Disk encryption: an example with Loop-AES

This post’s topic is exactly the same as a speech that I did at the MOCA 2008. I enjoy using encrypted disks from several years and I think it is a topic worth writing about. The first part of this post will be an introduction about disk encryption in general; an overview about a particular setup for laptops’ hard disks will follow.

Why you should bother about encrypting your disks? The exact goal here is to protect the confidentiality of your data when it is not being used. This means that you should not worry about other people accessing your files if your laptop is stolen, or if you lose a CD-ROM or a USB memory key. On the other hand, if an opponent accesses your encrypted disks while you’re using them disk encryption will be bypassed. Also, disk encryption alone doesn’t grant data integrity and availability.

So, is it worth to spend time and effort into encrypting your disks after all? As usual, when taking decisions about security, you have to make a trade-off: if you encrypt your disks you’re not likely to put at danger 25 million people’s personal data just by losing a CD-ROM, for example. Nowadays we can store a lot of data in very little space: think about CD-ROMs, USB memory keys… even laptops keep getting smaller. The smaller the storage device, the easier is to lose it or to have it stolen.

I am going to describe my laptop’s disk encryption setup as a practical example of what disk encryption involves. My laptop runs Linux (Arch Linux, to be precise) and it has only one hard disk. To implement disk encryption I’ve used Loop-AES; it was the best choice for the setup I wanted to do and I think this still holds true. Loop-AES has a very well made README: everything I will describe can be seen there in detail, command by command and updated to the last Loop-AES version. For this very reason my description won’t be detailed: if you want to do this setup, or one of the others described in the Loop-AES README, check it out; if you’re Italian you may also want to look at the translation of the README’s sections that involve this particular setup.

In general, when encrypting a disk the more data you encrypt the better it is. Most of Linux full disk encryption setup that I found on the Internet are not really full. They leave out the /boot partition because the boot loader, be it LILO or Grub, is not able to boot the system using a kernel from an encrypted /boot partition. Keeping your /boot partition unencrypted makes it relatively easy for it to be tampered with and this could have bad consequences for the rest of the encrypted disk too. Even if I said before that disk encryption does not assure data’s integrity I think that it is better to avoid leaving /boot unencrypted. Being this paranoid, I’m not even going to consider encryption schemes that involves only home directories for the same reason and, moreover, because sensitive data can be written on other disk places as well: think of /var or /tmp as examples.

My setup involves two partitions on the hard disk: the root and the swap partition, both encrypted using the AES cipher with 256 bit keys. I assume that the target system has a working Linux installation with that partition scheme.

The first step is to install Loop-AES itself. Loop-AES has a kernel space part, which just replaces the standard kernel module for loopback devices management, loop.ko. The user space tools required to use Loop-AES are modified versions of some util-linux programs: mount, umount, swapon, swapoff and losetup. In order to realize the full disk encryption with a boot CD-ROM, diet-libc and statically compiled versions of GPG, and AESpipe are also needed. The latter is an utility downloadable from the Loop-AES website that can encrypt the data that it reads from the standard input.

The swap partition is simply encrypted with a random key generated at every computer’s boot. After having installed Loop-AES this means just a little modification on /etc/fstab. Using a random encryption key at every boot means that that at every reboot the data previously written on the swap partition is lost. This is not a problem for me because I don’t use suspend-to-disk.

The root partition setup instead is more articulated: the unencrypted /boot partition resides on a CD-ROM that I bring along with me even when I don’t have my laptop at hand.

To create the boot CD-ROM you need to have a kernel with some custom options set : as example, you don’t want to compile the loopback device driver on it, neither built-in nor as module, because Loop-AES replaces it. Then you will need a key file, created with GPG; Loop-AES will use your password to unlock this key file and the 65 keys that are on it to encrypt the disk; this implies that an opponent without the keyfile (that is on the boot CD-ROM) will have to crack all the 65 keys to get your data. An initial RAM-disk is also needed: in the Loop-AES distribution there is a script that creates it accordingly with a configuration specified by you. Last, to have your boot CD-ROM working, you will need to put a boot loader on it: the README suggests using ISOLINUX that indeed works very well (I had fun customizing its startup picture).

The last step is to encrypt the data of your root partition. In order to do this you need to reboot your system with a Live-CD or something alike, modify the /etc/fstab root partition entry and use the AESpipe utility to actually encrypt your disk’s content. This will take quite some time (at least it did on my old laptop), but after this your work is really done!

2 Comments

  1. Thanassis

    Well, loop-AES is no longer supported in Arch (they removed support for it from util-linux-ng in revision 71260 of the main trunk). If you want to be able to mount your loop AES partitions/DVDs/etc with the mainline kernel, read the instructions I wrote here: http://bugs.archlinux.org/task/18619

Leave a Reply