LibreCrypt: Open-Source disk encryption for Windows
This section gives a series of examples of how to create Linux dm-crypt containers, and then open them using LibreCrypt.
These examples have been tested using Fedora Core 3, with a v2.6.11.7 kernel installed; though they should work for all compatible Linux distributions.
To begin using dm-crypt under Linux, ensure that the various kernel modules are installed:
modprobe cryptoloop modprobe deflate modprobe zlib_deflate modprobe twofish modprobe serpent modprobe aes_i586 modprobe blowfish modprobe des modprobe sha256 modprobe sha512 modprobe crypto_null modprobe md5 modprobe md4 modprobe cast5 modprobe cast6 modprobe arc4 modprobe khazad modprobe anubis modprobe dm_mod **(this should give you dm_snapshot, dm_zero and dm_mirror?)** modprobe dm_crypt
At this point, typing "dmsetup targets" should give you something along the lines of:
crypt v1.0.0 striped v1.0.1 linear v1.0.1 error v1.0.1
Typing "lsmod" will show you which modules are currently installed.
If not overridden by the user, dm-crypt defaults to encrypting with:
Cypher: | AES |
---|---|
Cypher keysize: | 256 bit |
User key processed with: | RIPEMD-160 (not "RIPEMD-160 (Linux; Twice, with A)"). "Hash with "A"s, if hash output is too short" option - selected |
IV generation: | 32 bit sector ID |
This example demonstrates use of a dm-crypt container using the dm-crypt's default encryption system: AES128 with the user's password hashed with RIPEMD160, using the 32 bit sector IDs as encryption IVs
Creating the container file under Linux:
dd if=/dev/zero of=./containers/vol_default.vol bs=1K count=100
losetup /dev/loop0 ./containers/vol_default.vol
echo password1234567890ABC | cryptsetup create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint
Opening the container under LibreCrypt:
"Key" tab:
"Encryption" tab:
* Select the "AES (CBC; 256/128)" cypher
* Select "32 bit sector ID" as the IV generation method* Set "Sector zero location" to "Start of encrypted data"
"File options" tab:
* Leave offset at 0
* Leave sizelimit at 0
"Open options" tab:
Click the "OK" button
This example demonstrates use of a dm-crypt AES128 container.
Creating the container file under Linux:
dd if=/dev/zero of=./containers/vol_aes128.vol bs=1K count=100
losetup /dev/loop0 ./containers/vol_aes128.vol
echo password1234567890ABC | cryptsetup -c aes -s 128 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint
Opening the container under LibreCrypt:
"Key" tab:
"Encryption" tab:
"File options" tab:
"Open options" tab:
Click the "OK" button
This example demonstrates use of a dm-crypt AES256 container using SHA-256 ESSIV sector IVs.
Creating the container file under Linux:
dd if=/dev/zero of=./containers/vol_aes_essiv_sha256.vol bs=1K count=100 losetup /dev/loop0 ./containers/vol_aes_essiv_sha256.vol echo password1234567890ABC | cryptsetup -c aes-cbc-essiv:sha256 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
Opening the container under LibreCrypt:
"Key" tab:
Select the "RIPEMD-160 (160/512)" hash
* Ensure "Hash with "A"s, if hash output is too short" is checked.
"Encryption" tab:
"File options" tab:
"Open options" tab:
Click the "OK" button
This example demonstrates use of a dm-crypt Blowfish 448 container.
Creating the container file under Linux:
dd if=/dev/zero of=./containers/vol_blowfish_448.vol bs=1K count=100 losetup /dev/loop0 ./containers/vol_blowfish_448.vol echo password1234567890ABC | cryptsetup -c blowfish -s 448 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
Opening the container under LibreCrypt:
"Key" tab:
"Encryption" tab:
"File options" tab:
"Open options" tab:
Click the "OK" button
This example demonstrates use of a dm-crypt Twofish 256 container, with the encrypted container beginning at an offset of 3 sectors (3 x 512 = 1536 bytes) into the container file.
Creating the container file under Linux:
dd if=/dev/zero of=./containers/vol_twofish_o3.vol bs=1K count=100 losetup /dev/loop0 ./containers/vol_twofish_o3.vol echo password1234567890ABC | cryptsetup -c twofish -o 3 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
Opening the container under LibreCrypt:
"Key" tab:
Select the "RIPEMD-160 (160/512)" hash
Ensure "Hash with "A"s, if hash output is too short" is checked.
Leave iteration count at 0
"Encryption" tab:
"File options" tab:
"Open options" tab:
Click the "OK" button
This example demonstrates use of a dm-crypt Twofish 256 container, with the user's password processed with MD5.
Creating the container file under Linux:
dd if=/dev/zero of=./containers/vol_aes_md5.vol bs=1K count=100 losetup /dev/loop0 ./containers/vol_aes_md5.vol echo password1234567890ABC | cryptsetup -c aes -h md5 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
Opening the container under LibreCrypt:
"Key" tab:
Ensure "Hash with "A"s, if hash output is too short" is checked.
Leave iteration count at 0
"Encryption" tab:
"File options" tab:
* Leave offset at 0
"Open options" tab:
Click the "OK" button
This example demonstrates use of a dm-crypt Blowfish 448 container, with the user's password processed with MD5 and ESSIV using SHA-256.
Note that although the main cypher is Blowfish 448, Blowfish 256 is used as the IV cypher as the IV hash outputs 256 bytes
Creating the container file under Linux:
dd if=/dev/zero of=./containers/vol_blowfish_448_essivsha256_md5.vol bs=1K count=100 losetup /dev/loop0 ./containers/vol_blowfish_448_essivsha256_md5.vol echo password1234567890ABC | cryptsetup -c blowfish-cbc-essiv:sha256 -s 448 -h md5 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
Opening the container under LibreCrypt:
"Key" tab:
Ensure "Hash with "A"s, if hash output is too short" is checked.
Leave iteration count at 0
"Encryption" tab:
* Select the "Blowfish (CBC; 448/64)" cypher
"File options" tab:
Leave offset at 0
"Open options" tab:
* Select any unused drive letter
* Leave readonly unchecked
Click the "OK" button
This example demonstrates use of a dm-crypt AES-256 container in XTS mode (aka XTS-AES-256) and using SHA-512 for hashing
Creating the container file under Linux:
dd if=/dev/zero of=./containers/vol_aes_xts.vol bs=1K count=100 losetup /dev/loop0 ./containers/vol_aes_xts.vol echo password1234567890ABC | cryptsetup -h sha512 -c aes-xts-plain --key-size 512 create myMapper /dev/loop0 dmsetup ls dmsetup table dmsetup status losetup /dev/loop1 /dev/mapper/myMapper mkdosfs /dev/loop1 mkdir ./test_mountpoint mount /dev/loop1 ./test_mountpoint cp ./test_files/SHORT_TEXT.txt ./test_mountpoint cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint umount ./test_mountpoint losetup -d /dev/loop1 cryptsetup remove myMapper losetup -d /dev/loop0 rm -rf ./test_mountpoint
Opening the container under LibreCrypt:
"Key" tab:
* Enter "password1234567890ABC" as the key
* Leave GPG executable blank
* Leave GPG keyfile blank
* Leave seed blank
* Select the "SHA-512 (512/1024)" hash
* Ensure "Hash with "A"s, if hash output is too short" is checked.
* Leave iteration count at 0
"Encryption" tab:
* Select the "AES (256 bit XTS)" cypher
* Select "Null IV" as the IV generation method
"File options" tab:
* Leave offset at 0
* Leave sizelimit at 0
"Open options" tab:
* Select any unused drive letter
* Leave readonly unchecked
Click the "OK" button