Using losetup and dd to secure sensitive data (encrypted block device)
Bash - GNU Shell, Case Study Add commentsMy previous post was made a long time ago, so here is a draft that I finally decide to post. Let’s see how to secure some of your data with an encrypted block device using losetup and dd.
Steps will be :
- Create an image with dd
- Build a new device using the image with an encrypt algorythm by using losetup
- Format the device using mkfs.ext3
- Mount the device and start using it !
Of course, when you have mounted the device, your data are readable to anyone who have access to the mounted directory.
Create an image with dd
root@vm-ubuntu-lamp:~# dd if=/dev/zero of=encrypted.img bs=4k count=1000 seek=4001 1000+0 records in 1000+0 records out 4096000 bytes (4,1 MB) copied, 0,10063 seconds, 40,7 MB/s We now have a raw image file using 4MB.root@vm-ubuntu-lamp:~# ls -l encrypted.img -rw-r--r-- 1 root root 20484096 2008-07-12 13:38 encrypted.img root@vm-ubuntu-lamp:~# du -hs encrypted.img 4,0M encrypted.img
Create the encrypted device
root@vm-ubuntu-lamp:~# losetup -e aes /dev/loop0 encrypted.img
Password:
ioctl: LOOP_SET_STATUS: Invalid argument
Ooops.. Something wrong. Our losetup bin isn’t patched to use AES. On ubuntu/debian based OS, it’s is to deal.
apt-get install loop-aes-utils root@vm-ubuntu-lamp:~# losetup -e aes /dev/loop0 encrypted.img Password: ioctl: LOOP_SET_STATUS: Invalid argument, requested cipher or key length (128 bits) not supported by kernel
Hmm.. Still not good, we need now to patch or change our kernel for support encryption. We have to check if the “aes” and “cryptoloop” modules are loaded, if not we will load them.
root@vm-ubuntu-lamp:~# lsmod | grep aes root@vm-ubuntu-lamp:~# modprobe aes root@vm-ubuntu-lamp:~# lsmod | grep aes aes 28608 0 root@vm-ubuntu-lamp:~# lsmod | grep cryptoloop root@vm-ubuntu-lamp:~# modprobe cryptoloop root@vm-ubuntu-lamp:~# lsmod | grep crypto cryptoloop 4096 0 loop 17928 1 cryptoloop
If you don’t have the module with your current kernel, you will have to build it by activate the some kernel options.
CONFIG_BLK_DEV_LOOP=m CONFIG_BLK_DEV_CRYPTOLOOP=m CONFIG_CRYPTO_AES=m CONFIG_CRYPTO_AES_586=m
Now we should be ok to load our encrypted image.
root@vm-ubuntu-lamp:~# losetup -e aes /dev/loop0 encrypted.img
Password:
Format the device with a proper filesystem
root@vm-ubuntu-lamp:~# mkfs.ext3 /dev/loop0 mke2fs 1.40-WIP (14-Nov-2006) Filesystem label= OS type: Linux Block size=1024 (log=0) Fragment size=1024 (log=0) 5016 inodes, 20004 blocks 1000 blocks (5.00%) reserved for the super user First data block=1 Maximum filesystem blocks=20709376 3 block groups 8192 blocks per group, 8192 fragments per group 1672 inodes per group Superblock backups stored on blocks: 8193 Writing inode tables: done Creating journal (1400 blocks): done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 39 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override.
Mount the device
Easiest step, just have to use the mount command.
root@vm-ubuntu-lamp:~# mkdir /mnt/encrypted root@vm-ubuntu-lamp:~# mount /dev/loop0 /mnt/encrypted root@vm-ubuntu-lamp:~# df Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda1 7850996 1346292 6105892 19% / varrun 63052 40 63012 1% /var/run varlock 63052 0 63052 0% /var/lock procbususb 63052 68 62984 1% /proc/bus/usb udev 63052 68 62984 1% /dev devshm 63052 0 63052 0% /dev/shm /dev/loop0 19366 1578 16788 9% /mnt/encrypted root@vm-ubuntu-lamp:~# df -H Filesystem Size Used Avail Use% Mounted on /dev/sda1 8,1G 1,4G 6,3G 19% / varrun 65M 41k 65M 1% /var/run varlock 65M 0 65M 0% /var/lock procbususb 65M 70k 65M 1% /proc/bus/usb udev 65M 70k 65M 1% /dev devshm 65M 0 65M 0% /dev/shm /dev/loop0 20M 1,7M 18M 9% /mnt/encrypted
If you want to go further on this subject : Encryption HOWTO
Recent Comments