Dmcrypt
DMCrypt and LUKS are Linux utilities used to encrypt storage space. They can be applied to any type of block device that is natively understood by your kernel. Devices include anything in the /dev/ directory; a user can also create a flat file and attach it as a loopback device. This works on ANY Linux distribution.
Getting Started
First things first: the utility needed is cryptsetup. Install it with the package manager that applies to your distribution:
apt-get install cryptsetup
emerge -q cryptsetup
pacman -S cryptsetup
yum install cryptsetup
...or whichever package manager applies to you
Encryption Ciphers and Algorithms
The list of encryption ciphers and hashing algorithms supported by your specific kernel is located in /proc/crypto. To list them, run the command:
grep 'name\|digest\|cipher' /proc/crypto
*Nearly every Linux distribution supports this, however, some LFS and other MINIX variants will not support crypto or crypttab in procfs.
Hashing Algorithms
Digest algorithms are hashing algorithms. At Blackhat Academy, we prefer the whirlpool algorithm, however, sha, md5, sha512 (mac), and ripemd160/320 are viable options. We suggest whirlpool at Blackhat Academy due to the collision resistance, age, and resistance to cryptanalysis attacks. There are no known cryptanalysis attacks that are able to generate reliable collisions on the whirlpool 512 digest.
Ciphers
AES is almost always available. At Blackhat Academy, however, we suggest the blowfish cipher, although AES, serpent, and twofish are viable options. If /proc/crypto does not produce a favorable list of hashing algorithms and ciphers, refer to your distribution's documentation on installing cryptographic kernel modules. A simple search for "<distro name> kernel crypto module installation" will produce a better selection of algorithms and ciphers. If the distribution is a source-based distribution, simply rebuilding the kernel with the desired options selected in menuconfig will provide the desired results.
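As an added example (not from the original page), the following script parses /proc/crypto to confirm that the cipher and digest you intend to pass to luksFormat are actually exposed by the running kernel, instead of eyeballing the grep output. The /proc/crypto excerpt it runs against is constructed, and the function names are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the original page: confirm that the cipher and digest you
# plan to pass to "cryptsetup luksFormat -c ... -h ..." are really exposed by the
# running kernel, by parsing /proc/crypto rather than eyeballing the grep output.
set -eu

# crypto_supported NAME TYPE [FILE]
# Returns 0 if FILE (default /proc/crypto) has an entry with that "name" and "type".
# A raw block cipher is type "cipher" (cbc/xts modes are built on it as "skcipher");
# a digest is "shash" or "ahash".
crypto_supported() {
    local name=$1 type=$2 file=${3:-/proc/crypto}
    awk -v n="$name" -v t="$type" '
        $1 == "name" { cur = $3 }
        $1 == "type" && cur == n && $3 == t { found = 1 }
        END { exit(found ? 0 : 1) }' "$file"
}

# check_luks_params CIPHER HASH [FILE]
# Prints one line per missing algorithm and returns 1 if either is absent, so a
# setup script can bail out before luksFormat instead of finding out at open time.
check_luks_params() {
    local cipher=$1 hash=$2 file=${3:-/proc/crypto} rc=0
    if ! crypto_supported "$cipher" cipher "$file"; then
        echo "cipher '$cipher' not in $file (load the module or rebuild the kernel)"; rc=1
    fi
    if ! crypto_supported "$hash" shash "$file" && ! crypto_supported "$hash" ahash "$file"; then
        echo "digest '$hash' not in $file (load the module or rebuild the kernel)"; rc=1
    fi
    return $rc
}

# Constructed /proc/crypto excerpt (same layout as the real file) used for the demo
# below; to check the real kernel, drop the third argument.
SAMPLE_PROC_CRYPTO=$(mktemp)
cat >"$SAMPLE_PROC_CRYPTO" <<'EOF'
name         : whirlpool
driver       : wp512-generic
type         : shash
digestsize   : 64

name         : aes
driver       : aes-generic
type         : cipher
min keysize  : 16
max keysize  : 32
EOF
# Demo: aes/whirlpool pass; blowfish is absent from the sample, so the check says why.
check_luks_params aes whirlpool "$SAMPLE_PROC_CRYPTO" && echo "aes + whirlpool: ok"
check_luks_params blowfish whirlpool "$SAMPLE_PROC_CRYPTO" || echo "blowfish + whirlpool: not usable"
```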
Setting Up a Block Device
To create a block device, first, you will want to create a partition or a flat file.
Creating a Partition
To create a partition, use your preferred partition editor:
cfdisk /dev/sdx
fdisk /dev/sdx
After the partitions are created, format and encrypt the partition with the command:
cryptsetup luksFormat -c <cipher name> -h <digest name> /path/to/partition (e.g. /dev/sdx)
Ex. To encrypt /dev/sdb2 with whirlpool and blowfish:
cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2
Next, LUKS will prompt you for your passphrase. Enter a password or, alternatively, you can provide a keyfile with --key-file. * When creating a keyfile, be sure that it meets the length criteria for the selected digest algorithm.
After you enter your password, you can move on to the LVM and Device Mapper section.
Creating a Flat File
If you do not have any unpartitioned space, or do not want to create another partition for encryption, you can create a flat file. First, create the file with touch:
touch /path/to/flatfile
Ex. touch ~/cryptoImg.img
Next, use either shred or dd to fill the flat file to the appropriate size with random data.
SHRED: If you want a 10GB file:
shred -s 10G /path/to/flatfile
DD: the count is in 1024-byte blocks, so 10*1024^2 blocks gives 10GB:
dd if=/dev/urandom bs=1024 of=/path/to/flatfile count=$((10*1024*1024))
Your flat file is now created and is overwritten with random data. Next, you need to set it up as a loopback device. First, you need to determine what loopback devices are already available:
As root:
losetup -a
This will list all of the loopback devices on your system. If there is nothing in the list, you can start with loop0 (note that losetup takes the loop device first, then the file):
losetup /dev/loop0 /path/to/flatfile
In some distributions the loop devices live under /dev/loop/ instead, so substitute that path.
If you receive an error about the loop module not being loaded, load it with modprobe loop or (for source-based distributions):
find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;
Once completed, refer to the LUKS commands and run:
cryptsetup luksFormat -c <cipher name> -h <digest name> /dev/loop#
*Note: The luksFormat command was run on /dev/loop# and NOT /dev/sdx
LVM and the Device Mapper
Obtaining Support
Now that the partition has been created and is capable of being used for storage, the next step is to obtain LVM and Device Mapper support.
A quick Google search of "<distro name> enabling LVM Device Mapper Support" will provide the solutions you are looking for and tutorials to help you along the way.
Creating Encrypted LVM Partitions
First, you must open up the encrypted device with:
cryptsetup luksOpen /dev/sdx lvm
Then, create your physical volume, volume group, and logical partitions:
lvm pvcreate /dev/mapper/lvm
lvm vgcreate <volume group name> /dev/mapper/lvm
lvm lvcreate -L 20G -n root <volume group name from above>
lvm lvcreate -L 4G -n swap <volume group name from above>
lvm lvcreate -l 100%FREE -n home <volume group name from above>
*Obviously, the partition sizes can be altered
Encrypting the Flat File
First, run luksOpen to unlock the partition. The cipher and digest are read from the LUKS header, so they are not passed again; the last parameter is the name that the unlocked device gets under /dev/mapper, which is what you will format:
cryptsetup luksOpen /dev/sdx cryptDir
Now you can create a filesystem on the unlocked device with mkfs. For example, using our preferred reiserfs:
mkfs.reiserfs /dev/mapper/cryptDir
Now that you have unlocked your keyslot and created your filesystem, you can create and mount your encrypted directory (the mapped device is mounted directly; no loop option is needed):
mkdir /home/<username>/encrypted
mount /dev/mapper/cryptDir /home/<username>/encrypted
Starting and Stopping the Service
Now, anything that is put into the /home/<username>/encrypted directory is encrypted. To shut down the encryption service:
umount /home/<username>/encrypted
cryptsetup luksClose cryptDir
*If you created a loopback device, also detach it:
losetup -d /dev/loop#
Now, all of your data is secured in an encrypted partition. To re-open the partition:
cryptsetup luksOpen /dev/sdx cryptDir
mount -t reiserfs /dev/mapper/cryptDir /home/<username>/encrypted