LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-19-2016, 03:52 AM   #1
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Rep: Reputation: Disabled
How to determine if a cryptsetup-LUKS encrypted partition is working?


I set up cryptsetup-LUKS encryption on a partition.
Then create and edit some files in the directory (mount point)
containing the LUKS format partition.

Is there a way to copy the encrypted file(s) without going through the device mapper attached to the LUKS device so I can check if the file is encrypted?

Conundrum:
If I unmount the device mapper, I cannot get access to the files in the LUKS device to determine if the text contents look unreadable. which (may) imply encryption.

Please advice.
Thank you.
 
Old 04-19-2016, 09:01 AM   #2
frostschutz
Member
 
Registered: Apr 2004
Distribution: Gentoo
Posts: 95

Rep: Reputation: 28
You can use `filefrag` to determine the physical location of the file (might need -v and/or -e options, check the manpage).

Add to that the data offset of the LUKS header (maybe 4096 512-byte-sectors = 2 MiB, check with `cryptsetup luksDump`).

And then look at the raw file using `hexdump -C --skip $(($offset + 4096*512)) --length $filesize /dev/luksdisk`. You should get random data. (And plain text data if you use /dev/mapper/luksthing w/o adding the 2MiB to the offset)

If this is too complicated you can create some plain string (`echo something-unique-which-does-not-show-up-on-the-encrypted-partition > plain.txt`), `sync`, and then see if you can find it with `strings /dev/device | grep something-unique-which-does-not-show-up`. Takes ages because it stupidly reads the whole disk... but should give a result only for the /dev/mapper/luksthing, not /dev/luksdisk...


Or you could just trust it. LUKS works.

Last edited by frostschutz; 04-19-2016 at 09:06 AM.
 
Old 04-19-2016, 10:11 AM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by frostschutz View Post
Or you could just trust it. LUKS works.
Consider https://twopointfouristan.wordpress....sk-encryption/
 
Old 04-19-2016, 11:55 AM   #4
frostschutz
Member
 
Registered: Apr 2004
Distribution: Gentoo
Posts: 95

Rep: Reputation: 28
Oh, sure. That's the reason my /boot is actually a USB stick. Which stays on my keychain. In my pocket. And it has encrypted keyfiles on it so a $5 keylogger will only give you a useless passphrase. As long as you don't have a dongle that logs entire USB traffic or copies the entire USB stick... but even so, it's incredibly hard to defend against physical access.

But the concerns of the OP were whether the data was encrypted at all in the first place. That works fine. At worst you will find old, unencrypted data - if you didn't use full disk encryption from the start and also didn't wipe your drives when you decided to switch...

----

There is actually another type of attack, that applies only to fully automated installs with no random components... if you know which distro / version was installed initially and using which options, you know where specific files are located because they always end up located in the same place. And then you can change bytes on disk and thus destroy those files, and if you destroy the correct files they may alter your boot process or security in some way that offers an attack vector...

This type of attack was previously described here http://www.jakoblell.com/blog/2013/1...ks-partitions/

Which is why I try to avoid such fully automated / standard installs. Not sure if installers nowadays are smart enough to randomize the way they're populating filesystems during first install a little...

But those are very advanced topics, if all you want is a little protection in case a thief comes and takes your stuff away, no need to be paranoid

Last edited by frostschutz; 04-19-2016 at 12:08 PM.
 
Old 04-19-2016, 12:18 PM   #5
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134
How about trying to use photorec to scan the raw disk to see what (if any) files it's able to find.
 
Old 04-19-2016, 12:37 PM   #6
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
Quote:
You can use `filefrag` to determine the physical location of the file (might need -v and/or -e options, check the manpage).
man page for filefrag:
filefrag [ -bblocksize ] [ -BeksvxX ] [ files... ]

My mount point for the encrypted partition is mntsda6
LUKS partition is sda6
Device mapper name is /dev/mapper/sda6_mapper.

So I did a umount on mntsda6 to remove access via LUKS.

Quote:
[user1@localhost ~]$ ls mntsda6/
lost+found luks_keyfile testluks.txt
[user1@localhost ~]$ sudo umount mntsda6/
[sudo] password for user1:
[user1@localhost ~]$ ls mntsda6/

[user1@localhost ~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 12G 0 disk
├─sda1 8:1 0 500M 0 part /boot
├─sda2 8:2 0 10.2G 0 part
│ ├─centos-root 253:0 0 9G 0 lvm /
│ └─centos-swap 253:1 0 1.2G 0 lvm [SWAP]
├─sda3 8:3 0 1K 0 part
├─sda4 8:4 0 312M 0 part
├─sda5 8:5 0 100M 0 part
└─sda6 8:6 0 200M 0 part
└─sda6_mapper 253:2 0 198M 0 crypt

sr0 11:0 1 57.3M 0 rom /run/media/user1/VBOXADDITIONS_5.0.16_105871


NOTE: └─sda6_mapper is a child of └─sda6, but is did not display as such on this block's quote.


[user1@localhost ~]$ ls /dev/sda
/dev/sda
[user1@localhost ~]$ ls /dev/sda/sda6_mapper
ls: cannot access /dev/sda/sda6_mapper: Not a directory
[user1@localhost ~]$ sudo filefrag /dev/sda
[sudo] password for user1:
/dev/sda: 0 extents found
[user1@localhost ~]$
How do I apply filefrag to /dev/sda6 ?

I have other questions, but will post it separately.
Thank you.

Last edited by fanoflq; 04-19-2016 at 01:04 PM.
 
Old 04-19-2016, 12:52 PM   #7
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
Quote:
If this is too complicated you can create some plain string (`echo something-unique-which-does-not-show-up-on-the-encrypted-partition > plain.txt`), `sync`, and then see if you can find it with `strings /dev/device | grep something-unique-which-does-not-show-up`. Takes ages because it stupidly reads the whole disk... but should give a result only for the /dev/mapper/luksthing, not /dev/luksdisk...
My test partition is less than 500 MiB. So I tried searching for one of the filename in the LUKS device, /dev/sd6:

Quote:
[user1@localhost ~]$ ls
Desktop Documents Downloads luks_keyfile mntsda6 Music Pictures Public Templates Videos
[user1@localhost ~]$ ls mntsda6/
lost+found luks_keyfile testluks.txt

[user1@localhost ~]$ sudo umount mntsda6/
[sudo] password for user1:
[user1@localhost ~]$ ls mntsda6/
[user1@localhost ~]$ sudo sync
[sudo] password for user1:
[user1@localhost ~]$ sudo strings /dev/sda6 | grep luks_keyfile
[user1@localhost ~]$
Does not work! Why???

Last edited by fanoflq; 04-19-2016 at 12:58 PM.
 
Old 04-19-2016, 12:58 PM   #8
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134
Quote:
Originally Posted by fanoflq View Post
My test partition is less than 500 MiB. So I tried searching for one of the filename in the LUKS device, /dev/sd6:

Does not work! Why???
You need to grep for whatever string is INSIDE of the luks_keyfile file, not grep for the name of the file.

Also, is your sda6 encrypted? If so then it's not supposed to work.
 
Old 04-19-2016, 01:06 PM   #9
frostschutz
Member
 
Registered: Apr 2004
Distribution: Gentoo
Posts: 95

Rep: Reputation: 28
Quote:
Originally Posted by fanoflq View Post
How do I apply filefrag to /dev/sda6 ?
You have to pick a file.

Here is an example for filefrag, although in a different context (trim testing) : http://unix.stackexchange.com/a/85880/30851

As for the grep, it's not supposed to give a result if the device is encrypted. Run the same on /dev/mapper/sda6_mapper and you should see a result if that string exists in one of your files.

Last edited by frostschutz; 04-19-2016 at 01:07 PM.
 
Old 04-19-2016, 01:11 PM   #10
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
Quote:
You have to pick a file.
Only one "small" problem.....
The /dev/sda6 partition is crypsetup-LUKS encrypted!
This means the human readable file name no longer exists in /dev/sda6.

Correct?
 
Old 04-19-2016, 01:14 PM   #11
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
Quote:
You need to grep for whatever string is INSIDE of the luks_keyfile file, not grep for the name of the file.

Also, is your sda6 encrypted? If so then it's not supposed to work
Yup. It is encrypted....
That means even the filenames are encrypted, correct?
 
Old 04-19-2016, 01:42 PM   #12
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
Quote:
[user1@localhost ~]$ ls -al mntsda6/
total 21
drwxr-xr-x. 3 user1 root 1024 Apr 18 23:26 .
drwx------. 16 user1 user1 4096 Apr 19 04:29 ..
drwx------. 2 root root 12288 Apr 18 23:16 lost+found
-rw-rw-r--. 1 user1 user1 7 Apr 18 23:26 luks_keyfile
-rw-rw-r--. 1 user1 user1 23 Apr 18 23:25 testluks.txt

# Say I am looking for luks_file.
And assume first three items in above list are offsets.


[user1@localhost ~]$ offset=$((1024+4096+12288))

[user1@localhost ~]$ echo $offset
17408
[user1@localhost ~]$ filesize=7
[user1@localhost ~]$ echo $filesize
7
# Not sure why these option names, e.g. --length, does not work! Do you?
[user1@localhost ~]$ hexdump -C --skip $(($offset + 4096*512)) --length $filesize /dev/sda6
hexdump: invalid option -- '-'
... ... ...
.. ...

# Replace option names with short name
[user1@localhost ~]$ sudo hexdump -C -s $(($offset + 4096*512)) -n $filesize /dev/sda6
[sudo] password for user1:
00204400 03 90 b8 17 aa 68 a7 |.....h.|
00204407
[user1@localhost ~]
The content in luks_keyfile is "123456", quotes not included,but the listing says it is 7 bytes.

It looks random, but I am not sure if it is even the correct file content!

There has got to be a better way to confirm encryption can be verified since we know the passphrase, cipher used, filename, ....!
 
Old 04-19-2016, 01:48 PM   #13
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134
I already recommended you try photorec, is there a reason you don't want to go that route?

Copy some supported file type onto the encrypted partition, use photorec to scan the disk, see if it can find it or any other files.

Here's the full list of the file types photorec can find and recover:
http://www.cgsecurity.org/wiki/File_...ed_By_PhotoRec

Last edited by suicidaleggroll; 04-19-2016 at 01:49 PM.
 
Old 04-19-2016, 02:35 PM   #14
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
Quote:
I already recommended you try photorec, is there a reason you don't want to go that route?
I am learning Linux.
So I am trying recommendations as I get them.
photoRec is next.

Thanks.
 
Old 04-19-2016, 05:15 PM   #15
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,298

Rep: Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957
Please show the exact sequence of commands you used to set up that LUKS container, open it, make the filesystem, and mount it. I have a feeling you are not using encryption at all. For starters, putting the key file inside the encrypted container is madness since it cannot be accessed until after the container is unlocked.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] 14.1: Problems with luks encrypted / partition l0rddarkf0rce Slackware 4 11-17-2013 04:15 AM
changing a LUKS encrypted partition's key Cultist Slackware 1 03-20-2012 12:13 PM
Problem with Encrypted Partition using LUKS on Debian michalng Debian 1 03-18-2011 03:04 PM
[Slackware 13.0]Cryptsetup problem with encrypted home partition dlinux Slackware 3 08-29-2009 12:18 PM
Recover encrypted LUKS partition itinlopez Linux - General 3 11-30-2008 02:20 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 11:19 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration