How to determine if a cryptsetup-LUKS encrypted partition is working?

fanoflq · 04-19-2016, 03:52 AM

I set up cryptsetup-LUKS encryption on a partition.
Then create and edit some files in the directory (mount point)
containing the LUKS format partition.

Is there a way to copy the encrypted file(s) without going through the device mapper attached to the LUKS device so I can check if the file is encrypted?

Conundrum:
If I unmount the device mapper, I cannot get access to the files in the LUKS device to determine if the text contents look unreadable. which (may) imply encryption.

Please advice.
Thank you.

frostschutz · 04-19-2016, 09:01 AM

You can use `filefrag` to determine the physical location of the file (might need -v and/or -e options, check the manpage).

Add to that the data offset of the LUKS header (maybe 4096 512-byte-sectors = 2 MiB, check with `cryptsetup luksDump`).

And then look at the raw file using `hexdump -C --skip $(($offset + 4096*512)) --length $filesize /dev/luksdisk`. You should get random data. (And plain text data if you use /dev/mapper/luksthing w/o adding the 2MiB to the offset)

If this is too complicated you can create some plain string (`echo something-unique-which-does-not-show-up-on-the-encrypted-partition > plain.txt`), `sync`, and then see if you can find it with `strings /dev/device | grep something-unique-which-does-not-show-up`. Takes ages because it stupidly reads the whole disk... but should give a result only for the /dev/mapper/luksthing, not /dev/luksdisk...

Or you could just trust it. LUKS works.

Habitual · 04-19-2016, 10:11 AM

Quote:

Originally Posted by frostschutz

Or you could just trust it. LUKS works.

Consider https://twopointfouristan.wordpress....sk-encryption/

frostschutz · 04-19-2016, 11:55 AM

Oh, sure. That's the reason my /boot is actually a USB stick. Which stays on my keychain. In my pocket. And it has encrypted keyfiles on it so a $5 keylogger will only give you a useless passphrase. As long as you don't have a dongle that logs entire USB traffic or copies the entire USB stick... but even so, it's incredibly hard to defend against physical access.

But the concerns of the OP were whether the data was encrypted at all in the first place. That works fine. At worst you will find old, unencrypted data - if you didn't use full disk encryption from the start and also didn't wipe your drives when you decided to switch...

----

There is actually another type of attack, that applies only to fully automated installs with no random components... if you know which distro / version was installed initially and using which options, you know where specific files are located because they always end up located in the same place. And then you can change bytes on disk and thus destroy those files, and if you destroy the correct files they may alter your boot process or security in some way that offers an attack vector...

This type of attack was previously described here http://www.jakoblell.com/blog/2013/1...ks-partitions/

Which is why I try to avoid such fully automated / standard installs. Not sure if installers nowadays are smart enough to randomize the way they're populating filesystems during first install a little...

But those are very advanced topics, if all you want is a little protection in case a thief comes and takes your stuff away, no need to be paranoid

suicidaleggroll · 04-19-2016, 12:18 PM

How about trying to use photorec to scan the raw disk to see what (if any) files it's able to find.

fanoflq · 04-19-2016, 12:37 PM

Quote:

You can use `filefrag` to determine the physical location of the file (might need -v and/or -e options, check the manpage).

man page for filefrag:
filefrag [ -bblocksize ] [ -BeksvxX ] [ files... ]

My mount point for the encrypted partition is mntsda6
LUKS partition is sda6
Device mapper name is /dev/mapper/sda6_mapper.

So I did a umount on mntsda6 to remove access via LUKS.

Quote:

[user1@localhost ~]$ ls mntsda6/
lost+found luks_keyfile testluks.txt
[user1@localhost ~]$ sudo umount mntsda6/
[sudo] password for user1:
[user1@localhost ~]$ ls mntsda6/

[user1@localhost ~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 12G 0 disk
├─sda1 8:1 0 500M 0 part /boot
├─sda2 8:2 0 10.2G 0 part
│ ├─centos-root 253:0 0 9G 0 lvm /
│ └─centos-swap 253:1 0 1.2G 0 lvm [SWAP]
├─sda3 8:3 0 1K 0 part
├─sda4 8:4 0 312M 0 part
├─sda5 8:5 0 100M 0 part
└─sda6 8:6 0 200M 0 part
└─sda6_mapper 253:2 0 198M 0 crypt
sr0 11:0 1 57.3M 0 rom /run/media/user1/VBOXADDITIONS_5.0.16_105871

NOTE: └─sda6_mapper is a child of └─sda6, but is did not display as such on this block's quote.

[user1@localhost ~]$ ls /dev/sda
/dev/sda
[user1@localhost ~]$ ls /dev/sda/sda6_mapper
ls: cannot access /dev/sda/sda6_mapper: Not a directory
[user1@localhost ~]$ sudo filefrag /dev/sda
[sudo] password for user1:
/dev/sda: 0 extents found
[user1@localhost ~]$

How do I apply filefrag to /dev/sda6 ?

I have other questions, but will post it separately.
Thank you.

fanoflq · 04-19-2016, 12:52 PM

Quote:

If this is too complicated you can create some plain string (`echo something-unique-which-does-not-show-up-on-the-encrypted-partition > plain.txt`), `sync`, and then see if you can find it with `strings /dev/device | grep something-unique-which-does-not-show-up`. Takes ages because it stupidly reads the whole disk... but should give a result only for the /dev/mapper/luksthing, not /dev/luksdisk...

My test partition is less than 500 MiB. So I tried searching for one of the filename in the LUKS device, /dev/sd6:

Quote:

[user1@localhost ~]$ ls
Desktop Documents Downloads luks_keyfile mntsda6 Music Pictures Public Templates Videos
[user1@localhost ~]$ ls mntsda6/
lost+found luks_keyfile testluks.txt

[user1@localhost ~]$ sudo umount mntsda6/
[sudo] password for user1:
[user1@localhost ~]$ ls mntsda6/
[user1@localhost ~]$ sudo sync
[sudo] password for user1:
[user1@localhost ~]$ sudo strings /dev/sda6 | grep luks_keyfile
[user1@localhost ~]$

Does not work! Why???

suicidaleggroll · 04-19-2016, 12:58 PM

Quote:

Originally Posted by fanoflq

My test partition is less than 500 MiB. So I tried searching for one of the filename in the LUKS device, /dev/sd6:

Does not work! Why???

You need to grep for whatever string is INSIDE of the luks_keyfile file, not grep for the name of the file.

Also, is your sda6 encrypted? If so then it's not supposed to work.

frostschutz · 04-19-2016, 01:06 PM

Quote:

Originally Posted by fanoflq

How do I apply filefrag to /dev/sda6 ?

You have to pick a file.

Here is an example for filefrag, although in a different context (trim testing) : http://unix.stackexchange.com/a/85880/30851

As for the grep, it's not supposed to give a result if the device is encrypted. Run the same on /dev/mapper/sda6_mapper and you should see a result if that string exists in one of your files.

fanoflq · 04-19-2016, 01:11 PM

Quote:

You have to pick a file.

Only one "small" problem.....
The /dev/sda6 partition is crypsetup-LUKS encrypted!
This means the human readable file name no longer exists in /dev/sda6.

Correct?

fanoflq · 04-19-2016, 01:14 PM

Quote:

You need to grep for whatever string is INSIDE of the luks_keyfile file, not grep for the name of the file.

Also, is your sda6 encrypted? If so then it's not supposed to work

Yup. It is encrypted....
That means even the filenames are encrypted, correct?

fanoflq · 04-19-2016, 01:42 PM

Quote:

[user1@localhost ~]$ ls -al mntsda6/
total 21
drwxr-xr-x. 3 user1 root 1024 Apr 18 23:26 .
drwx------. 16 user1 user1 4096 Apr 19 04:29 ..
drwx------. 2 root root 12288 Apr 18 23:16 lost+found
-rw-rw-r--. 1 user1 user1 7 Apr 18 23:26 luks_keyfile
-rw-rw-r--. 1 user1 user1 23 Apr 18 23:25 testluks.txt

# Say I am looking for luks_file.
And assume first three items in above list are offsets.

[user1@localhost ~]$ offset=$((1024+4096+12288))

[user1@localhost ~]$ echo $offset
17408
[user1@localhost ~]$ filesize=7
[user1@localhost ~]$ echo $filesize
7
# Not sure why these option names, e.g. --length, does not work! Do you?
[user1@localhost ~]$ hexdump -C --skip $(($offset + 4096*512)) --length $filesize /dev/sda6
hexdump: invalid option -- '-'
... ... ...
.. ...

# Replace option names with short name
[user1@localhost ~]$ sudo hexdump -C -s $(($offset + 4096*512)) -n $filesize /dev/sda6
[sudo] password for user1:
00204400 03 90 b8 17 aa 68 a7 |.....h.|
00204407
[user1@localhost ~]

The content in luks_keyfile is "123456", quotes not included,but the listing says it is 7 bytes.

It looks random, but I am not sure if it is even the correct file content!

There has got to be a better way to confirm encryption can be verified since we know the passphrase, cipher used, filename, ....!

suicidaleggroll · 04-19-2016, 01:48 PM

I already recommended you try photorec, is there a reason you don't want to go that route?

Copy some supported file type onto the encrypted partition, use photorec to scan the disk, see if it can find it or any other files.

Here's the full list of the file types photorec can find and recover:
http://www.cgsecurity.org/wiki/File_...ed_By_PhotoRec

fanoflq · 04-19-2016, 02:35 PM

Quote:

I already recommended you try photorec, is there a reason you don't want to go that route?

I am learning Linux.
So I am trying recommendations as I get them.
photoRec is next.

Thanks.

rknichols · 04-19-2016, 05:15 PM

Please show the exact sequence of commands you used to set up that LUKS container, open it, make the filesystem, and mount it. I have a feeling you are not using encryption at all. For starters, putting the key file inside the encrypted container is madness since it cannot be accessed until after the container is unlocked.