Linux Encrypted Filesystems

In the age of mobile devices that contain private information, whether it’s personal or business information, encrypting your devices is a good idea. Filesystem encryption allows you to encrypt a single partition or even an entire hard drive. When configured correctly, this helps mitigate the privacy impact of a stolen device.

One of the solutions for encrypting a file system in Linux is LUKS. LUKS stands for “Linux Unified Key Setup”.

I created a logical volume to use as a test bed for the encrypted file system:

As you can see, I have a new 1 GB logical volume called “lv_crypto”. Now it’s time to get into the nitty-gritty of setting up LUKS. The first thing that we need to do is encrypt the ‘lv_crypto’ volume with the ‘luksFormat’ extension (a cryptsetup action).

Now that we have the lv_crypto logical volume encrypted, we need to use the ‘luksOpen’ extension to create a device-mapper device named crypt_dev_mapper. The device mapper acts as an interface between dm-crypt and the underlying device. From there, we can create the file system and mount it.

As you can see, there is now a device mapper called ‘crypt_dev_mapper’, which is the device that dm-crypt created to interact with the data in the encrypted volume. There is also ‘vg_sgnhv-lv_crypto’, which is the encrypted logical volume itself. From here on out, we’ll be interacting only with ‘crypt_dev_mapper’. If you create your file system directly on the ‘lv_crypto’ logical volume, you will overwrite the encryption, rendering it a normal, everyday (unencrypted) logical volume.

As mentioned, we’ll create the file system on the device mapper that dm-crypt created. In this case, I’m using the ext4 file system.

By issuing the ‘blkid’ command, you can see that the ‘lv_crypto’ logical volume is labeled as the ‘crypto_LUKS’ file system type and ‘crypt_dev_mapper’ is labeled as an ext4 file system type.

Once the filesystem has been created, you can now mount the drive and start writing data to it, as seen below.

Once you’ve accessed the data that you needed, you can unmount the file system and close the dm-crypt device mapper, which removes the ‘crypt_dev_mapper’ device. The ‘luksClose’ extension closes the interface with the device mapper.

Accessing the encrypted device manually with the ‘luksOpen’ and ‘luksClose’ extensions is fine. In fact, a simple bash or perl script could be written to help facilitate the process. Every time you use the ‘luksOpen’ extension, LUKS will ask you for the passphrase that you chose when you initially set it up.

However, if you want your system to initialize the encrypted file system and even mount it at boot, you will need to follow a few extra steps.

The first option is simply adding the dm-crypt device mapper name and the logical volume path to the /etc/crypttab file. This will create the dm-crypt mapper on boot. It also requires that you be present at the console when the computer boots, as the computer will ask you for the LUKS passphrase before it maps the dm-crypt device. If you’re not available at the console, the boot will hang until you enter the passphrase.

There is, however, the option of using a key file. To make a key file, you must create a file containing some random data. Then you can use the ‘luksAddKey’ extension to add that file as a key.

Once the key has been added, you can put the key file path in the third column of the /etc/crypttab file. The crypttab man page states that the third column is for adding a password. This is incorrect, and it will not work if you enter the passphrase there.

Also, be sure to make the key file readable only by root; otherwise, when the init_crypt function initializes and looks at the permissions of the file, it will give you a warning about it being insecure. In some instances, it will refuse to read the file, thus failing to mount the encrypted file system.

Once that is set up, you can modify your /etc/fstab to have the file system mounted at boot.

You can test the functionality without rebooting by doing the following:

As you can see, the encrypted file system was mounted without asking for a passphrase. This configuration will be persistent across reboots.
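The key-file boot configuration described above, as an added example that is not part of the original post: a small POSIX shell script that builds the /etc/crypttab and /etc/fstab lines, creates and enrols a key file, and checks the key file permissions the way the boot-time check expects them. The mapper name and volume come from the post; the key file path (/root/keyfile), mount point (/mnt/crypto) and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Names other than
# crypt_dev_mapper and vg_sgnhv/lv_crypto are assumptions.

# /etc/crypttab line: <mapper name> <device> <key file> <options>
crypttab_entry() {
    # $1 = mapper name, $2 = block device, $3 = key file path
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# /etc/fstab line that mounts the opened mapper at boot.
fstab_entry() {
    # $1 = mapper name, $2 = mount point, $3 = file system type
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "$3"
}

# Return 0 only if the key file exists and has no group/other permission
# bits set (mode 600 or 400); print the reason and return 1 otherwise.
# Uses GNU stat (-c); %a prints the octal mode.
keyfile_perms_ok() {
    [ -f "$1" ] || { echo "missing key file: $1"; return 1; }
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "group/other bits set on $1 (mode $mode)"; return 1 ;;
    esac
}

# Full check: permissions plus root ownership (uid 0).
keyfile_ok() {
    keyfile_perms_ok "$1" || return 1
    [ "$(stat -c '%u' "$1")" -eq 0 ] || { echo "not owned by root: $1"; return 1; }
}

# Create a 4 KiB random key file (mode 600 via umask) and enrol it in a
# spare LUKS key slot; cryptsetup prompts once for the existing passphrase.
# Needs root and is not run by the checks below.
make_keyfile() {
    # $1 = key file path, $2 = LUKS device
    ( umask 077 && dd if=/dev/urandom of="$1" bs=512 count=8 status=none ) || return 1
    cryptsetup luksAddKey "$2" "$1"
}

# Example invocation (assumed paths):
#   make_keyfile /root/keyfile /dev/vg_sgnhv/lv_crypto
#   keyfile_ok /root/keyfile && \
#     crypttab_entry crypt_dev_mapper /dev/vg_sgnhv/lv_crypto /root/keyfile >> /etc/crypttab
#   fstab_entry crypt_dev_mapper /mnt/crypto ext4 >> /etc/fstab
```

After appending both lines, `cryptdisks_start crypt_dev_mapper` followed by `mount /mnt/crypto` exercises the same path the boot scripts take, so a passphrase prompt at that point means the key file was not accepted.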

Now for a public service announcement, or really just some food for thought. If your computer mounts your encrypted file system on boot without any kind of interaction to authenticate the process, what good does it do to encrypt the file system in the first place?

My personal preference is that encrypting a notebook’s entire filesystem, or even a tablet or smart phone, should be the course of action. In Linux, that can be done during the install. Otherwise, I’d propose something like TrueCrypt. Other than that, encrypting thumb drives would be handy.

September 30, 2012

Posted In: Encryption, Filesystems, Linux, Security