Ubuntu: Make a secure encrypted vault
From ReceptiveIT
Overview
One of the big problems that computer users face these days is passwords and other sensitive information. We all know that you should use strong passwords, that every website or login should get a different one, and that you should change them regularly and not write them down.
Like most people, I am guilty of reusing passwords. I do this because I don't write passwords down and I have trouble remembering the hundreds of passwords that I need throughout my life. Initially I thought about creating files with permissions set so that only I could read them, but what if your computer gets compromised?
The solution is to store your information in encrypted form. That way all you need to remember is one strong passphrase to unlock the vault. Bear in mind what that protects against: the encryption only helps while the vault is closed. While it is open and mounted, anything running with your privileges can read it, so unmount it as soon as you are done.
Create the Vault
I chose to create an ordinary file to hold the encrypted data, so that the vault can be copied and backed up like any other file, but you could use a partition or a USB flash disk if you choose.
Make the raw container
Create the file that will hold the vault. Mine is 64 MB, which is enough space for me. Filling it from /dev/zero is quick; if you would rather not reveal how much of the vault is in use (the raw file stays zero wherever nothing has been written yet), fill it from /dev/urandom instead.
root@server:~# mkdir crypto
root@server:~# cd crypto/
root@server:~/crypto# ls
root@server:~/crypto# dd if=/dev/zero of=cryptdisk bs=1M count=64
64+0 records in
64+0 records out
67108864 bytes (67 MB) copied, 0.159196 s, 422 MB/s
Now we use a loop device to present the file as a block device. /dev/loop0 must be free: losetup -f prints the first unused loop device, and losetup -a lists the ones already attached.
root@server:~/crypto# losetup /dev/loop0 cryptdisk
Install the crypt software
Install cryptsetup using your package management tool. It drives the kernel's dm-crypt device-mapper target and supports LUKS, which we will be using.
root@server:~/crypto# apt-get install cryptsetup
Format the encrypted container
We now need to initialise the encrypted disk. Time to luksFormat. The cipher, key size and hash it picks depend on your cryptsetup version; the header dump further down shows what this one chose.
root@server:~/crypto# cryptsetup luksFormat /dev/loop0
WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ******
Verify passphrase: ******
Command successful.
Open the encrypted container
We now need to open the encrypted disk. Time to luksOpen. This maps the decrypted view of /dev/loop0 to /dev/mapper/crypto.
root@server:~/crypto# cryptsetup luksOpen /dev/loop0 crypto
Enter LUKS passphrase: ******
key slot 0 unlocked.
Command successful.
Create a filesystem
We now need to create a filesystem, just like we would on a normal hard disk.
root@server:~/crypto# mkfs.ext2 /dev/mapper/crypto
mke2fs 1.41.3 (12-Oct-2008)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
15872 inodes, 63484 blocks
3174 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=65011712
8 block groups
8192 blocks per group, 8192 fragments per group
1984 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 26 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Close the encrypted container
root@server:~/crypto# cryptsetup luksClose /dev/mapper/crypto
This removes the /dev/mapper/crypto mapping, but the loop device stays attached until you detach it, which is what the losetup -d line in the unmount script below does.
Handling multiple passwords
LUKS1 (the header version shown in the dump below) can store up to 8 different passphrases; each one lives in a numbered key slot, and LUKS2 raises the limit to 32. The passphrase given at luksFormat goes into slot 0. Every slot unlocks the same master key, so each passphrase needs to be strong. The loop device must be attached for these commands, but the container does not need to be opened with luksOpen: each command prompts for an existing passphrase and works directly on the header at /dev/loop0.
Add a password
root@server:~/crypto# cryptsetup luksAddKey /dev/loop0
Enter any LUKS passphrase: ******
key slot 0 unlocked.
Enter new passphrase for key slot: ******
Verify passphrase: ******
Command successful.
Remove a password
The slot number comes from luksDump (next section). Check that at least one other slot is still enabled first: killing the only enabled slot makes the vault permanently unopenable, and cryptsetup only asks for a confirmation before doing so. Also note that killing a slot does not change the master key, so anyone who kept a copy of the old header together with the revoked passphrase can still unlock the data; if that matters, create a new vault and copy the data across.
root@server:~/crypto# cryptsetup luksKillSlot /dev/loop0 1
Enter any remaining LUKS passphrase: ******
key slot 1 verified.
Command successful.
Displaying LUKS header information
luksDump shows the parameters that luksFormat chose and which key slots are in use. The ones in this header (aes in cbc-essiv:sha256 mode, a 128-bit master key and sha1 as the key-slot hash) were the defaults of the cryptsetup version used here; current releases default to aes-xts-plain64, a 512-bit key and sha256, and you can request those on an older version with the -c, -s and -h options of luksFormat.
root@server:~/crypto# cryptsetup luksDump /dev/loop0
LUKS header information for /dev/loop0
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
MK digest: ca ab 46 d5 3e 49 37 74 c4 3e 53 d7 16 1a 88 d8 48 38 a1 0e
MK salt: 02 95 33 a2 0d 69 ce 52 26 b8 06 03 4f 0b f1 62
45 51 2a 92 fa 3d bc 61 df 74 49 62 11 d7 4f 6a
MK iterations: 10
UUID: ca9d656d-1516-4b57-a127-1081c10ace61
Key Slot 0: ENABLED
Iterations: 342623
Salt: da 61 97 c0 a1 9a 53 3d 47 78 00 54 86 7f ac 5b
4e ff 10 51 d7 92 10 03 bc 41 01 1e e6 29 c6 76
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
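As an added check, not part of the original page: the script below parses a luksDump like the one above (LUKS1 layout) and reports weak header parameters and the number of enabled key slots, which is the thing to look at before running luksKillSlot. It is example code written for this page, not the author's; the filename luks-audit.sh and the two embedded sample dumps are constructed (the first is copied from the dump above, the second stands in for a header formatted with current defaults and a second passphrase added).

```bash
#!/bin/bash
# Added example, not part of the original page: audit a LUKS1 header dump.
# Reads the text printed by `cryptsetup luksDump <device>` (the LUKS1 layout
# shown above; LUKS2 prints a different layout) and reports weak parameters
# plus the number of enabled key slots.
#
# Usage: cryptsetup luksDump /dev/loop0 | bash luks-audit.sh -
#        bash luks-audit.sh --demo      (audits the constructed sample below)

# Constructed sample, copied from the page's luksDump output (old defaults).
SAMPLE_WEAK=$(cat <<'EOF'
LUKS header information for /dev/loop0

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
Key Slot 0: ENABLED
Key Slot 1: DISABLED
EOF
)

# Constructed sample of a header made with -c aes-xts-plain64 -s 512 -h sha256
# plus a second passphrase added with luksAddKey.
SAMPLE_GOOD=$(cat <<'EOF'
LUKS header information for /dev/loop0

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
Key Slot 0: ENABLED
Key Slot 1: ENABLED
EOF
)

# Print the value of a "Name: value" line from the dump on stdin
# (keeps colons inside the value, e.g. cbc-essiv:sha256).
luks_field() {
    awk -v key="$1" '
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }'
}

# Count the key slots marked ENABLED in the dump on stdin (prints 0 if none).
luks_enabled_slots() {
    grep -c -E '^Key Slot [0-9]+:[[:space:]]*ENABLED' || true
}

# Print one WARN line per weak or risky parameter; prints nothing if the
# header looks sound. Thresholds follow current cryptsetup defaults
# (aes-xts-plain64, 512-bit master key, sha256 key-slot hash).
luks_audit() {
    local dump version cipher mode hash bits slots
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | luks_field "Version")
    cipher=$(printf '%s\n' "$dump" | luks_field "Cipher name")
    mode=$(printf '%s\n' "$dump" | luks_field "Cipher mode")
    hash=$(printf '%s\n' "$dump" | luks_field "Hash spec")
    bits=$(printf '%s\n' "$dump" | luks_field "MK bits")
    slots=$(printf '%s\n' "$dump" | luks_enabled_slots)
    case "$bits" in *[!0-9]*|"") bits=0 ;; esac   # treat a missing/odd value as weak

    if [ "$version" != "1" ]; then
        echo "WARN: header version '$version'; this script understands the LUKS1 dump layout only"
    fi
    case "$mode" in
        xts-*) ;;
        *) echo "WARN: cipher $cipher in mode '$mode'; format with -c aes-xts-plain64 instead" ;;
    esac
    if [ "$hash" = "sha1" ]; then
        echo "WARN: key-slot hash is sha1; format with -h sha256"
    fi
    if [ "$bits" -lt 256 ]; then
        echo "WARN: master key is only $bits bits; use -s 256 for cbc or -s 512 for xts (AES-256)"
    fi
    if [ "$slots" -le 1 ]; then
        echo "WARN: only $slots key slot enabled; luksKillSlot on it would leave the vault unopenable"
    fi
    return 0
}

# Number of WARN lines for the dump on stdin (0 means the header passed).
luks_warning_count() {
    luks_audit | grep -c '^WARN' || true
}

case "${1:-}" in
    "") ;;                                          # no argument: only define the functions
    --demo) printf '%s\n' "$SAMPLE_WEAK" | luks_audit ;;
    *) cat "$1" | luks_audit ;;                     # a saved dump file, or - for stdin
esac
```

Run against the header above it prints four warnings (cbc mode, sha1, 128-bit key, single slot); a header with current defaults and a second slot prints nothing. The slot count is the number to check before luksKillSlot.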
Simplify the mount and unmount procedure
If you are looking at all these commands thinking "I am not going to remember this", then script the mount and unmount procedure. Both scripts below assume that /dev/loop0 is free and that the mount point /mnt/crypto already exists.
mount-crypt.sh
#!/bin/bash
LOOPBACK_DEVICE=/dev/loop0
CRYPT_DISK=/root/crypto/cryptdisk
CRYPT_LABEL=crypt-disk
CRYPT_MOUNTPOINT=/mnt/crypto

# Each step is checked. On failure, undo the steps already taken and stop,
# rather than carrying on to the next command with a half-set-up device.
if ! losetup ${LOOPBACK_DEVICE} ${CRYPT_DISK}
then
    echo "ERROR - Loopback device setup"
    exit 1
fi
echo "OK - Loopback device mapped."

if ! cryptsetup luksOpen ${LOOPBACK_DEVICE} ${CRYPT_LABEL}
then
    echo "ERROR Opening LUKS CryptoFS. Removing the loopback device."
    losetup -d ${LOOPBACK_DEVICE}
    exit 1
fi
echo "OK - LUKS CryptoFS Opened."

if ! mount /dev/mapper/${CRYPT_LABEL} ${CRYPT_MOUNTPOINT}
then
    echo "ERROR mounting CryptoFS"
    cryptsetup luksClose /dev/mapper/${CRYPT_LABEL}
    losetup -d ${LOOPBACK_DEVICE}
    exit 1
fi
echo "OK - Mounted CryptoFS"
umount-crypt.sh
#!/bin/bash
LOOPBACK_DEVICE=/dev/loop0
CRYPT_DISK=/root/crypto/cryptdisk
CRYPT_LABEL=crypt-disk
CRYPT_MOUNTPOINT=/mnt/crypto

# Tear down in reverse order, and stop if the filesystem is still busy so the
# mapping and loop device are not pulled out from under open files.
if ! umount ${CRYPT_MOUNTPOINT}
then
    echo "ERROR unmounting CryptoFS (files still open?)"
    exit 1
fi
cryptsetup luksClose /dev/mapper/${CRYPT_LABEL}
losetup -d ${LOOPBACK_DEVICE}

