SUSE Conversations


File System Encryption



By: DamianMyerscough

April 11, 2008 6:17 am

Reads:339

Comments:0

Rating:0

In this article we are going to look at how to encrypt a partition during the installation of SUSE Linux Enterprise and after the installation, we will also look at creating encrypted disk containers. The reason for disk encryption is to protect against malicious users from viewing/stealing your private data.

Encrypting Partitions during Installation

The first method we are going to look at is encrypting a partition during the installation process, this is probably the easiest method of encrypting a partition. Once the installation of SUSE Linux Enterprise has begun you will come to the “Installation Settings” screen, you should click on the blue text saying “Partitioning“. Once you have click on the “Partitioning” link you will be presented with a new screen “Partitioning Suggestions” as shown in Figure 1.

Click to view.

Figure 1: Partitioning Screen.

The option you should select from Figure 1 is “Create Custom Partition Setup“, once you have selected this option you should click on the next button which will bring you to a new screen “Preparing Hard Disk: Step 1“. The option you should choose from this screen is “Custom Partitioning (for experts)“.

Now that you are in the partitioning screen you should click on the create button to create a new partition. When you have clicked on the “Create” button you will be prompt with a new window asking if you would like to format the partition, how big the partition should be and where you would like to mount this partition. Figure 1.1 shows a screenshot of this window.

Click to view.

Figure 1.1: Partition Creation.

As you can see in Figure 1.1 the “Encrypt file system” option has been selected, this option will encrypt the file system making it hard for malicious users to view/steal your private data. Once you have finished and clicked on the “OK” you will be prompt for a password as shown in Figure 1.2. The password you enter will be used to decrypt the partition.

Click to view.

Figure 1.2: Encryption password.

Encrypting Partitions

In this section of the article we are going to look at encrypting a partition manually, the partition that we will be working with is “/dev/sda3″. The first step we need to do is get a list of all the encryption modules that are available, this can be done using the “modinfo” command as shown in Figure 2.

linux-yqu3:~ #  modinfo /lib/modules/$( uname -r )/kernel/crypto/*

Figure 2: Viewing the available encryption modules.

The command from Figure 2 will create output similar to the output shown in Figure 2.1, this can be tided up by using the “grep” utility as shown in Figure 2.2.

...
filename:       /lib/modules/2.6.16.46-0.12-bigsmp/kernel/crypto/aes.ko
license:        Dual BSD/GPL
description:    Rijndael (AES) Cipher Algorithm
srcversion:     E5F667DEE42B64C4C18D04A
depends:        
supported:      yes
vermagic:       2.6.16.46-0.12-bigsmp SMP 586 REGPARM gcc-4.1
filename:       /lib/modules/2.6.16.46-0.12-bigsmp/kernel/crypto/anubis.ko
description:    Anubis Cryptographic Algorithm
...

Figure 2.1: “modinfo” output.

linux-yqu3:~ # modinfo /lib/modules/$( uname -r )/kernel/crypto/* | grep -i description
description:    Rijndael (AES) Cipher Algorithm
description:    Anubis Cryptographic Algorithm
description:    ARC4 Cipher Algorithm
description:    Blowfish Cipher Algorithm
description:    Cast5 Cipher Algorithm
description:    Cast6 Cipher Algorithm
description:    CRC32c (Castagnoli) calculations wrapper for lib/crc32c
...

Figure 2.2: “modinfo” output tided up.

Once you know what modules are available you can begin setting up the encrypted partition, the second step you will need to do is load the cryptoloop using the “modprobe” command shown in Figure 2.3.

linux-yqu3:~ # modprobe cryptoloop

Figure 2.3: Loading the cryptoloop.

Once you have the cryptoloop loaded you will need to load a encryption module which we got with the “modinfo” command. In this article we will load the “Rijndael” module as shown in Figure 2.4.

linux-yqu3:~ # modprobe aes

Figure 2.4: Loading the Rijndael encryption module

If you are wondering where the “aes” value came from and why the word “Rijndael” was not used, simply look at Figure 2.1 and you will notice that there is a field called: “filename” this is the file that needs to be loaded.

Once you have loaded the encryption module you can begin with the partition preparation as mention earlier. The third step is to fill the partition with random junk, this can be done using the “shred” command as shown in Figure 2.5.

linux-yqu3:~ # shred -v -n 1 /dev/sda3
shred: /dev/sda3: pass 1/1 (random)...
shred: /dev/sda3: pass 1/1 (random)...237MiB/2,1GiB 11%
shred: /dev/sda3: pass 1/1 (random)...501MiB/2,1GiB 24%
shred: /dev/sda3: pass 1/1 (random)...761MiB/2,1GiB 37%
shred: /dev/sda3: pass 1/1 (random)...1020MiB/2,1GiB 49%
shred: /dev/sda3: pass 1/1 (random)...1,2GiB/2,1GiB 62%
shred: /dev/sda3: pass 1/1 (random)...2,1GiB/2,1GiB 100%

Figure 2.5: Filling the “/dev/sda3″ partition with junk.

The reason for filling the partition with random junk first is to stop pattern matching attacks.

Once you have filled the partition with junk you can mount the partition to a loop device as shown in Figure 2.6.

linux-yqu3:~ # losetup -e aes /dev/loop0 /dev/sda3
Password:

Figure 2.6: Mounting /dev/sda3 partition to a loop device.

As you can see in Figure 2.6 you are prompt for a password, this password will be used in the future to decrypt the encrypted partition so do not forget this password otherwise you will loose your important data.

Once you have successfully mounted the /dev/sda3 partition you can install a file system onto that partition as shown in Figure 2.7.

linux-yqu3:~ # mkfs.reiserfs /dev/loop0 
mkfs.reiserfs 3.6.19 (2003 www.namesys.com)

A pair of credits:
Many persons came to www.namesys.com/support.html,  and got a question answered
for $25, or just gave us a small donation there.

Alexander  Lyamin  keeps our hardware  running,  and was very  generous  to our
project in many little ways.

Guessing about desired format.. Kernel 2.6.16.46-0.12-bigsmp is running.

Format 3.6 with standard journal
Count of blocks on the device: 526128
Number of blocks consumed by mkreiserfs formatting process: 8228
Blocksize: 4096
Hash function used to sort names: "r5"
Journal Size 8193 blocks (first block 18)
Journal Max transaction length 1024
inode generation number: 0
UUID: ed74b631-2fbb-4bed-8b58-64827000ca05
ATTENTION: YOU SHOULD REBOOT AFTER FDISK!
        ALL DATA WILL BE LOST ON '/dev/loop0'!
Continue (y/n):y
Initializing journal - 0%....20%....40%....60%....80%....100%
Syncing..ok
ReiserFS is successfully created on /dev/loop0.

Figure 2.7: Installing a file system onto the /dev/sda3 partition.

Once you have formatted the partition you can now mount the partition for use as shown in Figure 2.8.

linux-yqu3:~ # mount -t reiserfs /dev/loop0 /media/private/

Figure 2.8: Mounting the encrypted partition.

Once you have successfully mounted the encrypted partition you can use it as you normally would use a partition, to unmount the encrypted partition you will need to use two commands “umount” and “losetup” as shown in Figure 2.9.

linux-yqu3:/media # umount /media/private/
linux-yqu3:/media # losetup -d /dev/loop0

Figure 2.9: unmounting the encrypted partition.

Now that you have successfully unmounted the encrypted partition and maybe rebooted your machine you can mount the encrypted partition again using the similar command shown previously except for formatting the partition as shown in Figure 3.

linux-yqu3:/media # modprobe cryptoloop
linux-yqu3:/media # modprobe aes
linux-yqu3:/media # losetup -e aes /dev/loop0 /dev/sda3
Password: 
linux-yqu3:/media # mount -t reiserfs /dev/loop0 /media/private/

Figure 3: Remounting the encrypted partition.

As you can see the partition did not need to be formatted or filled with junk again, you also might want to put the commands in a bash script to mount the partition even faster.

Encryption Containers

In this section of the article we are going to look at encrypted disk containers, the difference between a encrypted disk container and an encrypted partition is the an encrypted container is a file and not a partition. Setting up encrypted disk containers is very similar to setting up encrypted partitions.

The first step to setting up an encrypted disk container is to see what modules are available, this is identical to what we did previously as shown in Figure 2. The next step is to load the cryptoloop module and the aes module as shown in Figures2.3 and 2.4, once you have loaded the modules you will need to use the “dd” command to create a disk container as shown in Figure 4.

linux-yqu3:~ # dd if=/dev/zero of=/root/private bs=1024M count=1

Figure 4: Creating disk container.

Once you have created the disk container I would strongly recommend you shred the file using the “shred” command to prevent pattern matching attacks. The reason I didn’t use the “/dev/urandom” device is because I find the “shred” command to be much faster.

linux-yqu3:~ # shred -v -n 1 /root/private 
shred: /root/private: pass 1/1 (random)...
shred: /root/private: pass 1/1 (random)...12KiB/1,0GiB 0%
shred: /root/private: pass 1/1 (random)...179MiB/1,0GiB 17%
shred: /root/private: pass 1/1 (random)...333MiB/1,0GiB 32%
shred: /root/private: pass 1/1 (random)...505MiB/1,0GiB 49%
shred: /root/private: pass 1/1 (random)...660MiB/1,0GiB 64%
shred: /root/private: pass 1/1 (random)...811MiB/1,0GiB 79%
shred: /root/private: pass 1/1 (random)...956MiB/1,0GiB 93%
shred: /root/private: pass 1/1 (random)...1,0GiB/1,0GiB 100%

Figure 4.1: Writing random junk to the disk container.

Once the “shred” command has finished you can mount the disk container to a loop device and format it with a file system of your choice as shown in Figure 4.2.

linux-yqu3:~ # losetup -e aes /dev/loop1 /root/private 
Passwort: 
linux-yqu3:~ # mkfs.reiserfs /dev/loop1 
mkfs.reiserfs 3.6.19 (2003 www.namesys.com)

A pair of credits:
Chris Mason wrote the journaling code for V3,  which was enormously more useful
to users than just waiting until  we could create a wandering log filesystem as
Hans would have unwisely done without him.
Jeff Mahoney optimized the bitmap  scanning code for V3,  and performed the big
endian cleanups. 

Edward Shushkin wrote the encryption and compression  file plugins,  and the V3
journal relocation code.

Guessing about desired format.. Kernel 2.6.16.46-0.12-bigsmp is running.
Format 3.6 with standard journal
Count of blocks on the device: 262144
Number of blocks consumed by mkreiserfs formatting process: 8219
Blocksize: 4096
Hash function used to sort names: "r5"
Journal Size 8193 blocks (first block 18)
Journal Max transaction length 1024
inode generation number: 0
UUID: dfdddcf3-def1-450d-9c9f-22164229a819
ATTENTION: YOU SHOULD REBOOT AFTER FDISK!
        ALL DATA WILL BE LOST ON '/dev/loop1'!
Continue (y/n):y
Initializing journal - 0%....20%....40%....60%....80%....100%
Syncing..ok
ReiserFS is successfully created on /dev/loop1.

Figure 4.2: Mounting and formating the disk container.

Once you have installed a file system onto the encrypted disk container you can mount it and use it as normal. Figure 4.3 shows the commands used to mount the encrypted disk container.

linux-yqu3:~ # mount -t reiserfs /dev/loop1 /media/private2/

Figure 4.3: Mounting the encrypted disk container.

Once again if you need to unmount the partition you will need to use the “umount” command and the “losetup” command as shown in Figure 4.4.

linux-yqu3:/media # umount /media/private2/
linux-yqu3:/media # losetup -d /dev/loop1

Figure 4.4: unmounting the encrypted disk container.

Mounting the encrypted disk container is identical to Figure 3, you will however, need to replace /dev/sda3 with /root/private and /dev/loop0 with a free loop device.

Final Thoughts

In this article we looked at setting up encryption during the installation process which shown to be the simplest method of setting up encryption, we also looked at manually encrypting partitions along with encrypted disk containers. I hope that you choose implement one of the methods above to protect you private data against malicious users otherwise you may face the possibility of someone stealing your private data.

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Tags: ,
Categories: SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

Comment

RSS