A simple way to keep sensitive data safe in Linux

Encrypting Linux’s home directory is usually the first thing people worried about their personal data do. However, this approach comes at the cost of: (i) slower booting, (ii) problems when rebooting remotely and ssh-ing the machine straightway (more about this in the post), and (iii) the necessity to place all sensitive information in the home directory. In this post I will show another way to keep sensitive information encrypted, which – in my view -, is simpler and more secure.

In Linux, there are two general ways of encrypting data:

  • Encryption at a filesystem level
    This means that crypto primitives are implemented at the file system level. Examples include:

    • EncFS – a user space cryptographic file system available for a variety of commodity OSs, though it is mainly supported in Linux-based OSs. It uses the FUSE library and requires the installation of a kernel module. From a security perspective EncFS is grounded on the assumption that an attacker cannot gain root access to the system.
    • eCryptfs [1] – is a cryptographic stacked Linux filesystem. It implements encryption at a page level and stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. eCryptfs is widely used: in Ubuntu’s Encrypted Home Directory, in Google’s ChromeOS, and in embedded in several network attached storage (NAS) devices.
  • Encryption at a block device level
    This means that crypto primitives are implemented below the FS, encrypting everything that is written to a certain block device. Examples include:

    • dm-crypt – dm-crypt is the standard device mapper encryption mechanism in the Linux kernel. It has two modes: plain dm-crypt and LUKS. Plain dm-crypt is the basic functionality as provided by the kernel. LUKS adds an additional convenience layer to dm-crypt which adds to functionalities: (i) it stores setup information for dm-crypt on disk, and (ii) it abstracts partition and key management. This simplifies dm-crypt usage and increases security.
    • CipherShed – a fork of the discontinued TrueCrypt,  CipherShed promises a cross-platform disk encryption software.
    • Loop-AES – a descendant of crypto loop, Loop-AES is a solution to system encryption. The main drawback is that it requires non-standard kernel support.

For a wider overview of encryption alternatives, including academic work, read section 3.2 Data Protection in [2].

In this post I will cover how to encrypt a partition in Linux using dm-crypt-LUKS.  The motivation is to present a simple workflow to encrypt and decrypt volumes in your Linux box. Please refer to the ArchLinux dm-crypt/Device encryption (link) for more information about how  dm-crypt works.

To install in Debian-based distros (e.g., Ubuntu)

$ sudo apt-get install cryptsetup

In RHEL / CentOS and other distros using yum

$ sudo yum install cryptsetup-luks

Once this is set up mounting and unmounting the encrypted partition can simply be done using the cryptsetup command. To make things easier, you can put a couple of scripts accessible from your $PATH (I always have a ~/utils directory in my home with useful scripts) to encrypt and decrypt the partitions you are placing sensitive data in.

data_mount1.sh:

#!/bin/sh

sudo cryptsetup luksOpen /dev/sdaX $ENCRYPTED_PARTITION_NAME
if [ ! -d "/mnt/data" ]; then
 sudo mkdir /mnt/data
fi

sudo mount /dev/mapper/$ENCRYPTED_PARTITION_NAME /mnt/data

data_umount1.sh:

#!/bin/sh

sudo umount /mnt/data
sudo cryptsetup luksClose $ENCRYPTED_PARTITION_NAME

Choose the $ENCRYPTED_PARTITION_NAME of your choked, and you are good to go.

Finally, cryptsetup can be configured to work with a external card, which adds an extra security layer to the presented password-based encryption. I will address smart card configuration in Linux in a future post.

Enjoy! 🙂

– Javier

[1] M. A. Halcrow. ecryptfs: An enterprise-class encrypted filesystem for linux. In Proceedings of the 2005 Linux Symposium, volume 1, pages 201–218, 2005

[2] J. González. Operating system support for run-time security with a trusted execution environment. Ph.D Thesis, 2015.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s