
Encrypted Storage: Create Encrypted File Container Ubuntu 16.04LTS

Luks-formatted file container on your harddrive or cloud storage solutions


In 2017 a lot of security issues surfaced, and ransomware is lurking in cyberspace preying on its next victim. Be it the oft-quoted 'vulnerable operating system' like Windows, or the 'more secure' platforms like Linux-kernel-driven operating systems or the Macintosh operating system, once your data is in the cloud, you are equally vulnerable.

Hence, we can take one small step towards securing our data online. I have read an article on this topic on a security blog written by Nick Thomadakis from Cybrary, an education provider for IT security.

You can read it on that website. Just be aware that you need to register to view the content, or you can use the Chrome extension ScriptSafe to block the scripts the website serves to your browser.

Let's begin with the first approach (a casual approach to creating the file container):


1st step: Let's check for the module dm_crypt (to know more, click on the attached link to the Arch Linux documentation on dm-crypt), the kernel's device-mapper target that creates an encrypted virtual block device using the cryptographic capability built into the Linux kernel.

Run command: lsmod | grep 'dm_crypt'

If the module is loaded the following output should appear below the command:

dm_crypt                                     28672          0

2nd step: If not, we can load the dm_crypt module with the verbose option (-v) to watch the module being activated.

Run command: sudo modprobe -v dm_crypt

3rd step: We proceed to install cryptsetup, the Ubuntu package that provides the userspace tool for dm-crypt. (You can read the man pages by running the command man cryptsetup.)

Run command: sudo apt-get install cryptsetup

4th step: With the package installed, we can now set up the file container properly. We choose a storage size that suits our own needs. For example, I am going to create a 500MB file container in my Dropbox folder by navigating to the Dropbox folder and creating a file called 'crypt' with the fallocate command.

Run command: cd ~/path/to/Dropbox
                         fallocate -l 500MB crypt

Note: Depending on your storage capacity on Dropbox or other media, you can specify the file container size with one of the following multiplicative suffixes (decimal, powers of 1000): KB, MB, GB, TB, PB, EB, ZB and YB (or the alternative binary suffixes, powers of 1024: KiB, MiB, GiB, TiB, PiB, EiB, ZiB, YiB).

A 500MB file with no recognised filesystem appears in my Dropbox folder. It is time to encrypt the file container with an industrial-strength application.

5th step: Let's start using the cryptsetup application to encrypt 'crypt' in the LUKS format, an open-source, industrial-grade encryption standard which is claimed to require several times the world's GDP to break.

Run command: sudo cryptsetup luksFormat ~/path/to/Dropbox/crypt

We answer YES (in uppercase letters) to the prompt to overwrite the 'crypt' file container irrevocably. We then set the password (passphrase) that we will need to open the 'crypt' file container. You can generate a strong but easy-to-type (on your laptop keyboard) passphrase with a password manager such as KeePass2 (or KeePassX), which is recommended because it is also readily available on Android smartphones and Windows for your day-to-day web surfing.

6th step: Now we open the LUKS-formatted 'crypt' file container under an intermediate mapping name, arbitrarily called 'decrypt' (you can use a simple two-letter name like 'SG' instead). The command takes the form 'sudo cryptsetup luksOpen /path/to/source name', where the second argument is the mapping name rather than a path; the unlocked container then appears as the block device /dev/mapper/name. Note that the option 'luksOpen', like the previous option 'luksFormat', has an uppercase 'O' and 'F' respectively after the 'luks' prefix.

Run command: sudo cryptsetup luksOpen ~/path/to/Dropbox/crypt decrypt

7th step: Before we save any files, we need to create a proper filesystem on the unlocked 'decrypt' device, whose path is /dev/mapper/decrypt. In my case, I chose ext4, which has been stable since late 2009 (the October 2009 release of Ubuntu 9.10).

Run command: sudo mkfs -t ext4 /dev/mapper/decrypt

8th step: Now we create an arbitrarily named folder in $HOME with root permission. In my case I create a folder called 'secondcrypt', so that the decrypted files are not easily editable by people without root permission.

Run command: sudo mkdir ~/secondcrypt

9th step: We can now mount the 'decrypt' device on the 'secondcrypt' folder. Once done, we can start saving files in the folder with root permission. Note: some files cannot be saved directly when you edit them with an application that has no root permission. In that case, save the file in a temporary location and move it into the mounted 'secondcrypt' folder with root permission. Alternatively, you can edit the file permissions directly using sudo nautilus.

Run command: sudo mount /dev/mapper/decrypt ~/secondcrypt

10th step: Once we are done saving our precious work, we proceed to unmount the 'secondcrypt' folder. Then we close the intermediate decrypted device 'decrypt' using the luksClose command (in the form sudo cryptsetup luksClose name).

Run command: sudo umount ~/secondcrypt
                         sudo cryptsetup luksClose decrypt


Now, the serious second approach, which is more secure:


We only need to alter the 4th step compared with the first approach, which may be less secure. The reference here is written by Justin Ellingwood from DigitalOcean, a cloud infrastructure service provider. The file container referred to there is hosted on a Virtual Private Server (VPS).

4th step: The move away from the above approach is due to the fact that fallocate only reserves blocks: old, deleted files may still exist beneath the space now allocated to ~/path/to/Dropbox/crypt, the 'crypt' file container, and the encrypted data may be easily distinguished from the rest of the hard disk drive, which is filled with zeros and random data.

One way of securely erasing the old, deleted data is to use the dd command. (You can read the man pages by running the command man dd.) Below are the dd commands given by Justin Ellingwood in the DigitalOcean blog.

'Most paranoid' Run command: dd if=/dev/random of=~/path/to/Dropbox/crypt bs=1M count=512
'Secure' Run command: dd if=/dev/urandom of=~/path/to/Dropbox/crypt bs=1M count=512
'Quite Secure' Run command: dd if=/dev/zero of=~/path/to/Dropbox/crypt bs=1M count=512

How secure the wipe of the allocated space is depends mainly on the input file (if=) assigned to one of the three pseudo-devices: /dev/zero, /dev/urandom and /dev/random. Note that bs=1M count=512 writes 512 MiB, slightly more than the 500MB reserved earlier; dd truncates and rewrites the output file, so the container ends up 512 MiB in size. Adjust count to match the size you want.

The /dev/urandom pseudo-device is good enough to mimic the encrypted data that will later be written into the 'crypt' file container.


Conclusion


Let's summarise the commands we will need day to day to store our data in the 'crypt' file container.

1st command: sudo cryptsetup luksOpen ~/path/to/Dropbox/crypt decrypt
2nd command: sudo mount /dev/mapper/decrypt ~/secondcrypt
3rd command: sudo umount ~/secondcrypt
4th command: sudo cryptsetup luksClose decrypt
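The second approach (random fill instead of fallocate) and the four daily-use commands above, gathered into one script as an added example that is not part of the original post and is not taken from the Cybrary or DigitalOcean articles. It assumes the post's names (container at ~/Dropbox/crypt, mapping name decrypt, mount point ~/secondcrypt) as overridable defaults; the script name cryptbox.sh, the DRY_RUN switch and the helper functions are this example's own inventions. The state checks use cryptsetup status and mountpoint -q so that a repeated open, or a close while the filesystem is still mounted, does not fail halfway through.

```shell
#!/usr/bin/env bash
# cryptbox.sh: an added example, not code from the original post.
# Wraps the post's commands in one script:
#   create SIZE  - the second approach: fill the container from /dev/urandom
#                  (instead of fallocate), then luksFormat, luksOpen, mkfs, luksClose
#   open / close - the four daily-use commands, with state checks so that a
#                  double "open" or a "close" with the filesystem still mounted is safe
# Paths, the mapping name and the helper names below are this example's own choices.
set -eu

CONTAINER="${CONTAINER:-${HOME:-$PWD}/Dropbox/crypt}"   # the LUKS file container
MAPPING="${MAPPING:-decrypt}"                            # name under /dev/mapper
MOUNTPOINT="${MOUNTPOINT:-${HOME:-$PWD}/secondcrypt}"    # where the ext4 filesystem is mounted
DRY_RUN="${DRY_RUN:-0}"                                  # DRY_RUN=1: print the plan, run nothing

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Turn a size like 500M or 2G into a dd block count at bs=1M (binary units, so
# 2G = 2048 MiB; unlike the post's 500MB, which fallocate reads as 500*10^6 bytes).
size_to_mib() {
    local n="${1%[MG]}"
    case "$n" in ''|*[!0-9]*) echo "size must look like 500M or 2G" >&2; return 1 ;; esac
    case "$1" in
        *M) echo "$n" ;;
        *G) echo "$(( n * 1024 ))" ;;
        *)  echo "size must look like 500M or 2G" >&2; return 1 ;;
    esac
}

# Steps 1-2 of the post: load dm_crypt unless lsmod already lists it.
ensure_dm_crypt() {
    if lsmod 2>/dev/null | grep -q '^dm_crypt[[:space:]]'; then return 0; fi
    run sudo modprobe -v dm_crypt
}

# Real state checks; never consulted in DRY_RUN mode (see cmd_open/cmd_close).
is_open()    { sudo cryptsetup status "$MAPPING" >/dev/null 2>&1; }
is_mounted() { mountpoint -q "$MOUNTPOINT"; }

# Second approach: overwrite the container's space with random bytes, so that
# leftover deleted data is destroyed and the LUKS payload does not stand out.
cmd_create() {
    local size_mib
    size_mib=$(size_to_mib "${1:?usage: create SIZE, e.g. create 500M}")
    if [ "$DRY_RUN" != 1 ] && [ -e "$CONTAINER" ]; then
        echo "refusing to overwrite existing $CONTAINER" >&2
        return 1
    fi
    ensure_dm_crypt
    run dd if=/dev/urandom of="$CONTAINER" bs=1M count="$size_mib"
    run sudo cryptsetup luksFormat "$CONTAINER"             # asks for YES and a passphrase
    run sudo cryptsetup isLuks "$CONTAINER"                 # fails if no LUKS header was written
    run sudo cryptsetup luksOpen "$CONTAINER" "$MAPPING"    # asks for the passphrase again
    run sudo mkfs -t ext4 "/dev/mapper/$MAPPING"
    run sudo cryptsetup luksClose "$MAPPING"                # leave it locked until "open"
}

# Daily use: unlock, then mount (summary commands 1 and 2).
cmd_open() {
    if [ "$DRY_RUN" = 1 ] || ! is_open; then
        run sudo cryptsetup luksOpen "$CONTAINER" "$MAPPING"
    fi
    [ -d "$MOUNTPOINT" ] || run sudo mkdir -p "$MOUNTPOINT"   # step 8: root-owned folder
    if [ "$DRY_RUN" = 1 ] || ! is_mounted; then
        run sudo mount "/dev/mapper/$MAPPING" "$MOUNTPOINT"
    fi
}

# Daily use: unmount first, then lock (summary commands 3 and 4). The order
# matters: luksClose fails while the filesystem is still mounted.
cmd_close() {
    if [ "$DRY_RUN" = 1 ] || is_mounted; then run sudo umount "$MOUNTPOINT"; fi
    if [ "$DRY_RUN" = 1 ] || is_open; then run sudo cryptsetup luksClose "$MAPPING"; fi
}

main() {
    case "${1:-}" in
        create) cmd_create "${2:-}" ;;
        open)   cmd_open ;;
        close)  cmd_close ;;
        *)      echo "usage: [DRY_RUN=1] $0 create SIZE | open | close" >&2; return 1 ;;
    esac
}

# Dispatch only when given arguments, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

DRY_RUN=1 ./cryptbox.sh create 500M prints the exact commands without touching anything, which is a good way to review them before the real run. Without DRY_RUN, create asks for YES and the passphrase at luksFormat and for the passphrase again at luksOpen, and filling from /dev/urandom takes noticeably longer than fallocate did. The create size uses binary M/G units rather than the post's decimal 500MB.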


Happy encrypting our data!
