How to Use DM-Crypt to encrypt a Linux File System?



Readers often ask us how to implement filesystem encryption on Linux. Before going into the topic in depth, I would like to clarify two points:

First, it is hard to find enough information on the Internet, so I will point you to a few really useful resources that are hard to come across (in fact, several tutorials).

Second, it is important to understand the technical details of the problem. That is what this article is about: I will explain how the encryption is implemented and point to further resources.

People often say they want to encrypt data, but they tend to skip a fundamental question: what exactly do they want to encrypt? Do they want an application to encrypt its own data and then store the result as a single file on the hard drive? For example, should LibreOffice produce the whole .odt word-processing document, encrypt it, and write the encrypted result to the filesystem as a single file, just like that? Or should Linux handle the encryption itself, at the filesystem level?

Those are the two options: the application encrypts its data and stores the result as a single file on the drive, or Linux performs the encryption at the filesystem level.

In the second case, LibreOffice does nothing but read and write files, exactly as it does today. Linux encrypts the file as it is written to disk and decrypts it when it is read back. This is the approach I take here, but it raises a number of further questions, and to ask them properly you need to understand how block storage works. So let's look at block storage first.


Block-level storage

When the operating system works with a local drive, it uses filesystem software to format the drive and then reads and writes individual sectors. When a file is saved, the filesystem software decides which sectors to write; when a file is read, the filesystem works out which sectors hold the data and reads them to reconstruct the file for you. To keep track of files, the filesystem maintains various kinds of indexes, which it also stores on the disk. Different filesystems organize data in different ways, including different security mechanisms; the result is the range of filesystems we have, such as ext4 and NTFS.

Underlying details

We have already explained why we work at the block-device level. Consider this: the operating system uses its filesystem software to write sectors of data to the drive. The filesystem software decides where those sectors go and how they are organized, including the metadata that records things like file names and the directory layout. However, to actually read from and write to the drive, the filesystem needs a device driver that controls the device itself, as shown on the left (the driver is exposed in the filesystem hierarchy under the /dev directory).

The filesystem software can encrypt data before it writes it. Alternatively, a piece of software sitting between the filesystem software and the device driver can do the encryption.

Right there, between the filesystem software and the device driver, is where you have a choice about encryption: do you want the filesystem software itself to encrypt and then write the data, or do you insert a piece of software between the filesystem software and the device driver? In the latter case the filesystem runs as usual, but when it tries to access the device, its calls are intercepted and handled by the encryption software, as shown on the right. That is the method used in this article, but let's discuss a few other matters first.

By the way, if you want to see how device drivers appear in the /dev directory of a Linux system, see this article: http://www.linuxdevcenter.com/pub/a/linux/2007/07/05/devhelloworld-a-simple-introduction-to-device-drivers-under-linux.html?page=1. It involves programming, but if you are not a programmer, click through to page 2 and scroll down to the heading "Hello, World! Using /dev/hello_world". Read that first section, which provides a detailed explanation.

If you want to encrypt an entire partition, you might as well consider encrypting the entire drive. There is a small catch, however. If the computer boots from that drive, the drive needs a small partition dedicated to the boot code. The boot code is machine code; the computer can only start once it has read and executed it. If the entire drive is encrypted, including this part, the computer needs some way of interpreting that data, but at that point no filesystem has been mounted, so it cannot read and decrypt its own program. See the problem? The decryption code would have to live in the BIOS, and most computers do not have such code. This means the boot record cannot be encrypted. People have discussed ways around this (see: http://www.linuxquestions.org/questions/linux-security-4/full-disk-encryption-on-boot-partition-626270/), such as placing the boot code on a removable USB drive.

Remote Drive

If your drive is remote, there are several ways to access the data, and it matters which one you use, because it determines what kind of encryption is possible. The two methods are:

• Block-level storage works like a local drive: your filesystem software reads and writes sectors on the remote disk directly.

• File-level storage: your operating system sends whole files to a remote server. The remote server has its own operating system and filesystem software, and it writes the files to its own disk.

With file-level storage you have no choice about where encryption happens: if you want the data encrypted, your application must encrypt it before sending it to the remote server for storage.

Block-level remote storage, on the other hand, gives you several options. For example, with a cloud hosting service you can attach separate volumes to the server allocated to you, and these are usually block-level storage. The volumes may not be physically attached to your host, but the server accesses them as if they were local: it can format them and read and write individual sectors as though the drive were mounted locally. This means that with block-level remote storage you can encrypt at the filesystem level, exactly as you would on a local machine with a local drive.

Software

Now we know what we want to accomplish. The question is how to do it. Linux in fact ships with a software package that takes the approach I described earlier, inserting itself between the filesystem software and the device driver. It is called dm-crypt. dm-crypt encrypts the data and then writes it to the storage device (through the device driver) using a storage format called LUKS.

LUKS (Linux Unified Key Setup) is the format that appears on the drive itself, in place of a filesystem such as ext4. dm-crypt sits between the filesystem software and the device driver: the filesystem software reads and writes ext4, the ext4 data is pushed through dm-crypt, and dm-crypt stores it on the drive in LUKS format. ext4, NTFS or any other filesystem is therefore wrapped inside the encrypted LUKS format.

Note that dm-crypt is the name of the subsystem; there is no single command called dm-crypt. Several tools work with it, among them:

• cryptsetup: a command-line program that gives you low-level control over creating and managing the devices dm-crypt handles.

• cryptmount: a program with more features that is easier to use. See this article from a few years ago: http://www.enterprisenetworkingplanet.com/netsecur/article.php/3742191/Create-Encrypted-Volumes-With-Cryptmount-and-Linux.htm.

Other features

One advantage of the dm-crypt system is that it does not have to work directly on a disk device. Instead of a LUKS volume on an entire partition, it can keep everything in a single file. That means you can have dm-crypt create a single file, build a complete filesystem inside that file, and then mount the file as if it were a separate drive and access it from any software, just as you would any other drive.

Cloud Drive

Some cloud providers (such as Amazon Web Services) give you full root access as well as access to the block devices attached to your server. There you can make full use of dm-crypt: format a block device in LUKS format, set up dm-crypt on it, and then create an ext4 filesystem on top. The result is a fully encrypted drive living in the cloud that you manage yourself. Want to try it? This tutorial shows how to do the encryption with cryptsetup: http://silvexis.com/2011/11/26/encrypting-your-data-on-amazon-ec2.

Other cloud providers do not give you direct access to block devices the way AWS does; Digital Ocean, for example, does not. You can still create a file, point dm-crypt at that file, and create a so-called "container" inside it that holds the filesystem. This process is exactly the same as creating an encrypted container file on your local machine. Here is a tutorial from the Digital Ocean website that walks through creating a dm-crypt LUKS container file: https://www.digitalocean.com/community/tutorials/how-to-use-dm-crypt-to-create-an-encrypted-volume-on-an-ubuntu-vps. Note that, just as with a block device, you create a complete filesystem (such as ext4) inside it; the filesystem simply resides in the container file.

Local drive

That brings us to how to do this locally. The steps in the Amazon tutorial above for creating an encrypted drive are much the same as for creating one on your own local hard drive, but another tutorial (https://www.howtoforge.com/tutorial/how-to-encrypt-a-linux-partition-with-dm-crypt-luks/) gives step-by-step instructions specifically for a local drive, again using cryptsetup.

If you want to create a local container file holding an entire encrypted filesystem, follow the steps in the Digital Ocean tutorial above.
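The block-device workflow from the Amazon tutorial and the container-file workflow from the Digital Ocean tutorial follow the same cryptsetup sequence, shown here in one shell script as an added example (it is not code from the original article or from either tutorial). The path /tmp/vault.img, the mapper name vault and the mount point /mnt/vault are made-up values; DRY_RUN=1 prints each cryptsetup, mkfs and mount command instead of running it, which otherwise requires root.

```shell
#!/bin/sh
# Added example: a LUKS volume on a block device or in a container file via cryptsetup.
# With DRY_RUN=1 each step is printed instead of executed; without it, run as root.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Prepare the backing store. A block device (e.g. an attached cloud volume) is used
# as-is; any other path becomes a container file of $2 MiB. Filling it from
# /dev/urandom hides how much of the container is actually in use.
make_backing() {            # $1 = device or file path, $2 = size in MiB (files only)
    if [ ! -b "$1" ]; then
        run dd if=/dev/urandom of="$1" bs=1M count="$2" status=none
        run chmod 600 "$1"
    fi
}

# The layering described in the article: ext4 -> dm-crypt -> LUKS-formatted store.
# cryptsetup sets up a loop device itself when given a regular file.
encrypted_volume_up() {     # $1 = backing path, $2 = mapper name, $3 = mount point
    run cryptsetup luksFormat --type luks2 "$1"   # asks for a passphrase; wipes $1
    run cryptsetup open "$1" "$2"                  # plaintext view at /dev/mapper/$2
    run mkfs.ext4 -q "/dev/mapper/$2"              # the filesystem never sees ciphertext
    run mkdir -p "$3"
    run mount "/dev/mapper/$2" "$3"
}

# Tear down in reverse: unmount, then close the mapping so the key leaves the kernel.
encrypted_volume_down() {   # $1 = mapper name, $2 = mount point
    run umount "$2"
    run cryptsetup close "$1"
}

# Print the full plan for a 256 MiB container without touching anything:
#   DRY_RUN=1 sh luks-volume.sh
if [ "${DRY_RUN:-0}" = "1" ]; then
    make_backing /tmp/vault.img 256
    encrypted_volume_up /tmp/vault.img vault /mnt/vault
    encrypted_volume_down vault /mnt/vault
fi
```

Passing an attached volume such as a real /dev/xvd* device instead of /tmp/vault.img skips the dd step and gives the Amazon-style whole-device setup.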

Alternatively, if you prefer the other program, cryptmount, for encrypting an entire partition or creating a container file, follow this tutorial: http://www.enterprisenetworkingplanet.com/netsecur/article.php/3742191/Create-Encrypted-Volumes-With-Cryptmount-and-Linux.htm. The author, Carla Schroder, lays out several clear steps.

Conclusion

That's it. To encrypt your data, you first need to understand exactly what you are trying to accomplish: should the application encrypt and decrypt the data, or the operating system? Do you want to encrypt an entire partition or individual files, or create a container that holds the encrypted files? Once you know that, you can follow the steps in the tutorials linked in this article to do the encryption.
