Storing Confidential Data in GNU/Linux


This tutorial is a supplement to the Storing confidential data on GNU/Linux (Hakin9 01/2005) article. We assume that all the following examples will be carried out using the Hakin9 Live CD which came with the magazine.

Be careful! We don't recommend encrypting any valuable information in the Hakin9 Live system – they may be lost after the reboot.

Goal: After studying the examples, the reader:

  • will be able to encrypt single files (symmetrically and asymmetrically) using the GnuPG package,
  • will be able to create and use encrypted directories using the EncFS tool,
  • will be able to create and mount encrypted partitions (real or virtual) using the cryptoloop tool.

    Symmetric file encryption – GnuPG

    In the first example we will encrypt a single file using the gpg package. Here we will work on the file HK1204.pdf.

    [01] In this tutorial the AES algorithm will be used (since it has the best performance to quality ratio). First we need to load the kernel module which will be responsible for handling it:

    $ su -
    # modprobe aes
    # exit

    [02] We create the /home/haking/encrypted directory, in which we will store our encrypted data:

    $ mkdir ~/encrypted

    We save the HK1204.pdf file in it.

    [03] Time for encryption. As we selected the file HK2104.pdf, we issue the following command:

    $ gpg --output ~/encrypted/cyph1 --symmetric --cipher-algo AES192 ~/encrypted/HK2104.pdf

    This command starts symmetric encryption of HK2104.pdf to the output file ~/encrypted/cyph1 using the AES algorithm with a 192-bit key.

    [04] A password to the file needs to be set. We should think about a sentence which would be rather devoid of any sense, but easy to remember – for example, Big baboon sat at noon, mourning morning as it passed. What a ghast. It will be used it as a password.

    [05] The file has been encrypted. Now the original file needs to be safely wiped:

    $ shred -n 35 -z -u ~/encrypted/HK2104.pdf

    [06] To decrypt the file and recover the data, we will use the following command:

    $ gpg --output HK2104.pdf --decrypt ~/encrypted/cyph1

    Encrypted directories – EncFS

    [07] Before using the EncFS tool, two directories need to be created. The first one (here: ~/.crypto) will store our files in the encrypted form (we will not use it directly), while the second one (~/secret) will be used to mount and decrypt them on-the-fly every time they need to be accessed. Mounting can be done only after entering the correct password.

    $ mkdir ~/.crypto

    $ mkdir ~/secret

    [08] In the next step the EncFS mechanism must be activated.

    $ su -; insmod fuse; exit

    $ encfs ~/.crypto ~/secret

    After pressing the [Enter] key we will be asked to choose the configuration type. We decide to select the pre-configured paranoia mode.

    Now it's time to enter the password for our archive. After we enter and confirm it, our file system is ready to use.

    [09] We copy several files to it (echo, ls, telnet):

    $ cp /bin/echo /bin/ls /bin/telnet ~/secret/

    Then we check what's inside~/secret and ~/.crypto directories:

    $ ls ~/secret

    $ ls ~/.crypto

    It looks like our files are in the first directory and their encrypted version are in the second one. To hide their contents from everyone else, we can unmount the virtual file system by issuing this command:

    $fusermount -u ~/crypto

    We made it! Our data is secure now.

    [10] Let's now try to mount them again – this time with additional safeguard. The directory will be automatically unmounted after the specified period (10 minutes) of idle time:

    $ encfs --idle=10 ~/.crypto ~/secret

    Our files are available again in the ~/secret directory. After 10 minutes of waiting we will see that it is automatically unmounted.

    Encrypted file system – cryptoloop


    We still have one more tool which will help us to secure our files &ndash a cryptoloop, which is included in the Linux kernel.

    [11] Let's assume that we don't have a free partition (which is the case with Hakin9 Live). Therefore we will use the very handy feature of the loopback mechanism, which allows us to use a single file as a filesystem. So now, let's prepare this file:

    $ dd if=/dev/urandom of=~/crypto.raw bs=1k count=10000

    This will create a 10 megabyte file filled with absolutely random content (i.e. junk).

    [12] The next step is to bind the created file with a free loop device and to encrypt it with a algorithm of choice:

    $ su -

    # insmod cryptoloop

    # losetup -e aes-192 /dev/loop1 /home/haking/crypto.raw

    The program will ask us for a password, which is a minimum of 20 characters long.

    [13] After we have prepared some space, it's time to tidy it up a little bit. We need to set up a filesystem there, which can be, for example, ext2:

    # mkfs.ext2 /dev/loop1

    [14]When it's done, we can free-up (-d option) the loop1 device:

    # losetup -d /dev/loop1

    # exit

    [15] Our encrypted filesystem is now ready to use, in exactly the same manner as any other filesystem would be. Let's mount it and see how it works:

    $ mkdir ~/encrypted_disk

    $ mount -t ext2 ~/crypto.raw ~/encrypted_disk -oencryption=aes-192

    After we enter the correct password, mount will bind the specified file with the first free loop device.

    [16] Let's now copy our files to the safe container:

    $ cp /bin/echo /bin/ls /bin/telnet ~/encrypted_disk

    That's all – our new encrypted disk can be mounted and unmounted at will. Anyone who doesn't know the password will be unable to access it.