T-110.5200 Laboratory Works on Information Security (4 cr)

Lab 4: Crypto-filesystem


Description of the exercise

In this assignment you will create an encrypted filesystem on a file (on a real machine, a device such as a floppy disk or USB memory stick can be used). Two different schemes will be used: an encrypted loopback device with cryptoloop, and an encryption layer over an existing filesystem with encFS.

Material

1. Preparation

Check that you have the cryptoloop and aes kernel modules loaded on the host.

lsmod(8), modprobe(8)

2. Cryptoloop with AES

Create a file with random bytes to make it harder for the attacker to recognize which parts of the device are used to store data, and which are left empty. This can be done with the command:

dd if=/dev/urandom of=loop.img bs=1k count=1k

Create an encrypted loopback device using losetup(8).

Create a filesystem on the loopback device created in the previous step. Linux's default filesystem (ext2) can be created with mke2fs(8).

Unassign the loopback device with losetup. After this, you have successfully created an encrypted filesystem. The filesystem is ready, and requires a passphrase to be entered when mounting it.

Mount the filesystem using mount(8). You'll have to use the encryption option of mount and specify the correct encryption algorithm.

Create some files and directories on the encrypted filesystem, and test that you can remount it with the correct key. Check what happens with a wrong key.
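
The reason for the random pre-fill at the start of this section can be seen without any loop device. The script below is an added illustration, not part of the original lab material: it builds one zero-filled and one random-filled image with the same dd parameters, overwrites 16 blocks in each, and reports which blocks a reader of the raw image can tell apart from empty space. The function names, the block range 100-115 and the use of random bytes as a stand-in for ciphertext are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration, not part of the lab. Works on constructed image files only;
# no root, loop device or kernel module is needed.
BS=1024       # block size, as in bs=1k
BLOCKS=1024   # image size in blocks, as in count=1k

# make_image PATH SOURCE: create a 1 MiB image pre-filled from SOURCE
make_image() {
    dd if="$2" of="$1" bs="$BS" count="$BLOCKS" 2>/dev/null
}

# write_data PATH FIRST N: overwrite N blocks starting at block FIRST.
# Assumption: random bytes stand in for the ciphertext of stored files.
write_data() {
    dd if=/dev/urandom of="$1" bs="$BS" seek="$2" count="$3" conv=notrunc 2>/dev/null
}

# nonzero_blocks PATH: print "COUNT FIRST LAST" for blocks holding any non-zero
# byte, i.e. what someone reading the raw image can tell apart from empty space.
nonzero_blocks() {
    # cmp -l lists every byte that differs from /dev/zero (1-based offsets);
    # it exits non-zero at end of file, which is expected here.
    { cmp -l "$1" /dev/zero 2>/dev/null || true; } | awk -v bs="$BS" '
        { b = int(($1 - 1) / bs)
          if (n == 0 || b != last) { if (n == 0) first = b; n++; last = b } }
        END { if (n == 0) print "0 - -"; else print n, first, last }'
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_image "$tmp/zero.img" /dev/zero
    make_image "$tmp/rand.img" /dev/urandom
    write_data "$tmp/zero.img" 100 16
    write_data "$tmp/rand.img" 100 16
    echo "zero pre-fill:   $(nonzero_blocks "$tmp/zero.img")"
    echo "random pre-fill: $(nonzero_blocks "$tmp/rand.img")"
    rm -rf "$tmp"
}
demo
```

With the zero pre-fill the written region stands out exactly; with the random pre-fill every block looks the same, so the amount and position of stored data are hidden.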

 2.1  Explain what an encrypted loopback device is.  3 p
 2.2  Provide the commands you used.  2 p

3. encFS

Since the virtual machines have quite little disk space, we need to make some room. First unmount the Samba shares. Then uninstall Samba with "yum remove samba samba-common".

Now let's update the kernel and install the required files:

  yum update kernel-xen
  yum install kernel-xen-devel
  yum install dkms dkms-fuse

Let's reboot with the new kernel:

  shutdown -r now

You have to wait for a minute or two while the machine boots up again. Log back in to the machine after a while. (The connection will be refused until the machine is ready.)

Check that fuse is installed with:

  modprobe fuse

Using encFS, mount an encrypted filesystem on a directory of your choice. This gives us the encryption layer.

After this, create a few directories, and some files in them. Unmount encFS using FUSE's fusermount.

Check what was written on the file system.

 3.1 Provide the commands you used.  2 p
 3.2 Explain how this approach differs from the loopback one. Does this solve any problems or create more?  3 p