Drive Encryption With Linux

May 5th, 2007 at 3:04 am (Security)

After picking up another USB thumbdrive last week, I decided to dig into some methods for device encryption under Linux. I was pleasantly surprised to find out how easy it was to get a transparent AES-encrypted disk up and running.

Thanks to kernel 2.6's device mapper, you can now create virtual devices on top of your underlying hard drive which perform "man in the middle" style operations on the data. In particular, dm-crypt provides transparent encryption of block devices using the new Linux 2.6 cryptoapi. This may sound kewl, but inaccessible to all but the trained few. However, following the simple steps below will have it working in no time:

* First grab and build cryptsetup

[syncomm@chapterhouse ~]$ cvs -d:pserver:cvs@cvs.saout.de:/cvsroot/saout login
Logging in to :pserver:cvs@cvs.saout.de:2401/cvsroot/saout
CVS password: cvs
[syncomm@chapterhouse ~]$ cvs -z3 -d:pserver:cvs@cvs.saout.de:/cvsroot/saout co cryptsetup

U cryptsetup/src/cryptsetup.c
U cryptsetup/src/cryptsetup.h
[syncomm@chapterhouse ~]$ cd cryptsetup/
[syncomm@chapterhouse cryptsetup]$ ./autogen.sh

config.status: creating po/Makefile
Now type `make' to compile the package.
[syncomm@chapterhouse cryptsetup]$ make
make all-recursive

[syncomm@chapterhouse cryptsetup]$ sudo make install
Password: (root password)

* Attach your device and make sure it is unmounted. As root, check "dmesg" for the device name, then run:

cryptsetup create cryptodrive /dev/mydevice
(where /dev/mydevice is your device name, for example /dev/sdc1)

You will be prompted for a passphrase, which will be hashed to produce your key. The defaults for cryptsetup are AES-256 (using ripemd160 to hash). These can be overridden from the command line (see cryptsetup --help). Note that this plain dm-crypt mode writes no header to the device, so cryptsetup has no way to tell whether the passphrase is correct: a mistyped passphrase simply produces a mapping of garbage, and you only find out when the filesystem fails to mount.

* Now you have a new device called /dev/mapper/cryptodrive which will need to be formatted:

[root@chapterhouse mnt]# mke2fs /dev/mapper/cryptodrive

* Finally mount it using the dm-device /dev/mapper/cryptodrive:

[root@chapterhouse /]# cd /mnt
[root@chapterhouse mnt]# mkdir cipher
[root@chapterhouse mnt]# mount -text2 /dev/mapper/cryptodrive /mnt/cipher

BAM! You are all done! Each time you reboot (or the device changes mountpoints) you will need to run cryptsetup again and re-mount. For reboots, this can be automated in your /etc/rc.local file.
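The steps above, wrapped into a small POSIX shell script you could call from /etc/rc.local. This is an added example and not code from the original post; the function names are mine, and the defaults (cryptodrive, /dev/sdc1, /mnt/cipher) are the values used in the post. It also adds the check the manual steps lack: because plain dm-crypt cannot verify the passphrase, the script treats a failed mount as a likely typo and removes the mapping instead of leaving an unreadable one behind.

```shell
#!/bin/sh
# Added example: wraps the post's manual steps (cryptsetup create, then
# mount; mke2fs is done once beforehand) so they can be run from rc.local.
# Function names are mine; the defaults are the values used in the post.
NAME=${NAME:-cryptodrive}   # dm name -> /dev/mapper/cryptodrive
DEV=${DEV:-/dev/sdc1}       # raw device, as found via dmesg
MNT=${MNT:-/mnt/cipher}     # mount point

# Sanity-check arguments; needs neither root nor a real device.
cryptodrive_check_args() {
    case "$1" in
        ''|*/*|*' '*) echo "bad mapping name: '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        /dev/*) ;;
        *) echo "device must live under /dev: '$2'" >&2; return 1 ;;
    esac
    case "$3" in
        /*) ;;
        *) echo "mount point must be absolute: '$3'" >&2; return 1 ;;
    esac
    # Refuse to wrap a device that is currently mounted (per /proc/mounts).
    if [ -r /proc/mounts ] &&
       awk -v d="$2" '$1 == d { f = 1 } END { exit (f ? 0 : 1) }' /proc/mounts; then
        echo "$2 is mounted; unmount it first" >&2; return 1
    fi
    return 0
}

# Open the mapping and mount it. Plain dm-crypt cannot verify the
# passphrase, so a typo just yields an unreadable mapping; mount then
# fails, and we remove the mapping instead of leaving it dangling.
cryptodrive_mount() {
    cryptodrive_check_args "$1" "$2" "$3" || return 1
    cryptsetup create "$1" "$2" || return 1
    mkdir -p "$3"
    if ! mount -t ext2 "/dev/mapper/$1" "$3"; then
        echo "mount failed (mistyped passphrase?); removing mapping" >&2
        cryptsetup remove "$1"
        return 1
    fi
}

# Reverse order on the way down: unmount first, then drop the mapping.
cryptodrive_umount() {
    umount "$2" && cryptsetup remove "$1"
}

case "${1:-}" in
    mount)  cryptodrive_mount  "$NAME" "$DEV" "$MNT" ;;
    umount) cryptodrive_umount "$NAME" "$MNT" ;;
esac
```

Run it as root with `mount` or `umount` as the first argument; the NAME, DEV and MNT environment variables override the defaults.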
