Disk encryption in Linux (IV): Encrypting a full partition with LUKS

Posted by berto on November 08, 2006

LUKS is a hard disk encryption standard for Linux created by Clemens Fruhwirth. Althought the reference implementation is based on dm-crypt, it has several improvements over plain dm-crypt (as seen in the third post in this series), including support for multiple keys and passphrase revocation.

To use LUKS you’ll need a recent cryptsetup package (Debian sarge users can get it from backports.org). You will also need an empty partition to encrypt. You should fill it with random data before beginning:

$ shred -v /dev/hdaX

Now you have to initialize that partition with LUKS:

$ cryptsetup luksFormat /dev/hdaX

A random key will be generated and you will be asked a passphrase to encrypt it. Now you can decrypt your newly created LUKS partition and begin to use it:

$ cryptsetup luksOpen /dev/hdaX myname

Here, myname is the name of the device that will be created under /dev/mapper. Now it’s time to create a filesystem:

$ mke2fs /dev/mapper/myname

Now you can mount and use /dev/mapper/myname just like any other filesystem. When you’re done, unmount it and close the LUKS device so it won’t be accessible anymore until you open it again:

$ cryptsetup luksClose myname

So far so good, but how do you mount that partition automatically on boot? Just put this in your /etc/crypttab (and don’t forget to add /dev/mapper/myname to your /etc/fstab file!):

myname    /dev/hdaX    none    luks,check=ext2

myname is the encrypted device that will appear under /dev/mapper and /dev/hdaX is the original device.

The third field, none, means that the key to decrypt the filesystem is not stored anywhere, so cryptsetup will ask you during boot.

The fourth field lists misc options: luks means that the partition is encrypted with LUKS format (as opposed to plain dm-crypt format). check=ext2 will make cryptsetup look for an ext2/ext3 filesystem on the decrypted partition. That way, cryptsetup will notice whether you introduced the right passphrase and ask it again in case you typed it incorrectly. There are several partition checks (not just ext2), and you can write your own scripts. Just have a look at /lib/cryptsetup/checks/.

And that’s all for the basic usage, but there are some other nice things that you can do, such as adding more valid passphrases to a LUKS partition:

$ cryptsetup luksAddKey /dev/hdaX

You can see some information about the partition (including the number of valid passphrases available):

$ cryptsetup luksDump /dev/hdaX

And obviously you can remove any passphrase:

$ cryptsetup luksDelKey /dev/hdaX slot

Where slot is the number of the key slot you want to remove (you can see it with luksDump).

And that’s enough by now. As you can see, it’s not that hard to keep your data secure. Keep in mind, however, that encrypting a whole partition introduces some extra overhead, so your system will be slower. You don’t have to encrypt everything (i.e. under /usr you probably don’t have any confidential data). Choose wisely and enjoy!.

Disk encryption in Linux (III): Encrypting temporary filesystems

Posted by berto on November 03, 2006

So far we have mentioned some tools to easily encrypt files. Keeping files encrypted is a good way to protect your data in case someone steals them.

However, if we’re talking about serious encryption, just encrypting files is not enough to keep your data protected. There is no use in having a secured document in your hard disk if the program you use to open it stores some of its contents in /tmp. And that’s not the only risk. Maybe your program keeps passwords always in memory and it does not store them on disk, but what happens if you run out of memory and all of your passwords go to the swap partition? If someone steals your hard disk, she could easily get them with a disk editor.

There are many ways to encrypt entire partitions in Linux, and there are many kinds of partitions that should be encrypted, but swap and /tmp are two important ones and arguably the easiest to set up. Both share a common feature: they store temporary data. Once the computer is turned off, all stored data is no longer important, so it can be discarded.

In this example we’ll use dm-crypt to set up these encrypted partitions. You need to enable CONFIG_DM_CRYPT in your kernel configuration and install the cryptsetup package (if you’re using Debian sarge, it’s highly recommended to install cryptsetup 1.0.x from backports.org).

Once installed, put this in your /etc/crypttab:

cswap    /dev/hda5      /dev/random    swap
ctmp     /dev/hda6      /dev/random    tmp

The first field is the name of the device that will be created (under /dev/mapper) to access the encrypted partition.

The second field is the real partition that will be encrypted.

The third field is the file where the key to encrypt the partition is stored. In this setup, that file is /dev/random so each time the machine boots partitions will be encrypted with a different key chosen randomly. So the data will not be recoverable if you turn off the PC. But that’s what we want, isn’t it? ;-)

The fourth field list misc options for cryptsetup. Here, swap will run mkswap on the device and tmp will run mke2fs.

To mount these partitions, your /etc/fstab should contain these lines:

/dev/mapper/cswap    none    swap    sw         0   0
/dev/mapper/ctmp     /tmp    ext2    defaults   0   2

Last but not least, before using this system you should erase the contents of the partitions completely. The recommended way is to fill them with random data (but unmont them first!):

shred -v /dev/hdaX

Now each time you boot your machine you will have your partitions encrypted. That’s all folks!