Linux encrypted container
Download as PPTX, PDF0 likes181 views
This document provides instructions for creating an encrypted container on Linux using cryptsetup and LUKS encryption. It describes how to create a loopback device, format it with LUKS encryption, mount the encrypted volume, store data on it, and close the volume for secure storage. The process involves allocating space for the container, encrypting it with a passphrase, opening it to access the encrypted block device, mounting and formatting it to store data, unmounting and closing it for security.
Linux encrypted container
- 1. Linux encrypted Container Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM LinkedIn: http://ca.linkedin.com/in/herouxma Twitter: @herouxma 08/25/2017 / Version 1.1 Guide for Ubuntu 12.04/14.04 Quickly create an encrypted drive to store your confidential data under Linux. This guide provides the quick steps!
- 2. Preparation **Commands to be executed are in black #install cryptsetup sudo apt-get install cryptsetup #creating the file as the container (5G in this example) sudo fallocate -l 5G /root/container.bin #list all loopback device on the system and choose one free #in our example we choose /dev/loop0 sudo ls -liha /dev/loop* #bind the container to the loopback device #if we get an error using /dev/loop0 #we can use /dev/loop1 (and adjust subsequent #commands according to our choice) sudo losetup /dev/loop0 /root/container.bin Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM LinkedIn: http://ca.linkedin.com/in/herouxma Twitter: @herouxma 08/25/2017 / Version 1.1
- 3. Adjust the container **Commands to be executed are in black #run fdisk to adjust the partition table sudo fdisk /dev/loop0 Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel Building a new DOS disklabel with disk identifier 0x20ce46d0. Changes will remain in memory only, until you decide to write them. After that, of course, the previous content won't be recoverable. Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite) Command (m for help): n Partition type: p primary (0 primary, 0 extended, 4 free) e extended Select (default p): p Partition number (1-4, default 1): Using default value 1 First sector (2048-1023999, default 2048): Using default value 2048 Last sector, +sectors or +size{K,M,G} (2048-1023999, default 1023999): Using default value 1023999 Command (m for help): w The partition table has been altered! Calling ioctl() to re-read partition table. WARNING: Re-reading the partition table failed with error 22: Invalid argument. The kernel still uses the old table. The new table will be used at the next reboot or after you run partprobe(8) or kpartx(8) Syncing disks. Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM LinkedIn: http://ca.linkedin.com/in/herouxma Twitter: @herouxma 08/25/2017 / Version 1.1
- 4. Encrypt the container **Commands to be executed are in black #let’s encrypt the container and create a passphrase to secure access to container cryptsetup --verbose --verify-passphrase luksFormat /dev/loop0 WARNING! ======== This will overwrite data on /dev/loop0 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: ********************* Command successful.. **--verbose (show visual output) --verify-passphrase (ask twice the passphrase for confirmation) Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM LinkedIn: http://ca.linkedin.com/in/herouxma Twitter: @herouxma 08/25/2017 / Version 1.1
- 5. Connect block device and format **Commands to be executed are in black #mount the container to /dev/mapper/container cryptsetup luksOpen /dev/loop0 container Enter passphrase for /dev/loop0: #format the container mkfs.ext4 -j /dev/mapper/container Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM LinkedIn: http://ca.linkedin.com/in/herouxma Twitter: @herouxma 08/25/2017 / Version 1.1
- 6. Mount the volume **Commands to be executed are in black #create the folder we will use to mount the volume (may automatically mount) mkdir /mnt/cryptvolume #mount the volume (may automatically mount) mount /dev/mapper/container /mnt/cryptvolume #Look at the volume we just mounted df -h Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM LinkedIn: http://ca.linkedin.com/in/herouxma Twitter: @herouxma 08/25/2017 / Version 1.1
- 7. Closing the volume **Commands to be executed are in black #when finished working with the volume, it is suggested to close it cryptsetup luksClose container #look to make sure our device “container” is now closed #the control device is a device that is used to create other mapped devices #we can safely ignore this, as it is supposed to be here. ls /dev/mapper Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM LinkedIn: http://ca.linkedin.com/in/herouxma Twitter: @herouxma 08/25/2017 / Version 1.1
- 8. How to use it daily? **Commands to be executed are in black #open the container and provide the passphrase sudo cryptsetup luksOpen /root/container.bin container #mount the volume (may automatically mount) sudo mount /dev/mapper/container /mnt/cryptvolume #unmount the volume when finish working with sensitive data sudo umount /dev/mapper/container #close the container to keep file secure from access sudo cryptsetup luksClose container Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM LinkedIn: http://ca.linkedin.com/in/herouxma Twitter: @herouxma 08/25/2017 / Version 1.1
- 9. References Encrypted Containers Without TrueCrypt, Eric Hansen, Moderator at linux.org. http://www.linux.org/threads/encrypted-containers-without-truecrypt.4478/ LUKS: Disk Encryption https://guardianproject.info/code/luks/ How To Use DM-Crypt to Create an Encrypted Volume on an Ubuntu VPS - DigitalOcean https://www.digitalocean.com/community/tutorials/how-to-use-dm-crypt-to-create-an-encrypted-volume-on-an- ubuntu-vps Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM LinkedIn: http://ca.linkedin.com/in/herouxma Twitter: @herouxma 08/25/2017 / Version 1.1