MySQL - Impact of multiple column indexes misuse
Jul 13

My previous post was made a long time ago, so here is a draft that I finally decide to post. Let’s see how to secure some of your data with an encrypted block device using losetup and dd.

Steps will be :

  1. Create an image with dd
  2. Build a new device using the image with an encrypt algorythm by using losetup
  3. Format the device using mkfs.ext3
  4. Mount the device and start using it !

Of course, when you have mounted the device, your data are readable to anyone who have access to the mounted directory.

Create an image with dd

root@vm-ubuntu-lamp:~# dd if=/dev/zero of=encrypted.img bs=4k count=1000 seek=4001
1000+0 records in
1000+0 records out
4096000 bytes (4,1 MB) copied, 0,10063 seconds, 40,7 MB/s

We now have a raw image file using 4MB.

root@vm-ubuntu-lamp:~# ls -l encrypted.img
-rw-r–r– 1 root root 20484096 2008-07-12 13:38 encrypted.img
root@vm-ubuntu-lamp:~# du -hs encrypted.img
4,0M    encrypted.img

Create the encrypted device

root@vm-ubuntu-lamp:~# losetup -e aes /dev/loop0 encrypted.img
Password:
ioctl: LOOP_SET_STATUS: Invalid argument

Ooops.. Something wrong. Our losetup bin isn’t patched to use AES. On ubuntu/debian based OS, it’s is to deal.

apt-get install loop-aes-utils
root@vm-ubuntu-lamp:~# losetup -e aes /dev/loop0 encrypted.img
Password:
ioctl: LOOP_SET_STATUS: Invalid argument, requested cipher or key length (128 bits) not supported by kernel

Hmm.. Still not good, we need now to patch or change our kernel for support encryption. We have to check if the “aes” and “cryptoloop” modules are loaded, if not we will load them.

root@vm-ubuntu-lamp:~# lsmod | grep aes
root@vm-ubuntu-lamp:~# modprobe aes
root@vm-ubuntu-lamp:~# lsmod | grep aes
aes 28608 0
root@vm-ubuntu-lamp:~# lsmod | grep cryptoloop
root@vm-ubuntu-lamp:~# modprobe cryptoloop
root@vm-ubuntu-lamp:~# lsmod | grep crypto
cryptoloop 4096 0
loop 17928 1 cryptoloop

If you don’t have the module with your current kernel, you will have to build it by activate the some kernel options.

CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_CRYPTOLOOP=m
CONFIG_CRYPTO_AES=m
CONFIG_CRYPTO_AES_586=m

Now we should be ok to load our encrypted image.
root@vm-ubuntu-lamp:~# losetup -e aes /dev/loop0 encrypted.img
Password:

Format the device with a proper filesystem

root@vm-ubuntu-lamp:~# mkfs.ext3 /dev/loop0
mke2fs 1.40-WIP (14-Nov-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
5016 inodes, 20004 blocks
1000 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=20709376
3 block groups
8192 blocks per group, 8192 fragments per group
1672 inodes per group
Superblock backups stored on blocks:
8193

Writing inode tables: done
Creating journal (1400 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 39 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Mount the device

Easiest step, just have to use the mount command.

root@vm-ubuntu-lamp:~# mkdir /mnt/encrypted
root@vm-ubuntu-lamp:~# mount /dev/loop0 /mnt/encrypted

root@vm-ubuntu-lamp:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 7850996 1346292 6105892 19% /
varrun 63052 40 63012 1% /var/run
varlock 63052 0 63052 0% /var/lock
procbususb 63052 68 62984 1% /proc/bus/usb
udev 63052 68 62984 1% /dev
devshm 63052 0 63052 0% /dev/shm
/dev/loop0 19366 1578 16788 9% /mnt/encrypted

root@vm-ubuntu-lamp:~# df -H
Filesystem             Size   Used  Avail Use% Mounted on
/dev/sda1              8,1G   1,4G   6,3G  19% /
varrun                  65M    41k    65M   1% /var/run
varlock                 65M      0    65M   0% /var/lock
procbususb              65M    70k    65M   1% /proc/bus/usb
udev                    65M    70k    65M   1% /dev
devshm                  65M      0    65M   0% /dev/shm
/dev/loop0              20M   1,7M    18M   9% /mnt/encrypted

If you want to go further on this subject : Encryption HOWTO

Share this post with your network :These icons link to social bookmarking sites where readers can share and discover new web pages.
  • blinkbits
  • BlinkList
  • blogmarks
  • co.mments
  • connotea
  • del.icio.us
  • De.lirio.us
  • digg
  • Fark
  • feedmelinks
  • Furl
  • LinkaGoGo
  • Ma.gnolia
  • NewsVine
  • Netvouz
  • RawSugar
  • Reddit
  • scuttle
  • Shadows
  • Simpy
  • Smarking
  • Spurl
  • TailRank
  • Wists
  • YahooMyWeb

Leave a Reply