Secret Messages
DM-Crypt SYSADMIN
Hard disk encryption with DM-Crypt, LUKS, and cryptsetup

SECRET MESSAGES

If you're serious about keeping secrets, try hard disk encryption with DM-Crypt and LUKS.
BY CLEMENS FRUHWIRTH AND MARKUS SCHUSTER

File encryption is a popular means for ensuring the security and privacy of file-based data. An intruder who breaks through your firewall won't be able to read your private files if they are encrypted, right?

Actually, selective file encryption provided by utilities such as GnuPG covers some of your tracks, but it may not cover all of them. An intruder can still learn about your system – and maybe even reconstruct some of your file data – by snooping through secret files, temporary files, configuration data, and command histories. The /var/spool/cups directory, for example, could yield a treasure trove of data about files you might have printed in the past, and tools such as the Gnome Thumbnail Factory could be storing an unencrypted thumbnail of your encrypted images.

Rather than combing through every action performed on every file to remove any trace of the data, Linux users can choose to encrypt data at a deeper level using DM-Crypt. The dm-crypt kernel module works at the block device level, enabling users to encrypt whole partitions. The process is transparent to the application, provided the user has been granted access to the data. DM-Crypt encrypts the so-called backing device (the physical disk) and uses a virtual block device to provide access to the cleartext content below /dev/mapper. Users can access this block device to set up and mount the filesystem. This article examines the technology that underlies DM-Crypt and the new LUKS (Linux Unified Key Setup) management tool.

En Route to a Crypto Setup

DM-Crypt builds on a flexible layer known as the device mapper. Device mapper modules are configured via so-called DM Tables – simple text files that specify how the device mapper should handle access to areas of the virtual disk. The dmsetup program parses these text files and uses ioctl() calls to pass the details to the kernel.

The DM table format for DM-Crypt is very clumsy for daily use. The software expects the key to be a fixed length hexadecimal string. The module uses the key to encrypt the block device data. However, storing the key permanently in a DM table file is just like leaving your door key hanging on the door knob. Instead, the key needs to be entered whenever you mount the device.

THE AUTHORS
Clemens Fruhwirth is the author of LUKS and a white paper entitled "New Methods in Hard Disk Encryption," which defines the underlying theories. Clemens is also the inventor of ESSIV and the implementor of LRW-AES and EME for Linux.
Markus Schuster is a system integrator with Bits & Bytes (a Bavarian IT service provider); he refers to himself as a free software all-rounder and has been using LUKS ever since its inception.

WWW.LINUX-MAGAZINE.COM ISSUE 61 DECEMBER 2005 65

Typing up to 32 hex characters from memory may not be easy, but cryptsetup can help. cryptsetup is a tool that generates a cryptographic key from a (more simple) pass phrase, then passes the key to the kernel. Figure 1 shows you the cryptsetup environment.

Two important cryptsetup features can be parametrized: key generation and encryption. The former specifies how cryptsetup will generate a key from a password supplied by a user. This defaults to a hash algorithm, which gives the user the freedom of selecting a password of any length. The hash will compress the information to provide a fixed number of bytes. Figure 1 shows cryptsetup using its defaults: the Ripemd-160 hash generates a 256-bit key.

Two parameters need to be selected for the encryption process: the algorithm and the mode. cryptsetup passes these parameters and the derived key to the kernel, and the DM-Crypt module coordinates the procedure, using the Crypto-API to handle encryption.

Use the Force, LUKS

Unfortunately, there is a downside to cryptsetup. It separates the details on what to do with a set of encrypted information from the encrypted information. The cryptsetup parameters are mostly located in scripts or configuration files which, obviously, can't be on the encrypted partitions. If you lose these files or can't remember the settings for a portable disk, you will lose access to your encrypted data.

LUKS (Linux Unified Key Setup) removes this segregation. LUKS is a formal standard [3], implemented by the cryptsetup-LUKS tool [4] (Figure 2). The latter is a fork of the original cryptsetup. LUKS defines a header for DM-Crypt partitions (Figure 3); the header includes all the information for safe key generation. As the header is part of the encrypted partition, the settings are always available right where they are needed.

cryptsetup-LUKS and the original cryptsetup also differ with respect to the way they generate a key from a pass phrase (Figure 2). LUKS password management is based on three concepts: key hierarchies, PBKDF2, and anti-forensic information storage.

Secure Password Management

The legacy cryptsetup application passes the key, which is generated from the password, directly to the kernel. The major drawback to this approach is that the software needs to re-encrypt all data whenever the password is changed.

cryptsetup-LUKS introduces an additional password management layer to remove this need. The key hierarchy inserts an extra encryption layer between the derived key and the key used by the kernel to protect the data on the partition. Thus, the derived key only protects the so-called master key, which encrypts the data on the partition (Figure 2).

To change the password, cryptsetup-LUKS decrypts the master key using the old password, re-encrypts the key using the new password, and overwrites the copy of the old master key with the new value. As the cleartext master key is not affected by this process, the encrypted partition data remains valid. This can save you half a day's work if you would otherwise need to re-encrypt 120 GBytes; the key hierarchy reduces the time needed to change a password to just a few seconds.

LUKS stores the encrypted master key in the partition header without imposing a single copy restriction. To support multiple passwords for a single partition, LUKS can store multiple, equivalent copies of the master key and encrypt each one of them with a different string. Each of these passwords gives the user access to the cleartext content on the disk. This [...]

Figure 1: cryptsetup (top) prompts the user for a password and uses a hash to create a fixed length key, which it then passes on to the kernel (center). DM-Crypt (bottom) uses the key to encrypt and decrypt data on the hard disk (or backing block device). [Diagram: password → hash (Ripemd-160, 256 bit key) → DM table → DM-Crypt and Crypto API (AES-CBC, IV mode plain) → /dev/mapper/Virtual_Mapping → backing block device.]

Figure 2: cryptsetup-LUKS stores the parameters for the encrypted partition in the backing block device partition header (top left). The derived key protects the master key, which encrypts the data on the partition. [Diagram: partition header with PBKDF2 settings and encryption parameters → PBKDF2 → derived key → decipher master key → DM table → DM-Crypt and Crypto API (AES-CBC, IV mode plain) → /dev/mapper/Virtual_Mapping → backing block device.]

[...] domain and the key domain. Simple padding would produce a bigger key, but it would be no more random than the password, and thus it would be just as easily guessed. Let's imagine that a user entered only English words; this would restrict the scope of the password domain and not provide enough entropy. An attacker could simply run a dictionary attack instead of trying the 2^128 keys that a 128-bit key [...]

[...] the dictionary. In fact, the attacker would need the hashes for each word in the dictionary and for every combination of the appended string. The longer the salt, the bigger the attacker's table would need to be. PBKDF2 pushes the size of the table to an unimaginable scale. The universe has fewer atoms than the number of entries the universal dictionary would need to contain every single PBKDF2 combination.

With all hope of using tables dwindling, attackers are forced back to number crunching. The legacy Unix password mechanism uses a similar approach, by the way; however, the salt is a lot shorter in this case (12 bits stored in the first two digits).

Figure 3: LUKS adds the parameters needed by cryptsetup-LUKS to generate the key from a password entered by a user to the header of the encrypted partition. Each key slot contains an encrypted copy of the master key which DM-Crypt uses for data protection. [Diagram of the on-disk layout: partition header (LUKS version, encryption algorithm, encryption mode, size of master key, master key checksum, UUID), followed by key slots 1 to 8 and the encrypted data; each key slot holds an encrypted copy of the master key, the PBKDF2 salt parameter, and the PBKDF2 stretch parameter.]

Shredding

As we mentioned earlier, data shredding on magnetic storage devices is very difficult to perform [2].
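The key hierarchy and the salted, stretched PBKDF2 derivation described above, as an added example that is not cryptsetup's or LUKS's own code: a toy header with PBKDF2-protected key slots and a master-key checksum, in which a password change re-wraps the master key while the encrypted data stays untouched. The XOR wrapping and the HMAC counter keystream stand in for the AES encryption that LUKS and dm-crypt actually use; the iteration count, key slot layout and sample data are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # PBKDF2 "stretch" parameter; constructed value, not the LUKS default
KEY_LEN = 32          # 256-bit master key, matching the article's default key size


def derive(secret: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt defeats precomputed dictionaries, the
    iteration count makes every password guess cost `iterations` hash calls."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, KEY_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_header(master_key: bytes) -> dict:
    """Header keeps a PBKDF2 checksum of the master key (as LUKS does) and no slots yet."""
    salt = os.urandom(16)
    return {"mk_salt": salt, "mk_digest": derive(master_key, salt), "slots": []}


def add_slot(header: dict, master_key: bytes, password: str) -> None:
    """Wrap a copy of the master key under a fresh salt. The XOR one-time pad is a
    stand-in for LUKS's AES wrapping; each derived key is used exactly once."""
    salt = os.urandom(16)
    wrapped = xor(master_key, derive(password.encode(), salt))
    header["slots"].append({"salt": salt, "iters": ITERATIONS, "wrapped": wrapped})


def open_slot(header: dict, password: str) -> tuple:
    """Try every slot; accept a candidate only if its checksum matches the header."""
    for idx, slot in enumerate(header["slots"]):
        candidate = xor(slot["wrapped"], derive(password.encode(), slot["salt"], slot["iters"]))
        if hmac.compare_digest(derive(candidate, header["mk_salt"]), header["mk_digest"]):
            return idx, candidate
    raise ValueError("no key slot opens with this password")


def change_password(header: dict, old: str, new: str) -> None:
    """Re-wrap the master key only; the encrypted data on the device is untouched."""
    idx, master_key = open_slot(header, old)
    del header["slots"][idx]
    add_slot(header, master_key, new)


def crypt_data(master_key: bytes, data: bytes) -> bytes:
    """Stand-in for dm-crypt's AES: XOR with an HMAC-SHA256 counter keystream (symmetric)."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(master_key, i.to_bytes(8, "big"), "sha256").digest()
                      for i in range(blocks))
    return xor(data, stream)
```

Writing `disk = crypt_data(mk, data)` once and then calling `change_password(header, old, new)` leaves `disk` byte-for-byte unchanged, while `open_slot(header, new)` still recovers `mk`.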