
Linux Examples: LUKS

This section gives a series of examples of how to create Linux LUKS volumes, and then mount them using FreeOTFE.
These examples have been tested using Ubuntu Jaunty 9.04 and SuSE 10.3, 11.0 and 11.1 with cryptsetup LUKS, though they should work for all compatible Linux distributions.

Note: The executable name in the following examples is cryptsetup-luks; most systems use cryptsetup.

Initial Setup

To begin using LUKS under Linux, ensure that the various kernel modules are loaded:

    modprobe cryptoloop
    modprobe aes
    modprobe anubis
    modprobe arc4
    modprobe blkcipher
    modprobe blowfish
    modprobe cast5
    modprobe cast6
    modprobe cbc
    modprobe crc32c
    modprobe crypto_algapi
    modprobe crypto_hash
    modprobe cryptomgr
    modprobe crypto_null
    modprobe deflate
    modprobe des
    modprobe ecb
    modprobe gf128mul
    modprobe hmac
    modprobe khazad
    modprobe lrw
    modprobe md4
    modprobe md5
    modprobe michael_mic
    modprobe serpent
    modprobe sha1
    modprobe sha256
    modprobe sha512
    modprobe tea
    modprobe tgr192
    modprobe twofish_common
    modprobe twofish
    modprobe wp512
    modprobe xcbc

    # dm_mod should give you dm_snapshot, dm_zero and dm_mirror?
    modprobe dm_mod
    modprobe dm_crypt

At this point, typing

    dmsetup targets

should give you something along the lines of:

    crypt            v1.0.0
    striped          v1.0.1
    linear           v1.0.1
    error            v1.0.1

Typing

    lsmod

will show you which modules are currently loaded.

Defaults: If not overridden by the user, LUKS defaults to encrypting with:

Cypher: AES
Cypher keysize: 128 bit
Cypher mode: cbc-plain
Hash: SHA-1
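
To confirm which parameters a volume was actually formatted with, the header fields printed by luksDump (used in the examples below) can be compared against the defaults listed above. The following shell function is an added example, not part of the original FreeOTFE documentation; the names luks_params and sample_dump are hypothetical, and the sample header text is constructed.

```shell
#!/bin/sh
# Added example: compare the fields of `luksDump` output with the defaults
# listed above (aes / cbc-plain / sha1 / 128-bit key).

# Constructed sample of LUKS1 luksDump output (not from a real volume),
# shaped like the `-c aes -s 256` volume of Example #2.
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/loop0

Version:        1
Cipher name:    aes
Cipher mode:    cbc-plain
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
EOF
}

# luks_params: read luksDump text on stdin and print one line per field:
#   <field>=<value> <default|non-default>
# Exits non-zero if any of the four fields is missing from the input.
luks_params() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function report(name, val, dflt) {
            printf "%s=%s %s\n", name, val, (val == dflt ? "default" : "non-default")
        }
        # Split on the FIRST colon only: modes such as cbc-essiv:sha256
        # contain a colon of their own.
        { i = index($0, ":"); if (!i) next
          key = substr($0, 1, i - 1); val = trim(substr($0, i + 1)) }
        key == "Cipher name" { cipher = val }
        key == "Cipher mode" { mode = val }
        key == "Hash spec"   { hash = val }
        key == "MK bits"     { bits = val }
        END {
            if (cipher == "" || mode == "" || hash == "" || bits == "") {
                print "error: not a complete LUKS header dump" > "/dev/stderr"
                exit 1
            }
            report("cipher", cipher, "aes"); report("mode", mode, "cbc-plain")
            report("hash", hash, "sha1");    report("keybits", bits, "128")
        }'
}

# On a real system (as root): cryptsetup luksDump /dev/loop0 | luks_params
sample_dump | luks_params
```
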

Check loop devices

Make sure you have enough devices available. You can check how many you have by running:

    ls -d1 /dev/loop* | wc -l

Creating extra loop device entries

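An easy way to create more (for example, 128) is:

    for i in $(seq 0 127); do
       # Use -e, not -f: a loop device is a block special file, so the
       # regular-file test -f would never match an existing node
       if [ ! -e /dev/loop$i ] ; then
          mknod -m0660 /dev/loop$i b 7 $i
          chown root:disk /dev/loop$i
       fi
    done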

You can have up to 256 loop devices.

Example #1: Mounting a LUKS Volume Using LUKS's Default Encryption

This example demonstrates use of a LUKS volume with LUKS's default encryption system: AES128 with the user's password hashed with SHA1, using 32 bit sector IDs as encryption IVs.

Creating the volume file under Linux

dd if=/dev/zero of=./volumes/vol_default.vol bs=1M count=1
losetup /dev/loop0 ./volumes/vol_default.vol
echo password1234567890ABC | cryptsetup-luks luksFormat /dev/loop0
cryptsetup-luks luksDump /dev/loop0 
echo password1234567890ABC | cryptsetup-luks luksOpen /dev/loop0 myMapper
dmsetup ls
dmsetup table
dmsetup status
cryptsetup-luks status myMapper
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup-luks luksClose myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE

  1. Select "Linux | Mount..."
  2. Select the volume file
  3. In the dialog shown, enter "password1234567890ABC" as the key, and set any of the options wanted.
  4. Click the "OK" button

Example #2: Mounting a LUKS Volume Using 256 bit AES Encryption

This example demonstrates use of a LUKS AES256 volume.

Creating the volume file under Linux

dd if=/dev/zero of=./volumes/vol_aes_256.vol bs=1M count=1
losetup /dev/loop0 ./volumes/vol_aes_256.vol
echo password1234567890ABC | cryptsetup-luks -c aes -s 256 luksFormat /dev/loop0
cryptsetup-luks luksDump /dev/loop0 
echo password1234567890ABC | cryptsetup-luks luksOpen /dev/loop0 myMapper
dmsetup ls
dmsetup table
dmsetup status
cryptsetup-luks status myMapper
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup-luks luksClose myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE

  1. Select "Linux | Mount..."
  2. Select the losetup volume file
  3. In the dialog shown, enter "password1234567890ABC" as the key, and set any of the options wanted.
  4. Click the "OK" button

Example #3: Mounting a LUKS Volume Using 128 bit Twofish Encryption

This example demonstrates use of a LUKS Twofish 128 volume.

Creating the volume file under Linux

    dd if=/dev/zero of=./volumes/vol_twofish.vol bs=1M count=1
    losetup /dev/loop0 ./volumes/vol_twofish.vol
    echo password1234567890ABC | cryptsetup-luks -c twofish luksFormat /dev/loop0
    cryptsetup-luks luksDump /dev/loop0 
    echo password1234567890ABC | cryptsetup-luks luksOpen /dev/loop0 myMapper
    dmsetup ls
    dmsetup table
    dmsetup status
    cryptsetup-luks status myMapper
    losetup /dev/loop1 /dev/mapper/myMapper
    #cat ./test_files/2MB_Z.dat > /dev/loop1
    #cat ./test_files/2MB_0x00.dat > /dev/loop1
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup-luks luksClose myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE

  1. Select "Linux | Mount..."
  2. Select the losetup volume file
  3. In the dialog shown, enter "password1234567890ABC" as the key, and set any of the options wanted.
  4. Click the "OK" button