Linux Encrypted Filesystem with dm-crypt

An encrypted filesystem will protect against bare-metal attacks against a hard drive. Anyone getting their hands on the drive would have to use brute force to guess the encryption key, a substantial hindrance to getting at your data.

Windows and Mac OS X each provide its own standard cryptofs tools while Linux, of course, provides many tools to accomplish the task. The tool of choice these days, it seems, is dm-crypt. Invoked with the userspace cryptsetup utility, dm-crypt provides a fairly clean and easy-to-use cryptofs tool for Linux.

Additionally, CentOS 5 includes an improved version of dm-crypt that supports LUKS. LUKS is an upcoming standard for an on-disk representation of information about encrypted volumes. Meta-data about encrypted data is stored in the partition header, and allows for compatiblity between different systems and support for multiple user passwords. Besides that, GNOME and HAL have support for handling LUKS volumes, and can automatically prompt for a password if a removable medium with a LUKS volume is attached. If you do not require compatiblity with older CentOS versions or systems that do not support LUKS, it is advised to use the LUKS scheme. The commands for setting up encrypted LUKS volumes are also described in the examples in this article.

Here are Scripts to automate creation, un-mounting, and remounting of LUKS encrypted filesystems following the method described below.

Required Packages

Before getting started, make sure all the requisite packages are installed:

It's likely, however, that they're already present on your system, unless you performed a very minimal installation.

Initial FS Creation

I typically encrypt files, not whole partitions, so I combine dm-crypt with the losetup loopback device maintenance tool. In the bare language of the Unix shell, here are the steps to create and mount an encrypted filesystem.

# Create an empty file sized to suit your needs. The one created
# in this example will be a sparse file of 8GB, meaning that no
# real blocks are written. Since we will force block allocation
# lateron, it would not make much sense to do this now, since
# the blocks will be rewritten anyway.
dd of=/path/to/secretfs bs=1G count=0 seek=8
# Lock down normal access to the file
chmod 600 /path/to/secretfs
# Associate a loopback device with the file
losetup /dev/loop0 /path/to/secretfs
# Encrypt storage in the device. cryptsetup will use the Linux
# device mapper to create, in this case, /dev/mapper/secretfs.
# The -y option specifies that you'll be prompted to type the
# passphrase twice (once for verification).
cryptsetup -y create secretfs /dev/loop0
# Or, if you want to use LUKS, you should use the following two
# commands (optionally with additional) parameters. The first
# command initializes the volume, and sets an initial key. The
# second command opens the partition, and creates a mapping
# (in this case /dev/mapper/secretfs).
cryptsetup -y luksFormat /dev/loop0
cryptsetup luksOpen /dev/loop0 secretfs
# Check its status (optional)
cryptsetup status secretfs
# Now, we will write zeros to the new encrypted device. This
# will force the allocation of data blocks. And since the zeros
# are encrypted, this will look like random data to the outside
# world, making it nearly impossible to track down encrypted
# data blocks if someone gains access to the file that holds
# the encrypted filesystem.
dd if=/dev/zero of=/dev/mapper/secretfs
# Create a filesystem and verify its status
mke2fs -j -O dir_index /dev/mapper/secretfs
tune2fs -l /dev/mapper/secretfs
# Mount the new filesystem in a convenient location
mkdir /mnt/cryptofs/secretfs
mount /dev/mapper/secretfs /mnt/cryptofs/secretfs

Unmount and Secure Filesystem

To unmount and secure the encrypted filesystem manually, you essentially do the last part of the set instructions in reverse.

# Unmount the filesystem
umount /mnt/cryptofs/secretfs
# Remove device mapping
cryptsetup remove secretfs
# Or, for a LUKS volume
cryptsetup luksClose secretfs
# Disassociate file from loopback device
losetup -d /dev/loop0

Remount Encrypted Filesystem

Once you've created an encrypted filesystem, remounting it is a relatively short process:

# Associate a loopback device with the file
losetup /dev/loop0 /path/to/secretfs
# Encrypt mapped device; you'll be prompted for the password
cryptsetup create secretfs /dev/loop0
# Or, for a LUKS volume
cryptsetup luksOpen /dev/loop0 secretfs
# Mount the filesystem
mount /dev/mapper/secretfs /mnt/cryptofs/secretfs

Note that cryptsetup will not provide a useful error message if you mistype the passphrase. All you'll get is a somewhat unhelpful message from mount:

If that happens, then recycle cryptsetup and try mounting the filesystem again:

cryptsetup remove secretfs
cryptsetup create secretfs /dev/loop0
mount /dev/mapper/secretfs /mnt/cryptofs/secretfs

This does not apply to LUKS volumes, where cryptsetup will provide a useful error message during the luksOpen step.

Adding additional keys to a LUKS volume

As mentioned earlier, the LUKS format allows for the use of multiple keys. This means that you can add more than one key that can be used to open the encrypted device. Adding a key can simply be done with:

cryptsetup luksAddKey <device>

For instance, if you use the /dev/loop0 loopback device, you could execute:

cryptsetup luksAddKey /dev/loop0

cryptsetup will ask you to enter one of the existing passphrases twice. After that you will be asked to enter the additional key twice. When this step is also succesfully completed, you can use the existing key(s), and the new key to open the volume.

Setting up encrypted volumes during system boot

Sometimes you may want to set up encrypted volumes during the system boot, for instance, to set up an encrypted home partition for a laptop. This can be done easily on CentOS 5 through /etc/crypttab. /etc/crypttab describes encrypted volumes and partitions for which a mapping should be set up during the system boot. Entries are separated by a newline, and contain the following fields:

mappingname        devicename        password_file_path        options

Though, normally you don't need all four fields:

So, if you are using a LUKS volume and would like to prompt the system for a password, only the first two fields are required. Let's look at a short example:

cryptedHome        /dev/sdc5

This creates a mapping named cryptedHome for an encrypted volume that was previously created on /dev/sdc5 with crypsetup luksFormat /dev/sdc5. If you have also created a filesystem on the encrypted volume, you can also add an /etc/fstab entry to mount the filesystem during the system boot:

/dev/mapper/cryptedHome       /home        ext3    defaults        1 2

There are two options that are not ignored for LUKS partitions:

Both options require that there are entries for using the mapping in /etc/fstab, and both options are destructive. An entry for an encrypted swap partition could look like this:

cryptedSwap        /dev/sda2        none        swap

Or if you do not want to type a password for the swap partition during every boot:

cryptedSwap        /dev/sda2        /dev/urandom        swap

Note that this will not work if /dev/sda2 already is a LUKS partition, because LUKS partitions require a non-random key.

HowTos/EncryptedFilesystem (last edited 2008-10-17 10:35:08 by RalphAngenendt)