Difference between revisions of "Dmcrypt"
MadelaiSoliz (Talk | contribs) (→Encrypting the Flat File)
Latest revision as of 12:27, 20 October 2012
DMCrypt and LUKS are Linux utilities used to encrypt storage space. These utilities can be applied to any type of device that is natively understood by a kernel. Devices include anything in the /dev/ directory, however, a user can also create his own flat file and create a loopback device. This works on any Linux distribution.
Getting Started
The first utility needed is cryptsetup, which can be installed via a package manager.
Encryption Ciphers and Algorithms
A list of the supported encryption ciphers and hashing algorithms is located in /proc/crypto. To list them, run the command:
grep "name\|digest\|cipher" /proc/crypto
Nearly every Linux distribution supports this; however, some LFS and other MINIX variants will not support crypto or crypttab in procfs.
Hashing Algorithms
Digest algorithms are hashing algorithms. The whirlpool algorithm is preferred, however, sha, md5, sha512 (mac), and ripemd160/320 are viable options. Whirlpool is suggested due to the collision resistance, age, and resistance to cryptanalysis attacks. There are no known cryptanalysis attacks that are able to generate reliable collisions on the whirlpool 512 digest.
Ciphers
AES is almost always available. Blowfish is recommended; however, AES, serpent, and twofish are viable options. If /proc/crypto does not produce a favorable list of hashing algorithms and ciphers, refer to the distribution's documentation on installing cryptographic kernel modules. A simple search for "<distro name> kernel crypto module installation" will produce a better selection of algorithms and ciphers. If the distribution is a source-based distribution, simply rebuilding and specifying the options inside of menuconfig will provide the desired results.
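Rather than eyeballing the grep output above, the availability of a given cipher or digest can be checked by parsing the /proc/crypto records themselves. The script below is an added example, not part of the wiki page: crypto_lookup and crypto_check_sample are its own names, and the sample records are constructed in the /proc/crypto layout (one "key : value" per line, a blank line between entries). It also reports the block size the kernel advertises, which is how a 64-bit block cipher such as blowfish (blocksize 8) is told apart from a 128-bit one such as AES (blocksize 16), and it skips entries whose kernel self-test did not pass.

```shell
#!/bin/sh
# Added example: check whether a cipher or digest is offered by the kernel by
# parsing /proc/crypto records. The sample below is CONSTRUCTED; a real kernel
# lists many more entries in the same layout.
SAMPLE_PROC_CRYPTO='name         : whirlpool
driver       : wp512-generic
module       : wp512
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 64

name         : aes
driver       : aes-generic
module       : aes_generic
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : blowfish
driver       : blowfish-generic
module       : blowfish_generic
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 8
min keysize  : 4
max keysize  : 56
'

# crypto_lookup TYPE NAME [FILE]: TYPE is "cipher" or "shash" (the kernel type of
# a digest). Prints one summary line and returns 0 when a self-tested entry
# exists, returns 1 otherwise. FILE defaults to the live /proc/crypto.
crypto_lookup() {
    _type=$1; _name=$2; _file=${3:-/proc/crypto}
    awk -v want_name="$_name" -v want_type="$_type" '
    BEGIN { RS = ""; FS = "\n"; found = 0 }      # one record per blank-line block
    {
        split("", rec)                           # clear the key/value map
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, /[ \t]*:[ \t]*/)
            if (n >= 2) rec[kv[1]] = kv[2]
        }
        if (rec["name"] != want_name || rec["type"] != want_type) next
        if (rec["selftest"] != "passed") next    # kernel rejected its own test vector
        if (want_type == "shash")
            printf "%s shash blocksize=%s digestsize=%s\n", rec["name"], rec["blocksize"], rec["digestsize"]
        else
            # blocksize is in bytes: 8 is a 64-bit block cipher, 16 a 128-bit one
            printf "%s cipher blocksize=%s keysize=%s-%s\n", rec["name"], rec["blocksize"], rec["min keysize"], rec["max keysize"]
        found = 1
        exit
    }
    END { exit found ? 0 : 1 }
    ' "$_file"
}

# crypto_check_sample TYPE NAME: run crypto_lookup against the constructed sample.
crypto_check_sample() {
    _tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PROC_CRYPTO" > "$_tmp"
    if crypto_lookup "$1" "$2" "$_tmp"; then _rc=0; else _rc=1; fi
    rm -f "$_tmp"
    return $_rc
}

crypto_check_sample shash whirlpool    # whirlpool shash blocksize=64 digestsize=64
crypto_check_sample cipher blowfish    # blowfish cipher blocksize=8 keysize=4-56
crypto_check_sample cipher serpent || echo "serpent: not offered by this kernel"
```

Against a real system, call crypto_lookup without the third argument (for example `crypto_lookup shash whirlpool`) before running luksFormat with -c and -h, so a typo or a missing module is caught before the device is formatted.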
Setting Up a Block Device
Creating a Partition
To create a partition, use a partition editor; cfdisk and fdisk are two good options.
After the partitions are created, format and encrypt the partition with the command:
cryptsetup luksFormat -c <cipher name> -h <digest name> /path/to/partition (/dev/sdx)
Ex. To encrypt /dev/sdb2 with whirlpool and blowfish:
cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2
Next, LUKS will prompt for a passphrase. Enter a password or, alternatively, provide a keyfile with --key-file.
- When creating a keyfile, be sure that it meets the length criteria for the selected digest algorithm.
After entering a password, skip to the LVM and Device Mapper Section.
Creating a Flat File
If no unpartitioned space is available or a new partition for encryption is undesired, a flat file can be created. First, create a blank file using touch:
touch /path/to/flatfile
Ex. touch ~/cryptoImg.img
Next, use either shred or dd to create the flat file at the appropriate size.
SHRED:
If you want a 10GB partition:
shred -s 10G /path/to/flatfile
DD:
dd if=/dev/urandom bs=1024 of=/path/to/flatfile count=$((10 * 1024 * 1024))   # 10 GiB in 1024-byte blocks
A flat file is now created and is overwritten with random data. Next, set it up as a loopback device. First, determine what loopback devices are already available:
AS ROOT:
losetup -a
This will list all of the loopback devices. If there is nothing in the list, start with loop0:
losetup /path/to/flatfile /dev/loop0
Certain distributions may require:
losetup /path/to/flatfile /dev/loop/
If an error about loop modules occurs, use modprobe to start the module or (for source-based distributions):
find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;
Once completed, refer to the LUKS commands and run:
cryptsetup luksFormat -c <cipher name> -h <digest name> /dev/loop#
LVM and the Device Mapper
Creating Encrypted LVM Partitions
First, open up the encrypted device with:
cryptsetup luksOpen /dev/sdx lvm
Then, create logical partitions:
lvm pvcreate /dev/mapper/lvm
lvm vgcreate <volume group name> /dev/mapper/lvm
lvm lvcreate -L 20GB -n root <volume group name from above>
lvm lvcreate -L 4GB -n swap <volume group name from above>
lvm lvcreate -l 100%FREE -n home <volume group name from above>
* Obviously, the partition sizes can be altered.
Encrypting the Flat File
Unlock the partition with luksOpen:
cryptsetup luksOpen /dev/sdx cryptDir
* The last parameter becomes the name under /dev/mapper (here /dev/mapper/cryptDir) that you will need to format. The cipher and hash are read from the LUKS header, so -c and -h are not passed to luksOpen.
Finally, create a filesystem on the encrypted partition with mkfs. For example, (using reiserfs):
mkfs.reiserfs /dev/mapper/cryptDir
Now that the keyslot is unlocked and the filesystem created, create and mount the encrypted directory:
mkdir /home/<username>/encrypted
mount /dev/mapper/cryptDir /home/<username>/encrypted
Starting and Stopping the Service
Now, anything that is put into the /home/<username>/encrypted directory is encrypted. To shut down the encryption service:
umount /home/<username>/encrypted
cryptsetup luksClose /dev/mapper/cryptDir
* If you created a loopback device:
losetup -d /dev/loop#
Now, all of the data is secured in an encrypted partition. To re-open the partition:
cryptsetup luksOpen /dev/sdx cryptDir
mount -t reiserfs /dev/mapper/cryptDir /home/<username>/encrypted
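The flat-file procedure above (create the image, attach a loop device, luksFormat, luksOpen, mkfs, mount, and the reverse sequence to shut down) as one script with the checks the bare commands skip. This is an added example, not from the wiki page: size_to_blocks, loop_for_file, run, crypt_setup and crypt_teardown are its own names, and /root/cryptoImg.img together with the losetup -a sample lines are constructed. With DRY_RUN=1 (the default) it only prints the commands it would run; DRY_RUN=0 executes them and then needs root, cryptsetup and losetup. The cipher and hash are parameters; the demonstration call passes aes-xts-plain64 and sha256, which is what current cryptsetup uses when no -c/-h is given. Two safeguards are worth noting: it refuses to format an image that losetup -a shows as already attached, and it lets `losetup -f --show` pick a free loop device instead of assuming loop0.

```shell
#!/bin/sh
# Added example, not the wiki page's code: the flat file + loopback + LUKS steps
# as one script. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them
# (as root, with cryptsetup and losetup installed). Paths are CONSTRUCTED.
set -u

# size_to_blocks SIZE: "10G", "512M" or "2048K" -> count of 1024-byte blocks for
# "dd bs=1024" (the page works this out by hand as 10*1024^2 for 10 GiB).
size_to_blocks() {
    case $1 in
        *G) echo $(( ${1%G} * 1024 * 1024 )) ;;
        *M) echo $(( ${1%M} * 1024 )) ;;
        *K) echo "${1%K}" ;;
        *)  echo "size_to_blocks: unknown unit in '$1'" >&2; return 1 ;;
    esac
}

# loop_for_file FILE LOSETUP_OUTPUT: the loop device already backing FILE according
# to "losetup -a" lines such as "/dev/loop1: [2049]:2097185 (/root/cryptoImg.img)";
# prints nothing when there is none.
loop_for_file() {
    printf '%s\n' "$2" | awk -v f="$1" -F': ' 'index($0, "(" f ")") { print $1; exit }'
}

# run CMD...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# crypt_setup FILE SIZE NAME CIPHER HASH MOUNTPOINT
crypt_setup() {
    _file=$1; _size=$2; _name=$3; _cipher=$4; _hash=$5; _mnt=$6
    # Formatting an image that is already attached would destroy whatever is
    # mounted from it, so refuse instead of running luksFormat twice.
    _attached=$(loop_for_file "$_file" "$(losetup -a 2>/dev/null)")
    if [ -n "$_attached" ]; then
        echo "$_file is already attached as $_attached; refusing to format it" >&2
        return 1
    fi
    _blocks=$(size_to_blocks "$_size") || return 1
    run dd if=/dev/urandom bs=1024 of="$_file" count="$_blocks"
    run chmod 600 "$_file"                  # the image is only as private as its mode
    # "losetup -f --show" attaches to the first free device instead of assuming loop0.
    if [ "${DRY_RUN:-1}" = 1 ]; then
        run losetup -f --show "$_file"; _loop=/dev/loopN   # placeholder for the dry run
    else
        _loop=$(losetup -f --show "$_file") || return 1
    fi
    run cryptsetup luksFormat -c "$_cipher" -h "$_hash" "$_loop"   # prompts for a passphrase
    run cryptsetup luksOpen "$_loop" "$_name"   # plain name, not /dev/mapper/NAME
    run mkfs.ext4 "/dev/mapper/$_name"
    run mkdir -p "$_mnt"
    run mount "/dev/mapper/$_name" "$_mnt"      # a mapper device is mounted without -o loop
}

# crypt_teardown FILE NAME MOUNTPOINT: the page's shutdown sequence, in order.
crypt_teardown() {
    _file=$1; _name=$2; _mnt=$3
    run umount "$_mnt"
    run cryptsetup luksClose "$_name"
    _loop=$(loop_for_file "$_file" "$(losetup -a 2>/dev/null)")
    if [ -n "$_loop" ]; then
        run losetup -d "$_loop"
    elif [ "${DRY_RUN:-1}" = 1 ]; then
        echo "+ losetup -d <device shown by losetup -a for $_file>"
    fi
}

# Dry-run demonstration; set DRY_RUN=0 (as root) to perform the steps for real.
crypt_setup /root/cryptoImg.img 10G cryptDir aes-xts-plain64 sha256 /home/user/encrypted
crypt_teardown /root/cryptoImg.img cryptDir /home/user/encrypted
```

Re-opening the volume later is the tail of crypt_setup without the dd, luksFormat and mkfs steps: attach the image with `losetup -f --show`, luksOpen it under the same name, and mount /dev/mapper/NAME.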