T-110.5102 Laboratory Works in Networking and Security (5-10 cr)

Lab A4: Encrypted filesystems


Description of the exercise 

In this assignment you will simulate an encryption of an external memory (such as usb memory stick) using a file as the storage media. Simulation is needed because there is no physical access to the server machines (in addition, the servers are virtual). Two different schemes will be used: encrypted loopback device with dm_crypt and encryption layer for an existing filesystem with encFS. In addition, a popular encryption software Truecrypt is used to create a hidden volume in part four.

1. Preparation

Check that you have the following packages installed (dpkg -l, apt-get install)

  • cryptsetup
  • linux-modules corresponding to the kernel version in use (hint: apt-cache search and uname -a

Load the dm_crypt and aes kernel modules (updated: 11/6/2012). Please remove cryptoloop from use, if its attached to the kernel.

For the third exercise, ensure that you have encFS installed and FUSE is available. This should be done in similar fashion as the earlier checks.

lsmod (8), modprobe (8)

2.Crypto filesystem with loopback and device mapper

Create a file with random bytes to make it harder for the attacker to recognize which parts of device are used to store data, and which are left empty. This can be done with the command:

dd if=/dev/urandom of=loop.img bs=1k count=8k

Create a loopback device for the file using losetup(8). Then using cryptsetup(8), format the loopback device and map it to a pseudodevice. Please use LUKS with aes-cbc-essiv:sha256 cipher (should be default).

Create an ext2 filesystem on the pseudodevice, created in the previous step. The filesystem can be created with mkfs.ext2(8).

Release the file by first removing the pseudodevice and then detaching the loopback device. After this, you have successfully created an encrypted filesystem into a file. The filesystem is ready, and requires a passphrase to be entered when mounting it.

Now mount your filesystem. Create some files and directories on the encrypted filesystem. Check also what happens if you try to mount the system with a wrong key.

2.1 Provide the commands you used. 2 p
2.2 Explain the concepts of the pseudodevice and loopback device. 1 p
2.3 What is LUKS? (Knowing the meaning of abbreviation won't bring you a point.) 1 p
2.4 What is this kind of encryption method good for? What strengths and weaknesses does it have? 3 p
2.5 Why did we remove cryptoloop from the assignment and replaced it with dm_crypt? Extending the question a bit, what realities must a sysadmin remember with any to-be-deployed and already deployed security-related software? 1 p 

3. encFS


Using encFS, mount an encrypted filesystem on a directory of your choice. This gives you the encryption layer. After this, create a few directories, and some files in them. Unmount encFS using Fuse's fusermount.

Check what was written on the file system.

 3.1 Provide the commands you used.  1 p
 3.2 Explain how this approach differs from the loopback one. Does this solve any problems or create more?  3 p

4. Truecrypt


Truecrypt is a popular free open-source (or at least source-available) application for disk encryption. In this exercise, we will create a hidden volume inside another encrypted volume to achieve plausible deniability

Get Truecrypt with

wget "http://www.truecrypt.org/download/truecrypt-7.1a-linux-console-x86.tar.gz"

Extract and install Truecrypt. Create a 'Normal' volume. Map the volume but don't mount it's filesystem (clarification added 7/11/12). You can view Truecrypt documentation with

truecrypt --help

and a list of your Truecrypt volumes with

truecrypt --list

Create a filesystem for the Truecrypt volume with mkfs.ext3 and unmount it. Now create a 'Hidden' volume inside the existing 'Normal' volume. Use the same encryption options as you did for the normal volume. Map the volume again (so that you will map the hidden volume). Finally create a filesystem for the hidden volume with mkfs.ext3. Mount the hidden volume with mount to /mnt/true1.

 4.1 Provide the commands you used and demonstrate that you can mount both the normal and the hidden volume.  3 p
 4.2 What is meant by deniable encryption / plausible deniability in the context of data encryption and how does Truecrypt achieve this?  1 p
 
 

5. Finishing your work (added Nov 7th 2012)

When finishing your work, please remember to backup your related files from the lab computers to a safe place (e.g. your home directory in Niksula or the Computer Center). The course does not provide any back up service for the virtual machines. If you report problems regarding your machines to the course personnel, note that they may get completely reset with all running configurations cleared.