Thursday, March 27, 2008

Encrypted filesystems

This one's further to my two previous posts concerning losetup
1. Virtual Drives on Linux
2. Playing with mount and loopback devices

Here we try to create encrypted file-systems using the dm_crypt modules.
These are the wikipedia links for cryptoloop and it's successor dm_crypt.

In the earlier cases, we have a file-resident filesystem. We interface it with a loopback device to access it as a device, and the mount it to access it.Now, we incorporate one more block; one which acts as our encryption layer.
Ok, that's enough of the theory; lets roll up our sleeves and get our hands dirty.
So first, we create a 100 mb file for our filesystem
dd if=/dev/zero of=testfile bs=512k count=200
Next, we attach that to a loopback device
losetup /dev/loop0 testfile
Now, we add our encryption layer
cryptsetup -c aes -y create secret /dev/loop0
Or you might use aes-cbc-essiv:sha256 for encryption layer.

Note that in the above, -y option will cause the passphrase to be asked twice for verification. The above command will result in /dev/loop0 being mapped post encryption to the device /dev/mapper/secret.

The command is the same each time you need to mount the loop device; only, the first time you give the passphrase, it becomes _the_ passphrase.

(Internally, cryptsetup doesn't seem to care if your passphrase matches what you used earlier. It just dumbly setups up the encryption layer with the passphrase you provde. So, if you give the correct passphrase second time and every subsequent times, you can access what you already have on the device. If you give a wrong passphrase, you can't. Eitherways, cryptsetup doesn't care! But then, if your passphrase is wrong on second and subsequent times, mount won't work as it can't make sense out of the superblock)

Also, to use a native partition as the encrypted filesystem, instead of a file-resident-filesystem, use the appropriate device name instead of /dev/loop0. In such a case, the previous steps can be omitted.

Next, you make a filesystem on the device; We'll use ext2. Note that you do this only the first time. Subsequent times, you can just skip this step as you already have the filesystem set up.
mkfs -t ext2 /dev/mapper/secret
Now, we mount the device
mount -t ext2 /dev/mapper/secret {mount-point}
Once mounted, you can use the device just like any other device. The encryption and decryption are transparent to you.

Once you are done, you need to clean up

Unmount the device secret
umount {mount-point}
Disassociate the crypto layer
cryptsetup remove secret
You need to atleast do the above cleanup steps to prevent the misuse of your encrypted filesystem, and to preserve its integrity. This next step of disassociating the loopback device is optional, unless you need to reuse the loopback device for something else.
losetup -d /dev/loop0
There are many other options other than "cbc" for the encryption algorithm. Please refer to the cryptsetup manpage and to various related online pages for the options and their advantages.

The dm_crypt wiki for further details:

Likewise, if you need to use a physical drive / partition rather than a flat file, you will need to know the device that linux maps it to. Use the command
dmesg | tail
to find the device corresponding to the removable drive you plugged in.

--------- --------- --------- --------- --------- --------- --------- ---------
Friday, 2008-03-28 22:59 UTC+5:30

Additional to that
1. My friend had to
modprobe dm_crypt
modprobe dm_mod
before this would work for him

2. to change password of the encrypted device (say /dev/loop0 )
# create a device mapping using the old password
# remember to use old password here
cryptsetup -c aes -y create secret-old /dev/loop0

# create another device mapping using the new password
# remember, this will be your password hereafter
cryptsetup -c aes -y create secret-new /dev/loop0

# now copy block-by-block from old mapping to new mapping
dd bs={block-size} if=/dev/mapper/secret-old of=/dev/mapper/secret-new

# cleanup
# Actually you can remove the old mapping and continue using the
# new mapping if you'd like
cryptsetup remove secret-old
cryptsetup remove secret-new


No comments: