Mark Eschbach

Software Developer && System Analyst

Encrypting a Virtual Volume using cryptsetup

If you are using the cloud, you shouldn’t trust your hosting provider with the disposal of confidential data. Additionally, especially on SSDs, you have no control over when your information is actually destroyed: even when you attempt to overwrite a sector, the drive may assign the write to another sector.

cryptsetup is a wrapper around dm-crypt with many sane defaults and additional features that increase the degree of security. The pointy-hatted people have figured out a lot of problems we don’t need to reinvent; however, they emphasize that you must not forget your passwords, because you will lose all data on the volume.

Recipe

  1. Dependencies

    cryptsetup should be installed. If you are running Ubuntu this will be available via the primary repositories.

  2. Allocating File Space

    The virtual file system will be contained in a file on an existing partition. This file will become a virtual loopback disk containing the encrypted data. Depending on your operating system and hosting file system, I have found the following two methods for producing an encrypted partition.

    1. Method 1: fallocate(2)

      This is an option for newer file systems such as ext4 under Linux, which will preallocate a file of a given size quickly by assigning the blocks. There is also posix_fallocate(3); however, its implementation is currently unknown.

      fallocate -l 1G /root/example
    2. Method 2: dd(2)

      If you get a cryptic error stating fallocate(2) is not supported, then your file system does not support fallocate. This is the case under some installs of Ubuntu 12.04 LTS running with ext3.

      Depending on the size you are targeting, your entropy pool, and disk speed, this may take a long time. The following example will pull data from urandom, which may not be secure enough for your purposes. The command is intended to provide some protection against determining which blocks contain cryptographic data.

      dd if=/dev/urandom of=/root/vault bs=1M count=512
  3. Setup the container

    cryptsetup luksFormat /root/vault

    This will ask a series of questions. Don’t lose the passwords; otherwise the data on the partition is lost forever.

  4. Map the drive and format

    cryptsetup luksOpen /root/vault vault
    mkfs.ext4 -j /dev/mapper/vault

    If your goal is to store many smaller files, you are better off using btrfs if your installation supports it.

  5. Mount the file system

    mount -t ext4 /dev/mapper/vault /vault
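
Steps 2 through 5 as one script, with a teardown step the recipe does not cover. This is an added example, not the author's code: the variable and function names, the `luks_version` header check and the `close_vault` step are assumptions, and one path is used for both allocation methods.

```shell
#!/bin/sh
# Added example, not the author's script. VAULT_FILE, VAULT_NAME, MOUNT_POINT
# and all function names are assumptions chosen for illustration.
VAULT_FILE=${VAULT_FILE:-/root/vault}
VAULT_NAME=${VAULT_NAME:-vault}
MOUNT_POINT=${MOUNT_POINT:-/vault}

# Step 2: allocate_container FILE SIZE_MIB
# Creates an owner-only backing file; never overwrites an existing one.
# Tries fallocate first and falls back to dd from /dev/urandom.
allocate_container() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite $1" >&2
        return 1
    fi
    ( umask 077
      fallocate -l "${2}M" "$1" 2>/dev/null ||
          dd if=/dev/urandom of="$1" bs=1M count="$2" 2>/dev/null )
}

# luks_version FILE: print 1 or 2 if FILE starts with a LUKS header, else "none".
# The header begins with the magic "LUKS" 0xBA 0xBE and a big-endian version.
luks_version() {
    case $(head -c 8 "$1" | od -An -tx1 | tr -d ' \n') in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none ;;
    esac
}

# Steps 3-5: create_vault SIZE_MIB (needs root; luksFormat prompts interactively)
create_vault() {
    allocate_container "$VAULT_FILE" "$1" || return 1
    cryptsetup luksFormat "$VAULT_FILE" || return 1
    [ "$(luks_version "$VAULT_FILE")" != none ] || return 1  # header written?
    cryptsetup luksOpen "$VAULT_FILE" "$VAULT_NAME" || return 1
    mkfs.ext4 -j "/dev/mapper/$VAULT_NAME" || return 1
    mkdir -p "$MOUNT_POINT" && mount -t ext4 "/dev/mapper/$VAULT_NAME" "$MOUNT_POINT"
}

# close_vault: unmount and remove the mapping so the plaintext view goes away.
close_vault() {
    umount "$MOUNT_POINT" && cryptsetup luksClose "$VAULT_NAME"
}

case ${1:-} in
    create) create_vault "${2:-512}" ;;
    close)  close_vault ;;
esac
```

Run it as root with `create 512` or `close`. A file made by fallocate reads as zeros until it is written, so only the dd method hides which blocks hold ciphertext.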