
dm-crypt + LUKS on loopback file step by step (get rid of passphrase) February 13, 2007

Posted by TSAI HONG-BIN in Linux.

I know there are good introductions to this encrypted-filesystem solution everywhere, so this is basically a hit-and-run how-to.

//create key.vol.256 (32 random bytes, hex-encoded)
#dd if=/dev/random bs=1 count=32 2> /dev/null | xxd -ps -c 256 > key.vol.256

//create the backing file for the loopback device (use /dev/urandom instead of /dev/random, which would block while filling 256 MB)
#dd if=/dev/urandom of=crypt.loop bs=1M count=256

//make sure the dm-crypt and aes modules are available and loaded
//(aes-i586 is an assembly version of the aes implementation)
//if you want to use another cipher, /proc/crypto lists the available ones
#modprobe dm-crypt
#modprobe aes-i586

//set up the loopback file as a loopback device
#losetup /dev/loop0 crypt.loop

//format the device as a LUKS container, using the key file as the only secret
#cryptsetup --cipher aes-cbc-essiv:sha256 luksFormat /dev/loop0 ~/key.vol.256

//open the device (dm-crypt will create a node under /dev/mapper)
#cryptsetup --key-file ~/key.vol.256 luksOpen /dev/loop0 crypt.loop

//format the mapped device with any filesystem you like
#mke2fs /dev/mapper/crypt.loop

//mount it and start reading and writing
#mkdir crypted
#mount /dev/mapper/crypt.loop crypted

//unmount and close the device
#umount crypted
#cryptsetup luksClose crypt.loop
#losetup -d /dev/loop0

If you check the file crypt.loop with the file command, it will only tell you it’s a data file. In a way this is a good feature, since seemingly no information about the file is disclosed. One big problem I currently have no answer to is the “luksClose” command: it requires no secret key, which implies that anyone with root privilege (admittedly a strong assumption) can close the device.
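The whole procedure above as one script, an added example that is not part of the original post: each step is a function, so a failure aborts before the next step runs; the key file is created with owner-only permissions; the loop device is taken from losetup -f rather than hard-coded as /dev/loop0; and the container is torn down in reverse order when the script exits, even after a partial failure. It uses aes-xts-plain64 (the cipher current cryptsetup versions default to) in place of the post's aes-cbc-essiv:sha256, and every path and name in it (crypt.loop, key.vol.256, crypted, crypt_loop) is an assumed placeholder. It also adds is_luks_container, which checks the six magic bytes that every LUKS header starts with. This bears on the remark about the file command: the LUKS header is stored unencrypted, so the container is identifiable as LUKS by anyone who can read the file, and current versions of file report it as such; what the container hides is the contents, not its own nature.

```shell
#!/bin/sh
# Added example (not from the original post): the post's dm-crypt + LUKS loopback
# procedure as checked functions. Assumes cryptsetup, losetup, od and a root shell
# for the round trip; all file names below are hypothetical placeholders.
set -eu

# "LUKS\xba\xbe": the magic bytes at offset 0 of every LUKS header (LUKS1 and LUKS2).
LUKS_MAGIC_HEX="4c554b53babe"

# Write 32 random bytes, hex-encoded (64 chars, no newline), readable only by the owner.
# Returns non-zero if the file does not end up exactly 64 bytes long.
make_keyfile() {
    keyfile=$1
    umask 077
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n' > "$keyfile"
    chmod 600 "$keyfile"
    [ "$(wc -c < "$keyfile" | tr -d ' ')" -eq 64 ]
}

# Return 0 when the file begins with the LUKS magic, 1 otherwise.
# The header is plaintext, so this works without the key; so does 'file'.
is_luks_container() {
    [ "$(od -An -tx1 -N6 "$1" | tr -d ' \n')" = "$LUKS_MAGIC_HEX" ]
}

# Round trip: backing file -> loop device -> LUKS -> ext4 -> mount. Needs root.
# Prints the loop device it allocated; everything else goes to stderr.
setup_volume() {
    img=$1; keyfile=$2; name=$3; mnt=$4; size_mb=${5:-256}
    # Pre-fill with random data so unused blocks look like ciphertext.
    dd if=/dev/urandom of="$img" bs=1M count="$size_mb" 2>/dev/null
    chmod 600 "$img"
    loopdev=$(losetup -f --show "$img")            # first free loop device
    # --batch-mode skips the confirmation prompt; the key file is the only secret.
    cryptsetup --batch-mode --cipher aes-xts-plain64 --key-file "$keyfile" \
        luksFormat "$loopdev" >&2
    is_luks_container "$img"                        # header really was written
    cryptsetup --key-file "$keyfile" luksOpen "$loopdev" "$name" >&2
    mkfs.ext4 -q "/dev/mapper/$name" >&2
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    cryptsetup status "$name" >&2                   # cipher, key size, backing device
    echo "$loopdev"
}

# Tear down in reverse order; errors are ignored so a half-built setup is still cleaned.
teardown_volume() {
    name=$1; mnt=$2; loopdev=$3
    umount "$mnt" 2>/dev/null || true
    cryptsetup luksClose "$name" 2>/dev/null || true
    [ -n "$loopdev" ] && losetup -d "$loopdev" 2>/dev/null || true
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "the round trip needs root" >&2; exit 1; }
    loopdev=""
    trap 'teardown_volume crypt_loop ./crypted "$loopdev"' EXIT
    make_keyfile ./key.vol.256
    loopdev=$(setup_volume ./crypt.loop ./key.vol.256 crypt_loop ./crypted 64)
    echo "hello" > ./crypted/test.txt
    ls -l ./crypted
}

# The root-only round trip runs only on request; sourcing the file just defines helpers.
if [ "${RUN_LUKS_DEMO:-0}" = "1" ]; then
    main
fi
```

Run it as root with RUN_LUKS_DEMO=1 sh ./luks-loop.sh to perform the round trip; without that variable the script only defines make_keyfile and is_luks_container, both of which work for an unprivileged user and can be reused from other scripts.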
