Security is the most important thing in our lives, and to this end a lot of tools and algorithms have been created that allow you to encrypt your data. In this article I will provide details on the 2 most commonly used tools/algorithms for data protection, GnuPG and LUKS. I will teach you how to use both tools in different situations, exploring many useful cases... Once you're done, you will be able to protect your data and keep it safe and secure...
GnuPG or GPG is a tool to digitally sign and encrypt your data and your e-mails. In this article I will not provide information on how to integrate it with mail clients, or on using it with e-mails for that matter. What I will give you is brief yet detailed instructions on how to take advantage of GPG to encrypt the data on your hard disk. NOTE: This whole article depends on the command line; I don't do graphical tools and you shouldn't either. If you are not used to the command line, maybe this might help. First of all, you need to create your GPG key; if you already have a key please proceed to the next section:
$ gpg --gen-key
And follow the instructions; if you feel lost, this article might help you with that. At the end you will get your key ID in hex format; mine is 0xC8DD18A2. After your key has been created, you have to send it to a key server so people can verify e-mails signed by you or encrypt e-mails for you...
$ gpg --keyserver hkp://subkeys.pgp.net --send-key C8DD18A2
Replace C8DD18A2 with your key ID, which you got from the step above. Now you need to back up your key. Please note that this step is very sensitive: the files you are going to create are very secret and must be kept that way. Backing up is simple:
$ gpg -a --export-secret-keys C8DD18A2 > secret.key
$ gpg -a --export C8DD18A2 > public.key
Replace C8DD18A2 with your key ID. Now that you have a key, you can start encrypting data. Encrypting data is easy, but you have to be careful with it: if you ever lose your private key, all the encrypted data will be useless, so please back up your key... Now let's start encrypting, shall we?
$ echo "I am a sensitive data, I should not be seen by anyone..." > sensitive-file.txt
$ cat sensitive-file.txt
I am a sensitive data, I should not be seen by anyone...
At this point the data you have is plain text, which is insecure; we have to encrypt it, so let's do that...
$ gpg -a --encrypt -r C8DD18A2 -o sensitive-file.pgp sensitive-file.txt
$ cat sensitive-file.pgp
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.9 (GNU/Linux)
=Uc7A
-----END PGP MESSAGE-----
Ha, that's much better, isn't it? The file cannot be viewed by any means unless it is decrypted... But wait, the file sensitive-file.txt still exists; you have to securely remove it:
$ shred -f sensitive-file.txt
$ rm -f sensitive-file.txt
What good are encrypted files if you do not know how to decrypt them, right? Let's learn how to do that, shall we? :)
$ gpg --decrypt sensitive-file.pgp
This command will decrypt the file but write it to standard output; if you want it in a file you can either redirect the output using '> file' or specify the -o option. Here are the 2 commands:
$ gpg --decrypt sensitive-file.pgp > sensitive-file.txt
$ gpg -o sensitive-file.txt --decrypt sensitive-file.pgp
Use one of the above commands, and don't forget to shred the file after you are done with it, just like we did in the previous step.
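The key creation, backup, encrypt and decrypt steps above, scripted as one round trip. This is an added example and not the article's own code: it runs inside throwaway keyrings so nothing touches ~/.gnupg, and it proves that the secret.key/public.key backup alone is enough to decrypt a file in a fresh keyring. It assumes GnuPG 2.1 or later (for --quick-gen-key and --pinentry-mode loopback); the identity, file names and the empty passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): GnuPG key generation,
# backup, encryption and decryption as a scripted round trip in throwaway
# keyrings. Assumes GnuPG >= 2.1; identity and file names are constructed.
set -eu

# Return 0 if "$1" looks like a short (8), long (16) or full (40 hex digit)
# key ID, with or without the 0x prefix the article shows (0xC8DD18A2).
is_key_id() {
    case "$1" in
        0x*) id="${1#0x}" ;;
        *)   id="$1" ;;
    esac
    case "$id" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    case "${#id}" in
        8|16|40) return 0 ;;
        *)       return 1 ;;
    esac
}

# Create a fresh, private keyring directory and print its path.
new_keyring() {
    d=$(mktemp -d)
    chmod 700 "$d"
    echo "$d"
}

# Generate a constructed test key (no passphrase, so it runs unattended) in
# keyring $1 and print its full fingerprint.
gen_test_key() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Example <example@example.invalid>" default default 0 >/dev/null
    GNUPGHOME="$1" gpg --batch --list-keys --with-colons | awk -F: '/^fpr/ {print $10; exit}'
}

# Encrypt file $2 to key $1 held in keyring $3, export the same backup the
# article makes, import it into a brand-new keyring and decrypt there.
# Returns 0 only if the decrypted copy matches the original byte for byte.
gpg_roundtrip() {
    keyid="$1"; plaintext="$2"; home="$3"
    restore=$(new_keyring)
    # ASCII-armoured (-a) encryption to recipient -r, written with -o.
    GNUPGHOME="$home" gpg --batch --quiet -a --encrypt --trust-model always \
        -r "$keyid" -o "$restore/msg.pgp" "$plaintext"
    # The backup from the article: secret and public key in armoured form.
    GNUPGHOME="$home" gpg --batch -a --export-secret-keys "$keyid" > "$restore/secret.key"
    GNUPGHOME="$home" gpg --batch -a --export "$keyid" > "$restore/public.key"
    # Restore into the new keyring (as after a reinstall) and decrypt there.
    GNUPGHOME="$restore" gpg --batch --quiet --import "$restore/secret.key" "$restore/public.key"
    GNUPGHOME="$restore" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        -o "$restore/msg.txt" --decrypt "$restore/msg.pgp"
    if cmp -s "$plaintext" "$restore/msg.txt"; then ok=0; else ok=1; fi
    # Overwrite before deleting, as the article does with shred.
    shred -fu "$restore/msg.txt" "$restore/secret.key" 2>/dev/null \
        || rm -f "$restore/msg.txt" "$restore/secret.key"
    GNUPGHOME="$restore" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$restore"
    return $ok
}

# Stand-alone demo: DEMO=1 sh this_script.sh
if [ "${DEMO:-0}" = "1" ]; then
    home=$(new_keyring)
    fpr=$(gen_test_key "$home")
    f=$(mktemp); echo "I am a sensitive data, I should not be seen by anyone..." > "$f"
    gpg_roundtrip "$fpr" "$f" "$home" && echo "round trip OK for key $fpr"
    shred -fu "$f" 2>/dev/null || rm -f "$f"
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
fi
```

The check that matters is the decryption in the second keyring: it only ever sees secret.key and public.key, so if that step succeeds your backup is complete. A real key should of course carry a passphrase; the empty one here is only so the script can run without a prompt.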
This is my favorite encryption tool/algorithm; I actually encrypt my whole hard disk. It might slow your computer down a little bit, but at least you are safe. LUKS works a bit like GPG: without a password the partition (or the loop device, which you will be happy to learn about :)) becomes useless... I will try to cover as much ground as I can for both cases in which you could use LUKS, a partition and a loop device, but please note that I will not cover your distribution's settings or the encryption of the root partition in this article; those subjects are very wide and vary from one distribution to another...
The difference between GnuPG and LUKS is that LUKS is actually a whole filesystem. You see, GnuPG can only encrypt one file, whatever the file is (it can be an archive of files...), but it is still a file. LUKS is a filesystem, just like your partitions...
Partition
WARNING: This step requires partition manipulation, hence it is very dangerous, so please be careful.
Before starting to list commands and explain them, I will try explaining it using a different approach, a logical approach... As you already know, an operating system resides on a partition, and one or more partitions can co-exist. The partitions can be accessed using the special block devices that reside in /dev: for IDE hard disks it's /dev/hda1, /dev/hda2 etc.; for SCSI/SATA it's /dev/sda1, /dev/sda2 etc. For the sake of this article, I will assume the partition is /dev/sda4. When you create an unencrypted partition, the filesystem is created over the physical partition directly, which means it sits directly on /dev/sda4, using a command similar to this:
# mke2fs -j /dev/sda4
When you create an encrypted partition it's slightly different: between the filesystem and the physical partition a layer is added, the encrypted volume... First we create an encrypted volume over /dev/sda4, then we open the encrypted partition, which creates another block device, but this time under /dev/mapper, not /dev, and finally we create the filesystem over the /dev/mapper/encrypted device... Now let's talk commands, eh?
# cryptsetup luksFormat /dev/sda4
Enter your password, and please make sure you remember it; if it is lost, the whole partition becomes useless...
# cryptsetup luksOpen /dev/sda4 encrypted
After you enter the partition's password, the device /dev/mapper/encrypted will be created... NOTE: This device does not yet have a filesystem.
# mke2fs -j -m 0 -L EncryptedDevice /dev/mapper/encrypted
We create the filesystem over /dev/mapper/encrypted, NOT /dev/sda4:
# mount -t ext3 /dev/mapper/encrypted /mnt/encrypted
And of course we mount /dev/mapper/encrypted and not /dev/sda4; I shouldn't have to tell you to create the folder /mnt/encrypted. Now you have an encrypted partition: anything you put inside it is encrypted, and without the password no information can be read from it!!
Loop Device
What is a loop device
In Unix-like operating systems, a loop device, loopback device, vnd (vnode disk), or lofi (loopback file interface) is a pseudo-device that makes a file accessible as a pseudo-device. A loop device may allow some kind of data elaboration during this redirection; for example, the device may be the unencrypted version of an encrypted file.
Source: Wikipedia
How to create a loop device
To create a loop device you have to create a file of the desired size; the appropriate way to do that is to use /dev/zero (or, for more security, /dev/urandom), then we use cryptsetup and mke2fs just as if we were dealing with a normal partition...
# dd if=/dev/urandom of=/path/to/encrypted-file bs=10M count=10
This will create a loop file of size 100M. It's easy to work out the size: we told dd to copy 10M 10 times, and 10M x 10 = 100M, easy :) Now that we have the loop file, we will plug it in, create the encrypted layer and finally create the filesystem. First we need to find out which loop devices are free:
# losetup -f
You should get something like `/dev/loop/0` or `/dev/loop0`; just write down whatever you get... For the sake of this article I will assume it is `/dev/loop/0`. Let's plug it in :)
# losetup /dev/loop/0 /path/to/encrypted-file
Encrypt and mount the loop device
We can create the encrypted layer as well as the filesystem now:
# cryptsetup luksFormat /dev/loop/0
Enter the password you would like to assign to the file, then open it
# cryptsetup luksOpen /dev/loop/0 encrypted
Create the filesystem
# mke2fs -j /dev/mapper/encrypted
and mount it :)
# mkdir /mnt/encrypted
# mount -t ext3 /dev/mapper/encrypted /mnt/encrypted
Umount and deactivate the loop device
To unmount and deactivate the loop device there are 3 steps to follow: first unmount the partition, then close the LUKS device, and finally unplug the loop device...
# umount /mnt/encrypted
# cryptsetup luksClose /dev/mapper/encrypted
# losetup -d /dev/loop/0
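The whole loop-device procedure (create the file, attach it, luksFormat, luksOpen, mke2fs, mount, and the three-step teardown) wrapped as shell functions, as an added example that is not the article's own code. It also adds the check a practitioner wants before opening anything: whether a file actually carries a LUKS header, which needs neither root nor cryptsetup. The container path, mapper name and mount point are constructed placeholders; the create/attach/detach functions assume Linux with cryptsetup, losetup and mke2fs installed and must be run as root, exactly like the commands above.

```shell
#!/bin/sh
# Added example (not from the original article): the loop-file LUKS workflow
# as reusable functions, plus a LUKS header check. Assumes Linux with
# cryptsetup, losetup (util-linux) and mke2fs; paths and names are placeholders.
set -eu

# Return 0 if the first 6 bytes of file "$1" are the LUKS magic "LUKS\xba\xbe".
# This is true for LUKS1 and LUKS2 headers and needs no root privileges.
is_luks_container() {
    magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Create a container file of $2 MiB at $1, LUKS-format it and put an ext3
# filesystem inside under mapper name $3 (the article's dd, losetup,
# luksFormat, luksOpen and mke2fs steps). cryptsetup prompts for the
# passphrase on the terminal. Run as root.
create_container() {
    path="$1"; size_mb="$2"; name="$3"
    # /dev/urandom, as the article suggests, so unused space is not all zeros.
    dd if=/dev/urandom of="$path" bs=1M count="$size_mb" status=none
    loopdev=$(losetup -f --show "$path")        # attach and print the free loop device
    cryptsetup luksFormat --batch-mode "$loopdev"   # --batch-mode skips the "Are you sure?" prompt
    cryptsetup luksOpen "$loopdev" "$name"
    mke2fs -q -j -m 0 -L "$name" "/dev/mapper/$name"
    cryptsetup luksClose "$name"
    losetup -d "$loopdev"
}

# Attach container $1 as mapper name $2 and mount it at $3. Refuses plain
# files that carry no LUKS header, so a typo in the path fails loudly.
attach_container() {
    path="$1"; name="$2"; mnt="$3"
    is_luks_container "$path" || { echo "$path is not a LUKS container" >&2; return 1; }
    loopdev=$(losetup -f --show "$path")
    cryptsetup luksOpen "$loopdev" "$name"
    mkdir -p "$mnt"
    mount -t ext3 "/dev/mapper/$name" "$mnt"
}

# Tear down mapper name $1 mounted at $2 in the article's order:
# unmount, close the LUKS device, then free the loop device.
detach_container() {
    name="$1"; mnt="$2"
    # "cryptsetup status" reports the backing device, so we need not remember it.
    loopdev=$(cryptsetup status "$name" | awk '/device:/ {print $2}')
    umount "$mnt"
    cryptsetup luksClose "$name"
    losetup -d "$loopdev"
}

# Stand-alone demo (root only): DEMO=1 sh this_script.sh
if [ "${DEMO:-0}" = "1" ]; then
    create_container /path/to/encrypted-file 100 encrypted   # placeholder path
    attach_container /path/to/encrypted-file encrypted /mnt/encrypted
    df -h /mnt/encrypted
    detach_container encrypted /mnt/encrypted
fi
```

The header check is also a quick forensic test: a file that starts with "LUKS" followed by 0xBA 0xBE is a LUKS container even if its name gives nothing away, and a container created from /dev/urandom that has not been formatted yet will not match.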
Comments are appreciated :)
Copyright 2010 © Wael Nasreddine