Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Dmcrypt"

From NetSec
Jump to: navigation, search
(External Links)
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
'''DMCrypt''' and '''LUKS''' are Linux utilities used to encrypt storage space. These utilities can be applied to any type of device that is natively understood by your kernel.  Devices include anything in the /dev/ directory, however, a user can also create their own flat file and create a loopback device.  This works on ANY Linux distribution.
+
'''DMCrypt''' and '''LUKS''' are Linux utilities used to encrypt storage space. These utilities can be applied to any type of device that is natively understood by a kernel.  Devices include anything in the /dev/ directory, however, a user can also create his own flat file and create a loopback device.  This works on any Linux distribution.
  
 
== Getting Started ==  
 
== Getting Started ==  
  
First things first, the first utility needed is '''cryptsetup'''. The appropriate package manager will aid with the '''cryptsetup''' installation.
+
First, the first utility needed is '''cryptsetup''' which can be installed via a package manager.
 
+
      apt-get install cryptsetup
+
      emerge -q cryptsetup
+
      pacman -S cryptsetup
+
      yum install cryptsetup
+
      ...or whichever package manager applies to you
+
  
 
== Encryption Ciphers and Algorithms ==
 
== Encryption Ciphers and Algorithms ==
  
A list of the supported encryption ciphers and hashing algorithms for your specific kernel are located in /proc/crypto . To list, run the command:  
+
A list of the supported encryption ciphers and hashing algorithms is located in /proc/crypto . To list, run the command:  
  
 
     grep "name\|digest\|cipher" /proc/crypto
 
     grep "name\|digest\|cipher" /proc/crypto
Line 21: Line 15:
 
=== Hashing Algorithms ===
 
=== Hashing Algorithms ===
  
Digest algorithms are hashing algorithms. At Blackhat Academy, we prefer the whirlpool algorithm, however, sha, md5, sha512 (mac), and ripemd160/320 are viable options. We suggest whirlpool at Blackhat Academy due to the collision resistance, age, and resistance to cryptanalysis attacks. There are no known cryptanalysis attacks that are able to generate reliable collisions on the whirlpool 512 digest.
+
Digest algorithms are hashing algorithms. The whirlpool algorithm is preferred, however, sha, md5, sha512 (mac), and ripemd160/320 are viable options. Whirlpool is suggested due to the collision resistance, age, and resistance to cryptanalysis attacks. There are no known cryptanalysis attacks that are able to generate reliable collisions on the whirlpool 512 digest.
  
 
=== Ciphers ===
 
=== Ciphers ===
  
AES is almost always available. At Blackhat Academy, however, we suggest the blowfish cipher, although, AES, serpent, and twofish are viable options. If /proc/crypto does not produce a favorable list of hashing algorithms and ciphers, refer to your distribution's documentation on installing cryptographic kernel modules. A simple search for "<distro name> kernel crypto module installation" will produce a better selection of algorithms and ciphers. If the distriution is a source-based distribution, simply rebuilding and specifying the desired options inside of '''menuconfig''' will provide the desired results.
+
AES is almost always available. The blowfish is recommended, however AES, serpent, and twofish are viable options. If /proc/crypto does not produce a favorable list of hashing algorithms and ciphers, refer to the distribution's documentation on installing cryptographic kernel modules. A simple search for "<distro name> kernel crypto module installation" will produce a better selection of algorithms and ciphers. If the distriution is a source-based distribution, simply rebuilding and specifying the options inside of '''menuconfig''' will provide the desired results.
  
 
== Setting Up a Block Device ==
 
== Setting Up a Block Device ==
  
{{notice|To create a block device, first, you will want to create a partition or a flat file.}}
+
{{notice|A new partition or file is necessary to create a block device.}}
  
 
=== Creating a Partition ===  
 
=== Creating a Partition ===  
  
To create a partition, you can use your preferred partition editor.
+
To create a partition, use a partition editor '''cfdisk''' and '''fdisk''' are two good options.
  
    cfdisk /dev/sdx
+
After the partitions are created, format and encrypt the partition with the command:
    fdisk /dev/sdx
+
 
+
After the partitions are created, we will want to format and encrypt the partition with the command:
+
  
 
     cryptsetup luksFormat -c <cipher name> -h <digest name> /path/to/partition (/dev/sdx)
 
     cryptsetup luksFormat -c <cipher name> -h <digest name> /path/to/partition (/dev/sdx)
Line 45: Line 36:
 
     cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2
 
     cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2
  
Next, LUKS will prompt you for your passphrase. Enter a password or, alternatively, you can provide a keyfile with --key-file. ''* When creating a keyfile, be sure that it meets the length criteria for the selected digest algorithm.''
+
Next, LUKS will prompt for a passphrase. Enter a password or, alternatively, provide a keyfile with --key-file. ''
 +
* When creating a keyfile, be sure that it meets the length criteria for the selected digest algorithm.''
  
After you enter your password, you can move onto [[#LVM and the Device Mapper|the LVM and Device Mapper Section]].
+
After entering a password, skip to [[#LVM and the Device Mapper|the LVM and Device Mapper Section]].
  
 
=== Creating a Flat File ===
 
=== Creating a Flat File ===
  
If you do not have any unpartitioned space or do not want to create another partition for encryption, you can create a flat file. First, you will want to create the file with touch
+
If no unpartitioned space is available or a new partition for encryption is undesired, a flat file can be created. First, create a blank file using '''touch''':
  
 
     touch /path/to/flatfile
 
     touch /path/to/flatfile
 
     Ex. touch ~/cryptoImg.img
 
     Ex. touch ~/cryptoImg.img
  
Next, you will want to use either shred or dd to create the flat file in the appropriate size.
+
Next, use either shred or dd to create the flat file in the appropriate size.
  
 
     '''SHRED:'''
 
     '''SHRED:'''
Line 63: Line 55:
  
 
     '''DD'''
 
     '''DD'''
     dd if=/dev/urandom bs=1024 of=/path/to/flatfile count='echo .|awk '{print (10*1024^2)}'`
+
     dd if=/dev/urandom bs=1024 of=/path/to/flatfile count=`echo .|awk '{print (10*1024^2)}'`
  
Your flat file is now created and is overwritten with random data. Next, you need to set it up as a loopback device. First, you need to determine what loopback devices are already available:
+
A flat file is now created and is overwritten with random data. Next, set it up as a loopback device. First, determine what loopback devices are already available:
  
 
     '''AS ROOT'''
 
     '''AS ROOT'''
 
     losetup -a
 
     losetup -a
  
This will list all of the loopback devices on your system. If their is nothing in the list, you can start with loop0:
+
This will list all of the loopback devices. If there is nothing in the list, start with loop0:
  
 
     losetup /path/to/flatfile /dev/loop0
 
     losetup /path/to/flatfile /dev/loop0
     ''In some distributions, you may need to run:''
+
     ''Certain distributions may require:''
 
     losetup /path/to/flatfile /dev/loop/
 
     losetup /path/to/flatfile /dev/loop/
  
{{info|''If you receive an error about loop modules, you can use modprobe to start the module or (for source-based distributions):
+
{{info|''If an error about loop modules occurs, use modprobe to start the module or (for source-based distributions):
  
 
     find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;
 
     find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;
Line 87: Line 79:
  
 
== LVM and the Device Mapper ==
 
== LVM and the Device Mapper ==
 
=== Obtaining Support ===
 
 
Now that the partition has been created and is capable of being used for storage, the next step is to obtain '''LVM''' and '''Device Mapper''' support.
 
 
A quick Google search of "<distro name> enabling LVM Device Mapper Support" will provide the solutions you are looking for and tutorials to help you along the way.
 
  
 
=== Creating Encrypted LVM Partitions ===
 
=== Creating Encrypted LVM Partitions ===
  
First, you must open up the encrypted device with:
+
First, open up the encrypted device with:
  
 
     cryptsetup luksOpen /dev/sdx lvm
 
     cryptsetup luksOpen /dev/sdx lvm
  
Then, you must create your logical partitions:
+
Then, create logical partitions:
  
 
     lvm pvcreate /dev/mapper/lvm
 
     lvm pvcreate /dev/mapper/lvm
Line 119: Line 105:
 
     *''The last parameter becomes the directory in /dev/mapper that you will need to format
 
     *''The last parameter becomes the directory in /dev/mapper that you will need to format
  
you can finally create a filesystem on your encrypted partition with mkfs. For example, using our preferred reiserfs:
+
Finally, create a filesystem on the encrypted partition with mkfs. For example, (using reiserfs):
  
 
     mkfs.reiserfs /dev/mapper/cryptDir
 
     mkfs.reiserfs /dev/mapper/cryptDir
  
Now, that you have unlocked your keyslot and created your filesystem, you should be able to create and mount your encrypted directory:
+
Now, that the keyslot is unlocked and the filesystem created, create and mount the encrypted directory:
  
 
     mkdir /home/<username>/encrypted
 
     mkdir /home/<username>/encrypted
Line 137: Line 123:
 
     losetup -d /dev/loop#
 
     losetup -d /dev/loop#
  
Now, all of your data is secured in an encrypted partition.  To re-open the partition:
+
Now, all of the data is secured in an encrypted partition.  To re-open the partition:
  
 
     cryptsetup luksOpen /dev/sdx /dev/mapper/cryptDir
 
     cryptsetup luksOpen /dev/sdx /dev/mapper/cryptDir
 
     mount -o loop -t reiserfs /dev/mapper/cryptDir /home/<username>/encrypted
 
     mount -o loop -t reiserfs /dev/mapper/cryptDir /home/<username>/encrypted
 +
 
==External Links==
 
==External Links==
 
*[http://philosecurity.org/pubs/davidoff-clearmem-linux.pdf Plaintext Passwords in Linux memory]
 
*[http://philosecurity.org/pubs/davidoff-clearmem-linux.pdf Plaintext Passwords in Linux memory]

Latest revision as of 12:27, 20 October 2012

DMCrypt and LUKS are Linux utilities used to encrypt storage space. These utilities can be applied to any type of device that is natively understood by a kernel. Devices include anything in the /dev/ directory, however, a user can also create his own flat file and create a loopback device. This works on any Linux distribution.

Getting Started

First, the first utility needed is cryptsetup which can be installed via a package manager.

Encryption Ciphers and Algorithms

A list of the supported encryption ciphers and hashing algorithms is located in /proc/crypto . To list, run the command:

    grep "name\|digest\|cipher" /proc/crypto
c3el4.png Nearly every Linux distribution supports this, however, some LFS and other MINIX variants will not support crypto or crypttab in procfs.

Hashing Algorithms

Digest algorithms are hashing algorithms. The whirlpool algorithm is preferred, however, sha, md5, sha512 (mac), and ripemd160/320 are viable options. Whirlpool is suggested due to the collision resistance, age, and resistance to cryptanalysis attacks. There are no known cryptanalysis attacks that are able to generate reliable collisions on the whirlpool 512 digest.

Ciphers

AES is almost always available. The blowfish is recommended, however AES, serpent, and twofish are viable options. If /proc/crypto does not produce a favorable list of hashing algorithms and ciphers, refer to the distribution's documentation on installing cryptographic kernel modules. A simple search for "<distro name> kernel crypto module installation" will produce a better selection of algorithms and ciphers. If the distriution is a source-based distribution, simply rebuilding and specifying the options inside of menuconfig will provide the desired results.

Setting Up a Block Device

Notice: A new partition or file is necessary to create a block device.

Creating a Partition

To create a partition, use a partition editor cfdisk and fdisk are two good options.

After the partitions are created, format and encrypt the partition with the command:

    cryptsetup luksFormat -c <cipher name> -h <digest name> /path/to/partition (/dev/sdx)
    Ex. To encrypt /dev/sdb2 with whirlpool and blowfish:
    cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2

Next, LUKS will prompt for a passphrase. Enter a password or, alternatively, provide a keyfile with --key-file.

  • When creating a keyfile, be sure that it meets the length criteria for the selected digest algorithm.

After entering a password, skip to the LVM and Device Mapper Section.

Creating a Flat File

If no unpartitioned space is available or a new partition for encryption is undesired, a flat file can be created. First, create a blank file using touch:

    touch /path/to/flatfile
    Ex. touch ~/cryptoImg.img

Next, use either shred or dd to create the flat file in the appropriate size.

    SHRED:
    If you want a 10GB Partition:
    shred -s 10G /path/to/flatfile
    DD
    dd if=/dev/urandom bs=1024 of=/path/to/flatfile count=`echo .|awk '{print (10*1024^2)}'`

A flat file is now created and is overwritten with random data. Next, set it up as a loopback device. First, determine what loopback devices are already available:

    AS ROOT
    losetup -a

This will list all of the loopback devices. If there is nothing in the list, start with loop0:

    losetup /path/to/flatfile /dev/loop0
    Certain distributions may require:
    losetup /path/to/flatfile /dev/loop/
c3el4.png If an error about loop modules occurs, use modprobe to start the module or (for source-based distributions):
    find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;

Once completed, refer to the LUKS commands and run:

    cryptsetup luksFormat -c <cipher name> -h <digest name> /dev/loop#
Notice: The luksFormat command was run on /dev/loop# and NOT /dev/sdx

LVM and the Device Mapper

Creating Encrypted LVM Partitions

First, open up the encrypted device with:

    cryptsetup luksOpen /dev/sdx lvm

Then, create logical partitions:

    lvm pvcreate /dev/mapper/lvm
    lvm vgcreate <volume group name> /dev/mapper/lvm
    lvm lvcreate -L 20GB -n root <volume group name from above>
    lvm lvcreate -L 4GB -n swap <volume group name from above>
    lvm lvcreate -l 100%FREE -n home <volume group name from above>
    *Obviously, the partition sizes can be altered


Encrypting the Flat File

After running the luksOpen command to unlock the partition,

    cryptsetup luksOpen -c blowfish -h whirlpool /dev/sdx /dev/mapper/cryptDir
    *The last parameter becomes the directory in /dev/mapper that you will need to format

Finally, create a filesystem on the encrypted partition with mkfs. For example, (using reiserfs):

    mkfs.reiserfs /dev/mapper/cryptDir

Now, that the keyslot is unlocked and the filesystem created, create and mount the encrypted directory:

    mkdir /home/<username>/encrypted
    mount -o loop /dev/mapper/cryptDir /home/<username>/encrypted

Starting and Stopping the Service

Now, anything that is put into the /home/<username>/encrypted directory is encrypted. To shut down the encryption service:

    umount /home/<username>/encrypted
    cryptsetup luksClose /dev/mapper/cryptDir
    *If you created a loopback device:
    losetup -d /dev/loop#

Now, all of the data is secured in an encrypted partition. To re-open the partition:

    cryptsetup luksOpen /dev/sdx /dev/mapper/cryptDir
    mount -o loop -t reiserfs /dev/mapper/cryptDir /home/<username>/encrypted

External Links

Dmcrypt is part of a series on administration.

<center>

Dmcrypt is part of a series on countermeasures.
<center>
</center>