVM and Device Mapper Section]].
  
 +
=== Creating a Flat File ===
  
''3.2 FLAT FILE INSTRUCTIONS:''
+
If no unpartitioned space is available or a new partition for encryption is undesired, a flat file can be created. First, create a blank file using '''touch''':
  
 +
    touch /path/to/flatfile
 +
    Ex. touch ~/cryptoImg.img
  
If you'd like to create a flatfile because you do not have any unpartitioned space, first touch /path/to/flatfile. E.g. touch /mycryptimg.img. Then you'll want to use either shred or dd to create it for the appropriate size.
+
Next, use either shred or dd to create the flat file in the appropriate size.
->USING SHRED :
+
Assuming you want a 10 gb partition, you can simply:
+
shred -s 10G /mycryptimg.img
+
->USING DD :
+
Assuming you want a 10 GB partition:
+
dd if=/dev/urandom bs=1024 of=/mycryptimg.img count=`echo .|awk '{print (10 * 1024^2)}'`
+
  
Now then, you've created your sized flat file. You need to set it up as a loopback device.
+
    '''SHRED:'''
 +
    If you want a 10GB Partition:
 +
    shred -s 10G /path/to/flatfile
  
First, determine your available loopback devices, run (as root):
+
    '''DD'''
losetup -a
+
    dd if=/dev/urandom bs=1024 of=/path/to/flatfile count=`echo .|awk '{print (10*1024^2)}'`
This will tell you all the loopback devices on your system. If you do not see any, you can start at loop0:
+
losetup /mycryptimg.img /dev/loop0
+
In some distros, you'll need to run instead:
+
losetup /mycryptimg.img /dev/loop/
+
  
If you get an error about loop module, modprobe it or:
+
A flat file is now created and is overwritten with random data. Next, set it up as a loopback device. First, determine what loopback devices are already available:
find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;
+
Will also do the trick on source based distributions.
+
  
Once you've done this, proceed with your cryptsetup luksFormat command except you'll run it on /dev/loop# instead of /dev/[device node].
+
    '''AS ROOT'''
 +
    losetup -a
  
''4.0 - Obtaining LVM Support and Device Mapper Support''
+
This will list all of the loopback devices. If there is nothing in the list, start with loop0:
  
Now we've created a partition capable of handling our storage space. The next step is to obtain LVM support and Device Mapper Support. If you don't have these, running a quick search for your distro on enabling them will reveal all the answers.
+
    losetup /path/to/flatfile /dev/loop0
 +
    ''Certain distributions may require:''
 +
    losetup /path/to/flatfile /dev/loop/
  
 +
{{info|''If an error about loop modules occurs, use modprobe to start the module or (for source-based distributions):
  
''5.0 - Finishing up''
+
    find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;
 +
}}
 +
Once completed, refer to the LUKS commands and run:
  
 +
    cryptsetup luksFormat -c <cipher name> -h <digest name> /dev/loop#
  
Once this is accomplished, using sdb2 as our example:
+
{{notice|'' The luksFormat command was run on /dev/loop# and NOT /dev/sdx}}
cryptsetup luksOpen -c blowfish -h whirlpool /dev/sdb2 mycryptdir
+
It will prompt for the passphrase again. Successful entry of the passphrase will unlock the keyslot. Once this has been accomplished, you can go ahead and mkfs. I prefer reiserfs for performance and deletion sake. So in my case, I would run:
+
mkfs.reiserfs /dev/mapper/mycryptdir
+
  
That last parameter on the cryptsetup luksOpen command becomes the directory in /dev/mapper you'll need to format. Additionally, crypt target support needs to be enabled in your LVM/Device Mapper support options in your kernel or the appropriate module needs to be loaded for your distro (search engines are helpful there).
+
== LVM and the Device Mapper ==
  
Now that I've unlocked my keyslot and created my filesystem, I can go ahead and:
+
=== Creating Encrypted LVM Partitions ===
mkdir /home/hatter/encrypted
+
mount -o loop /dev/mapper/mycryptdir /home/hatter/encrypted
+
  
Now anything in the /home/hatter/encrypted directory is encrypted. To shut your device down:
+
First, open up the encrypted device with:
umount /home/hatter/encrypted
+
cryptsetup luksClose /dev/mapper/mycryptdir
+
  
If you created a loopback device:
+
    cryptsetup luksOpen /dev/sdx lvm
losetup -d /dev/loop#
+
  
Now your data is perfectly secured in an encrypted partition and no one can read it. To re-open:
+
Then, create logical partitions:
cryptsetup luksOpen /dev/sdb2 mycryptdir
+
 
mount -o loop -t reiserfs /dev/mapper/mycryptdir /home/hatter/encrypted
+
    lvm pvcreate /dev/mapper/lvm
+
    lvm vgcreate <volume group name> /dev/mapper/lvm
Simply umount and cryptsetup luksClose when done.
+
 
 +
    lvm lvcreate -L 20GB -n root <volume group name from above>
 +
    lvm lvcreate -L 4GB -n swap <volume group name from above>
 +
    lvm lvcreate -l 100%FREE -n home <volume group name from above>
 +
 
 +
    ''*Obviously, the partition sizes can be altered''
 +
 
 +
 
 +
== Encrypting the Flat File ==
 +
 
 +
After running the luksOpen command to unlock the partition,
 +
 
 +
    cryptsetup luksOpen -c blowfish -h whirlpool /dev/sdx /dev/mapper/cryptDir
 +
    *''The last parameter becomes the directory in /dev/mapper that you will need to format
 +
 
 +
Finally, create a filesystem on the encrypted partition with mkfs. For example, (using reiserfs):
 +
 
 +
    mkfs.reiserfs /dev/mapper/cryptDir
 +
 
 +
Now, that the keyslot is unlocked and the filesystem created, create and mount the encrypted directory:
 +
 
 +
    mkdir /home/<username>/encrypted
 +
    mount -o loop /dev/mapper/cryptDir /home/<username>/encrypted
 +
 
 +
== Starting and Stopping the Service ==
 +
 
 +
Now, anything that is put into the /home/<username>/encrypted directory is encrypted. To shut down the encryption service:
 +
 
 +
    umount /home/<username>/encrypted
 +
    cryptsetup luksClose /dev/mapper/cryptDir
 +
    *''If you created a loopback device:
 +
    losetup -d /dev/loop#
 +
 
 +
Now, all of the data is secured in an encrypted partition. To re-open the partition:
 +
 
 +
    cryptsetup luksOpen /dev/sdx /dev/mapper/cryptDir
 +
    mount -o loop -t reiserfs /dev/mapper/cryptDir /home/<username>/encrypted
 +
 
 +
==External Links==
 +
*[http://philosecurity.org/pubs/davidoff-clearmem-linux.pdf Plaintext Passwords in Linux memory]
 +
 
 +
{{Administration}}
 +
{{Countermeasures}}
 +
 
 +
{{social}}

Latest revision as of 12:27, 20 October 2012

DMCrypt and LUKS are Linux utilities used to encrypt storage space. These utilities can be applied to any type of device that is natively understood by a kernel. Devices include anything in the /dev/ directory, however, a user can also create his own flat file and create a loopback device. This works on any Linux distribution.

Getting Started

First, the first utility needed is cryptsetup which can be installed via a package manager.

Encryption Ciphers and Algorithms

A list of the supported encryption ciphers and hashing algorithms is located in /proc/crypto . To list, run the command:

    grep "name\|digest\|cipher" /proc/crypto
c3el4.png Nearly every Linux distribution supports this, however, some LFS and other MINIX variants will not support crypto or crypttab in procfs.

Hashing Algorithms

Digest algorithms are hashing algorithms. The whirlpool algorithm is preferred, however, sha, md5, sha512 (mac), and ripemd160/320 are viable options. Whirlpool is suggested due to the collision resistance, age, and resistance to cryptanalysis attacks. There are no known cryptanalysis attacks that are able to generate reliable collisions on the whirlpool 512 digest.

Ciphers

AES is almost always available. The blowfish is recommended, however AES, serpent, and twofish are viable options. If /proc/crypto does not produce a favorable list of hashing algorithms and ciphers, refer to the distribution's documentation on installing cryptographic kernel modules. A simple search for "<distro name> kernel crypto module installation" will produce a better selection of algorithms and ciphers. If the distriution is a source-based distribution, simply rebuilding and specifying the options inside of menuconfig will provide the desired results.

Setting Up a Block Device

Notice: A new partition or file is necessary to create a block device.

Creating a Partition

To create a partition, use a partition editor cfdisk and fdisk are two good options.

After the partitions are created, format and encrypt the partition with the command:

    cryptsetup luksFormat -c <cipher name> -h <digest name> /path/to/partition (/dev/sdx)
    Ex. To encrypt /dev/sdb2 with whirlpool and blowfish:
    cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2

Next, LUKS will prompt for a passphrase. Enter a password or, alternatively, provide a keyfile with --key-file.

  • When creating a keyfile, be sure that it meets the length criteria for the selected digest algorithm.

After entering a password, skip to the LVM and Device Mapper Section.

Creating a Flat File

If no unpartitioned space is available or a new partition for encryption is undesired, a flat file can be created. First, create a blank file using touch:

    touch /path/to/flatfile
    Ex. touch ~/cryptoImg.img

Next, use either shred or dd to create the flat file in the appropriate size.

    SHRED:
    If you want a 10GB Partition:
    shred -s 10G /path/to/flatfile
    DD
    dd if=/dev/urandom bs=1024 of=/path/to/flatfile count=`echo .|awk '{print (10*1024^2)}'`

A flat file is now created and is overwritten with random data. Next, set it up as a loopback device. First, determine what loopback devices are already available:

    AS ROOT
    losetup -a

This will list all of the loopback devices. If there is nothing in the list, start with loop0:

    losetup /path/to/flatfile /dev/loop0
    Certain distributions may require:
    losetup /path/to/flatfile /dev/loop/
c3el4.png If an error about loop modules occurs, use modprobe to start the module or (for source-based distributions):
    find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;

Once completed, refer to the LUKS commands and run:

    cryptsetup luksFormat -c <cipher name> -h <digest name> /dev/loop#
Notice: The luksFormat command was run on /dev/loop# and NOT /dev/sdx

LVM and the Device Mapper

Creating Encrypted LVM Partitions

First, open up the encrypted device with:

    cryptsetup luksOpen /dev/sdx lvm

Then, create logical partitions:

    lvm pvcreate /dev/mapper/lvm
    lvm vgcreate <volume group name> /dev/mapper/lvm
    lvm lvcreate -L 20GB -n root <volume group name from above>
    lvm lvcreate -L 4GB -n swap <volume group name from above>
    lvm lvcreate -l 100%FREE -n home <volume group name from above>
    *Obviously, the partition sizes can be altered


Encrypting the Flat File

After running the luksOpen command to unlock the partition,

    cryptsetup luksOpen -c blowfish -h whirlpool /dev/sdx /dev/mapper/cryptDir
    *The last parameter becomes the directory in /dev/mapper that you will need to format

Finally, create a filesystem on the encrypted partition with mkfs. For example, (using reiserfs):

    mkfs.reiserfs /dev/mapper/cryptDir

Now, that the keyslot is unlocked and the filesystem created, create and mount the encrypted directory:

    mkdir /home/<username>/encrypted
    mount -o loop /dev/mapper/cryptDir /home/<username>/encrypted

Starting and Stopping the Service

Now, anything that is put into the /home/<username>/encrypted directory is encrypted. To shut down the encryption service:

    umount /home/<username>/encrypted
    cryptsetup luksClose /dev/mapper/cryptDir
    *If you created a loopback device:
    losetup -d /dev/loop#

Now, all of the data is secured in an encrypted partition. To re-open the partition:

    cryptsetup luksOpen /dev/sdx /dev/mapper/cryptDir
    mount -o loop -t reiserfs /dev/mapper/cryptDir /home/<username>/encrypted

External Links

Dmcrypt is part of a series on administration.

<center>

Dmcrypt is part of a series on countermeasures.
<center>
</center>