Securing your Contents
Posted by: Wael Nasreddine in Linux Security, tags: gpg, luks, securityLUKS
This is my favorite encryption tool/algorithm; I actually encrypt my whole hard disk. It might slow your computer down a little, but at least you are safe. LUKS works a bit like GPG: without the password, the partition (or the loop device, which you will be happy to learn about) becomes useless. I will try to cover as much ground as I can for both ways you could use LUKS, a partition and a loop device, but please note that I will not cover your distribution's settings or the encryption of the root partition in this article; those subjects are very wide and vary from one distribution to another.
The difference between GnuPG and LUKS is that LUKS is actually a whole filesystem. GnuPG can only encrypt one file, whatever that file is (it can be an archive of files), but it is still a file. LUKS is a filesystem, just like your partitions.
Partition
WARNING: This step requires partition manipulation, hence it is very dangerous, so please be careful.
Before starting to list commands and explain them, I will try explaining it using a different approach, a logical approach. As you already know, an operating system resides on a partition, and one or more partitions can co-exist. The partitions are accessed through the special block devices that reside in /dev: for IDE hard disks they are /dev/hda1, /dev/hda2 etc., for SCSI/SATA they are /dev/sda1, /dev/sda2 etc. For the sake of this article, I will assume the partition is /dev/sda4.
When you create an unencrypted partition, the filesystem is created over the physical partition directly, which means the filesystem sits directly on /dev/sda4, using a command similar to this:
# mke2fs -j /dev/sda4
When you create an encrypted partition it is slightly different: between the filesystem and the physical partition a layer is added, the encrypted volume. First we create an encrypted volume over /dev/sda4, then we open the encrypted partition, which creates another block device, this time under /dev/mapper rather than /dev, and finally we create the filesystem over that /dev/mapper device.
Now let’s talk commands eh ?
# cryptsetup luksFormat /dev/sda4
Enter your password, and please make sure you remember it; if it is lost, the whole partition becomes useless.
# cryptsetup luksOpen /dev/sda4 encrypted
After you enter the partition's password, the device /dev/mapper/encrypted will be created. NOTE: this device does not yet have a filesystem.
# mke2fs -j -m 0 -L EncryptedDevice /dev/mapper/encrypted
We create the filesystem over /dev/mapper/encrypted, NOT /dev/sda4.
# mount -t ext3 /dev/mapper/encrypted /mnt/encrypted
And of course we mount /dev/mapper/encrypted and not /dev/sda4. I shouldn't have to tell you to create the folder /mnt/encrypted first.
Now you have an encrypted partition: anything you put inside it is encrypted, and without the password no information can be read from it!!
What is a loop device
In Unix-like operating systems, a loop device, loopback device, vnd (vnode disk), or lofi (loopback file interface) is a pseudo-device that makes a file accessible as a pseudo-device. A loop device may allow some kind of data elaboration during this redirection; for example, the device may be the unencrypted version of an encrypted file. Source: Wikipedia
How to create a loop device
To create a loop device you have to create a file of the desired size; the appropriate way to do that is to fill it with dd from /dev/null (or, for more security, /dev/urandom). Then we use cryptsetup and mke2fs just as if we were dealing with a normal partition.
# dd if=/dev/urandom of=/path/to/encrypted-file bs=10M count=10
This will create a loop file of size 100M. It is easy to work out the size: we told dd to copy a 10M block 10 times, 10M x 10 = 100M, easy.
Now that we have the loop file, we will plug it in, create the encrypted layer and finally create the filesystem.
First we need to find out which loop devices are free
# losetup -f
You should get something like `/dev/loop/0` or `/dev/loop0`; write down whatever you get. For the sake of this article I will assume it is `/dev/loop/0`.
Let’s plug it in
# losetup /dev/loop/0 /path/to/encrypted-file
Encrypt and mount the loop device
We can create the encrypted layer as well as the filesystem now
# cryptsetup luksFormat /dev/loop/0
Enter the password you would like to assign to the file, then open it
# cryptsetup luksOpen /dev/loop/0 encrypted
Create the filesystem
# mke2fs -j /dev/mapper/encrypted
and mount it
# mkdir /mnt/encrypted
# mount -t ext3 /dev/mapper/encrypted /mnt/encrypted
Umount and deactivate the loop device
To unmount and deactivate the loop device there are 3 steps to follow: first unmount the partition, then close the LUKS device, and finally unplug the loop device.
# umount /mnt/encrypted
# cryptsetup luksClose /dev/mapper/encrypted
# losetup -d /dev/loop/0
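The loop-file procedure above and its three-step teardown, as an added example that is not code from the original post: two POSIX shell functions wrapping the same commands, with a dry-run mode that prints the command sequence instead of running it, so the order can be checked before doing it as root. It assumes a util-linux losetup that supports --find --show and cryptsetup on the path; the /dev/loopN name printed in dry-run mode is a placeholder. The cryptsetup, mke2fs and mount steps are the same ones the partition section uses.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's loop-file
# procedure as two functions with a dry-run mode. Assumes util-linux
# losetup (--find --show) and cryptsetup are installed.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute them (root needed)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_container FILE SIZE_MB NAME MOUNTPOINT
# dd -> losetup -> luksFormat -> luksOpen -> mke2fs -> mount, as in the post.
create_container() {
    file=$1 size_mb=$2 name=$3 mnt=$4
    if [ "$DRY_RUN" != 1 ] && [ -e "$file" ]; then
        echo "refusing to overwrite existing file $file" >&2   # dd would destroy a container
        return 1
    fi
    # Fill from /dev/urandom so free space is indistinguishable from data.
    run dd if=/dev/urandom of="$file" bs=1M count="$size_mb"
    # --find --show attaches the file to the first free loop device and prints it,
    # avoiding the race between "losetup -f" and a later "losetup DEV FILE".
    if [ "$DRY_RUN" = 1 ]; then
        run losetup --find --show "$file"; dev=/dev/loopN   # placeholder in dry-run
    else
        dev=$(losetup --find --show "$file")
    fi
    run cryptsetup luksFormat "$dev"            # prompts for the passphrase
    run cryptsetup luksOpen "$dev" "$name"      # creates /dev/mapper/$name
    run mke2fs -j -m 0 -L "$name" "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount -t ext3 "/dev/mapper/$name" "$mnt"
}

# teardown_container NAME MOUNTPOINT LOOPDEV
# Order matters: unmount, then close the mapping, then detach the loop device.
teardown_container() {
    name=$1 mnt=$2 dev=$3
    run umount "$mnt"
    run cryptsetup luksClose "/dev/mapper/$name"
    run losetup -d "$dev"
}
```

Run with DRY_RUN=0 (as root) to actually perform the steps; the default only prints them.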
Comments are appreciated
Too bad I didn't come across this blog before. Great stuff you got here. Thanks.
Interesting.
I’d recommend changing the blog’s design so it’s easier for people to read. Have to disable all the images to read the article
@Juan: What are you talking about man, I worked hard to make it the easiest I could, there are no images besides those on the right menu, anyway which browser are you using? I recommend firefox.
Thanks for the comment though.