
Using DM-CRYPT for on-the-fly encrypted containers

19 Aug 2008

If you want to keep some secret documents well guarded on your hard disk, you can encrypt them file by file, for example with GnuPG. But if you don't want to type a passphrase every five minutes, you can keep your sensitive material in an encrypted container instead. Why a container and not a partition? Perhaps because the partition holding your data is already full and you cannot move everything elsewhere while you encrypt it. An encrypted container (an ordinary file that is treated as a block device) is the easier route, even though in many cases it is better to encrypt the whole partition. Here is how it works.

Some background information:

Device Mapper and DM-Crypt

Since version 2.6, the Linux kernel has provided the device-mapper interface, which allows layers of virtual block devices to be stacked on top of real block devices. These virtual devices are used for software RAID, snapshots, LVM volumes and encryption. dm-crypt is the device-mapper target that encrypts a block device transparently, using the ciphers and digests of the kernel's Crypto API.

Cryptsetup

cryptsetup is the primary userland tool for creating and managing dm-crypt encrypted partitions and containers.

Linux Unified Key Setup (LUKS)

LUKS provides a standard on-disk format for encrypted devices: a header that records the cipher and key setup, so that a device created on one distribution can be opened on another; multiple key slots, so several users or passphrases can unlock the same volume and a single passphrase can be revoked without re-encrypting; and salted, iterated key derivation (PBKDF2), which makes brute-forcing a low-entropy passphrase considerably more expensive than in plain dm-crypt mode, where the passphrase is simply hashed into the key. To use LUKS you need a version of cryptsetup built with LUKS support. At the time of writing (2008), to the author's knowledge, only Debian (Etch, Lenny and Sid), Ubuntu and Gentoo ship LUKS-enabled cryptsetup in their repositories.

STEP 1: Prepare your kernel

In your kernel configuration you must enable the following (menu paths from a 2.6.23 kernel):

Code maturity level options
        Prompt for development or/and incomplete code/drivers
Device Drivers -> Multiple devices driver support (RAID and LVM)
        (*) Device mapper support
        (M) Crypt target support
Cryptographic API
        (M) AES cipher algorithms
        (M) SHA256 digest algorithm

Compile and install the new kernel if you had to change anything.

STEP 2: Install required software

Install cryptsetup. If your distribution packages it, use the package. Otherwise build it from the sources with the usual ./configure; make; make install.

STEP 3: Create the container you need

Create the container file (wherever you have enough room) and fill it with random data up to the size you need. shred -s sets the size and -n1 makes a single random pass; the random fill matters, because unused space in the container then looks exactly like encrypted data, so an attacker cannot tell how much of it is in use:

cd /mnt
touch container_enc
shred -n1 -s20G container_enc

STEP 4: Setup a loopback device

First find the name of the first unused loop device:

losetup -f

NOTE: If the command above is not recognised, update the util-linux package (losetup is part of it); version 2.13 or later supports losetup -f.

Alternatively, try losetup /dev/loopX for X = 0, 1, … until you get an error message such as:

loop: cannot get info on device /dev/loop0: No such device or address

which means that loop device is free.

Attach the container file to that loop device (here /dev/loop0 was free):

losetup /dev/loop0 /mnt/container_enc

STEP 5: Create an encrypted device-mapper mapping

cryptsetup -y create containercrypt /dev/loop0

This creates a plain dm-crypt mapping; -y asks for the passphrase twice to catch typos. Be aware of what plain mode means: the key is derived directly from a hash of the passphrase, there is no header, no salt, no way to change the passphrase later, and no way for cryptsetup to tell a wrong passphrase from a right one (a wrong one simply yields a mapping full of garbage, and the mount in step 7 fails with a bad superblock). If your cryptsetup has LUKS support (see above), prefer cryptsetup -y luksFormat /dev/loop0 followed by cryptsetup luksOpen /dev/loop0 containercrypt, and use cryptsetup luksClose containercrypt instead of cryptsetup remove in step 8.

Check that the mapping exists (dmsetup ls should list containercrypt; cryptsetup status containercrypt additionally shows the cipher and the backing loop device):

dmsetup ls

STEP 6: Create a filesystem on the encrypted container

mkfs.ext3 /dev/mapper/containercrypt

STEP 7: Mount the encrypted container and use it (finally)

mkdir /mnt/container_protected_mp
mount /dev/mapper/containercrypt /mnt/container_protected_mp

STEP 8: Unmount the encrypted container

umount /mnt/container_protected_mp
cryptsetup remove containercrypt
losetup -d /dev/loop0

After that, nobody can read the container without the right passphrase. Bear in mind that the passphrase is all that protects it: in plain mode it is hashed straight into the key without salt or iteration, so choose a long one, and remember that any copy or backup of the container file is only as safe as that passphrase.

To make mounting and unmounting easy, you can create two simple scripts like these:

#!/bin/bash
set -e                                        # stop at the first failing step
losetup /dev/loop0 /mnt/container_enc         # attach the container file
cryptsetup create containercrypt /dev/loop0   # asks for the passphrase
mount /dev/mapper/containercrypt /mnt/container_protected_mp

and

#!/bin/bash
set -e
umount /mnt/container_protected_mp
cryptsetup remove containercrypt
losetup -d /dev/loop0                         # detach the loop device, as in step 8

Save them somewhere and create two shortcuts (launchers) on your desktop pointing at them. Don't forget to enable “Run in terminal” (so you can enter the passphrase) and “Run as a different user” with root as the user (mounting needs root).
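The two helper scripts above hard-code /dev/loop0, rely on plain dm-crypt mode and leave the loop device attached on close. What follows is an added example, not code from the original page: a single helper that walks the whole procedure (steps 3 to 8) on top of LUKS instead, with the header check a practitioner would want before opening a container, and the key-slot operations the LUKS section mentions (adding a second passphrase, revoking one). The container path, mapper name and mount point are the page's; the DRYRUN and LOOPDEV switches, the cmd_* names and the choice of LUKS over plain mode are my assumptions. It needs a LUKS-capable cryptsetup, util-linux 2.13 or later (for losetup -f) and root privileges.

```shell
#!/bin/sh
# Added example, not from the original page: LUKS-based helper for an
# encrypted container file. Assumptions (mine): the paths and mapper name
# below, a LUKS-capable cryptsetup, util-linux 2.13+ (losetup -f), root.
# DRYRUN=1 prints the commands instead of running them; LOOPDEV overrides
# loop-device discovery (both exist so the logic can be exercised safely).
set -eu

CONTAINER=${CONTAINER:-/mnt/container_enc}
MAPPER=${MAPPER:-containercrypt}
MOUNTPOINT=${MOUNTPOINT:-/mnt/container_protected_mp}

# Execute a command, or print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# First free loop device (or LOOPDEV if set).
free_loop() {
    if [ -n "${LOOPDEV:-}" ]; then echo "$LOOPDEV"; else losetup -f; fi
}

# Loop device backing the active mapping, read from "cryptsetup status".
attached_loop() {
    if [ -n "${LOOPDEV:-}" ]; then echo "$LOOPDEV"; return; fi
    cryptsetup status "$MAPPER" | awk '/device:/ {print $2}'
}

# Steps 3 to 6: create the container, add a LUKS header, make a filesystem.
# $1 is the size as accepted by shred -s, e.g. 20G.
cmd_create() {
    dev=$(free_loop)
    run touch "$CONTAINER"
    run shred -n1 -s"$1" "$CONTAINER"      # random fill: free space looks like ciphertext
    run losetup "$dev" "$CONTAINER"
    run cryptsetup -y luksFormat "$dev"    # -y asks for the passphrase twice
    run cryptsetup luksOpen "$dev" "$MAPPER"
    run mkfs.ext3 "/dev/mapper/$MAPPER"
    run cryptsetup luksClose "$MAPPER"
    run losetup -d "$dev"
}

# Step 7: attach, verify the LUKS header, open, mount.
cmd_open() {
    dev=$(free_loop)
    run losetup "$dev" "$CONTAINER"
    if ! run cryptsetup isLuks "$dev"; then   # wrong file? do not open garbage
        echo "$CONTAINER has no LUKS header, refusing to open" >&2
        run losetup -d "$dev"
        return 1
    fi
    run cryptsetup luksOpen "$dev" "$MAPPER"  # fails cleanly on a wrong passphrase
    run mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

# Step 8: unmount, close the mapping, detach the loop device.
cmd_close() {
    dev=$(attached_loop)
    run umount "$MOUNTPOINT"
    run cryptsetup luksClose "$MAPPER"
    run losetup -d "$dev"
}

# Key-slot management while the container is open: add a second passphrase,
# or revoke one by slot number (list slots with "cryptsetup luksDump").
cmd_addkey()   { run cryptsetup luksAddKey "$(attached_loop)"; }
cmd_killslot() { run cryptsetup luksKillSlot "$(attached_loop)" "$1"; }

main() {
    case "${1:-}" in
        create)   cmd_create "${2:?size, e.g. 20G}" ;;
        open)     cmd_open ;;
        close)    cmd_close ;;
        addkey)   cmd_addkey ;;
        killslot) cmd_killslot "${2:?slot number}" ;;
        *) echo "usage: $0 create SIZE | open | close | addkey | killslot N" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Unlike plain mode, luksOpen rejects a wrong passphrase instead of producing a mapping full of garbage, and the isLuks check stops the script from opening the wrong file at all. Run it as root with `open`, `close`, `create 20G`, `addkey` or `killslot 1`; prefix with `DRYRUN=1` to see what it would do first.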

security/enccont.txt · Last modified: 2013/03/16 17:41 (external edit)