dm-crypt
1. Intro
dm-crypt is an encryption module of the Linux kernel's Device Mapper. It encrypts the backing device (the real hard disk) and provides the clear-text content as a virtual block device under /dev/mapper.
The userspace utility cryptsetup is used to set up the disk encryption.
LUKS (Linux Unified Key Setup) is an extension which adds a header for metadata and keys, so it becomes a container for a dm-crypt volume. Because that header makes the volume recognizable, LUKS hinders plausible deniability.
2. FAQ
- SSDs / Flash Drives: cannot be reliably erased, because writes are only remapped to sectors from a pool, so an overwrite does not necessarily hit the old data.
- Cloning / Imaging: makes a copy of the LUKS header and thus of the master key, which stays the same even if the passphrase is changed later.
- Distribution Installers are DANGEROUS.
- Passphrase is not the Master Key: it only decrypts the randomly selected master key. If a new header is created with the same passphrase, the master key is different and thus all data is lost.
3. Header
Every encrypted volume has a header section. If this header gets damaged or lost, it is impossible to recover the data.
Check a header:
cryptsetup -v isLuks <device>
Backup a header:
cryptsetup luksHeaderBackup --header-backup-file <file> <device>
Restore a header:
cryptsetup luksHeaderRestore --header-backup-file <file> <device>
4. Basic Setup
Install cryptsetup:
sudo aptitude install cryptsetup
Wipe file system and data:
cat /dev/zero > <target device>
Create the LUKS Container:
cryptsetup luksFormat <target device>
Print the header:
cryptsetup luksDump <target device>
Map the container:
cryptsetup luksOpen <target device> mycontainer1
Wipe the container:
cat /dev/zero > /dev/mapper/mycontainer1
Create file system:
mkfs.ext4 /dev/mapper/mycontainer1
Mount the file system:
mount /dev/mapper/mycontainer1 /mnt
Remove a Volume step 1:
umount /dev/mapper/mycontainer1
Remove a Volume step 2:
cryptsetup luksClose mycontainer1
5. Using a loop-device
Create an empty file:
head -c 100M /dev/zero > luksfile
Map the file to /dev/loop0:
losetup /dev/loop0 luksfile
Then continue with the setup of section 4, using /dev/loop0 as the target device:
cryptsetup luksFormat /dev/loop0
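As an added example (not from these notes, and not cryptsetup's or any distribution's code), the steps of sections 3 to 5 combined into one POSIX shell script that builds a LUKS container inside a loop-mounted file and tears it down again. It assumes cryptsetup, losetup, truncate, findmnt and mkfs.ext4 are present and that a real run happens as root; the file name, size, mapper name and key-file path are caller-supplied arguments, and the key file stands in for the interactive passphrase so the script can run unattended. With DRY_RUN=1 the script only prints the commands it would execute, which is how it should be tried first, since luksFormat destroys whatever the target held.

```shell
#!/bin/sh
# Added example, not part of the original notes: the loop-device workflow of
# sections 4 and 5 as one script, plus the header backup from section 3.
# Assumed: cryptsetup, losetup, truncate, findmnt and mkfs.ext4 are installed
# and a real run happens as root. DRY_RUN=1 only prints the commands.
# File name, size, mapper name and key-file path are arguments chosen by the
# caller; none of them come from the notes.
set -eu

# Trace every command on stderr (stdout stays free for results) and execute it
# unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*" >&2
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# Only allow a conservative character set for the /dev/mapper name, so that a
# '/' or a space cannot turn "/dev/mapper/$name" into an unexpected path.
valid_mapper_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write 64 random bytes to a new, owner-only readable key file. Like a
# passphrase, it merely unlocks the master key stored in the LUKS header.
make_key_file() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing key file $1" >&2
        return 1
    fi
    ( umask 077 && run sh -c 'head -c 64 /dev/urandom > "$1"' sh "$1" )
}

# Create a sparse zero-filled file of the given size and attach it to the first
# free loop device; prints the device path (a placeholder in dry-run mode).
attach_loop_file() {
    run truncate -s "$2" "$1"
    dev=$(run losetup -f --show "$1")
    echo "${dev:-/dev/loopN}"
}

# Format, verify, open, fill with ciphertext, create ext4 and back up the
# header. Prints the loop device so the caller can detach it later.
setup_luks_loop() {
    file=$1; size=$2; name=$3; key=$4
    if ! valid_mapper_name "$name"; then
        echo "invalid mapper name: $name" >&2
        return 1
    fi
    make_key_file "$key"
    dev=$(attach_loop_file "$file" "$size")
    # -q skips the interactive YES confirmation; --key-file replaces the
    # passphrase prompt. This destroys whatever the file contained before.
    run cryptsetup -q luksFormat --key-file "$key" "$dev"
    run cryptsetup isLuks "$dev"
    run cryptsetup luksOpen --key-file "$key" "$dev" "$name"
    # Overwrite the plaintext device once so the backing file is ciphertext
    # throughout rather than zeros with a few encrypted blocks; dd exits
    # non-zero when it reaches the end of the device, which is expected here.
    run dd if=/dev/zero of="/dev/mapper/$name" bs=1M status=none || true
    run mkfs.ext4 -q "/dev/mapper/$name"
    # The header backup contains the master key, so protect it like the key.
    ( umask 077 && run cryptsetup luksHeaderBackup \
        --header-backup-file "$file.header" "$dev" )
    echo "$dev"
}

# Reverse order: unmount if mounted, close the mapping, detach the loop device.
teardown_luks_loop() {
    name=$1; dev=$2
    if findmnt -n "/dev/mapper/$name" >/dev/null 2>&1; then
        run umount "/dev/mapper/$name"
    fi
    run cryptsetup luksClose "$name"
    run losetup -d "$dev"
}

# Usage:  sh luks-loop.sh up luksfile 100M mycontainer1 luksfile.key
#         sh luks-loop.sh down mycontainer1 /dev/loop0
# With no arguments the script only defines the functions.
case "${1:-}" in
    up)   shift; setup_luks_loop "$@" ;;
    down) shift; teardown_luks_loop "$@" ;;
esac
```

Two points from the FAQ show up here as code: the header backup is written under umask 077 because, like the key file, it contains the master key (the cloning/imaging point), and the mapped device is overwritten once before mkfs so the backing file is ciphertext throughout instead of revealing how much of it is in use. Mounting is left to the caller (`mount /dev/mapper/mycontainer1 /mnt`, as in section 4), and `down` unmounts first if needed.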