Data security on Linux using cryptsetup

With the world overwhelmed by the data surge, we’ve seen many security issues come with it. You might have heard of the massive Yahoo and Dropbox data breaches, which compromised millions of accounts. Data is becoming the new gold, and criminal organizations know that very well; in recent years it has exploded, and everyone is a target. Hackers are using more sophisticated techniques and becoming cleverer. Those threats aren’t going away, and we will have to live with them. Which brings us to another important point: security.

News of data being stolen is almost commonplace nowadays. If you think about it, one of the main reasons we are in that unfortunate situation today is the lack of prevention: all those breaches could have been prevented if security protocols had been followed correctly when handling data. As we know, human beings are the weakest point of defense when it comes to security. People tend to think that it only happens to others until it happens to them. That is why it is not recommended to download suspicious files or to click on strange hyperlinks sent to you by email; doing so might end up infecting your computer or even your network!

How to protect data?

Let’s think about it for a minute: what is the worst case? The worst case would be that someone has full access to our system. That is why we have to secure our data in such a way that even if someone has complete access to our computer(s), the data itself stays uncompromised and out of reach of the attacker(s).

There is a relatively simple security measure that we can use; it was first used thousands of years ago during the ‘Age of the Pyramids’. It is 1900 BCE, and carved into the wall of a tomb somewhere in Egypt are strange hieroglyphs that don’t look like standard Egyptian hieroglyphs. Those carvings seemed to convey a secret message that was intended to be unintelligible. That was the earliest usage of what we know today as cryptography, also known as encryption. Encrypting is the act of making information unreadable by changing its original form.

Using encryption algorithms to make information unintelligible is one of the best ways we have at our disposal today to protect data. Implementing it could deter many potential attackers; it is the closest layer of protection we can add to valuable and confidential information. There are multiple tools available that do the job on the Windows operating system; from BitLocker to VeraCrypt, we’ve got a myriad of choices.

But here we won’t be focusing on the Windows operating system; we’ll take a look at what Linux has to offer in terms of encryption tools. I will also explain why it should be our system of choice to store secrets.

The Windows/Linux debate

Let’s be honest, Windows isn’t always the best choice in terms of security. With thousands of known viruses lurking on the web looking for a vulnerable Windows system, that isn’t good news. On the other hand, Linux-specific malware is pretty rare on the web, but it does exist. Malware targeted specifically at Linux has always had a tough time due to the lack of root access to a Linux system.

Linux has a kernel (core) which is in itself more secure. It also has a completely different and complex file system. The user isn’t even the admin by default: no changes can be made without the “root” password, which makes a big difference. A hacker will need that password to make changes to the system that will then grant him full access to the computer. On top of that, we’ve got multiple kernel versions, which makes it even harder for anyone to compromise a specific system. Linux being open-source is also a plus for security: there are thousands of developers looking into the source code and fixing issues every day. Linux in general gets updated more frequently, unlike Windows, which sometimes even delays security patches. There are many reasons why Linux is the operating system of choice when dealing with security and privacy, which we won’t be going into.

Let’s just jump right into it and start encrypting!

Cryptsetup

Cryptsetup is a well-known open-source tool used for bulk encryption under Linux. We’ll look into it and see what it is and how it works. We won’t be going deep into the algorithmic details or its advanced features, but we’ll get a good overview of how to use it in a relatively simple use case.

We can encrypt anything from SD cards to SSDs, but here we’ll be encrypting a flash drive to keep it nice and simple.

Let’s first see how well my CPU (i7 3520M) performs with the different encryption algorithms.

Let’s run sudo cryptsetup benchmark and see what we get.

[Screenshot: cryptsetup benchmark output]
As we can see, the test used “memory only”, so there’s no storage input/output.

Let’s break it down.

PBKDF2, or Password-Based Key Derivation Function 2, is a hashing function used to add entropy or randomness to a keyboard-derived password. We then end up with a 256-bit key that was obtained with multiple iterations. The lower the iterations, the better it is. Why? Because it took longer for our processor to derive the 256-bit key. That way we can gauge how strong the algorithm is against a brute-force attack by that same CPU, but we have to keep in mind that people who brute-force might be using hardware that is far more powerful than what we have.

“sha1”, “sha256”, “sha512”, “ripemd160” and “whirlpool” are cryptographic hash functions.

The “iterations per second for 256-bit key” is the number of iterations it took to process a PBKDF2 256-bit key. Generally, the lower the better.

In the “Algorithm” column we can see the different encryption algorithms with their respective “Encryption” and “Decryption” speeds. As you can see, “aes-xts” has the fastest encryption and decryption speed because the i7 3520M is optimized by Intel’s “Intel® AES New Instructions” for bulk encryption/decryption. The Advanced Encryption Standard, or AES, is one of the most secure encryption algorithms being used worldwide today; it is also a standard in the United States.

For our tutorial we’ll be using aes-xts with a 512-bit key.

Let’s first run sudo fdisk -l to see our USB mount point.

[Screenshot: device listing]
We see here that it is “/dev/sdb1”; we now know which device we will be encrypting, great!

Our command to encrypt will be:

sudo cryptsetup luksFormat /dev/sdb1 -c aes-xts-plain --key-size 512 --hash sha512 --iter-time 10000 --verbose

Let’s see what each one of those arguments and options does. Bear with me!

“luksFormat” is used to format a partition into a LUKS partition. LUKS, or Linux Unified Key Setup, is a disk encryption specification made specially for Linux systems.

“/dev/sdb1” is our device, i.e. the USB drive.

“-c” is the cipher, which will be “aes-xts-plain”.

“--key-size” is the size of our key, which is “512”.

“--hash” is the hashing algorithm, “sha512”.

“--iter-time” is the amount of time in milliseconds that PBKDF2 will take to derive our key; we’ll set it to “10000”. That’s a crucial part: setting it high adds more randomness to our passphrase. It will also add more load to the CPU, therefore taking a longer time during decryption. Setting it high is good against brute-force attacks.

“--verbose”, to add a little verbosity!
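
To make the “iterations per second” figure from the benchmark and the “--iter-time” option concrete, here is an added Python example (not part of the original tutorial and not cryptsetup’s own code) that measures PBKDF2 speed with hashlib and converts a time budget into an iteration count. The function names, the sample passphrase and the 1000x attacker speed-up are assumptions made for the illustration.

```python
import hashlib
import os
import time


def benchmark_pbkdf2(hash_name, key_bytes=32, probe_iterations=20_000):
    """Measure PBKDF2 iterations per second for hash_name on this CPU."""
    salt = os.urandom(32)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"benchmark", salt, probe_iterations, dklen=key_bytes)
    return probe_iterations / (time.perf_counter() - start)


def iterations_for(iter_time_ms, iterations_per_second):
    """Iteration count that keeps this CPU busy for about iter_time_ms."""
    return int(iterations_per_second * iter_time_ms / 1000)


def guesses_per_day(iterations, attacker_iterations_per_second):
    """Passphrase guesses per day at a given PBKDF2 throughput."""
    return attacker_iterations_per_second * 86_400 / iterations


def derive_key(passphrase, salt, iterations, hash_name="sha512", key_bytes=64):
    """Stretch a passphrase into key_bytes of key material (64 bytes = 512 bits)."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase.encode(), salt, iterations, dklen=key_bytes)


if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha512"):
        rate = benchmark_pbkdf2(name)  # 256-bit key, as in the benchmark table
        count = iterations_for(10_000, rate)  # the tutorial's --iter-time 10000
        print(f"{name:8s} {rate:12.0f} iter/s -> {count:12d} iterations for 10 s")
        # Constructed assumption: an attacker rig 1000x faster than this CPU.
        print(f"         1000x faster rig: {guesses_per_day(count, rate * 1000):,.0f} guesses/day")
    salt = os.urandom(32)  # random salt, stored alongside the derived data
    key = derive_key("constructed sample passphrase", salt, 100_000)
    print("512-bit key:", key.hex())
```

The ratio is what matters: a fixed iteration count costs every guess the same work, so a machine N times faster than ours tests N passphrases in the time we need for one unlock.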

Let’s run our command!

[Screenshot: running the luksFormat command]
It will ask you to type “YES” in capital letters and confirm the passphrase twice.

Great! Our flash drive is now encrypted.

Let’s take a look at the header of our LUKS partition by running sudo cryptsetup luksDump /dev/sdb1

[Screenshot: LUKS header dump]
This is the header, where all the information about the encrypted LUKS partition is. As you can see, there’s a lot of information stored in the header.

If we take a look with a disk utility tool, we’ll see that our drive is indeed encrypted. Let’s use the GNOME Disk Utility to create a storable volume.

[Screenshot: GNOME Disk Utility showing the locked volume]
We can see here that our volume is locked; let’s unlock it by clicking on the little lock.

[Screenshot: GNOME Disk Utility, unlocking the volume]
After unlocking it you should get a new “Unknown” volume.

[Screenshot: GNOME Disk Utility, the “Unknown” volume]
We will choose our “Unknown” volume, click on the dented circle button and format our partition into an “EXT4” volume. (You can also choose FAT.)

[Screenshot: GNOME Disk Utility, formatting the volume]
After formatting it, you’ll end up with a new LUKS encrypted storable EXT4 volume.

[Screenshot: GNOME Disk Utility, the finished EXT4 volume]
There you go!

That was easy, no? We’ve just scratched the surface though.

You can explore all the great features cryptsetup has to offer at: https://linux.die.net/man/8/cryptsetup

Enjoy encrypting and stay safe fellas!

Keep in mind that cryptsetup with the Linux Unified Key Setup was made to be used on Linux only.

Disclaimer: I am not liable for any data loss, use at your own risk.
