Ubuntu: Make a secure encrypted vault

From ReceptiveIT

Overview

One of the big problems that computer users face these days is with passwords and other sensitive information. We all know that you should use strong passwords, and every website or login should use a different password. We also know that you should change passwords regularly and not write them down.

Like most people, I am guilty of reusing passwords. I do this because I don't write passwords down and I have trouble remembering the hundreds of passwords that I need to use throughout my life. Initially I thought about creating files that had permissions so only I could read them, but what if your computer gets compromised?

The solution is to store your info in an encrypted form. That way all you need to do is remember one strong password to unlock the vault.

Create the Vault

I chose to create a file that would hold the encrypted information for high availability, but you could use a partition or USB flash disk if you choose.

Make the raw container

Create the file that will hold the vault. My vault is going to be 64 MB, which is enough space for me.

root@server:~# mkdir crypto
root@server:~# cd crypto/
root@server:~/crypto# ls
root@server:~/crypto# dd if=/dev/zero of=cryptdisk bs=1M count=64
64+0 records in
64+0 records out
67108864 bytes (67 MB) copied, 0.159196 s, 422 MB/s

Now we attach the file to a loopback device so that it can be used as a block device.

root@server:~/crypto# losetup /dev/loop0 cryptdisk

Install the crypt software

Install cryptsetup using your package management tool. This software uses the kernel dm-crypt device mapper target and supports LUKS, which we will be using.

root@server:~/crypto# apt-get install cryptsetup

Format the encrypted container

We now need to initialise the encrypted disk. Time to luksFormat.

root@server:~/crypto# cryptsetup luksFormat /dev/loop0

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ******
Verify passphrase: ******
Command successful.

Open the encrypted container

We now need to open the encrypted disk. Time to luksOpen.

root@server:~/crypto# cryptsetup luksOpen /dev/loop0 crypto
Enter LUKS passphrase: ******
key slot 0 unlocked.
Command successful.

Create a filesystem

We now need to create a filesystem, just like we would on a normal hard disk.

root@server:~/crypto# mkfs.ext2 /dev/mapper/crypto
mke2fs 1.41.3 (12-Oct-2008)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
15872 inodes, 63484 blocks
3174 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=65011712
8 block groups
8192 blocks per group, 8192 fragments per group
1984 inodes per group
Superblock backups stored on blocks: 
       8193, 24577, 40961, 57345

Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 26 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Close the encrypted container

root@server:~/crypto# cryptsetup luksClose /dev/mapper/crypto

Handling multiple passwords

LUKS has the ability to store up to 8 different passwords. Each password is identified as a slot. The password that is initially created will be in slot 0. To perform any of these functions, your encrypted container must be opened.

Add a password

root@server:~/crypto# cryptsetup luksAddKey /dev/loop0
Enter any LUKS passphrase: ******
key slot 0 unlocked.
Enter new passphrase for key slot: ******
Verify passphrase: ******
Command successful.

Remove a password

root@server:~/crypto# cryptsetup luksKillSlot /dev/loop0 1
Enter any remaining LUKS passphrase: ******
key slot 1 verified.
Command successful.

Displaying LUKS header information

root@server:~/crypto# cryptsetup luksDump /dev/loop0
LUKS header information for /dev/loop0

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      ca ab 46 d5 3e 49 37 74 c4 3e 53 d7 16 1a 88 d8 48 38 a1 0e 
MK salt:        02 95 33 a2 0d 69 ce 52 26 b8 06 03 4f 0b f1 62 
               45 51 2a 92 fa 3d bc 61 df 74 49 62 11 d7 4f 6a 
MK iterations:  10
UUID:           ca9d656d-1516-4b57-a127-1081c10ace61

Key Slot 0: ENABLED
       Iterations:             342623
       Salt:                   da 61 97 c0 a1 9a 53 3d 47 78 00 54 86 7f ac 5b 
                               4e ff 10 51 d7 92 10 03 bc 41 01 1e e6 29 c6 76 
       Key material offset:    8
       AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
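
After adding or removing a password it is worth checking which key slots are really in use. The following is an added example, not part of the original page: it parses the LUKS1 luksDump text format shown above, lists the enabled slots and reports any slot outside an expected list. The function names, the sample input and the sha1 / 256-bit checks are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original page: audit LUKS1 `cryptsetup luksDump`
# text read from stdin, so the checks can be tried without a real device.

# Sample input abridged from the dump shown above (salt and digest lines left
# out). Slot 1 is switched to ENABLED here: a constructed change for the demo.
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/loop0

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        128

Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
EOF
}

# Print the value of one "Name: value" header field, e.g. "Cipher mode".
header_field() {
    awk -v key="$1" 'index($0, key ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print the numbers of all ENABLED key slots, space separated.
enabled_slots() {
    awk '/^Key Slot [0-7]: ENABLED/ { sub(":", "", $3); printf "%s%s", sep, $3; sep = " " }
         END { print "" }'
}

# Print one finding per line. $1 = space-separated slots expected to be in use.
# The sha1 and 256-bit checks are this example's own policy (an assumption).
audit_dump() {
    dump=$(cat)
    for slot in $(printf '%s\n' "$dump" | enabled_slots); do
        case " $1 " in
            *" $slot "*) ;;
            *) echo "unexpected passphrase in key slot $slot" ;;
        esac
    done
    hspec=$(printf '%s\n' "$dump" | header_field "Hash spec")
    bits=$(printf '%s\n' "$dump" | header_field "MK bits")
    [ "$hspec" = sha1 ] && echo "header hash is sha1"
    [ "${bits:-0}" -lt 256 ] && echo "master key is $bits bits, below 256"
    return 0
}
```

On a live system, source the file and feed it the real header: cryptsetup luksDump /dev/loop0 | audit_dump "0".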

Simplify the mount and unmount procedure

If you are looking at all these commands thinking "I am not going to remember this", then why not script the mount and unmount procedure?

mount-crypt.sh

#!/bin/bash
# Attach the container file, unlock it with LUKS and mount the filesystem.
# Each step stops the script on failure and undoes the steps before it.

LOOPBACK_DEVICE=/dev/loop0
CRYPT_DISK=/root/crypto/cryptdisk
CRYPT_LABEL=crypt-disk
CRYPT_MOUNTPOINT=/mnt/crypto

# Attach the container file to the loopback device
if ! losetup "${LOOPBACK_DEVICE}" "${CRYPT_DISK}"
then
       echo "ERROR - Loopback device setup"
       exit 1
fi
echo "OK - Loopback device mapped."

# Unlock the LUKS container (prompts for a passphrase)
if ! cryptsetup luksOpen "${LOOPBACK_DEVICE}" "${CRYPT_LABEL}"
then
       echo "ERROR Opening LUKS CryptoFS. Removing the loopback device."
       losetup -d "${LOOPBACK_DEVICE}"
       exit 1
fi
echo "OK - LUKS CryptoFS Opened."

# Mount the decrypted filesystem (the mount point must already exist)
if ! mount "/dev/mapper/${CRYPT_LABEL}" "${CRYPT_MOUNTPOINT}"
then
       echo "ERROR mounting CryptoFS"
       cryptsetup luksClose "/dev/mapper/${CRYPT_LABEL}"
       losetup -d "${LOOPBACK_DEVICE}"
       exit 1
fi
echo "OK - Mounted CryptoFS"

umount-crypt.sh

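#!/bin/bash
# Unmount the filesystem, lock the LUKS container and detach the loopback device.

LOOPBACK_DEVICE=/dev/loop0
CRYPT_DISK=/root/crypto/cryptdisk
CRYPT_LABEL=crypt-disk
CRYPT_MOUNTPOINT=/mnt/crypto

# Stop at the first failure so a still-mounted vault is reported, not ignored
umount "${CRYPT_MOUNTPOINT}" || exit 1
cryptsetup luksClose "/dev/mapper/${CRYPT_LABEL}" || exit 1
losetup -d "${LOOPBACK_DEVICE}"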