Left4Code

Using cryptsetup on Linux

--| Posted: 2025-04-14

1. Background Information

This is a guide on using cryptsetup on Linux to encrypt partitions with LUKS from the command line. It also covers some funny things that can be done with dd and GPG to create what is essentially a GPG-encrypted, headerless LUKS partition. Not really practical, but funny.

For readers who don't know, LUKS stands for Linux Unified Key Setup. It is a way to encrypt partitions on Linux so that nobody can just pull the:

sudo dd if=/dev/your_drive of=/home/hackaroo/your_drive.img

special secret move on your drive and walk off with all your data if your machine is ever stolen. Keep in mind that just because you're using LUKS, you're not 100% safe to leave that USB lying around in the open. If someone knows there is an encrypted partition on it, they might come back for the keys (if you catch my drift) or try to brute-force the passphrase with hashcat, which I will show how to do in the digital forensics course I'm cobbling together at the slowest rate possible.

2. Warnings And Precautions

If this is the first time you're using cryptsetup, dd, or gpg, it may be wise to spin up a virtual machine using VMware, VirtualBox, or qemu-kvm and pass whatever external media you want through to it, so you can't accidentally wipe sensitive files like passwords or photos on your host computer. These tools are dangerous to data when the user doesn't understand them. Be smart and careful until you become smart and confident!

Also, don't just copy-paste the commands on this page: learn what they do, then run them. Don't run what you can't understand.

And obviously, I'm not responsible if you wipe out your entire drive with your cat photos on it. With that out of the way, we can begin.

3. Installing Cryptsetup

If you're using apt, you can just run:

sudo apt install cryptsetup

Pretty simple, right?

4. Setting Up A LUKS Partition (Insecure Solution)

First, you would run the command:

lsblk

to identify the empty USB you want to encrypt. Take the time to unplug the USB, then run lsblk again, to verify beyond doubt which device the USB is.

The procedure for setting up a LUKS drive is fairly simple. According to the manual, all you need to run is a single command:

Warning, The Command Below Deletes All Data On A Partition Or Drive.

sudo cryptsetup luksFormat /dev/<drive>

but there's a little more to it than just running the command and being done with it if you want a more secure solution.

What that command does under the hood is not as good as you might think, because the cryptsetup defaults are not maximally secure. By default, cryptsetup creates a LUKS type 1 partition with the header stored on the partition itself (so it can be decrypted conventionally).

If you are doing forensics on an encrypted partition, the only option you might have, aside from slapping the suspect around or throwing a lot of compute at the partition, is to analyze the "metadata" of the partition. That really comes down to one thing: the size of the drive.

When looking at the partition in a hex editor, if the drive was not set up properly, it can also be possible to learn some valuable information about the partition.

If the start and end offsets of the partition can be detected, that tells an investigator what is potentially on the partition. So how do we get around this?

5. Setting Up A LUKS Partition (Better Solution!)

5.1. Removing Initial Partitions: (Warning Will Delete All Data)

A better procedure is to start by deleting any existing partitions using fdisk. Let's first check out the structure of our drive by running:

lsblk

You'll then see the name of each device, the size of each device and the size of each partition. A USB drive attached through the SCSI/SATA layer, for example, shows up as /dev/sd<letter>. Once you identify your drive, run the following command:

sudo fdisk /dev/sd<letter>

You should now be in the fdisk menu. If you want a list of the useful fdisk commands, just press the "m" key! If you have any partitions on your drive, you can delete them by pressing the "d" key and then selecting the partition number you want to delete; if you have multiple partitions, repeat this until they're all gone. When you want to write your final changes, press the "w" key. If you ever want to quit without writing, just press "q" and you'll be dropped back to the normal bash prompt.

5.2. Overwriting All Content On The Drive: (dd or shred)

Because we haven't made a partition and put a filesystem on it, we will interface with the drive directly using /dev. With this part of the guide, it's honestly up to you as to how you want to wipe your drive and what tool you want to use, the two options I like are using dd or shred.

sudo dd if=/dev/urandom of=/dev/sd<letter>

or

sudo shred -vn <number_of_passes> /dev/sd<letter>

This should wipe the drive's contents enough to stop a forensic investigator from scraping leftover data off an image of the drive, and it additionally masks the size of the LUKS container, since the encrypted data is indistinguishable from the random fill around it.

5.3. Option 1) Encrypting The Drive: (Including LUKS Header)

Hopefully at this point everything is working and we're "all systems go!" to encrypt this silly drive. To encrypt the drive, run the luksformat command that I mentioned before.

sudo cryptsetup luksFormat --type luks2 /dev/sd[your_driveletter]

This command writes the LUKS header (type 2 or 1) to the partition itself, so anyone who gets the USB can see that it is password protected. This can be bad if you really don't want anyone to know the drive is encrypted.

The "--type luks2" flag specifies LUKS version 2, which is used with newer devices and manages the LUKS header a little differently. There are also some improvements to the key derivation function, but it was a little confusing to understand; if you want to read about it, some pages I found are below:

https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup - (Wiki References Are Good)
https://www.e2encrypted.com/posts/luks-vs-luks2/ - (Some L and L2 Differences)
https://gitlab.com/cryptsetup/cryptsetup/-/wikis/LUKS-standard/on-disk-format.pdf - (LUKS On Disk Format Spec Sheet)
https://cdimage.debian.org/pub/debian-meetings/2019/miniconf-hamburg/slides/luks.pdf - (Another Sort-of Spec Sheet)

5.4. Option 2) Encrypting The Drive: (Separate LUKS Header)

To encrypt the drive without keeping the header on the partition, use the --header </path/to/header.head> flag with cryptsetup luksFormat. The full command looks like this:

sudo cryptsetup luksFormat --type luks2 --header </path/to/header.head> /dev/sd<letter>

You'll now notice a file at the path you specified for --header. Back this file up, because it has to be specified every time you open the device; the key slots live in that file, so if it is lost the data on the drive is gone for good. If you try to open the device without the header, cryptsetup will say something like "Partition is not LUKS" or similar, but once you specify the header it will prompt for the drive passphrase like normal.
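The difference between the two options is visible in the first bytes of the device: an on-device LUKS header starts with the magic bytes "LUKS" 0xBA 0xBE followed by a two-byte version, while a drive formatted with --header (and wiped beforehand) carries no such signature. The probe below is an added example, not code from the original post; it reads those bytes from a device or a .dd image (so it also applies to the loopback images in section 11) and reports what it finds. The sample files it builds are constructed and hold only the magic and version, not a real header.

```shell
#!/bin/sh
# Added example (not from the original post): classify a block device or
# raw image by its LUKS signature. Only the first 8 bytes are read, so it
# is safe to run on a live device; it changes nothing.

# luks_probe FILE_OR_DEVICE -> prints luks1, luks2 or no-luks-header
luks_probe() {
    # bytes 0-5: magic "LUKS" 0xBA 0xBE (hex 4c554b53babe)
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    # bytes 6-7: big-endian on-disk format version
    version=$(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "4c554b53babe" ]; then
        echo no-luks-header
        return 0
    fi
    case $version in
        0001) echo luks1 ;;
        0002) echo luks2 ;;
        *)    echo "luks-unknown-version-$version" ;;
    esac
}

# make_samples -> creates three constructed sample images in a temp dir
# and prints the directory. These are stand-ins, not usable containers.
make_samples() {
    dir=$(mktemp -d)
    # \272 = 0xBA, \276 = 0xBE; version field 0x0001 / 0x0002
    printf 'LUKS\272\276\000\001' > "$dir/luks1.img"
    printf 'LUKS\272\276\000\002' > "$dir/luks2.img"
    # what the start of a shred/urandom-wiped drive with a detached header looks like
    dd if=/dev/urandom of="$dir/wiped.img" bs=64 count=1 2>/dev/null
    echo "$dir"
}

# Usage: sh luks_probe.sh /dev/sdX   (or a .dd image path)
if [ $# -eq 1 ]; then
    luks_probe "$1"
fi
```

The same classification is what cryptsetup isLuks <device> and blkid (TYPE="crypto_LUKS") perform, so the probe is only there to make the on-disk difference visible; run it against a drive made with option 1 and one made with option 2 to see the contrast.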

6. Opening The LUKS Drive

To open the LUKS partition, run the following command. If you set up the partition with the --header option, make sure you specify it.

sudo cryptsetup open /dev/sd<letter> <name_of_mapper_location>

or

sudo cryptsetup --header </path/to/header.head> open /dev/sd<letter> <name_of_mapper_location>

Once the command succeeds, the decrypted device is mapped to /dev/mapper/<name_of_mapper_location>.

7. Mounting the drive

Since we need to mount the mapper device somewhere, first create a mount point:

sudo mkdir -p /mnt/luks_decrypted

In this case, I named the mountpoint something unique. Change it to a name that suits your needs. Then to mount, we run:

sudo mount /dev/mapper/<name_of_mapper_location> /mnt/luks_decrypted

This command will likely throw out a bad superblock error because there's no filesystem present on it. Let's add it now.

8. Making The Filesystem On The Drive

Before we can put data on our partition, we need to make a filesystem for it so that it can store our data. There are many different filesystems that you can choose from. I'd personally use ext4 because I don't know if btrfs would work for this, but I haven't bothered to actually try out btrfs. I know there's something potentially cool going on there though.

If you want an ext4 filesystem, run the following command to create one on the opened partition:

sudo mkfs.ext4 /dev/mapper/<name_of_mapper_location>

Now that the filesystem is created, you can use sudo to make directories on the partition, copy files, add new files, remove files, and read files. Lower in the blog, I explain how to change this so you don't need sudo to modify the drive.

Something very useful for the GUI people: if you want to modify your encrypted partition with something like Thunar, mount it under /media/<Your_Host_name>/ and the drive should hopefully appear there. Keep in mind that until you've made the changes that let you modify the decrypted drive without sudo, you'll need to run the GUI file manager with sudo permissions.

9. Closing The LUKS Partition

To Close the LUKS partition, begin by unmounting the mountpoint that was created earlier using the following command:

sudo umount /mnt/<Your_mount_point>

Then running:

sudo cryptsetup close <Name_of_drive_from /dev/mapper>

You can finally check that the partition is no longer exposed to your system by running lsblk again. Keep in mind that the data on the physical media stays encrypted the entire time; it is only decrypted in the Linux desktop's view through the mapper device. So if you need to yank the USB and your media is removable, as long as you're not writing to it, you're good.
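Sections 5.2 through 9 are one procedure, so here it is as a single script. This is an added example, not code from the original post: it wipes the device with shred, formats it as LUKS2 with a detached header (option 2), opens it, creates the ext4 filesystem, mounts it, and has a matching close routine. The check_target function stands in for the "unplug it and run lsblk again" step: it refuses any device that is not a removable whole disk, or that has something mounted from it, so a mistyped letter cannot point the wipe at the host disk. DRY_RUN, SYSFS_BLOCK and MOUNTS_FILE are assumptions of this script (DRY_RUN=1 prints the commands instead of running them; the other two exist so the check can be exercised against a constructed fake tree).

```shell
#!/bin/sh
# Added example (not from the original post): the section 5-9 procedure
# as one script, with a pre-flight check on the target device.
# Run as root on a real system; DRY_RUN=1 only prints the commands.

SYSFS_BLOCK=${SYSFS_BLOCK:-/sys/block}
MOUNTS_FILE=${MOUNTS_FILE:-/proc/self/mounts}

# Print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# check_target /dev/sdX: succeed only for a removable whole-disk device
# with nothing mounted from it or from any of its partitions.
check_target() {
    dev=$1
    name=${dev#/dev/}
    if [ ! -f "$SYSFS_BLOCK/$name/removable" ]; then
        echo "refusing $dev: not a whole-disk device" >&2
        return 1
    fi
    if [ "$(cat "$SYSFS_BLOCK/$name/removable")" != 1 ]; then
        echo "refusing $dev: not a removable device" >&2
        return 1
    fi
    if grep -q "^$dev" "$MOUNTS_FILE"; then
        echo "refusing $dev: something is mounted from it" >&2
        return 1
    fi
    return 0
}

# setup_luks DEV HEADER MAPPER MOUNTPOINT
setup_luks() {
    dev=$1; header=$2; mapper=$3; mnt=$4
    check_target "$dev" || return 1
    # 5.2: overwrite the whole device so old data and the container size are hidden
    run shred -vn 1 "$dev" || return 1
    # 5.4: LUKS2 container with the header kept in a separate file
    run cryptsetup luksFormat --type luks2 --header "$header" "$dev" || return 1
    # 6: open it; the header must be given again every time
    run cryptsetup open --header "$header" "$dev" "$mapper" || return 1
    # 8 then 7: filesystem first, then mount the mapper device
    run mkfs.ext4 "/dev/mapper/$mapper" || return 1
    run mkdir -p "$mnt" || return 1
    run mount "/dev/mapper/$mapper" "$mnt" || return 1
    echo "opened $dev as /dev/mapper/$mapper on $mnt; back up $header now"
}

# close_luks MAPPER MOUNTPOINT: section 9, unmount then close
close_luks() {
    run umount "$2" || return 1
    run cryptsetup close "$1"
}

# Usage: sh luks_usb.sh /dev/sdX /root/usb.head usbcrypt /mnt/luks_decrypted
if [ $# -eq 4 ]; then
    setup_luks "$@"
fi
```

Try it first with DRY_RUN=1 to read the exact commands it would issue for your device; the mounted-from check is deliberately strict, so a USB that the desktop auto-mounted has to be unmounted before the script will touch it.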

10. Letting Non-Root Users Modify The LUKS Partition

I found that you can make the directory writable by your normal user if you don't want to use sudo to write to it. The link is:

https://security.stackexchange.com/questions/115326/access-to-mounted-luks-partition-by-non-root-user

The short and sweet of this is to run the following command:

sudo chmod 770 /Your/Folder/Path
sudo chown <USER>:<GROUP> /Your/Folder/Path

chmod 770 lets the owner and group read, write and execute files on the mount, and chown sets the owner to your current user. With this you should be able to transfer files like you normally would. The same thing can be applied to the /media folder for access with a GUI file manager. If the permission change doesn't seem to work, try mounting the partition inside your home folder; it might change things.

If you followed all of the steps, you should now have an encrypted drive that you can store your awesome hacker cat pictures, link lists, and passwords on without the fear that any random person can mug you for your USB and ruin your life! Congrats! You'll still have to worry about the whole mugging part, but that's a problem for another day, right?

For all intents and purposes, the blog ends here if all you wanted to do was encrypt a USB. I will now go completely off the rails and show some more experimental things with dd, GPG, and losetup, after which I'll shout out an experimental piece of software I learned about that mimics VeraCrypt and which you should experiment with yourself.

11. Expanding on the Silliness with DD and GPG

Remember how I said the forensic investigator could pull the dd special on an improperly configured drive? If you didn't know, you can actually mount .dd image files as if they were physical partitions using a loopback device. So let's try to reverse the dd special on the investigator. If the .dd image is encrypted with a block-based encryption tool like, let's say... LUKS! Then we can also layer standard file-based encryption, such as ECC or RSA with GPG, on top of the .dd file for double encryption and then manually strip out the GPG header. Why do this? Practically, I have no clue, other than for the pursuit of learning and because I can use it as an excuse for practice when I make the GPG blog post. It is important to note that plausibly deniable options are not the best for the security of your data given the options currently available.

For the purposes of this post, I'm just going to stick with symmetric encryption. It's the easiest way to demonstrate this!

11.1. DD To Image a drive or partition

I have basically already shown this command off before, but to copy every byte from your drive to a file that can be moved around, you can run the following command:

Warning! Make Sure You Have Sufficient Space In The Destination Location To Hold The Size Of The Drive You're Copying!

sudo dd if=/dev/<your_drive_or_partition> of=</path/to/where/you/want.dd>

If you want to see the progress of the transfer, you can append the "status=progress" without the quotes to the end of the previous command to show the status of the transfer!

Now you can put this .dd file anywhere you want! This method can additionally be used to serve as a way to do cloud backups on random services now that I think about it (I do not recommend this, LUKS may one day be broken conventionally by the public, keep your backups of sensitive data offline!), if you don't have a service that can be used to store these files in their original size, you can always use the split command and specify the size you need, small tangent.

11.2. Mounting The DD Image as a Loopback Device

So you just got a .dd image, either it's from someone else or you just made it yourself. Let's try to mount it.

There is a handy command which allows you to attach a .dd image as a loopback device. The program to do this is called losetup. I think it's pronounced lo-setup, like loopback setup, and not lose tup; my brain decided to learn it as lose tup and now I can never remember this command when I need it!

The command to attach the .dd file as a loopback device is:

sudo losetup -f --show <your_disk_dump.dd>

-f or --find picks the next free loop device and attaches the file to it.

--show prints the name of the loopback device that was just set up.

You will now need to decrypt the new loopback device that you just created, this can be done by running the following command:

sudo cryptsetup open /dev/<your_loopback_device> <mapper_point>

or

sudo cryptsetup --header <your/header/location> open /dev/<your_loopback_device> <mapper_point>

With this, you should be able to use lsblk to see the new decrypted device and mount it. If you don't decrypt the loopback device first, mount will complain about a bad superblock and fail. Also, if you are using this for forensic purposes for some reason, you can use the -r or --read-only parameter of losetup to make the loopback device read-only. I haven't really tested it, but give it a try and see what happens!

You will now want to mount the decrypted device:

sudo mount /dev/mapper/<mapper_point> /<your_mountpoint>

If the image was not encrypted, you can mount /dev/<your_loopback_device> directly instead; if it contains an encrypted partition, open it with cryptsetup like before and mount the mapper device.

Finally, if you want to detach the loopback device, first unmount the partition with umount as described above (but it's far up the page and I'd be lazy enough not to scroll, so):

sudo umount /mnt/<loopback_mountpoint>

then run the losetup command again with the -d parameter, specifying the loopback device you want to detach:

sudo losetup -d <loop_device>

and you're home free!

11.3. Encrypting the DD file with Symmetric Encryption

Now I'll talk about how we can encrypt the .dd file with something like GPG symmetric encryption, to style on the forensic investigator after they're already cowering in the corner filling the room with tears.

Obviously, this should probably not be used as a viable method to hide a partition. But ignoring that (because we're cool): using symmetric GPG is fundamentally insecure, and 4096-bit keys should be used instead, but the command for symmetric encryption is pretty simple. It's just:

gpg -c <Your_Funny_.dd_monstrosity>

This will probably take a bit of time to spit out the full encrypted file.

To decrypt it, you need to then run:

gpg <Your_Funny_.dd_monstrosity.gpg>	    

you will then be prompted to enter your password to decrypt the file.

12. Conclusion

I hope this helped someone get an encrypted USB set up somewhere and you enjoyed reading this as much as I enjoyed writing it (population: 0! My style is kind of boring, I'm working on it.. Not really though.) If you've lurked on this blog more than once, you probably noticed that I added a table of contents to this blog post. Would you believe me if I told you it was generated entirely using Vim in about 10 keystrokes? No? Well I'm only half-lying, but it's what I'll be discussing next. What I've added to my vimrc has increased the ease of writing HTML by a ton. This in combination with something like Hugo or a different site generator would be magic.

13. Additional Software of Interest

If you're into that whole "plausible deniability" thing, then I found an up-and-coming prototype called shufflecake. I recommend reading the entire first web page, it's quite funny.

From the minimal amount of reading I did, this software seems to be VeraCrypt with a fresh coat of paint. Keep in mind it's still in development, but it could be cool to learn about just for the thrill of it. I might even try to demo it at a later point in time.

So go forth, random human or crawler bot! (I managed to get on DuckDuckGo before Google somehow, ducks for them I guess!) Take this knowledge and do something cool with it.

until next time.