Linux Examples: dm-crypt

LibreCrypt: Open-Source disk encryption for Windows

Linux Examples: dm-crypt

This section gives a series of examples of how to create Linux dm-crypt containers, and then open them using LibreCrypt.

These examples have been tested using Fedora Core 3, with a v2.6.11.7 kernel installed; though they should work for all compatible Linux distributions.

Initial Setup
Defaults
Example #1: Opening a dm-crypt Container Encrypted Using dm-crypt's Default Encryption
Example #2: Opening a dm-crypt Container Encrypted Using 128 bit AES
Example #3: Opening a dm-crypt Container Encrypted Using 256 bit AES, using SHA256 ESSIV
Example #4: Opening a dm-crypt Container Encrypted Using 448 bit Blowfish
Example #5: Opening a dm-crypt Container Encrypted Using 256 bit Twofish and Offset
Example #6: Opening a dm-crypt Container Encrypted Using 256 bit AES with MD5 Password Hashing
Example #7: Opening a dm-crypt Container Encrypted Using 448 bit Blowfish, MD5 Password Hashing and SHA-256 ESSIV
Example #8: Opening a dm-crypt Container Encrypted Using AES-256 in XTS Mode (aka XTS-AES-256)

Initial Setup

To begin using dm-crypt under Linux, ensure that the various kernel modules are installed:

modprobe cryptoloop

modprobe deflate
modprobe zlib_deflate
modprobe twofish
modprobe serpent
modprobe aes_i586
modprobe blowfish
modprobe des
modprobe sha256
modprobe sha512
modprobe crypto_null
modprobe md5
modprobe md4
modprobe cast5
modprobe cast6
modprobe arc4
modprobe khazad
modprobe anubis

modprobe dm_mod **(this should give you dm_snapshot, dm_zero and dm_mirror?)**
modprobe dm_crypt

At this point, typing "dmsetup targets" should give you something along the lines of:

crypt            v1.0.0
striped          v1.0.1
linear           v1.0.1
error            v1.0.1

Typing "lsmod" will show you which modules are currently installed.

Defaults

If not overridden by the user, dm-crypt defaults to encrypting with:

Cypher: AES

Cypher keysize: 256 bit

User key processed with: RIPEMD-160 (not "RIPEMD-160 (Linux; Twice, with A)"). "Hash with "A"s, if hash output is too short" option - selected

IV generation: 32 bit sector ID

Cypher:	AES
Cypher keysize:	256 bit
User key processed with:	RIPEMD-160 (not "RIPEMD-160 (Linux; Twice, with A)"). "Hash with "A"s, if hash output is too short" option - selected
IV generation:	32 bit sector ID

Example #1: Opening a dm-crypt Container Encrypted Using dm-crypt's Default Encryption

This example demonstrates use of a dm-crypt container using the dm-crypt's default encryption system: AES128 with the user's password hashed with RIPEMD160, using the 32 bit sector IDs as encryption IVs

Creating the container file under Linux:

dd if=/dev/zero of=./containers/vol_default.vol bs=1K count=100
losetup /dev/loop0 ./containers/vol_default.vol
echo password1234567890ABC | cryptsetup create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper 
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint

Opening the container under LibreCrypt:

Select "Linux | Open..."
Select the container file
"Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "RIPEMD-160 (160/512)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0

"Encryption" tab:

* Select the "AES (CBC; 256/128)" cypher
* Select "32 bit sector ID" as the IV generation method* Set "Sector zero location" to "Start of encrypted data"

"File options" tab:

* Leave offset at 0
* Leave sizelimit at 0

"Open options" tab:
- Select any unused drive letter
- Leave readonly unchecked
Click the "OK" button

Example #2: Opening a dm-crypt Container Encrypted Using 128 bit AES

This example demonstrates use of a dm-crypt AES128 container.

Creating the container file under Linux:

dd if=/dev/zero of=./containers/vol_aes128.vol bs=1K count=100
losetup /dev/loop0 ./containers/vol_aes128.vol
echo password1234567890ABC | cryptsetup  -c aes -s 128 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper 
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint

Opening the container under LibreCrypt:

Select "Linux | Open..."
Select the container file
"Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "RIPEMD-160 (160/512)" hash.
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
"Encryption" tab:
- Select the "AES (CBC; 128/128)" cypher
- Select "32 bit sector ID" as the IV generation method* Set "Sector zero location" to "Start of encrypted data"
"File options" tab:
- Leave offset at 0
- Leave sizelimit at 0
"Open options" tab:
- Select any unused drive letter
- Leave readonly unchecked
Click the "OK" button

Example #3: Opening a dm-crypt Container Encrypted Using 256 bit AES, using SHA256 ESSIV

This example demonstrates use of a dm-crypt AES256 container using SHA-256 ESSIV sector IVs.

Creating the container file under Linux:

dd if=/dev/zero of=./containers/vol_aes_essiv_sha256.vol bs=1K count=100
losetup /dev/loop0 ./containers/vol_aes_essiv_sha256.vol
echo password1234567890ABC | cryptsetup  -c aes-cbc-essiv:sha256 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper 
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint

Opening the container under LibreCrypt:

Select "Linux | Open..."
Select the container file
"Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "RIPEMD-160 (160/512)" hash
```
* Ensure "Hash with "A"s, if hash output is too short" is checked.
```
- Leave iteration count at 0
"Encryption" tab:
- Select the "AES (CBC; 256/128)" cypher
- Select "ESSIV" as the IV generation method
- Set "Sector zero location" to "Start of encrypted data"
- Select "SHA-256 (256/512)" as the IV hash
- Select "AES (CBC; 256/128)" as the IV cypher
"File options" tab:
- Leave offset at 0
- Leave sizelimit at 0
"Open options" tab:
- Select any unused drive letter
- Leave readonly unchecked
Click the "OK" button

Example #4: Opening a dm-crypt Container Encrypted Using 448 bit Blowfish

This example demonstrates use of a dm-crypt Blowfish 448 container.

Creating the container file under Linux:

dd if=/dev/zero of=./containers/vol_blowfish_448.vol bs=1K count=100
losetup /dev/loop0 ./containers/vol_blowfish_448.vol
echo password1234567890ABC | cryptsetup -c blowfish -s 448 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper 
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint

Opening the container under LibreCrypt:

Select "Linux | Open..."
Select the container file
"Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "RIPEMD-160 (160/512)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
"Encryption" tab:
- Select the "Blowfish (CBC; 448/64)" cypher
- Select "32 bit sector ID" as the IV generation method* Set "Sector zero location" to "Start of encrypted data"
"File options" tab:
- Leave offset at 0
- Leave sizelimit at 0
"Open options" tab:
- Select any unused drive letter
- Leave readonly unchecked
Click the "OK" button

Example #5: Opening a dm-crypt Container Encrypted Using 256 bit Twofish and Offset

This example demonstrates use of a dm-crypt Twofish 256 container, with the encrypted container beginning at an offset of 3 sectors (3 x 512 = 1536 bytes) into the container file.

Creating the container file under Linux:

dd if=/dev/zero of=./containers/vol_twofish_o3.vol bs=1K count=100
losetup /dev/loop0 ./containers/vol_twofish_o3.vol
echo password1234567890ABC | cryptsetup -c twofish -o 3 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper 
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint

Opening the container under LibreCrypt:

Select "Linux | Open..."
Select the container file
"Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "RIPEMD-160 (160/512)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
"Encryption" tab:
- Select the "Twofish (CBC; 256/128)" cypher
- Select "32 bit sector ID" as the IV generation method* Set "Sector zero location" to "Start of encrypted data"
"File options" tab:
- Set offset to 1536 bytes (i.e. 3 sectors, each of 512 bytes)* Leave sizelimit at 0
"Open options" tab:
- Select any unused drive letter
- Leave readonly unchecked
Click the "OK" button

Example #6: Opening a dm-crypt Container Encrypted Using 256 bit AES with MD5 Password Hashing

This example demonstrates use of a dm-crypt Twofish 256 container, with the user's password processed with MD5.

Creating the container file under Linux:

dd if=/dev/zero of=./containers/vol_aes_md5.vol bs=1K count=100
losetup /dev/loop0 ./containers/vol_aes_md5.vol
echo password1234567890ABC | cryptsetup -c aes -h md5 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper 
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint

Opening the container under LibreCrypt:

Select "Linux | Open..."
Select the container file
"Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "MD5 (128/512)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
"Encryption" tab:
- Select the "AES (CBC; 256/128)" cypher
- Select "32 bit sector ID" as the IV generation method
- Set "Sector zero location" to "Start of encrypted data"
"File options" tab:
```
* Leave offset at 0
```
- Leave sizelimit at 0
"Open options" tab:
- Select any unused drive letter
- Leave readonly unchecked
Click the "OK" button

Example #7: Opening a dm-crypt Container Encrypted Using 448 bit Blowfish, MD5 Password Hashing and SHA-256 ESSIV

This example demonstrates use of a dm-crypt Blowfish 448 container, with the user's password processed with MD5 and ESSIV using SHA-256.

Note that although the main cypher is Blowfish 448, Blowfish 256 is used as the IV cypher as the IV hash outputs 256 bytes

Creating the container file under Linux:

dd if=/dev/zero of=./containers/vol_blowfish_448_essivsha256_md5.vol bs=1K count=100
losetup /dev/loop0 ./containers/vol_blowfish_448_essivsha256_md5.vol
echo password1234567890ABC | cryptsetup -c blowfish-cbc-essiv:sha256 -s 448 -h md5 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper 
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint

Opening the container under LibreCrypt:

Select "Linux | Open..."
Select the container file
"Key" tab:
- Enter "password1234567890ABC" as the key
- Leave GPG executable blank
- Leave GPG keyfile blank
- Leave seed blank
- Select the "MD5 (128/512)" hash
- Ensure "Hash with "A"s, if hash output is too short" is checked.
- Leave iteration count at 0
"Encryption" tab:
```
* Select the "Blowfish (CBC; 448/64)" cypher
```
- Select "ESSIV" as the IV generation method
- Set "Sector zero location" to "Start of encrypted data"
- Select "SHA-256 (256/512)" as the IV hash
- Select "Blowfish (CBC; 256/64)" as the IV cypher
"File options" tab:
Leave offset at 0
- Leave sizelimit at 0

"Open options" tab:

* Select any unused drive letter
* Leave readonly unchecked

Click the "OK" button

Example #8: Opening a dm-crypt Container Encrypted Using AES-256 in XTS Mode (aka XTS-AES-256)

This example demonstrates use of a dm-crypt AES-256 container in XTS mode (aka XTS-AES-256) and using SHA-512 for hashing

Creating the container file under Linux:

dd if=/dev/zero of=./containers/vol_aes_xts.vol bs=1K count=100
losetup /dev/loop0 ./containers/vol_aes_xts.vol
echo password1234567890ABC | cryptsetup -h sha512 -c aes-xts-plain --key-size 512 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper 
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint

Opening the container under LibreCrypt:

Select "Linux | Open..."
Select the container file

"Key" tab:

* Enter "password1234567890ABC" as the key
* Leave GPG executable blank
* Leave GPG keyfile  blank
* Leave seed blank
* Select the "SHA-512 (512/1024)" hash
* Ensure "Hash with "A"s, if hash output is too short" is checked.
* Leave iteration count at 0

"Encryption" tab:

* Select the "AES (256 bit XTS)" cypher
* Select "Null IV" as the IV generation method

"File options" tab:

* Leave offset at 0
* Leave sizelimit at 0

"Open options" tab:

* Select any unused drive letter
* Leave readonly unchecked

Click the "OK" button