file system encryption

The pc-link reader, could be in many forms: usb, serial, pcmcia, pinpad…

An Axalto (previously Schlumberger’s, now Gemalto) smart card, this could be an access – control card, a bank debit / credit card, health – care card, social – identification card… Some smart card types are actually tiny computers – they have an Operating System, and Java virtual machine inside. Note: many of the smart card vendors are OEM – ed from SCM Microsystems, a Germany – based company. We’d better choose hardware and firmware directly from SCM when work on open – source projects.

ou have important data on your laptop, and one day the laptop is stolen. The best you can expect is that you loose all those valuable information. The worse… who know what it can be!? Since having a computer (hardware) in touch means having access to every data stored on it. How can you protect yourself from that situation?

The solution is encrypting your storage and keep your key safe from others’ access. You can encrypt your home directory or a whole data partition. (Some even encrypts /boot, /swap and /(root) – full disk encryption – so that their activities leave no traces). With Linux, every tools is at your hand, so let start making your life easier. Below is some guide lines on how to do it on Debian.

1.   Install eCryptfs: a Linux native and POSIX – compliant enterprise – class stacked cryptographic file system.

$ aptget install ecryptfsutils
$ modprobe ecryptfs
# you may have to patch your kernel in order for
# ecryptfsd (the key management daemon of eCryptfs)
# to work. in that case, you’d better grab and
# build eCryptfs from the latest source.

2.   Setup eCryptfs:

# simple setup, passphrase entered from stdin,
# eCryptfs allows overlay mounting: mount point
# and the actual storage can be the same.

$ mountt ecryptfs /encrypted/storage /mount/point
# you can now see your new fs using the command df,
# test it, go to your mount point and input some
# data, watch the output at the encrypted storage.
$ cd /mount/point
$ echo “Hello World” > hi.txt
$ cd /encrypted/storage
$ less hi.txt
# umount /mount/point and the file system
# is not accessible anymore


Every security solution comes to a very dead-end that there’s must be a MASTER KEY as the main entrance for the whole system. And we have several ways to protect the master key:

+   the tricky way: store the key somewhere on the disk, e.g: at the first sector of the volume image (offset some bytes to a position only you know) so that the key is hard to find and can not be accidentally deleted. More information about the trick is here.

+   the explicit way: store on an external storage such as usb, the system could only be functional once the usb is plugged in.

+   the “smart” way: smart card is the best way to store key. Since you can write public / private key to a smart card but can only read public key back, no – one can read the private key, including you. Smart card is designed to do encryption / decryption jobs: just request the card to encrypt / decrypt some data using a specified key, and the card sends back the required output.

In an organization, the private key is stored on smart card and given to the “person in charge” without the fear of loosing the key. For personal use, I think the second solution (using usb) is quite enough.

1.   Setup smart card:

# install pcscd, the daemon to talk with
# card reader install OpenSC, the open
# source smart card project

$ aptget install pcscd
$ aptget install opensc
# in my case, I have an Axalto reader which is not
# supported by pcscd. knowing that Axalto’s
# hardwares are OEM-ed from SCM, I just download
# the firmware from SCM, flash the reader and it’s
# then recognized as a SCM SCR 331 device. You can
# play around the smart card using opensc-tool,
# you can erase, init the card’s file system,
# create some PIN, generate some keys using
# pkcs#15-init, encrypt/decrypt can be
# done using pkcs#15-crypt

2.   Working with keys:

Public and private keys are fundamental concepts of Digital Signature. In short, multiply two big prime numbers – two private keys – you have a semi-prime number – the public key. Certificate is wrapper of the public key to work with a CA (Certificate Authority), for the public to check if a public key really belongs to an organization.

# generate public and private keys in RSA 1024
# bit pem format extract the public key from this
# keys pair, encrypt/decrypt with the keys

$ openssl genrsaout private.pem 1024
$ openssl rsain private.pemout public.pemoutform PEMpubout
$ openssl rsautlencryptinkey public.pempubinin file.txtout file.ssl
$ openssl rsautldecryptinkey private.pemin file.sslout decrypted.txt
# create the smart card’s file system,
# then create a PIN

$ pkcs15initcreatepkcs15
$ pkcs15initstorepinauthid 01label “mycom”
# copy private key to smart card, to decrypt,
# we need to specify key’s usage

$ pkcs15initstoreprivatekey private.pemauthid 01id 45format pemkeyusage sign,decipher

3.   Setup the whole thing:

With your smart card properly setup (a public/private key pair has been stored), we can use the following script to: 1. create a temporary volatile file system 2. use smart card to decrypt the password and store to that file system (these files would simply disappear when the machine power down) 3. using the decrypted password to mount with eCryptfs.

# 1. create a volatile fs to temporarily store the
# decrypted passfile

$ mountt tmpfso size=10M,nr_inodes=10k,mode=0700 /tmp_fs
# 2. decrypt the password file from
# /root/passwd to /tmp_fs/passwd

$ pkcs15cryptpkcs1decipherk 45i /root/passwdo /tmp_fs/passwd
# 3. now mount our encrypted
# directories with eCryptfs

$ mountt ecryptfs /encrypted/storage /mount/pointo key=passphrase:passfile= /tmp_fs/passwd, cipher=aes, ecryptfs_key_bytes=16, passthrough=1, verbosity=0

Done! Choose a strong encryption algorithm (e.g AES 256 – bit), and in most cases, you and your data would be safe until they have quantum computer running. Be sure to keep your key secret or your efforts would be of no help. For maximum security, choose a good smart card model, increase your keys’ size, revise all procedures of your software system…

(You’re pretty safe right now, so why there’s an “in most cases” in my last paragraph? The truth of being secured is actually more complex than that, as a quite-simple technique like this could be applied to steal password of a disk-encryption system. This bases on the fact that data in DRAM is not faded right away after loosing power, it still can last for some seconds (or even minutes), and by cooling the DRAM using an air duster (to slow down the fading speed), the DRAM module could than be copied and scanned for password (assuming that password has been entered and kept in memory). Nothing is really safe, however, hardware problem like this should have a hardware solution (like this AES 256-bit encryption Fujitsu hard drives).