Encrypt your Linux setup

Nate Drake explores how to use the tools already built into your Linux installation to encrypt your files and shield your devices.

APC Australia

Any grizzled yet privacy-conscious Ubuntu users may remember that, back in the day, keeping your data safe was far from easy. The steps involved either supreme mastery of the command line or using an alternate installation CD to encrypt your Ubuntu installation.

Things have changed. When you insert a DVD of Ubuntu or one of its variants, the graphical installer now offers you the option to encrypt your system using LVM (Logical Volume Manager), which manages disk drives on top of LUKS (Linux Unified Key Setup), the standard for Linux hard drive encryption.

For most users, this is a great way to save time, protect your system and avoid having to learn various confusing acronyms. Once the system installation is complete, your drive, with the exception of the /boot partition, is encrypted and can only be unlocked with a passphrase. Once you log in, most of the built-in disk managers even enable you to encrypt external drives using LUKS, so that a password is required each time you insert one. The same programs will often offer you the option to change the passwords for drives that are already encrypted.

On the face of it, it would seem that LUKS is purring away merrily under your computer’s proverbial hood and there’s nothing further to be done. This guide is designed for more curious readers. We’ll explore the built-in encryption programs in Linux and how you can modify them to suit your requirements, such as choosing your own encryption cipher or adding multiple passwords to a volume.

This tutorial focuses on Cryptsetup, a command line application which comes pre-installed in most Linux distributions. It functions as an interface for the ‘dm-crypt’ module, to enable you to quickly and easily encrypt drives. At its simplest level, you can use Cryptsetup to create plain volumes that are protected by a password only (see boxout, opposite), but you need to specify all the encryption options each time you access the device and, annoyingly, there’s no easy way to change the password.

Luckily, Cryptsetup contains useful tools for creating and modifying LUKS encrypted volumes. Aside from defining a universal standard for hard drive encryption, LUKS volumes contain headers that detail the cipher and hash used, as well as a unique 256-bit salt, which is added to your password for further security. The header also contains an encrypted master key that’s used to unlock the container. This means you can change the password used to access the master key or add further passwords.

To get started on your voyage of discovery with LUKS, we strongly recommend you set up a virtual machine, or at the very least back up your data before proceeding. Once this is done, open your disk management program to view any LUKS-encrypted device, such as the system hard drive. You’ll see the encrypted LUKS volume appears as a separate device, for example /dev/sda5. You can delve further into this using the ‘luksDump’ command in Terminal:

sudo cryptsetup luksDump /dev/sda5


After running the ‘luksDump’ command to lay bare your LUKS volume header, the first thing you can see are the default encryption options used when you instruct Ubuntu to encrypt a drive for you using the installer or the disk utility. In the case of system encryption, Ubuntu uses 256-bit AES in XTS block cipher mode.

The MK (Master Key) salt is also listed, which hugely increases the security of your LUKS volume. Without it, there’s no way to retrieve your data, even with the correct password. For this reason, Cryptsetup enables you to make backups of your LUKS volume headers and restore them, because if the header is damaged, there’s no way to retrieve your encrypted data.

To make a backup of your LUKS header, open Terminal and run the command cryptsetup luksHeaderBackup <device> --header-backup-file <file>, for example:

sudo cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file /home/nate/Desktop/backup1

To restore the header, simply run the same command but substitute ‘luksHeaderBackup’ with ‘luksHeaderRestore’. Once you’ve safely backed up your header, run the ‘luksDump’ command above again and scroll down to the Key Slots section. By default, there are eight key slots, numbered 0 to 7. The first key slot (0) is enabled with the password you chose when you originally encrypted the volume. If you want to give someone else access to your LUKS volume, you can add another password or key file using Cryptsetup’s ‘luksAddKey’ command, for example:

sudo cryptsetup luksAddKey /dev/sda5

You’ll need to enter an existing password. Cryptsetup will then ask you to enter the new password twice.

To remove a password from a LUKS volume, use the ‘luksRemoveKey’ option: sudo cryptsetup luksRemoveKey /dev/sda5. Cryptsetup will ask you to enter the password you wish to remove. Be careful with this feature because, if you delete all the key slots for a LUKS container, you won’t be able to access it again.
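Because every enabled key slot is another way into the volume, it pays to check the luksDump output periodically rather than only once. The script below is an added example, not from the article: it parses a LUKS1-style luksDump listing, reports the cipher, master-key size and hash, and lists which of the eight key slots are enabled, warning when more than one slot is in use or a legacy hash is configured. The dump embedded in it is a constructed sample (the hex digests and salts are placeholders); on a real machine you would feed it the output of sudo cryptsetup luksDump for the device in question.

```shell
#!/bin/sh
# Added example, not from the article: audit a LUKS1 header as printed by
# `cryptsetup luksDump`.  SAMPLE_DUMP is a constructed sample; the hex fields
# are placeholders rather than real digests or salts.
SAMPLE_DUMP='LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
MK salt:        aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99
                00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
MK iterations:  123456
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             987654
        Salt:                   ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             987654
        Salt:                   22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# dump_field DUMP FIELD: value of a top-level "Field:" line, whitespace trimmed.
dump_field() {
    printf '%s\n' "$1" | grep "^$2:" | sed 's/^[^:]*:[[:space:]]*//'
}

# enabled_slots DUMP: space-separated numbers of the key slots marked ENABLED.
enabled_slots() {
    printf '%s\n' "$1" | awk '/^Key Slot [0-7]: ENABLED/ {
        sub(":", "", $3); if (n++) out = out " "; out = out $3
    } END { print out }'
}

# count_enabled DUMP: how many slots currently hold a passphrase or key file.
count_enabled() {
    set -- $(enabled_slots "$1")
    echo $#
}

# audit_luks_dump DUMP: one-line summary plus the warnings a defender wants.
audit_luks_dump() {
    dump="$1"
    cipher="$(dump_field "$dump" 'Cipher name')-$(dump_field "$dump" 'Cipher mode')"
    hashspec="$(dump_field "$dump" 'Hash spec')"
    mkbits="$(dump_field "$dump" 'MK bits')"
    slots="$(enabled_slots "$dump")"
    printf 'cipher=%s mkbits=%s hash=%s enabled_slots=[%s]\n' \
        "$cipher" "$mkbits" "$hashspec" "$slots"
    # XTS splits the master key into two halves, so "MK bits: 512" with
    # aes-xts is the 256-bit AES the installer advertises.
    if [ "$(count_enabled "$dump")" -gt 1 ]; then
        echo "WARNING: more than one key slot is enabled; confirm every extra passphrase or key file is yours"
    fi
    case "$hashspec" in
        sha1|ripemd160)
            echo "WARNING: legacy hash $hashspec; consider reformatting with --hash sha256 or sha512" ;;
    esac
}

audit_luks_dump "$SAMPLE_DUMP"
```

The slot count is the line worth watching: on a single-user laptop the only enabled slot should be 0 (plus any key file you deliberately added), so an unexpected second slot means someone else can unlock the volume and luksRemoveKey is the next step.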

Kali Linux actually puts this feature to very good use through a nuke patch for Cryptsetup, whereby if a certain password is entered, all the key slots in the system’s LUKS header are erased (more on this at www.kali.org/tutorials/nuke-kali-linux-luks). This is done to protect your device’s data from theft or seizure, but remember to back up your volume header if you make use of it, or else you won’t be able to access your machine either!


While Cryptsetup has some excellent default options to get started, you may prefer to have more control over your data. In the first instance, if you don’t wish to encrypt an entire volume or drive, you can create a LUKS file container, which can only be unlocked with a password. See the walkthrough over the page for a step-by-step guide on how to do this.

If you use the luksFormat option on its own when creating your container, then Cryptsetup will use the default encryption options. However, if you prefer, you can specify these yourself:

sudo cryptsetup -y --cipher serpent-cbc-plain --key-size 256 --hash sha512 luksFormat test1

In the above example, the master key for container test1 will be encrypted with the Serpent cipher algorithm, which was a finalist in the AES (Advanced Encryption Standard) contest. The SHA512 hash is used in place of the default SHA256, too.

Cryptsetup also supports using key files instead of passwords. These are particularly helpful when using plain mode, because files will most probably have a higher degree of entropy than passwords. For LUKS containers, you can add a key file by simply specifying the file location after luksAddKey, for example:

sudo cryptsetup luksAddKey /dev/sdb1 /home/nate/Pictures/kitten.jpg

Enter any existing password to add the file to the key slot. To open a LUKS container using a key file, simply specify the path using the --key-file option, for instance:

sudo cryptsetup luksOpen /dev/sdb1 vol1 --key-file /home/nate/Pictures/kitten.jpg

In the above example, an existing binary file was used: a picture of a kitten taken from Wikimedia. In reality, this would offer very poor security because anyone with a copy of the file could open your LUKS container. Either create an arbitrary key file from random data using or use a file to which only you have access, such as a photo you took yourself.

If you used sudo to create a mount point or format drives, you may find you cannot modify files in your encrypted containers at first, as they are assigned to the root user. Run sudo chmod -R 777 /mnt/<your mount point> in Terminal to fix this.
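The header backup, explicit luksFormat options, key file and mount-point ownership steps above fit together into one script. The one below is an added example, not the article’s walkthrough or anything from the cryptsetup project: it creates a LUKS file container with a chosen cipher, key size and hash, backs up the header immediately, unlocks and mounts it, hands the mount point to one user (with chown and mode 700 rather than 777, so other local accounts cannot read the plaintext), and can register a key file generated from /dev/urandom. The default cipher spec (aes-xts-plain64 with a 512-bit master key, which is AES-256 because XTS uses two keys), the 4 KiB key file size, the backup file name derived from the container path and the example paths are all assumptions; it must be run as root, and cryptsetup still prompts for passphrases on the terminal.

```shell
#!/bin/sh
# Added example, not from the article or the cryptsetup project: build a LUKS
# file container end to end.  Run as root.  Cipher defaults, key file size and
# paths are assumptions; override the LUKS_* variables to taste.
set -eu

LUKS_CIPHER="${LUKS_CIPHER:-aes-xts-plain64}"  # XTS uses two keys: 512 bits = AES-256
LUKS_KEY_SIZE="${LUKS_KEY_SIZE:-512}"
LUKS_HASH="${LUKS_HASH:-sha512}"

# make_luks_container FILE SIZE_MB NAME MOUNT_POINT OWNER
make_luks_container() {
    file="$1" size_mb="$2" name="$3" mnt="$4" owner="$5"

    # 1. Reserve the backing file (dd from /dev/zero works where fallocate is absent).
    fallocate -l "${size_mb}M" "$file"

    # 2. Format it with explicit options.  -q skips the "Are you sure?" prompt;
    #    cryptsetup still asks for the new passphrase interactively.
    cryptsetup -q --cipher "$LUKS_CIPHER" --key-size "$LUKS_KEY_SIZE" \
        --hash "$LUKS_HASH" luksFormat "$file"

    # 3. Back up the header straight away: a damaged header or a wiped key slot
    #    means the data is gone.  Move the copy off this disk afterwards.
    cryptsetup luksHeaderBackup "$file" --header-backup-file "$file.header.bak"

    # 4. Unlock under /dev/mapper/NAME, make a filesystem, mount.
    cryptsetup luksOpen "$file" "$name"
    mkfs -t ext4 -q "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"

    # 5. Give the tree to its user.  700 keeps other local accounts out of the
    #    plaintext while the container is mounted.
    chown "$owner:$owner" "$mnt"
    chmod 700 "$mnt"
}

# add_random_keyfile FILE KEYFILE: write 4 KiB of random data readable only by
# root and register it in the next free key slot (an existing passphrase is
# requested by cryptsetup).
add_random_keyfile() {
    container="$1" keyfile="$2"
    ( umask 077; dd if=/dev/urandom of="$keyfile" bs=4096 count=1 2>/dev/null )
    cryptsetup luksAddKey "$container" "$keyfile"
}

# close_luks_container MOUNT_POINT NAME: unmount and lock again.
close_luks_container() {
    umount "$1"
    cryptsetup luksClose "$2"
}

# Usage: sh luks-container.sh /home/nate/vault.img 512 vault /mnt/vault nate
if [ "$#" -eq 5 ]; then
    make_luks_container "$@"
fi
```

Keep the .header.bak copy and any key file somewhere other than the disk holding the container: the backup exists to survive header damage or an accidental luksRemoveKey, and a key file sitting next to the container it unlocks is no better than the kitten picture above.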

Unlike third-party programs such as VeraCrypt, Cryptsetup can’t encrypt volumes using cipher cascades like AES-Twofish-Serpent. Using any one of these algorithms on its own will offer adequate security, but for the ultra-paranoid, you can create LUKS containers inside one another if you wish. Simply repeat the steps in the tutorial using different encryption options for each container.

Remember that the strength of your container will rest largely on the amount of entropy your password has. If you have a good memory, try using Diceware to generate a passphrase (world.std.com/~reinhold/diceware.html). We recommend the alternative Beale word list because it uses UK spelling and avoids Americanisms.

If you like the convenience of using LUKS for changing passwords but still aren’t happy with everyone knowing you’re encrypting data, you can create a LUKS container with a detached header. The advantage of doing it this way is that, by itself, the container just looks like random data, giving you some degree of plausible deniability. To do this, use the --header option when creating a LUKS volume to specify where to save the header. For example:

sudo cryptsetup luksFormat /dev/sda --header /dev/sdb --align-payload=0

When mounting LUKS volumes, specify the header location in the same way, for example:

sudo cryptsetup luksOpen /dev/sda --header /dev/sdb Luks

When doing this, make sure you encrypt an entire drive or partition, because there’s no plausible reason for you to have large files of seemingly random data on your system!

Ubuntu’s Disk Utility can format drives as LUKS volumes: just type your passphrase and click Format.

Use luksDump for header information. This volume uses 256-bit AES encryption that unlocks with a single password.

Enter any valid password to use a key file to open your LUKS volumes. Make sure that the file is one you’ve created yourself.
