Ubuntu: Make a secure encrypted vault
Overview
One of the big problems that computer users face these days is with passwords and other sensitive information. We all know that you should use strong passwords, and every website or login should use a different password. We also know that you should change passwords regularly and not write them down.
Like most people, I am guilty of reusing passwords. I do this because I don't write passwords down and I have trouble remembering the hundreds of passwords that I need to use throughout my life. Initially I thought about creating files that had permissions so only I could read them, but what if your computer gets compromised?
The solution is to store your info in an encrypted form. That way all you need to do is remember one strong password to unlock the vault.
Create the Vault
I chose to create a file that would hold the encrypted information for high availability, but you could use a partition or USB flash disk if you choose.
Make the raw container
Create the file that will hold the vault. My vault is going to be 64 MB, which is enough space for me.

    # mkdir crypto
    # cd crypto/
    # ls
    # dd if=/dev/zero of=cryptdisk bs=1M count=64
    64+0 records in
    64+0 records out
    67108864 bytes (67 MB) copied, 0.159196 s, 422 MB/s

Now we use a loopback device to attach the file as a block device.

    # losetup /dev/loop0 cryptdisk

Install the crypt software
Install cryptsetup using your package management tool. This software uses the kernel dm-crypt device mapper target and supports LUKS, which we will be using.

    # apt-get install cryptsetup

Format the encrypted container
We now need to initialise the encrypted disk. Time to luksFormat.

    # cryptsetup luksFormat /dev/loop0

    WARNING!
    ========
    This will overwrite data on /dev/loop0 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: ******
    Verify passphrase: ******
    Command successful.

Open the encrypted container
We now need to open the encrypted disk. Time to luksOpen.

    # cryptsetup luksOpen /dev/loop0 crypto
    Enter LUKS passphrase: ******
    key slot 0 unlocked.
    Command successful.

Create a filesystem
We now need to create a filesystem, just like we would on a normal hard disk.

    # mkfs.ext2 /dev/mapper/crypto
    mke2fs 1.41.3 (12-Oct-2008)
    Filesystem label=
    OS type: Linux
    Block size=1024 (log=0)
    Fragment size=1024 (log=0)
    15872 inodes, 63484 blocks
    3174 blocks (5.00%) reserved for the super user
    First data block=1
    Maximum filesystem blocks=65011712
    8 block groups
    8192 blocks per group, 8192 fragments per group
    1984 inodes per group
    Superblock backups stored on blocks:
            8193, 24577, 40961, 57345

    Writing inode tables: done
    Writing superblocks and filesystem accounting information: done

    This filesystem will be automatically checked every 26 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.

Close the encrypted container

    # cryptsetup luksClose /dev/mapper/crypto

Handling multiple passwords
LUKS has the ability to store up to 8 different passwords. Each password is identified as a slot. The password that is initially created will be in slot 0. To perform any of these functions, your encrypted container must be opened.
Add a password

    # cryptsetup luksAddKey /dev/loop0
    Enter any LUKS passphrase: ******
    key slot 0 unlocked.
    Enter new passphrase for key slot: ******
    Verify passphrase: ******
    Command successful.

Remove a password

    # cryptsetup luksKillSlot /dev/loop0 1
    Enter any remaining LUKS passphrase: ******
    key slot 1 verified.
    Command successful.

Displaying LUKS header information

    # cryptsetup luksDump /dev/loop0
    LUKS header information for /dev/loop0

    Version:        1
    Cipher name:    aes
    Cipher mode:    cbc-essiv:sha256
    Hash spec:      sha1
    Payload offset: 1032
    MK bits:        128
    MK digest:      ca ab 46 d5 3e 49 37 74 c4 3e 53 d7 16 1a 88 d8 48 38 a1 0e
    MK salt:        02 95 33 a2 0d 69 ce 52 26 b8 06 03 4f 0b f1 62
                    45 51 2a 92 fa 3d bc 61 df 74 49 62 11 d7 4f 6a
    MK iterations:  10
    UUID:           ca9d656d-1516-4b57-a127-1081c10ace61

    Key Slot 0: ENABLED
            Iterations:             342623
            Salt:                   da 61 97 c0 a1 9a 53 3d 47 78 00 54 86 7f ac 5b
                                    4e ff 10 51 d7 92 10 03 bc 41 01 1e e6 29 c6 76
            Key material offset:    8
            AF stripes:             4000
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

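The header fields shown above can be checked mechanically. The following is an added example, not part of the original article: a POSIX shell function that reads LUKS1 `cryptsetup luksDump` text on stdin and flags parameters weaker than current cryptsetup defaults. The function names, the thresholds and the sample dump (fields copied from the output above, salts omitted) are assumptions of this example.

```shell
#!/bin/bash
# Added example: audit LUKS1 `cryptsetup luksDump` text. The thresholds below
# are this example's assumptions, chosen to match current cryptsetup defaults.

# Constructed sample: header fields copied from the dump above, salts omitted.
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/loop0

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK iterations:  10
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

# Reads a luksDump on stdin and prints one finding per line.
audit_luks_dump() {
    awk '
        # Strip the "Label:" prefix and padding, keeping colons inside the value.
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); return s }
        /^Version:/     { if (val($0) == "1") print "INFO luks-version 1 (LUKS2 is the current format)" }
        /^Cipher mode:/ { if (val($0) ~ /^cbc/) print "WARN cipher-mode " val($0) " (current default: xts-plain64)" }
        /^Hash spec:/   { if (val($0) == "sha1") print "WARN hash sha1 (current default: sha256)" }
        /^MK bits:/     { if (val($0) + 0 < 256) print "WARN mk-bits " val($0) " (current default: 256 or more)" }
        /^Key Slot [0-7]: ENABLED/ { slots++ }
        END { print "INFO enabled-slots " (slots + 0) }
    '
}

# Number of passphrases that can currently unlock the container.
enabled_slots() { audit_luks_dump | awk '$2 == "enabled-slots" { print $3 }'; }

# Exit status 0 only when the dump produced no WARN lines.
dump_is_clean() { ! audit_luks_dump | grep -q '^WARN'; }

sample_dump | audit_luks_dump
```

On a real container the input would come from `cryptsetup luksDump /dev/loop0 | audit_luks_dump`; a key slot that is enabled but no longer needed is a candidate for luksKillSlot.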
Simplify the mount and unmount procedure
If you are looking at all these commands thinking "I am not going to remember this", then why not script the mount and unmount procedure?
mount-crypt.sh

    #!/bin/bash
    # Attach the container file, unlock it with LUKS and mount the filesystem.

    LOOPBACK_DEVICE=/dev/loop0
    CRYPT_DISK=/root/crypto/cryptdisk
    CRYPT_LABEL=crypt-disk
    CRYPT_MOUNTPOINT=/mnt/crypto

    # Attach the container file to the loopback device; stop if that fails.
    if ! losetup "${LOOPBACK_DEVICE}" "${CRYPT_DISK}"
    then
        echo "ERROR - Loopback device setup"
        exit 1
    fi
    echo "OK - Loopback device mapped."

    # Unlock the LUKS container (prompts for the passphrase).
    if ! cryptsetup luksOpen "${LOOPBACK_DEVICE}" "${CRYPT_LABEL}"
    then
        echo "ERROR Opening LUKS CryptoFS. Removing the loopback device."
        losetup -d "${LOOPBACK_DEVICE}"
        exit 1
    fi
    echo "OK - LUKS CryptoFS Opened."

    # Mount the decrypted mapping; on failure undo the previous two steps.
    if ! mount "/dev/mapper/${CRYPT_LABEL}" "${CRYPT_MOUNTPOINT}"
    then
        echo "ERROR mounting CryptoFS"
        cryptsetup luksClose "/dev/mapper/${CRYPT_LABEL}"
        losetup -d "${LOOPBACK_DEVICE}"
        exit 1
    fi
    echo "OK - Mounted CryptoFS"

umount-crypt.sh
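
    #!/bin/bash
    # Unmount the filesystem, lock the LUKS container and detach the loopback device.

    LOOPBACK_DEVICE=/dev/loop0
    CRYPT_DISK=/root/crypto/cryptdisk
    CRYPT_LABEL=crypt-disk
    CRYPT_MOUNTPOINT=/mnt/crypto

    # Stop at the first failure so a busy mount is not left half torn down.
    umount "${CRYPT_MOUNTPOINT}" || exit 1
    cryptsetup luksClose "/dev/mapper/${CRYPT_LABEL}" || exit 1
    losetup -d "${LOOPBACK_DEVICE}"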