Linux Examples: dm-crypt
Linux Examples: dm-crypt
This section gives a series of examples of how to create Linux dm-crypt volumes, and then mount them using FreeOTFE Explorer.
These examples have been tested using Fedora Core 3, with a v2.6.11.7 kernel installed; though they should work for all compatible Linux distributions.
- Initial Setup
- Defaults
- Example #1: Mounting a dm-crypt Volume Encrypted Using dm-crypt's Default Encryption
- Example #2: Mounting a dm-crypt Volume Encrypted Using 128 bit AES
- Example #3: Mounting a dm-crypt Volume Encrypted Using 256 bit AES, using SHA256 ESSIV
- Example #4: Mounting a dm-crypt Volume Encrypted Using 448 bit Blowfish
- Example #5: Mounting a dm-crypt Volume Encrypted Using 256 bit Twofish and Offset
- Example #6: Mounting a dm-crypt Volume Encrypted Using 256 bit AES with MD5 Password Hashing
- Example #7: Mounting a dm-crypt Volume Encrypted Using 448 bit Blowfish, MD5 Password Hashing and SHA-256 ESSIV
- Example #8: Mounting a dm-crypt Volume Encrypted Using AES-256 in XTS Mode (aka XTS-AES-256)
Initial Setup
To begin using dm-crypt under Linux, ensure that the various kernel modules are installed:
modprobe cryptoloop
modprobe deflate
modprobe zlib_deflate
modprobe twofish
modprobe serpent
modprobe aes_i586
modprobe blowfish
modprobe des
modprobe sha256
modprobe sha512
modprobe crypto_null
modprobe md5
modprobe md4
modprobe cast5
modprobe cast6
modprobe arc4
modprobe khazad
modprobe anubis
modprobe dm_mod (this should give you dm_snapshot, dm_zero and dm_mirror?)
modprobe dm_crypt
At this point, typing "dmsetup targets" should give you something along the lines of:
crypt v1.0.0 striped v1.0.1 linear v1.0.1 error v1.0.1Typing "lsmod" will show you which modules are currently installed.
Defaults
If not overridden by the user, dm-crypt defaults to encrypting with:
| Cypher: | AES |
|---|---|
| Cypher keysize: | 256 bit |
| User key processed with: | RIPEMD-160 (not "RIPEMD-160 (Linux; Twice, with A)"). "Hash with "A"s, if hash output is too short" option - selected |
| IV generation: | 32 bit sector ID |
Example #1: Mounting a dm-crypt Volume Encrypted Using dm-crypt's Default Encryption
This example demonstrates use of a dm-crypt volume using the dm-crypt's default encryption system: AES128 with the user's password hashed with RIPEMD160, using the 32 bit sector IDs as encryption IVsCreating the volume file under Linux:
Mounting the volume under FreeOTFE Explorer:dd if=/dev/zero of=./volumes/vol_default.vol bs=1K count=100 losetup /dev/loop0 ./volumes/vol_default.vol echo password1234567890ABC | cryptsetup create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "RIPEMD-160 (160/512)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
- "Encryption" tab:
- Select the "AES (CBC; 256/128)" cypher
- Select "32 bit sector ID" as the IV generation method
- Set "Sector zero location" to "Start of encrypted data"
- "File options" tab:
- Leave offset at 0
- Leave sizelimit at 0
- "Mount options" tab:
- Select any unused drive letter
- Leave readonly unchecked
- Click the "OK" button
Example #2: Mounting a dm-crypt Volume Encrypted Using 128 bit AES
This example demonstrates use of a dm-crypt AES128 volume.Creating the volume file under Linux:
Mounting the volume under FreeOTFE Explorer:dd if=/dev/zero of=./volumes/vol_aes128.vol bs=1K count=100 losetup /dev/loop0 ./volumes/vol_aes128.vol echo password1234567890ABC | cryptsetup -c aes -s 128 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "RIPEMD-160 (160/512)" hash.
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
- "Encryption" tab:
- Select the "AES (CBC; 128/128)" cypher
- Select "32 bit sector ID" as the IV generation method
- Set "Sector zero location" to "Start of encrypted data"
- "File options" tab:
- Leave offset at 0
- Leave sizelimit at 0
- "Mount options" tab:
- Select any unused drive letter
- Leave readonly unchecked
- Click the "OK" button
Example #3: Mounting a dm-crypt Volume Encrypted Using 256 bit AES, using SHA256 ESSIV
This example demonstrates use of a dm-crypt AES256 volume using SHA-256 ESSIV sector IVs.Creating the volume file under Linux:
Mounting the volume under FreeOTFE Explorer:dd if=/dev/zero of=./volumes/vol_aes_essiv_sha256.vol bs=1K count=100 losetup /dev/loop0 ./volumes/vol_aes_essiv_sha256.vol echo password1234567890ABC | cryptsetup -c aes-cbc-essiv:sha256 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "RIPEMD-160 (160/512)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
- "Encryption" tab:
- Select the "AES (CBC; 256/128)" cypher
- Select "ESSIV" as the IV generation method
- Set "Sector zero location" to "Start of encrypted data"
- Select "SHA-256 (256/512)" as the IV hash
- Select "AES (CBC; 256/128)" as the IV cypher
- "File options" tab:
- Leave offset at 0
- Leave sizelimit at 0
- "Mount options" tab:
- Select any unused drive letter
- Leave readonly unchecked
- Click the "OK" button
Example #4: Mounting a dm-crypt Volume Encrypted Using 448 bit Blowfish
This example demonstrates use of a dm-crypt Blowfish 448 volume.Creating the volume file under Linux:
Mounting the volume under FreeOTFE Explorer:dd if=/dev/zero of=./volumes/vol_blowfish_448.vol bs=1K count=100 losetup /dev/loop0 ./volumes/vol_blowfish_448.vol echo password1234567890ABC | cryptsetup -c blowfish -s 448 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "RIPEMD-160 (160/512)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
- "Encryption" tab:
- Select the "Blowfish (CBC; 448/64)" cypher
- Select "32 bit sector ID" as the IV generation method
- Set "Sector zero location" to "Start of encrypted data"
- "File options" tab:
- Leave offset at 0
- Leave sizelimit at 0
- "Mount options" tab:
- Select any unused drive letter
- Leave readonly unchecked
- Click the "OK" button
Example #5: Mounting a dm-crypt Volume Encrypted Using 256 bit Twofish and Offset
This example demonstrates use of a dm-crypt Twofish 256 volume, with the encrypted volume beginning at an offset of 3 sectors (3 x 512 = 1536 bytes) into the volume file.Creating the volume file under Linux:
Mounting the volume under FreeOTFE Explorer:dd if=/dev/zero of=./volumes/vol_twofish_o3.vol bs=1K count=100 losetup /dev/loop0 ./volumes/vol_twofish_o3.vol echo password1234567890ABC | cryptsetup -c twofish -o 3 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "RIPEMD-160 (160/512)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
- "Encryption" tab:
- Select the "Twofish (CBC; 256/128)" cypher
- Select "32 bit sector ID" as the IV generation method
- Set "Sector zero location" to "Start of encrypted data"
- "File options" tab:
- Set offset to 1536 bytes (i.e. 3 sectors, each of 512 bytes)
- Leave sizelimit at 0
- "Mount options" tab:
- Select any unused drive letter
- Leave readonly unchecked
- Click the "OK" button
Example #6: Mounting a dm-crypt Volume Encrypted Using 256 bit AES with MD5 Password Hashing
This example demonstrates use of a dm-crypt Twofish 256 volume, with the user's password processed with MD5.Creating the volume file under Linux:
Mounting the volume under FreeOTFE Explorer:dd if=/dev/zero of=./volumes/vol_aes_md5.vol bs=1K count=100 losetup /dev/loop0 ./volumes/vol_aes_md5.vol echo password1234567890ABC | cryptsetup -c aes -h md5 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "MD5 (128/512)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
- "Encryption" tab:
- Select the "AES (CBC; 256/128)" cypher
- Select "32 bit sector ID" as the IV generation method
- Set "Sector zero location" to "Start of encrypted data"
- "File options" tab:
- Leave offset at 0
- Leave sizelimit at 0
- "Mount options" tab:
- Select any unused drive letter
- Leave readonly unchecked
- Click the "OK" button
Example #7: Mounting a dm-crypt Volume Encrypted Using 448 bit Blowfish, MD5 Password Hashing and SHA-256 ESSIV
This example demonstrates use of a dm-crypt Blowfish 448 volume, with the user's password processed with MD5 and ESSIV using SHA-256.Note that although the main cypher is Blowfish 448, Blowfish 256 is used as the IV cypher as the IV hash outputs 256 bytes
Creating the volume file under Linux:
Mounting the volume under FreeOTFE Explorer:dd if=/dev/zero of=./volumes/vol_blowfish_448_essivsha256_md5.vol bs=1K count=100 losetup /dev/loop0 ./volumes/vol_blowfish_448_essivsha256_md5.vol echo password1234567890ABC | cryptsetup -c blowfish-cbc-essiv:sha256 -s 448 -h md5 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "MD5 (128/512)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
- "Encryption" tab:
- Select the "Blowfish (CBC; 448/64)" cypher
- Select "ESSIV" as the IV generation method
- Set "Sector zero location" to "Start of encrypted data"
- Select "SHA-256 (256/512)" as the IV hash
- Select "Blowfish (CBC; 256/64)" as the IV cypher
- "File options" tab:
- Leave offset at 0
- Leave sizelimit at 0
- "Mount options" tab:
- Select any unused drive letter
- Leave readonly unchecked
- Click the "OK" button
Example #8: Mounting a dm-crypt Volume Encrypted Using AES-256 in XTS Mode (aka XTS-AES-256)
This example demonstrates use of a dm-crypt AES-256 volume in XTS mode (aka XTS-AES-256) and using SHA-512 for hashingCreating the volume file under Linux:
Mounting the volume under FreeOTFE Explorer:dd if=/dev/zero of=./volumes/vol_aes_xts.vol bs=1K count=100 losetup /dev/loop0 ./volumes/vol_aes_xts.vol echo password1234567890ABC | cryptsetup -h sha512 -c aes-xts-plain --key-size 512 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "SHA-512 (512/1024)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
- "Encryption" tab:
- Select the "AES (256 bit XTS)" cypher
- Select "Null IV" as the IV generation method
- "File options" tab:
- Leave offset at 0
- Leave sizelimit at 0
- "Mount options" tab:
- Select any unused drive letter
- Leave readonly unchecked
- Click the "OK" button