This is Hacker Public Radio episode 2791, entitled LUKS like TrueCrypt, and is part of the series Privacy and Security. It is hosted by Klaatu, is about 25 minutes long, and carries a clean flag. The summary is: Klaatu demonstrates how to use LVM and cryptsetup to create and use portable encrypted file systems. This episode of HPR is brought to you by AnHonestHost.com. Get a 15% discount on all shared hosting with the offer code HPR15. That's HPR15. Get your web hosting that's honest and fair at AnHonestHost.com.

Hey everybody, this is Klaatu. Remember back when there was a thing called TrueCrypt? I kind of don't, to be honest. It's been ages since I've thought about, much less used, TrueCrypt, and even when I used it, it was more of an experiment: let's learn about this tool. Those were way back in my early days of getting a clue about computers. I don't exactly remember what TrueCrypt did, but I do remember, certainly a couple of years back, there was this big kerfuffle about whether TrueCrypt was truly secure, and how no one had actually seen the source code or something like that, or people had seen it but no one had sat down to audit the code, something of that nature. And then of course TrueCrypt just sort of disappeared, at least officially. Other people have forked TrueCrypt since then. There's VeraCrypt, there's something else, Cipher-something. So you can find new versions of it and continue to use it, I guess. And I might have some interest in that if I needed all of the different features of TrueCrypt, such as super easy, drop-dead simple cross-platform compatibility. I don't need that. I use Linux at work. I use Linux at home. For many things that I do, I do not feel an urgent need to have a solution that is cross-platform for my own use. It just doesn't apply. So I was sitting around the other day thinking, how could I encrypt files on a per-file basis or a per-collection basis? The immediate thing that came to mind, of course, was GPG.
I've used GPG in the past. It worked out pretty well. It is somewhat flexible. I mean, you can encrypt a file with GPG, basing the encryption on your own private key, or you can do symmetric encryption such that you don't have to have a key present. You just have to know the passphrase, enter it, and suddenly the file is opened to you. In fact, even though this episode is about LUKS, let's really quickly do a GPG-encrypted file. So I'm going to echo foo space bar into a new file called mysecretfile.txt. Now that exists on my hard drive, and so I can encrypt it with GPG, which is GnuPG, which is the free and open source version of PGP, Pretty Good Privacy. So I'll do gpg --symmetric, with two m's. It took me a while to get that through my head. And then the path to the file, mysecretfile.txt. Then on my computer it prompts me with a GUI pinentry dialog box. So I just put in bogus123, bogus123, and that's it. It doesn't say anything in return, so I guess it worked. So we'll do an ls of mysecretfile*. And yes, now I have mysecretfile.txt and mysecretfile.txt.gpg. So if I cat mysecretfile.txt.gpg, I get a bunch of nonsense characters that don't really look like anything, and that's of course what we would want in an encrypted file. But if I cat mysecretfile.txt, we see foo and bar in the output, because the workflow of GPG is that it creates a copy of the thing that you have encrypted, which obviously leaves the original lying around, which is technically fine, as long as you remember to then shred mysecretfile.txt and then trash mysecretfile.txt. And now that file presumably is forgotten. Now we just have the encrypted version of it. To look at that again, we'll do gpg --decrypt mysecretfile.txt.gpg. And it pops up this little pinentry thing. It always looks like "pine entry" to me, because "pin" and "entry" are all one word.
So bogus123, and then in the output of the command it shows me foo and bar. And if I do an ls of mysecretfile.txt, again, I still only have the encrypted version of this file, which is good, I guess, unless of course you wanted to then edit that thing. So in order to edit, you'd have to do that same process again, except you'd redirect the output to mysecretfile.txt, and then enter the password, and then it dumps the output into that file. And now I could do an emacs of mysecretfile.txt. I could add foobar and then maybe add baz, and now I've got the improved version of that file. But then I have to go back up to the gpg --symmetric to recreate that file. And you can write right over it. I mean, you don't have to do anything too fancy. It prompts you: oh, it already exists, shall I overwrite? Yes. And so now I've recreated it. But of course now I've got the old copy still on my drive. So I'll do a shred again of mysecretfile.txt. And then we'll just cat that to make sure that it's nonsensical. Yes, it is. And so then we'll just trash it.

Okay, so that's the GPG version. That's the GPG option for that. And as you can tell, if you're going to use something frequently, that would not be the optimal method of encrypting something for everyday use or for weekly use or whatever. So if you need something a little bit more robust... I was looking around, and my first stop was the eCryptfs program, or I should say suite of tools. There's ecryptfs-utils, and then there's eCryptfs itself, and there's the daemon that comes along with that. But all of that is dependent upon a kernel module called ecryptfs. And I've tried this on a couple of different systems now, and it just seems to be not exactly working. And I would love to hear from you, dear listener. I mean, fellow Hacker Public Radio comrade.
If you've had better luck with it than I had, because I certainly could not get it working on Slackware. There's a bug, or not a bug, but there's an issue or a post over on LinuxQuestions.org from someone using it on Slackware who said, hey, can't use it on the huge kernel, but it seems to work on the generic kernel. And I thought, well, that's a little weird, but okay, I could do that. Not really sure if I want to. Then I thought, well, I could just recompile the kernel. And then I realized, if it's this hard, then that's not the answer for me. Like, if it's going to be this tenuous, that's not the one that I want. So then I tried the same thing on RHEL, on a RHEL desktop, and that's Red Hat Enterprise Linux. And that didn't work either. It seemed to work, but every time I launched the daemon, it said, I can't connect to this device. And I thought, well, maybe I just need to create the device, /dev/ecryptfs. But then I tried to run the ecryptfs daemon, and it didn't seem to want to work either. And yeah, there were just a lot of... and then I tried to load the module, and it claimed that the module wasn't a module, it couldn't be found. So I decided fairly early on that this was not the tool that I wanted to resort to. That's just not sustainable. If it couldn't work on two out of two systems, just don't bother.

So I turned to my old friend, LVM. LVM is, I think it stands for Logical Volume Manager, or something like that. It's kind of an infrastructure tool within your computer. If you're running Linux, you almost certainly have it, and if not, it's super easy to get from your repository. I've not encountered a Linux yet that is so marginalized that it doesn't have LVM pretty easily obtainable. So, I mean, LVM ships on Slackware, it is implemented by default on Fedora and RHEL, it is easily available for Ubuntu and Debian if it's not already there.
Along with LVM, there's an encryption suite too, so that you can have full volume encryption or partial volume encryption, called LUKS. And the front end, or the user-facing tool, for LUKS is a command called cryptsetup. And that's what I'm going to use to implement a kind of virtual drive manager setup, which I think, if memory serves, is kind of what TrueCrypt did. You would have these TrueCrypt volumes, and then you would open TrueCrypt and you would choose the volume that you wanted to decrypt for that session. And that's pretty much what LVM and LUKS and cryptsetup can provide for us. So let me run you through the use case of it, the workflow, just so that you get an idea of what we're aiming for, and then I'll run you through how to set it up for yourself. It is not difficult. The prerequisites are that you have LVM and LUKS, cryptsetup, installed. It depends on your distribution how that is packaged. I imagine on Slackware, I know that LVM is one package and cryptsetup is another. That's really all you need to get started.

So let's go through how I use this. I've got a volume on my hard drive called foo.img. If I do a file on foo.img, it tells me that it is a LUKS encrypted file, version 1, and then some specs on how it's been encrypted. Okay, so I'm going to do a cryptsetup. That's the main command. And then the subcommand to that is luksOpen. That's LUKS and then Open with a capital O. foo.img, and then some string for myself. I could call it foo. I could call it penguin. I could call it whatever I want. And you'll see where this manifests itself momentarily. So cryptsetup luksOpen foo.img, that's the source, and then the destination is foo. It now prompts me for a password. So I'm going to put in the password, bogus123. It processes that request and then returns me to a prompt.
So if I do an ls /dev, and if you know LVM you would know where to look, probably. On my system, it's ls /dev/mapper, and in /dev/mapper, which is kind of the LVM station, that's where all the LVM volumes go when they're activated, I now have an entry there called foo. So now I can just do a normal mount command. I'm doing this as root, by the way. cryptsetup and mount you would want to do with either sudo or as root, depending on your distribution and what you've got set up on your computer. So I'm going to do a mount of /dev/mapper/foo to some place on my system. I'll just do it to /mnt/hd, because that's short. And now I can open up a Dolphin file manager window here, and I'll go to /mnt/hd, and here's my little file. I've got a folder in there called vault, and I've got a test file that says foo and bar. And that's about the extent of what I've stored there. Pretty small, actually, but that's okay. So I can open up this text file. I can add entries: baz, hacker, public, radio. I'll save that. Now it's a larger file than it was before. That's it. Now, if I'm done with it, I can do a umount of /mnt/hd, and then a luksClose. So that's cryptsetup luksClose foo. And now if I do an ls /dev/mapper, I have nothing listed there anymore.

So it's a file that you can put on a thumb drive, or you can put anywhere you want. It's self-contained. And whenever you want to interface with it or interact with it, you can do a cryptsetup luksOpen and put it somewhere in your device tree as if it was a hard drive, and then open it up, modify your files, unmount it, and then close it. luksClose takes it out of your device tree. And that's built in to, like I said, pretty much any Linux system that you're on, or it's easily obtainable. So here's how to make that happen for yourself. It is not difficult.
It's only about, I don't know, six or seven steps. So what I just did, that's the repeatable, kind of everyday use of it. That's the workflow: luksOpen, mount, umount, luksClose. That's what you have to do every time you want to use it. What I'm about to cover now is what you have to do once in order to create the volume. So these are your setup steps. First of all, obviously, you need LVM and cryptsetup. They may be in packages called lvm and cryptsetup respectively; they might be in one package. I don't know how your distribution manages it. On Slackware, there's an LVM package, and then there's a cryptsetup package. So you're looking for something like that. Once you've got LVM and cryptsetup on your system, you can do this.

First thing is to create an empty file. It can be of any size, really. You do have to determine the size in advance. If I recall correctly, TrueCrypt was the same way. I'm going to do that with fallocate. If you do a man fallocate, you see that it is a command that preallocates or deallocates space to a file. Of the options, it looks like the one that we want is --length. And that's probably all we need for now. Yeah, it looks like it. So that's what we'll do. So fallocate --length... I'll make this, I don't know, 128 megabytes. I mean, it could be a lot larger than that if you need more space, but this is for demonstration purposes, so I'm keeping it pretty small. And that doesn't take long. So now bar.img exists. So if I do an ls -lh of bar.img, yep, it's 128 megabytes. Now that we've got our empty space for data, we can do the cryptsetup part. So this needs to be root, or you have to use sudo. I'm going to just become root because I don't have sudo set up on this particular machine, never did bother. And then I'll do a cryptsetup --verify-passphrase.
That is to get cryptsetup to prompt us to create a password, because this is symmetric encryption. And we're going to do the luksFormat subcommand, of course, on bar.img. So this basically says: this will overwrite data on bar.img irrevocably. Type yes in uppercase. Okay? YES. Enter a passphrase. Okay? bogus123, bogus123. And so that's working. So this is obviously formatting this data block, this empty file space that we set aside, that we allocated, into a LUKS volume. So now if I do a file on bar.img, it does indeed tell me that bar.img is a LUKS encrypted file. All right, that's great.

So now we know how to get these things attached to our system already. And for that we do cryptsetup, if you'll recall, luksOpen, and then the source bar.img, and then the destination bar, prompting me for my password. So I'll do bogus123. And if I do an ls in /dev/mapper, I should see a bar entry there, and there is. So now, normally, you know, this part seems familiar, because this is how you normally do it. But right now this is a LUKS encrypted file, but there's nothing in the file. So what we can do is mkfs.ext2, for instance, on /dev/mapper/bar. Actually, you know what we should do is give it a label. Let's give this a label. We'll call this truecrypt, just to be clever. There we go. Okay, so now we've got a file system on this LUKS volume. So now that's set up. Now you're done. That's it. So from now on, when you want to use that... well, you know what, I should mention actually, because, okay, so if I go to Dolphin... you know, technically you're done, but if you're not super familiar with managing these kinds of devices, it might be useful to do one more thing. So first of all, I'm going to open up Dolphin, which is my file manager on KDE, and I'm going to go to the little menu that gives me all the different places.
And I should see, you should see, since it is in the dev mapper thing, you should actually see it listed as an available drive that you can mount. And indeed it is. So here's a truecrypt volume, or that's what we named it, remember, to be clever. And then it's asking me for my password. Oh, that's the wrong password. It's asking me for the device, you know, the LUKS password. No, it's not. It's asking me for my root password. There we go. Because I already gave it the LUKS password to get it into my device tree. Okay, so there's a lost+found directory. So, as a normal user, of course, I can't do anything in this volume. Now, if you assigned it a simpler file format, or a file system like FAT or something like that that doesn't even do file permissions, then you could skip this step. But I'm going to go ahead and do this step, because this is how I would actually do it in real life. So it mounted it, because I did this through Dolphin. It used udisksctl, as I recently learned, to place it into... I guess it's udisksctl, or udisks2, so that's udisks control. But anyway, it dumped it into /run/media/klaatu/truecrypt. And there's a lost+found directory there. So I'm going to make a directory in /run/media/klaatu/truecrypt, and I'm going to call it, I guess I'll just call it vault. Then I'm going to chown that directory so that it is owned by klaatu:users. And that way I'll have access to this folder, whether or not I'm on my own system, or I'm on a system where my user name is different, or whatever. So /run/media/klaatu/truecrypt/vault. And now I'm going to chmod that to 770, I guess. I mean, it's encrypted. I don't really know that it actually matters at this point. But that's what I'll do. So it'll be read, write, execute to the user, to the group, and then to no one else.
Again, if they've gotten through the encryption at that point, I guess everything's probably lost. So heck, I'm just going to chmod it to 777 there. So now I've got access to vault, I can do things like create new files, so I'll exit my root prompt, and I'll do an echo hello world into, well, I think I'll create a file here, and I'll call it hello.txt. I'll drag that into my terminal to paste the location there. So now I'm echoing contents into this hello.txt file that I just created. I could copy stuff into it, like I could go to a folder where there are small graphics. Here's a small graphic that is 13 kilobytes. I'll copy that into there. Here's another one. Here's a vector of a kitchen sink. I don't know why I have that on my hard drive, really. I mean, I know why it's there. I just don't know why I would keep it there. So anyway, now I've got data in this vault, and if I wanted to discontinue using this, I can, again, go into my little Places menu here. Oh, no, I can't. I don't know how to eject or unmount a volume from Dolphin, actually, at least not as I currently have it set up. That's all right. So I'll go back to my root prompt, and I'll do a umount /run/media/klaatu/truecrypt, and then I'll do a cryptsetup luksClose of, what is it called, bar, right? And I think, yeah, bar. And now it's gone. It doesn't exist. It is a mere encrypted file on the hard drive. And I can verify that, of course, by just doing an ls -lh of bar.img. It's 128 megabytes. It is encrypted. I can do file bar.img. Of course, I can do a head of bar.img and get all kinds of garbled, nonsensical text. Now, since this file of encrypted data is just a file, you can put it on thumb drives. You can email it to yourself. You can do whatever you want to do with it. It is a self-contained encrypted volume. And it is as easy as that, at least on Linux.
Again, not really cross-platform necessarily, although from what I've understood, you can get LVM and probably cryptsetup on Cygwin and other places, so maybe it is technically cross-platform, but definitely with Linux it's just kind of a no-brainer. So that's LUKS like TrueCrypt. Hopefully that was informative and helpful. Thanks for listening. Until next time.

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our Contributing link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and is part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.
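Editor's note: the one-time setup (fallocate, luksFormat, luksOpen, mkfs, luksClose) and the everyday workflow (luksOpen, mount, umount, luksClose) that Klaatu walks through above, collected into one small POSIX shell script. This is an added example, not code from the episode or from the cryptsetup project. It assumes util-linux (fallocate, mount, umount), cryptsetup and e2fsprogs are installed and that the commands run as root. Two choices of mine that differ from the episode: ext4 instead of ext2 for the file system, and the container file is chmod 600 and mounted nosuid,nodev, because an image that travels on thumb drives and in email can carry setuid binaries or device nodes, and its LUKS header is all an offline passphrase-guessing attack needs. The DRY_RUN switch, the function names and the script name vault.sh are inventions for this example. luksOpen and luksClose are the long-standing spellings that cryptsetup still accepts as aliases of open --type luks and close.

```sh
#!/bin/sh
# vault.sh: LUKS-in-a-file container helper (added example, not from the episode).
# Assumes root and that fallocate, cryptsetup, mkfs.ext4, mount and umount exist.
# DRY_RUN=1 prints each privileged command instead of executing it, so the
# sequence can be inspected without root.
set -eu

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vault_create FILE SIZE NAME: one-time setup.
# Allocates the container, locks its permissions down, formats it as LUKS
# (cryptsetup prompts twice for the passphrase; it is never on the command line),
# opens it, lays an ext4 file system labelled NAME on the mapped device, closes it.
vault_create() {
    file=$1 size=$2 name=$3
    run fallocate --length "$size" "$file"
    run chmod 600 "$file"      # the LUKS header is what an offline attack needs
    run cryptsetup --verify-passphrase luksFormat "$file"
    run cryptsetup luksOpen "$file" "$name"
    run mkfs.ext4 -L "$name" "/dev/mapper/$name"
    run cryptsetup luksClose "$name"
}

# vault_open FILE NAME MOUNTPOINT: everyday use.
# Maps the container to /dev/mapper/NAME and mounts it. nosuid,nodev because the
# image may have come from a thumb drive or an inbox (my choice, not the episode's).
vault_open() {
    file=$1 name=$2 mnt=$3
    run cryptsetup luksOpen "$file" "$name"
    run mount -o nosuid,nodev "/dev/mapper/$name" "$mnt"
}

# vault_close NAME MOUNTPOINT: reverse of vault_open.
# umount first; luksClose on a mounted mapping fails with "still in use".
vault_close() {
    name=$1 mnt=$2
    run umount "$mnt"
    run cryptsetup luksClose "$name"
}

# Command-line entry point. Only the three known verbs are dispatched; with no
# arguments the script just defines the functions (so it can be sourced).
case "${1:-}" in
    create|open|close) cmd=$1; shift; "vault_$cmd" "$@" ;;
    "") ;;
    *) echo "usage: $0 create FILE SIZE NAME | open FILE NAME MNT | close NAME MNT" >&2
       exit 2 ;;
esac
```

Typical use mirrors the episode: `./vault.sh create bar.img 128M bar` once, then `./vault.sh open bar.img bar /mnt/hd`, work on the files, `./vault.sh close bar /mnt/hd`. Prefix any call with `DRY_RUN=1` to see exactly which commands would run. Unlike the GPG workflow at the start of the episode, no plaintext copy of the data ever lands on the host's file system, so there is nothing to shred afterwards.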