Dmcrypt
DMCrypt and LUKS are Linux utilities used to encrypt storage space. These utilities can be applied to any type of device that is natively understood by your kernel. Devices include anything in the /dev/ directory, however, a user can also create their own flat file and create a loopback device. This works on ANY Linux distribution.
Contents
Getting Started
First things first, the first utility needed is cryptsetup. The appropriate package manager will aid with the cryptsetup installation.
apt-get install cryptsetup
emerge -q cryptsetup
pacman -S cryptsetup
yum install cryptsetup
...or whichever package manager applies to you
Encryption Ciphers and Algorithms
A list of the supported encryption ciphers and hashing algorithms for your specific kernel are located in /proc/crypto . To list, run the command:
cat /proc/crypto | grep name\|digest\|cipher
*Nearly every Linux distribution supports this, however, some LFS and other MINIX variants will not support crypto or crypttab in procfs.
Hashing Algorithms
Digest algorithms are hashing algorithms. At Blackhat Academy, we prefer the whirlpool algorithm, however, sha, md5, sha512 (mac), and ripemd160/320 are viable options. We suggest whirlpool at Blackhat Academy due to the collision resistance, age, and resistance to cryptanalysis attacks. There are no known cryptanalysis attacks that are able to generate reliable collisions on the whirlpool 512 digest.
Ciphers
AES is almost always available. At Blackhat Academy, however, we suggest the blowfish cipher, although, AES, serpent, and twofish are viable options. If /proc/crypto does not produce a favorable list of hashing algorithms and ciphers, refer to your distribution's documentation on installing cryptographic kernel modules. A simple search for "<distro name> kernel crypto module installation" will produce a better selection of algorithms and ciphers. If the distriution is a source-based distribution, simply rebuilding and specifying the desired options inside of menuconfig will provide the desired results.
Setting Up a Block Device
To create a block device, first, you will want to create a partition or a flat file.
Creating a Partition
To create a partition, you can use your preferred partition editor.
cfdisk /dev/sdx
fdisk /dev/sdx
After the partitions are created, we will want to format and encrypt the partition with the command:
cryptsetup luksFormat -c <cipher name> -h <digest name> /path/to/partition (/dev/sdx)
Ex. To encrypt /dev/sdb2 with whirlpool and blowfish:
cryptsetup luksFormat -c blowfish -h whirlpool /dev/sdb2
Next, LUKS will prompt you for your passphrase. Enter a password or, alternatively, you can provide a keyfile with --key-file. * When creating a keyfile, be sure that it meets the length criteria for the selected digest algorithm.
After you enter your password, you can move onto obtaining LVM and Device Mapper Support.
Creating a Flat File
If you do not have any unpartitioned space or do not want to create another partition for encryption, you can create a flat file. First, you will want to create the file with touch
touch /path/to/flatfile
Ex. touch ~/cryptoImg.img
Next, you will want to use either shred or dd to create the flat file in the appropriate size.
SHRED:
If you want a 10GB Partition:
shred -s 10G /path/to/flatfile
DD
dd if=/dev/urandom bs=1024 of=/path/to/flatfile count='echo .|awk '{print (10*1024^2)}'`
Your flat file is now created and is overwritten with random data. Next, you need to set it up as a loopback device. First, you need to determine what loopback devices are already available:
AS ROOT
losetup -a
This will list all of the loopback devices on your system. If their is nothing in the list, you can start with loop0:
losetup /path/to/flatfile /dev/loop0
In some distributions, you may need to run:
losetup /path/to/flatfile /dev/loop/
If you receive an error about loop modules, you can use modprobe to start the module or (for source-based distributions):
find /usr/src/linux -name \*loop\*.ko -exec insmod '{}' \;
Once completed, refer to the LUKS commands and run:
cryptsetup luksFormat -c <cipher name> -h <digest name> /dev/loop#
*Note: The luksFormat command was run on /dev/loop# and NOT /dev/sdx
Obtaining LVM and Device Mapper Support
Now that the partition has been created and is capable of being used for storage, the next step is to obtain LVM and Device Mapper support.
4.0 - Obtaining LVM Support and Device Mapper Support
Now we've created a partition capable of handling our storage space. The next step is to obtain LVM support and Device Mapper Support. If you don't have these, running a quick search for your distro on enabling them will reveal all the answers.
5.0 - Finishing up
Once this is accomplished, using sdb2 as our example:
cryptsetup luksOpen -c blowfish -h whirlpool /dev/sdb2 mycryptdir
It will prompt for the passphrase again. Successful entry of the passphrase will unlock the keyslot. Once this has been accomplished, you can go ahead and mkfs. I prefer reiserfs for performance and deletion sake. So in my case, I would run:
mkfs.reiserfs /dev/mapper/mycryptdir
That last parameter on the cryptsetup luksOpen command becomes the directory in /dev/mapper you'll need to format. Additionally, crypt target support needs to be enabled in your LVM/Device Mapper support options in your kernel or the appropriate module needs to be loaded for your distro (search engines are helpful there).
Now that I've unlocked my keyslot and created my filesystem, I can go ahead and: mkdir /home/hatter/encrypted mount -o loop /dev/mapper/mycryptdir /home/hatter/encrypted
Now anything in the /home/hatter/encrypted directory is encrypted. To shut your device down: umount /home/hatter/encrypted cryptsetup luksClose /dev/mapper/mycryptdir
If you created a loopback device: losetup -d /dev/loop#
Now your data is perfectly secured in an encrypted partition and no one can read it. To re-open: cryptsetup luksOpen /dev/sdb2 mycryptdir mount -o loop -t reiserfs /dev/mapper/mycryptdir /home/hatter/encrypted
Simply umount and cryptsetup luksClose when done.
