Encrypting Linux’s home directory is usually the first thing people worried about their personal data do. However, this approach comes at a cost: (i) slower booting, (ii) problems when rebooting remotely and ssh-ing into the machine straight away (more about this in the post), and (iii) the necessity to place all sensitive information in the home directory. In this post I will show another way to keep sensitive information encrypted which, in my view, is simpler and more secure.
In Linux, there are two general ways of encrypting data:
- Encryption at a filesystem level
This means that crypto primitives are implemented at the file system level. Examples include:
- EncFS – a user-space cryptographic file system available for a variety of commodity OSs, though it is mainly supported on Linux-based OSs. It uses the FUSE library and requires the installation of a kernel module. From a security perspective, EncFS is grounded on the assumption that an attacker cannot gain root access to the system.
- eCryptfs [1] – a cryptographic stacked Linux filesystem. It implements encryption at the page level and stores cryptographic metadata in the header of each written file, so that encrypted files can be copied between hosts; a file is decrypted with the proper key held in the Linux kernel keyring. eCryptfs is widely used: in Ubuntu’s Encrypted Home Directory, in Google’s ChromeOS, and embedded in several network attached storage (NAS) devices.
- Encryption at a block device level
This means that crypto primitives are implemented below the FS, encrypting everything that is written to a certain block device. Examples include:
- dm-crypt – the standard device-mapper encryption mechanism in the Linux kernel. It has two modes: plain dm-crypt and LUKS. Plain dm-crypt is the basic functionality as provided by the kernel. LUKS adds a convenience layer on top of dm-crypt with two functionalities: (i) it stores the dm-crypt setup information on disk, and (ii) it abstracts partition and key management. This simplifies dm-crypt usage and increases security.
- CipherShed – a fork of the discontinued TrueCrypt, CipherShed promises cross-platform disk encryption software.
- Loop-AES – a descendant of cryptoloop, Loop-AES is a solution for system encryption. Its main drawback is that it requires non-standard kernel support.
For a wider overview of encryption alternatives, including academic work, see Section 3.2 (Data Protection) of [2].
In this post I will cover how to encrypt a partition in Linux using dm-crypt with LUKS. The motivation is to present a simple workflow to encrypt and decrypt volumes on your Linux box. Please refer to the ArchLinux wiki page dm-crypt/Device encryption for more information about how dm-crypt works.
To install in Debian-based distros (e.g., Ubuntu):
$ sudo apt-get install cryptsetup
In RHEL / CentOS and other distros using yum:
$ sudo yum install cryptsetup-luks
Once this is set up, mounting and unmounting the encrypted partition can simply be done with the cryptsetup command. To make things easier, you can put a couple of scripts somewhere in your $PATH (I always have a ~/utils directory in my home with useful scripts) to encrypt and decrypt the partitions where you place sensitive data.
data_mount1.sh:
#!/bin/sh
# Name of the device-mapper entry; export ENCRYPTED_PARTITION_NAME or edit the default below.
ENCRYPTED_PARTITION_NAME="${ENCRYPTED_PARTITION_NAME:-data}"
# Unlock the LUKS partition (replace /dev/sdaX with your partition); this asks for the passphrase
# and maps the decrypted device under /dev/mapper. Stop here if unlocking fails.
sudo cryptsetup luksOpen /dev/sdaX "$ENCRYPTED_PARTITION_NAME" || exit 1
# Create the mount point if it does not exist yet
if [ ! -d "/mnt/data" ]; then
    sudo mkdir /mnt/data
fi
sudo mount "/dev/mapper/$ENCRYPTED_PARTITION_NAME" /mnt/data
data_umount1.sh:
#!/bin/sh
ENCRYPTED_PARTITION_NAME="${ENCRYPTED_PARTITION_NAME:-data}"
# Unmount the filesystem first; only then remove the mapping, which drops the key from the kernel
sudo umount /mnt/data || exit 1
sudo cryptsetup luksClose "$ENCRYPTED_PARTITION_NAME"
Set $ENCRYPTED_PARTITION_NAME to the mapping name of your choice, and you are good to go.
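As an added example (not the post’s own scripts), the same open/mount and umount/close workflow folded into one script that refuses to open a mapping twice, validates the mapping name before passing it to cryptsetup, and closes the mapping again if the mount step fails, so no unlocked device is left behind. The device, mapping name and mount point are placeholders (/dev/sdaX, data, /mnt/data), and DRYRUN=1 prints the privileged commands instead of running them:

```shell
#!/bin/sh
# Added example: open+mount or umount+close a LUKS volume with basic safety checks.
# Assumed placeholders: DEVICE, NAME and MOUNTPOINT; adjust them to your system.
DEVICE="${DEVICE:-/dev/sdaX}"
NAME="${NAME:-data}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/data}"
DRYRUN="${DRYRUN:-0}"   # DRYRUN=1: print the commands instead of running them via sudo

# Run a privileged command, or just print it in dry-run mode
run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else sudo "$@"; fi; }

# Only allow a safe mapping name: letters, digits, '_' and '-' (no spaces, no '/')
valid_name() { case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; *) return 0 ;; esac; }

# A mapping is open when its device-mapper node exists
is_open() { [ -e "/dev/mapper/$1" ]; }

luks_mount() {
    valid_name "$NAME" || { echo "invalid mapping name: $NAME" >&2; return 2; }
    if is_open "$NAME"; then echo "$NAME is already open" >&2; return 1; fi
    run cryptsetup luksOpen "$DEVICE" "$NAME" || return 1
    run mkdir -p "$MOUNTPOINT"
    if ! run mount "/dev/mapper/$NAME" "$MOUNTPOINT"; then
        # Mount failed: close the mapping again so the unlocked device does not linger
        run cryptsetup luksClose "$NAME"
        return 1
    fi
}

luks_umount() {
    # Never close a mapping that is still mounted; a failed umount stops here
    run umount "$MOUNTPOINT" || return 1
    run cryptsetup luksClose "$NAME"
}

case "${1:-}" in
    mount)  luks_mount ;;
    umount) luks_umount ;;
    *) [ -z "${1:-}" ] || { echo "usage: $0 mount|umount" >&2; exit 2; } ;;
esac
```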
Finally, cryptsetup can be configured to work with an external smart card, which adds an extra security layer to the password-based encryption presented here. I will address smart card configuration in Linux in a future post.
Enjoy! 🙂
– Javier
[1] M. A. Halcrow. eCryptfs: An Enterprise-class Encrypted Filesystem for Linux. In Proceedings of the 2005 Linux Symposium, volume 1, pages 201–218, 2005.
[2] J. González. Operating System Support for Run-time Security with a Trusted Execution Environment. Ph.D. thesis, 2015.
Cool!