Security 101: Physical Security - Disk Encryption II
In this part, we're going to examine how we can use encryption on systems where we don't have block-level access to devices, as well as how to encrypt a device that already holds data without losing that data.
Previous parts:
1. Introduction
2. General Principles and Guidelines
3. Physical Security: Intro
4. Physical Security: Single User Mode
5. Physical Security: Securing your Bootloader
6. Physical Security: Disk Encryption I
Encrypting on systems where you have no block-level access
We can use a regular file as the backing store for an encrypted volume: cryptsetup attaches it to a loop device for us, and from then on everything works exactly as with a real partition. We will start by creating a "sparse file".
What is a sparse file?
In computer science, a sparse file is a type of computer file that attempts to use file system space more efficiently when blocks allocated to the file are mostly empty. This is achieved by writing brief information (metadata) representing the empty blocks to disk instead of the actual "empty" space which makes up the block, using less disk space (i.e. sparse files contain blocks of zeros whose existence is recorded, but have no space allocated on disk). The full block size is written to disk as the actual size only when the block contains "real" (non-empty) data.
When reading sparse files, the file system transparently converts metadata representing empty blocks into "real" blocks filled with zero bytes at runtime. The application is unaware of this conversion.
Most modern file systems support sparse files, including most Unix variants and NTFS, but notably not Apple's HFS+. Sparse files are commonly used for disk images, database snapshots, log files and in scientific applications.
Starting up the process!
We will be storing our backing file in /data/. The folder doesn't exist, so we will create it ourselves, reserve 100 MB for the file, and then overwrite the whole file with random data:
sudo mkdir /data
sudo fallocate -l 100M /data/encvolume1
sudo dd if=/dev/urandom of=/data/encvolume1 bs=1M count=100
sudo strings /data/encvolume1 | head
Two things to notice. fallocate only reserves the space; a truly sparse file would be made with truncate -s 100M instead. Either way, after the dd step every block of the file has been written, so it is no longer sparse, and that is deliberate: a container whose unused blocks are still unallocated lets anyone who can read the host filesystem see how much data it holds and where. The strings command is just a sanity check that nothing readable is left in the file; you should see only a few short runs of random characters.
Now the process is the same as in the previous article. We format the file with LUKS; cryptsetup notices it is a regular file and sets up the loop device for us:
sudo cryptsetup luksFormat /data/encvolume1
You will be asked to confirm (the command overwrites the start of the file) and to choose a passphrase, after which the LUKS header is written into the file.
sudo cryptsetup luksOpen /data/encvolume1 encvolume1
Enter your passphrase (the one you chose just above). The decrypted volume now appears as /dev/mapper/encvolume1, so we create a filesystem on it and mount it:
sudo mkfs -t ext4 /dev/mapper/encvolume1
sudo mount /dev/mapper/encvolume1 /path/to/mount/fs
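Here is the whole file-backed container procedure as a script, including the close step that is easy to forget. This is an added example, not code from the original article: the container path, size, mapper name and mount point are parameters I chose, and DRY_RUN=1 is this script's own convention for printing the privileged commands instead of running them, so you can rehearse it without root or cryptsetup. It also adds two checks a practitioner wants: that the file really carries a LUKS header before you try to open it, and that the file is no longer sparse after the random fill.

```shell
#!/bin/sh
# Added example, not code from the original article: create, open, mount and
# close a file-backed LUKS container, with two checks the article skips.
# Assumptions (mine, not the article's): CONTAINER, SIZE_MB, MAPPER and
# MOUNTPOINT are parameters; DRY_RUN=1 prints the privileged commands instead
# of running them, so the procedure can be rehearsed without root.
set -eu

CONTAINER="${CONTAINER:-/data/encvolume1}"
SIZE_MB="${SIZE_MB:-100}"
MAPPER="${MAPPER:-encvolume1}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/$MAPPER}"
DRY_RUN="${DRY_RUN:-0}"

# Run a privileged command, or just print it when rehearsing.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else sudo "$@"; fi
}

# Every LUKS header (LUKS1 and LUKS2) starts with the magic bytes
# "LUKS" 0xBA 0xBE. Checking for it before luksOpen catches the classic
# mistakes: the wrong file, or a file that was filled with random data but
# never formatted.
is_luks_container() {
    [ -r "$1" ] || return 1
    [ "$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# True when fewer bytes are allocated than the apparent size, i.e. the file
# is still sparse. After the urandom fill this must be false: a sparse
# container reveals which blocks were ever written. (GNU/busybox stat:
# %b = blocks allocated, %B = bytes per block, %s = apparent size.)
is_sparse() {
    alloc=$(( $(stat -c %b "$1") * $(stat -c %B "$1") ))
    [ "$alloc" -lt "$(stat -c %s "$1")" ]
}

create_container() {
    run mkdir -p "$(dirname "$CONTAINER")"
    # Overwrite the whole length with random data; fallocate or truncate
    # alone would leave a sparse file.
    run dd if=/dev/urandom of="$CONTAINER" bs=1M count="$SIZE_MB" status=progress
    run cryptsetup luksFormat "$CONTAINER"
    # cryptsetup attaches a loop device to the regular file by itself.
    run cryptsetup luksOpen "$CONTAINER" "$MAPPER"
    run mkfs -t ext4 "/dev/mapper/$MAPPER"
    run cryptsetup luksClose "$MAPPER"
}

open_and_mount() {
    if [ "$DRY_RUN" != 1 ] && ! is_luks_container "$CONTAINER"; then
        echo "refusing: $CONTAINER has no LUKS header (did luksFormat run?)" >&2
        return 1
    fi
    run cryptsetup luksOpen "$CONTAINER" "$MAPPER"
    run mkdir -p "$MOUNTPOINT"
    run mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

# The step the article leaves out: unmount and close the mapping, otherwise
# the decrypted view stays available to anyone who gets to the machine.
close_container() {
    run umount "$MOUNTPOINT"
    run cryptsetup luksClose "$MAPPER"
}

if [ $# -gt 0 ]; then
    case "$1" in
        create) create_container ;;
        open)   open_and_mount ;;
        close)  close_container ;;
        *)      echo "usage: $0 {create|open|close}" >&2; exit 2 ;;
    esac
fi
```

Run it as DRY_RUN=1 sh encvol.sh create first to see exactly which commands it would execute, then without DRY_RUN to create the container, and sh encvol.sh open / sh encvol.sh close around each use. The header check deliberately runs before luksOpen rather than relying on cryptsetup's own error, because a misspelled path to a file that exists but was never formatted is the most common way to end up "encrypting" nothing.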
Encrypting on an Existing Device
In a nutshell: yes and no. You can't do it in one step. LUKS needs to write its own header at the start of the device, and the filesystem that is already there occupies that space, so you cannot simply "switch on" encryption for a partition that already holds files. (Newer cryptsetup releases can re-encrypt an existing LUKS2 device in place with cryptsetup reencrypt --encrypt, but that still requires shrinking the filesystem first and a full backup in case the operation is interrupted, so it is not a shortcut.) What you CAN do is copy your files to a different device, set up encryption, and copy them back.
Without explaining everything again, I will provide you with a template of the commands you need. Just adjust your paths and device names. In my example, /path/to/origin is the mount point of /dev/sdc1, and /path/to/backup-target is on a different disk; it must not be on /dev/sdc1, because that device is about to be overwritten. Double-check the device name with lsblk before running anything: dd against the wrong device destroys it.
sudo mkdir -p /path/to/backup-target
sudo cp -a /path/to/origin/. /path/to/backup-target/
sudo umount /dev/sdc1
sudo dd if=/dev/urandom of=/dev/sdc1 bs=1M status=progress
sudo cryptsetup luksFormat /dev/sdc1
sudo cryptsetup luksOpen /dev/sdc1 encvolume1
sudo mkfs -t ext4 /dev/mapper/encvolume1
sudo mount /dev/mapper/encvolume1 /path/to/origin
sudo cp -a /path/to/backup-target/. /path/to/origin/
cp -a is used rather than mv so that the original files stay in place until you have confirmed the copy is complete (mv would also fail on /path/to/origin itself if it is a mount point), and the trailing /. copies the directory's contents, dotfiles included. dd will stop with "No space left on device" once it reaches the end of the partition; that is expected.
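The same migration as a script that refuses to wipe the device until the backup has been verified, and verifies the restore before telling you the backup can go. This is an added example, not the article's own commands: DEVICE, ORIGIN, BACKUP and MAPPER are parameters I chose (their defaults match the template above), and DRY_RUN=1 is this script's own convention for printing the destructive commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original article: move the contents of an
# unencrypted partition onto a LUKS volume on the same device, refusing to
# wipe anything until the backup has been verified byte for byte.
# Assumptions (mine, not the article's): DEVICE, ORIGIN (its mount point),
# BACKUP (a directory on another disk) and MAPPER are parameters; DRY_RUN=1
# prints the destructive commands instead of running them.
set -eu

DEVICE="${DEVICE:-/dev/sdc1}"
ORIGIN="${ORIGIN:-/path/to/origin}"
BACKUP="${BACKUP:-/path/to/backup-target}"
MAPPER="${MAPPER:-encvolume1}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else sudo "$@"; fi
}

# The filesystem source (block device) a directory lives on, from POSIX df.
device_of() { df -P "$1" | awk 'NR == 2 { print $1 }'; }

# The backup must not sit on the device we are about to overwrite; "mv to a
# folder on the same disk" would destroy both copies at the dd step.
backup_is_safe() { [ "$(device_of "$2")" != "$1" ]; }

# Sorted "sha256  ./relative/path" lines for every regular file in a tree, so
# two trees are compared by content rather than by file count or size.
tree_digest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum )
}
trees_match() { [ "$(tree_digest "$1")" = "$(tree_digest "$2")" ]; }

migrate() {
    if [ "$DRY_RUN" != 1 ] && ! backup_is_safe "$DEVICE" "$BACKUP"; then
        echo "refusing: $BACKUP is on $DEVICE, which is about to be wiped" >&2
        return 1
    fi
    run mkdir -p "$BACKUP"
    # cp -a instead of mv: the originals stay put until the copy is verified,
    # and "dir/." copies the contents including dotfiles.
    run cp -a "$ORIGIN/." "$BACKUP/"
    if [ "$DRY_RUN" != 1 ] && ! trees_match "$ORIGIN" "$BACKUP"; then
        echo "refusing: backup differs from $ORIGIN, not touching $DEVICE" >&2
        return 1
    fi
    run umount "$DEVICE"
    # dd exits non-zero when it reaches the end of the device; that is expected.
    run dd if=/dev/urandom of="$DEVICE" bs=1M status=progress || true
    run cryptsetup luksFormat "$DEVICE"
    run cryptsetup luksOpen "$DEVICE" "$MAPPER"
    run mkfs -t ext4 "/dev/mapper/$MAPPER"
    run mount "/dev/mapper/$MAPPER" "$ORIGIN"
    run cp -a "$BACKUP/." "$ORIGIN/"
    if [ "$DRY_RUN" != 1 ]; then
        if trees_match "$BACKUP" "$ORIGIN"; then
            echo "restore verified; $BACKUP can now be deleted"
        else
            echo "restore differs from $BACKUP, keep the backup and investigate" >&2
            return 1
        fi
    fi
}

if [ "${1:-}" = migrate ]; then migrate; fi
```

Rehearse with DRY_RUN=1 DEVICE=/dev/sdc1 ORIGIN=/path/to/origin BACKUP=/path/to/backup-target sh migrate.sh migrate and read the printed command list before running it for real. The two trees_match checks are the point of the script: the first one is the last moment at which an incomplete copy can still be caught, and the second one is what actually earns the right to delete the backup.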
Compare the restored files against the backup before you delete it, and you are done!
In the next part, we will wrap up our Physical Security section!