Introduction
I have long been playing with the idea of building an encrypted minisd disk. My lappie has a card reader device, and it seems to be very convenient to use a small MiniSD card to hold keypairs and other sensitive material. But only if properly secured through proper encryption.
I wanted to setup the entire sd card for encryption on a device level. No use of encrypted container files or such.
I feared this to be very difficould, little did I know how easy this really is on the latest Ubuntu release Jaunty Jackelope.
It can be very easily setup using dm-crypt.
Preparing the system
In order to setup device level encryption a few initial steps is needed. What the system does is to inject a level of enctyption between the partion and the file system on top of it.
So firstly you need to add the needed software to the ubuntu system using the software repository:
sudo apt-get install cryptsetup
This will add the needed executables and system libraries to your system. However this will not quite cut it. Remember I mentioned the idea of injecting a layer of security between the partition and the file system?
As a consequence the system needs to load extra functionality on the kernel level to enable this functionality. Add the following three lines to the file /etc/modules:
sudo vi /etc/modulesAdd:
aesdm_moddm_cryptWhen this is done you will need to reboot your pc or manally load the kernel objects in the above order:
sudo modprobe aesRepeat this for each module.
Your basic system software should now be ready to fly.
Nuking the device
In order to be sure that no residual stuff is on the sd I decided to nuke it completely as the very first step
Note: THIS WILL FOREVER DESTROY WHAT IS ON THE TARGET DEVICE! You have been warned.sudo dd if=/dev/urandom of=/dev/mmcblk0
The card reader loads the raw device as /dev/mmcblk(n) the /dev/urandom device is a pseudo device that will generate random data. So I completely fill the card with random data.
To be even more sure stuff is deleted use /dev/random. This will take a bit longer.
Now create a new partition on the device:
sudo parted /dev/mmcblk0 mkpart primary 0 63This will create a new primary partition from mb 0 to 63. Making a total of 64 megabytes which is the capacity of the small sd.
If the above gives you problems try the graphical GUI though gparted.
This concludes the setup needed to the partition on the sd.
Setup of dm-crypt
We now need to setup the encryption on the device. I chose to create a luks device. This will create a device with "Linux unified key setup". It is a linux standard for encryption, header and data, and should *knock on wood* make it possible to use the same sd on other distros.
Create the encryption:
sudo cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/mmcblk0p1 The above will provide a reasonable level of security and can be relaxed and enforced according to your taste. Please see the manual pages.
The process will make you confirm the process by typing in "YES" in capital lettering. After this the system will prompt you for a new passcode.
When this is done take out the sd card, wait a few seconds and reinsert it. The system (gnome) will now prompt you for a passcode. Once the passcode entered above has been keyed in the system will mount a new instance in /dev/mapper/
.
For instance my device is called:
/dev/mapper/luks_crypto_e72069ca-04f2-4fd1-824b-aac25c41455b
This then concludes the setup of the encryption. Easy wasn't it?
Setting up a filesystem on your new crypt device
In order to use the new device it must have a file system. You can choose any one you like, but I felt adventurous and created a brand new ext4 device. The latest of the linux file system standard:
sudo mkfs -t ext4 /dev/mapper/luks_crypto_e72069ca-04f2-4fd1-824b-aac25c41455b
Sync the filesystem to the disk:
sync
Eject and re-insert your sd a final time, and you will now see Gnome popping up a file manager listing the contents of your new drive.
Now all you need is to create a folder where your non-root user has read and write access.
The drive mounts in /media/disk
