T-110.5201 Laboratory Works on Information Security (5 cr)
Lab 4: Crypto-filesystem
Description of the exercise
In this assignment you will simulate an encryption of an external memory (such as usb memory stick) using a file as the storage media. Simulation is needed because there is no physical access to the server machines (in addition, the servers are virtual). Two different schemes will be used: encrypted loopback device with dm_crypt and encryption layer for an existing filesystem with encFS.
1. Preparation
Check that you have the following packages installed (dpkg -l, apt-get install):
- cryptsetup
- linux-modules corresponding to the kernel version in use (hint: apt-cache search and uname -a)
Load the dm_crypt and aes_generic (why not aes?) kernel modules. Please remove cryptoloop from use, if its attached to the kernel.
For the third exercise, ensure that you have encFS installed and FUSE is available. This should be done in similar fashion as the earlier checks.
lsmod (8), modprobe (8)
2.Crypto filesystem with loopback and device mapper
Create a file with random bytes to make it harder for the attacker to recognize which parts of device are used to store data, and which are left empty. This can be done with the command:
dd if=/dev/urandom of=loop.img bs=1k count=8k
Create a loopback device for the file using losetup(8). Then using cryptsetup(8), format the loopback device and map it to a pseudodevice. Please use LUKS with aes-cbc-essiv:sha256 cipher (should be default).
Create an ext2 filesystem on the pseudodevice, created in the previous step. The filesystem can be created with mkfs.ext2(8).
Release the file by first removing the pseudodevice and then detaching the loopback device. After this, you have successfully created an encrypted filesystem into a file. The filesystem is ready, and requires a passphrase to be entered when mounting it.
Now mount your filesystem. Create some files and directories on the encrypted filesystem. Check also what happens if you try to mount the system with a wrong key.
| 2.1 | Provide the commands you used. | 2 p |
| 2.2 | Explain the concepts of the pseudodevice and loopback device. | 1 p |
| 2.3 | What is LUKS? (Knowing the meaning of abbreviation won't bring you a point.) | 1 p |
| 2.4 | What is this kind of encryption method good for? What strengths and weaknesses does it have? | 3 p |
| 2.5 | Why did we remove cryptoloop from the assignment and replaced it with dm_crypt? Extending the question a bit, what realities must a sysadmin remember with any to-be-deployed and already deployed security-related software? | 1 p |
3. encFS
Using encFS, mount an encrypted filesystem on a directory of your choice. This gives you the encryption layer. After this, create a few directories, and some files in them. Unmount encFS using Fuse's fusermount.
Check what was written on the file system.
| 3.1 | Provide the commands you used. | 1 p |
| 3.2 | Explain how this approach differs from the loopback one. Does this solve any problems or create more? | 3 p |
| 4. |
Extra points for an excellent demo, or in-depth mastery of the topic or software | 3p |