Linux Examples: LUKS

This section gives a series of examples of how to create Linux LUKS volumes, and then mount them using FreeOTFE.
These examples have been tested on Ubuntu Jaunty 9.04 and SuSE 10.3, 11.0 and 11.1 using cryptsetup LUKS, though they should work on all compatible Linux distributions.

Note: The executable name in the following examples is cryptsetup-luks; most systems use cryptsetup.

Initial Setup

To begin using LUKS under Linux, ensure that the various kernel modules are loaded:

    modprobe cryptoloop

    modprobe aes
    modprobe anubis
    modprobe arc4
    modprobe blkcipher
    modprobe blowfish
    modprobe cast5
    modprobe cast6
    modprobe cbc
    modprobe crc32c
    modprobe crypto_algapi
    modprobe crypto_hash
    modprobe cryptomgr
    modprobe crypto_null
    modprobe deflate
    modprobe des
    modprobe ecb
    modprobe gf128mul
    modprobe hmac
    modprobe khazad
    modprobe lrw
    modprobe md4
    modprobe md5
    modprobe michael_mic
    modprobe serpent
    modprobe sha1
    modprobe sha256
    modprobe sha512
    modprobe tea
    modprobe tgr192
    modprobe twofish_common
    modprobe twofish
    modprobe wp512
    modprobe xcbc

    # dm_mod should give you dm_snapshot, dm_zero and dm_mirror?
    modprobe dm_mod
    modprobe dm_crypt

At this point, typing

    dmsetup targets

should give you something along the lines of:

    crypt            v1.0.0
    striped          v1.0.1
    linear           v1.0.1
    error            v1.0.1

Typing

    lsmod

will show you which modules are currently loaded.

Defaults: If not overridden by the user, LUKS defaults to encrypting with:

Cipher: AES
Cipher keysize: 128 bit
Cipher mode: cbc-plain
Hash: SHA-1
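
These parameters are stored in plain text in the volume's LUKS header, so they can be checked on the volume file itself before it is handed to FreeOTFE. The following is an added example, not part of the original documentation: it assumes the LUKS1 on-disk header layout, and the function names and the sample header it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the cipher parameters from a LUKS1 on-disk header.
# LUKS1 header layout (big-endian): magic[6] version[2] cipher-name[32]
# cipher-mode[32] hash-spec[32] payload-offset[4] key-bytes[4] ...

# Print the NUL-padded text field of $3 bytes at byte offset $2 of file $1.
luks_str() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# Print the big-endian unsigned 32-bit integer at byte offset $2 of file $1.
luks_u32() {
    set -- $(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -v -tu1)
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print one summary line for the volume file $1, or fail if it is not LUKS1.
luks1_info() {
    magic=$(dd if="$1" bs=1 count=8 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe0001" ] || { echo "$1: no LUKS1 header" >&2; return 1; }
    keybytes=$(luks_u32 "$1" 108) || return 1
    offset=$(luks_u32 "$1" 104) || return 1
    echo "cipher=$(luks_str "$1" 8 32) mode=$(luks_str "$1" 40 32)" \
         "hash=$(luks_str "$1" 72 32) keybits=$((keybytes * 8)) payload_sector=$offset"
}

# Write $1 followed by NUL padding up to $2 bytes.
pad() {
    printf '%s' "$1"
    dd if=/dev/zero bs=1 count=$(( $2 - ${#1} )) 2>/dev/null
}

# Constructed sample: first 112 header bytes with the defaults listed above.
make_sample() {
    {
        printf 'LUKS\272\276\000\001'          # magic + version 1
        pad aes 32; pad cbc-plain 32; pad sha1 32
        printf '\000\000\004\010'              # payload-offset = 1032 (constructed)
        printf '\000\000\000\020'              # key-bytes = 16
    } > "$1"
}

sample=$(mktemp)
make_sample "$sample"
luks1_info "$sample"
rm -f "$sample"
```

Running `luks1_info ./volumes/vol_aes_256.vol` after Example #2 should report keybits=256. Newer cryptsetup releases use different defaults from those listed here, so read the header rather than assuming them.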

Check loop devices

Make sure you have enough devices available. You can check how many you have by doing:

    ls -d1 /dev/loop* | wc -l

Creating extra loop device entries

An easy way to create more (for example, 128) is:

    for i in $(seq 0 127); do
       # -e rather than -f: device nodes are not regular files
       if [ ! -e /dev/loop$i ] ; then
          # block device, major 7 (loop), minor $i
          mknod -m0660 /dev/loop$i b 7 $i
          chown root:disk /dev/loop$i
       fi
    done

You can have up to 256 loop devices.

Example #1: Mounting a LUKS Volume Using LUKS's Default Encryption

This example demonstrates use of a LUKS volume using LUKS's default encryption system: AES128 with the user's password hashed with SHA1, using 32 bit sector IDs as encryption IVs.

Creating the volume file under Linux

    dd if=/dev/zero of=./volumes/vol_default.vol bs=1M count=1
    losetup /dev/loop0 ./volumes/vol_default.vol
    echo password1234567890ABC | cryptsetup-luks luksFormat /dev/loop0
    cryptsetup-luks luksDump /dev/loop0
    echo password1234567890ABC | cryptsetup-luks luksOpen /dev/loop0 myMapper
    dmsetup ls
    dmsetup table
    dmsetup status
    cryptsetup-luks status myMapper
    losetup /dev/loop1 /dev/mapper/myMapper
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup-luks luksClose myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE

  1. Select "Linux | Mount..."
  2. Select the volume file
  3. In the dialog shown, enter "password1234567890ABC" as the key, and set any of the options wanted.
  4. Click the "OK" button

Example #2: Mounting a LUKS Volume Using 256 bit AES Encryption

This example demonstrates use of a LUKS AES256 volume.

Creating the volume file under Linux

    dd if=/dev/zero of=./volumes/vol_aes_256.vol bs=1M count=1
    losetup /dev/loop0 ./volumes/vol_aes_256.vol
    echo password1234567890ABC | cryptsetup-luks -c aes -s 256 luksFormat /dev/loop0
    cryptsetup-luks luksDump /dev/loop0
    echo password1234567890ABC | cryptsetup-luks luksOpen /dev/loop0 myMapper
    dmsetup ls
    dmsetup table
    dmsetup status
    cryptsetup-luks status myMapper
    losetup /dev/loop1 /dev/mapper/myMapper
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup-luks luksClose myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE

  1. Select "Linux | Mount..."
  2. Select the losetup volume file
  3. In the dialog shown, enter "password1234567890ABC" as the key, and set any of the options wanted.
  4. Click the "OK" button

Example #3: Mounting a LUKS Volume Using 128 bit Twofish Encryption

This example demonstrates use of a LUKS Twofish 128 volume.

Creating the volume file under Linux

    dd if=/dev/zero of=./volumes/vol_twofish.vol bs=1M count=1
    losetup /dev/loop0 ./volumes/vol_twofish.vol
    echo password1234567890ABC | cryptsetup-luks -c twofish luksFormat /dev/loop0
    cryptsetup-luks luksDump /dev/loop0 
    echo password1234567890ABC | cryptsetup-luks luksOpen /dev/loop0 myMapper
    dmsetup ls
    dmsetup table
    dmsetup status
    cryptsetup-luks status myMapper
    losetup /dev/loop1 /dev/mapper/myMapper
    #cat ./test_files/2MB_Z.dat > /dev/loop1
    #cat ./test_files/2MB_0x00.dat > /dev/loop1
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup-luks luksClose myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE

  1. Select "Linux | Mount..."
  2. Select the losetup volume file
  3. In the dialog shown, enter "password1234567890ABC" as the key, and set any of the options wanted.
  4. Click the "OK" button


The original document can be found at http://ccf-it.de/tiki-5.0/tiki-index.php?page=DiskEncryption