
Data encryption in Linux using Truecrypt


Personal data security is often overlooked by many computer users today. As people use their computers more, they never stop to think about how much personal data is accessible on their hard drive. I have been looking for a safe and convenient way to deploy cryptology in Linux. So far Truecrypt has been the best choice: it is very convenient and cross platform. This article will show how to use it on Ubuntu Linux, along with some basic data safety principles.

A quick word about data in Linux
One of the first things that fascinated me about Linux is that devices are treated as files. For example, an IDE hard drive is located at /dev/hda and a SCSI hard drive is located at /dev/sda. This is true of all devices in Linux, including serial ports (/dev/ttyS0) and sound cards (/dev/dsp).

You can read these devices as if they were any other file. For example, you can send the raw contents of your hard drive to standard output using

cat /dev/sda

On most computers this will dump garbage to the screen. It is better to pipe the data into a utility called 'hexdump' to see it in hexadecimal format. Note that the -C option also displays the ASCII representation alongside the hex.

cat /dev/sda | hexdump -C

Using this command will output all of your data to the screen. It is probably not useful to try to read all the data at once. It is better to use the 'dd' utility so you can control how much data you read and write. The parameter 'if=' is the device you are copying from, 'bs=' is the block size and 'count=' is the number of blocks to copy.

dd if=/dev/sda bs=512 count=1 | hexdump -C

In this example you can clearly see my boot record. Notice that the output stops at offset 200, which is hexadecimal for 512.

Random data
Two important devices on any Linux system are /dev/random and /dev/urandom. These are both pseudo random number generators. The difference between /dev/random and /dev/urandom is that the second is known as a non-blocking random number generator. To see this, try typing the following into your console.

cat /dev/random | hexdump -C

You will notice that not much data comes out. If you move your mouse or start opening programs, you will see more output. This is because /dev/random listens to hardware events for a good source of true random data. If you try the same example with /dev/urandom you will instantly see lots of data being output. This is because urandom does not wait for fresh random data; it generates pseudo random filler when needed. This makes it much faster.

Preparing a hard drive for security
Random data is very important when wiping a hard drive. A normal format, and even an operating system re-install, will not destroy old data. For example, the following pictures are from an old hard drive on which I installed a fresh copy of Slackware Linux.


I never did any personal work on this installation. It was only used once in a hardware experiment. If I pipe the raw data to a program called 'strings', which only shows ASCII data, and then grep for my name, I see old e-mails and other personal data from when this hard drive was in my computer running Windows XP.

esalazar@manchester:~$ cat /dev/sdb | strings | grep evan | less


For most people this could be very frightening. Yet most people sell or give their old computers away after doing nothing but a simple format and re-installation. It is very important to copy random data over the entire hard drive before using it. This will ensure that any previous data is completely erased. It is important to use random data, because copying zeros will not be sufficient: in a forensic analysis some bytes will appear more "zero" than others, leaving all the data available. Some would suggest that the following procedure be carried out 7 times on a drive for maximum security.

dd if=/dev/urandom of=/dev/sdb

On my computer this ran at about 4.3 MB (megabytes) a second. For larger drives you may want to create a simple script to run this 7 times while you sleep. If this is a new drive, one pass should be sufficient.
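As an added example (not from the original post), here is a small POSIX shell script that automates the multi-pass overwrite described above and then repeats the author's strings/grep style check. It assumes dd, tr, grep, od, sort and wc are available; the function names and the marker string are my own, and a regular file can stand in for /dev/sdb so the script can be tried safely on a disk image first.

```shell
#!/bin/sh
# Multi-pass /dev/urandom overwrite plus two sanity checks (added example,
# not part of the original post). Assumes POSIX sh with dd, tr, grep, od,
# sort and wc. TARGET may be a block device (as on the page) or a regular
# file such as a disk image, which is overwritten in place.

# wipe_random TARGET [PASSES]: overwrite TARGET with /dev/urandom PASSES times.
wipe_random() {
    target=$1
    passes=${2:-1}
    i=0
    while [ "$i" -lt "$passes" ]; do
        if [ -b "$target" ]; then
            # Block device: dd runs until the device is full and then
            # reports "No space left on device", which is expected here.
            dd if=/dev/urandom of="$target" bs=64k 2>/dev/null || true
        else
            # Regular file: keep its size, write whole 512-byte blocks in place.
            blocks=$(( $(wc -c < "$target") / 512 ))
            dd if=/dev/urandom of="$target" bs=512 count="$blocks" \
                conv=notrunc 2>/dev/null
        fi
        i=$((i + 1))
    done
}

# marker_hits TARGET STRING: number of printable-text runs containing STRING.
# Mimics `cat /dev/sdb | strings | grep name` without needing binutils:
# every non-printable byte becomes a line break, then grep counts matches.
marker_hits() {
    tr -c '[:print:]' '\n' < "$1" | grep -c -- "$2" || true
}

# distinct_bytes TARGET: distinct byte values in the first 512-byte block.
# An all-zero block yields 1; a block of /dev/urandom output yields well
# over 100, a cheap check that the overwrite used random data, not zeros.
distinct_bytes() {
    dd if="$1" bs=512 count=1 2>/dev/null | od -An -v -tu1 \
        | tr -s ' ' '\n' | grep . | sort -un | wc -l | tr -d ' '
}
```

Run it against a block device only as root and only on a drive you intend to erase; on a disk image it leaves the file size unchanged.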

Installing Truecrypt
Although Truecrypt is open source, there is not yet a package for Ubuntu in the regular repositories. Therefore Truecrypt has to be installed manually from the source code (actually a .deb package was recently released for 7.10). As of this writing the current version is 4.3a and can be downloaded from http://www.truecrypt.org/downloads.php.

Once the source code is downloaded, un-tar it in your home folder

tar xvzf truecrypt-4.3a-source-code.tar.gz

If you do not have the kernel source code and compiler packages you can download them with the following command.

sudo apt-get install build-essential build-common
sudo apt-get install linux-source-2.6.22

where 2.6.22 is your current kernel version; you can use 'uname -a' to see it.
Once you finish downloading the packages, go to the Linux source folder and un-tar the kernel.

cd /usr/src/linux
sudo tar xvjf linux-source-2.6.22.tar.bz2

Now go to the Truecrypt build folder and type the following to build and install Truecrypt

cd ~/truecrypt-4.3a-source-code/Linux
sudo ./build.sh
sudo ./install.sh

At this point the install of Truecrypt should be complete. You can verify it by running 'truecrypt --help'.

Drive Encryption
Now that Truecrypt is installed and we have a properly formatted hard drive, we can encrypt it. I will start by running in interactive mode with the quick flag. The quick flag disables the copying of random data to the drive. This is not needed in this case because the drive I am using already contains random data.

esalazar@manchester:~$ sudo truecrypt --quick -c
Volume type:
1) Normal
2) Hidden
Select [1]:

The first prompt asks what volume type we are using. For this I am going to create a Normal volume. The next prompt asks for the path to the volume. In my case I am going to use /dev/sdb.

Enter file or device path for new volume: /dev/sdb
WARNING: Data on device will be lost. Continue? [y/N]: y

For the filesystem I am going to select None. This is because I plan on using ext3 instead of FAT.

Filesystem:
1) FAT
2) None
Select [1]: 2

Next is the hash algorithm. I normally go with RIPEMD-160; from my research this looks like the most secure.

Now for the encryption algorithm. Truecrypt gives you the option to cascade several algorithms for maximum security. In this example I am going to choose Serpent-Twofish-AES.

Encryption algorithm:
1) AES
2) Blowfish
3) CAST5
4) Serpent
5) Triple DES
6) Twofish
7) AES-Twofish
8) AES-Twofish-Serpent
9) Serpent-AES
10) Serpent-Twofish-AES
11) Twofish-Serpent
Select [1]: 10

Now for the password. You can use a password, a key file or both for your security. If you are only using a password, make sure to pick a very strong one. More than likely the easiest way to crack your volume will be through a dictionary attack.

Enter password for new volume '/dev/sdb':
Re-enter password:

Enter keyfile path [none]:

Last, Truecrypt will need random data to build its internal key. If you are running Truecrypt as root or via sudo, you can supply random data by moving the mouse.

Please move the mouse randomly until the required amount of data is captured…
Mouse data captured: 100%

Now the volume is complete.

Done: 38172.75 MB Speed: 38170.54 MB/s Left: 0:00:00
Volume created.

Filesystem creation
Now that the drive is set up for encryption, we need to put a filesystem on it. For this example I am going to use ext3. The first step is to map the device.

esalazar@manchester:~$ truecrypt -i
Enter esalazar's or root's system password:
Enter volume path: /dev/sdb
Enter mount directory [none]:
Protect hidden volume? [y/N]:
Enter keyfile path [none]:
Enter password for '/dev/sdb':

Now the hard drive is mapped to '/dev/mapper/truecrypt0'; you can verify this by typing 'truecrypt -l'. This means that any plaintext (un-encrypted) data sent to /dev/mapper/truecrypt0 will be encrypted and written to /dev/sdb. At this point I can create the ext3 filesystem on /dev/mapper/truecrypt0.

esalazar@manchester:~$ sudo mkfs.ext3 /dev/mapper/truecrypt0
mke2fs 1.40.2 (12-Jul-2007)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
4889248 inodes, 9772224 blocks
488611 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=0
299 block groups
32768 blocks per group, 32768 fragments per group
16352 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 25 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Now that a filesystem is on the drive I can mount it like any other drive.

esalazar@manchester:~$ cd /media
esalazar@manchester:/media$ sudo mkdir mydrive
esalazar@manchester:/media$ sudo mount /dev/mapper/truecrypt0 mydrive/

Now that the drive is mounted, I will create a home folder for myself that I have access to.

esalazar@manchester:~$ cd /media/mydrive/
esalazar@manchester:/media/mydrive$ sudo mkdir esalazar
esalazar@manchester:/media/mydrive$ sudo chown esalazar:esalazar esalazar/

Now I can access my drive like any other drive.

Un-Mounting / Un-Mapping
Remember that the drive is still vulnerable while mapped. Therefore it is very important to un-mount and un-map it when not in use.

esalazar@manchester:~$ sudo umount /dev/mapper/truecrypt0
esalazar@manchester:~$ truecrypt -d

Remember that you can verify the drive is un-mapped with 'truecrypt -l'.

esalazar@manchester:~$ truecrypt -l
No volumes mapped

Headers backup
Since hard drives are prone to failure, it is important to back up the Truecrypt header. The header holds the key that the entire hard drive is encrypted with, along with some meta-data. This key is in turn encrypted using your password hash as its key. So if one bit of your header gets corrupted, none of your data will ever be able to be restored (not very easily, at least). It is also important to remember that the backup of your header must itself be kept secure, because if it is cracked it can be used to decrypt your data. Use your best judgment on how you want to store your header.

esalazar@manchester:~$ truecrypt --backup-headers mybackup /dev/sdb

Conclusion
Unfortunately I have barely scratched the surface of cryptology. The cryptology Wiki has some excellent information for those who wish to know more. Much of my interest in cryptology came from Neal Stephenson's book Cryptonomicon. It is a great book with many technical details along with an epic plot. Feel free to send me any suggestions or comments.
