
Encrypted disk on a file

Tags: [ GNU/Linux ] [ security ]

GNU/Linux distributions already provide encrypted filesystems, handled transparently and reasonably wrapped into convenient user interfaces. However, it can be fun to play a bit with it and to learn how to do it yourself.

The disk encryption specification is called LUKS. As for anything else, there are plenty of tutorials on the web on this subject, so here I'll just dump my shell session and share some quick comments.

Disks are files, files can be disks. So let's pretend we've got a 4 Megabyte disk.

root@lando# dd if=/dev/zero of=./disk bs=4096 count=1024
1024+0 records in
1024+0 records out
4194304 bytes (4.2 MB) copied, 0.00379004 s, 1.1 GB/s
root@lando# ls
root@lando# du -sh *
4.0M    disk

Instead of a passphrase with the usual trade-offs (restricted symbol set, boring/error-prone to type, etc.) let's use a 4 Kilobyte random sequence. Hint: this key could be created on a USB flash device.

root@lando# dd if=/dev/urandom of=./key1 bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.000783094 s, 5.2 MB/s

I'll build my LUKS device with the key.

root@lando# cryptsetup luksFormat ./disk key1

This will overwrite data on ./disk irrevocably.

Are you sure? (Type uppercase yes): YES

And now I can ask the system to map it. The kernel will provide a device abstraction and transparently handle the encryption.

root@lando# cryptsetup open --type luks --key-file=key1 ./disk test
root@lando# file /dev/mapper/test
/dev/mapper/test: symbolic link to ../dm-9
root@lando# file /dev/dm-9
/dev/dm-9: block special (253/9)

It works like a raw disk, on which we have to create some filesystem. All of it, meta-data included, is going to be encrypted. I'll arbitrarily go for ext4.

root@lando# mkfs.ext4 /dev/mapper/test
mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 2048 1k blocks and 256 inodes

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

Mount and check

root@lando# mkdir mnt
root@lando# mount -t ext4 /dev/mapper/test ./mnt/
root@lando# ls mnt/

Unmount and drop the encryption handling abstraction

root@lando# umount mnt/
root@lando# cryptsetup close /dev/mapper/test
root@lando# ls /dev/mapper/test
ls: cannot access /dev/mapper/test: No such file or directory

Also, we can have multiple keys for the same encrypted disk. There are 8 key slots (0 to 7). It could be a good idea to have a backup key, just in case the USB flash drive is lost. On the other hand, this also means there's another way to open your disk.

root@lando# dd if=/dev/urandom of=./key2 bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.000716935 s, 5.7 MB/s

To add the second key we of course need the first one.

root@lando# cryptsetup luksAddKey ./disk --key-slot 1 --key-file=key1 key2

Once this is done, we can also use the second key:

root@lando# cryptsetup open --type luks --key-slot 1 --key-file=key2 ./disk test
root@lando# mount -t ext4 /dev/mapper/test ./mnt/
root@lando# ls mnt/
root@lando# umount mnt/
root@lando# cryptsetup close /dev/mapper/test
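The whole session above, as an added example script that is not part of the original post: it reuses the post's names (./disk, ./key1, ./key2, mapping "test"), assumes root and cryptsetup, creates the key files unreadable by other users, answers the luksFormat prompt with --batch-mode, verifies both keys with --test-passphrase without mapping the device, and lists the enabled key slots by parsing the LUKS1 luksDump layout ("Key Slot N: ENABLED").

```shell
#!/bin/sh
# Added example, not from the original post. Assumes root and cryptsetup.
set -eu

DISK=./disk; KEY1=./key1; KEY2=./key2; NAME=test; MNT=./mnt

# Read `cryptsetup luksDump` output (LUKS1 layout) on stdin and print
# the numbers of the enabled key slots, one per line.
enabled_slots() {
    sed -n 's/^Key Slot \([0-7]\): ENABLED$/\1/p'
}

# Generate a 4 KiB random key file that only the owner (root) can read.
make_key() {
    ( umask 077; dd if=/dev/urandom of="$1" bs=4096 count=1 2>/dev/null )
}

# Check that a key file unlocks the container without mapping it.
check_key() {
    cryptsetup open --type luks --test-passphrase --key-file="$1" "$DISK"
}

# Always unmount and close the mapping, even if a step fails half-way.
cleanup() {
    mountpoint -q "$MNT" && umount "$MNT"
    [ -e "/dev/mapper/$NAME" ] && cryptsetup close "$NAME"
    return 0
}

run_demo() {
    trap cleanup EXIT
    dd if=/dev/zero of="$DISK" bs=4096 count=1024 2>/dev/null   # 4 MiB image
    make_key "$KEY1"; make_key "$KEY2"
    cryptsetup luksFormat --batch-mode "$DISK" "$KEY1"          # no "YES" prompt
    cryptsetup open --type luks --key-file="$KEY1" "$DISK" "$NAME"
    mkfs.ext4 -q "/dev/mapper/$NAME"
    mkdir -p "$MNT" && mount -t ext4 "/dev/mapper/$NAME" "$MNT"
    umount "$MNT" && cryptsetup close "$NAME"
    # Backup key into slot 1; adding a key requires an existing one (slot 0).
    cryptsetup luksAddKey --key-slot 1 --key-file="$KEY1" "$DISK" "$KEY2"
    check_key "$KEY1" && check_key "$KEY2"
    echo "enabled key slots: $(cryptsetup luksDump "$DISK" | enabled_slots | tr '\n' ' ')"
}

# Only run the root-requiring workflow when explicitly asked.
if [ "${1:-}" = "--run" ]; then run_demo; fi
```

Run it as `sh script.sh --run` as root; without the flag it only defines the functions.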