Do you have sensitive or critical information and/or customer data on your computer that you need to protect for prolonged periods from physical attacks and unintended data disclosures? The answer to this question is encryption. Without encryption you can’t effectively protect them and they are viewable and accessible to everyone that has access to your system.
In this blog post will focus on creating a brute-force-resistant, authenticated and encrypted file container (LUKS). The purpose of this encrypted file-system (a.k.a. encrypted volume, vault) is to store your sensitive data securely, preventing malware and intruders from accessing the files stored inside. Your sensitive files can only be accessed with the right software and password (or decryption key).
Linux Unified Key Setup (LUKS)
The Linux Unified Key Setup (LUKS) is a disk encryption specification. LUKS implements a platform-independent standard on-disk format. This not only facilitates compatibility and interoperability among different programs, but also assures that they all implement password management in a secure and documented manner. The reference implementation for LUKS operates on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend. Under Microsoft Windows, LUKS-encrypted disks can be used with the now defunct FreeOTFE. LUKS is designed to conform to the TKS1 secure key setup scheme.
dm-crypt is a transparent disk encryption subsystem in Linux kernel versions 2.6 and later and in DragonFly BSD. It is part of the device mapper infrastructure, and uses cryptographic routines from the kernel’s Crypto API. Unlike its predecessor cryptoloop, dm-crypt was designed to support advanced modes of operation, such as XTS, LRW and ESSIV, in order to avoid watermarking attacks. dm-crypt is implemented as a device mapper target and may be stacked on top of other device mapper transformations. It can thus encrypt whole disks (including removable media), partitions, software RAID volumes, logical volumes, as well as files. It appears as a block device, which can be used to back file systems, swap or as an LVM physical volume. Some Linux distributions support the use of dm-crypt on the root file system. These distributions use initrd to prompt the user to enter a passphrase at the console, or insert a smart card prior to the normal boot process.
cryptsetup provides commands to deal with the LUKS on-disk format. This format provides additional features such as key management and key stretching (using PBKDF2), and remembers encrypted volume configuration across reboots.
sudo apt install cryptsetup
Create an empty container e.g. 1GB
fallocate -l 1GB mycontainer.img
dd if=/dev/zero of=mycontainer.img bs=1 count=0 seek=1G
Generate a random 4096 master key to unlock the container
dd if=/dev/urandom of=master.key bs=4096 count=1
Encrypt the container
sudo cryptsetup -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random luksFormat mycontainer.img master.key
Unlock the container
Creates a device file at /dev/mapper/myVolume
sudo cryptsetup luksOpen mycontainer.img myVolume --key-file master.key
Format the unlocked Volume with ext4 filesystem
sudo mkfs.ext4 /dev/mapper/myVolume
Mount the unlocked volume just like a regular disk to a local directory
mkdir ~/myPrivateData sudo mount /dev/mapper/myVolume ~/myPrivateData sudo chown -R $USER:$USER ~/myPrivateData
Lock the container
sudo umount ~/myPrivateData && sudo cryptsetup luksClose myVolume
Quickly access your container
sudo cryptsetup luksOpen mycontainer.img myVolume --key-file master.key sudo mount /dev/mapper/myVolume ~/myPrivateData