How to determine if a cryptsetup-LUKS encrypted partition is working?
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How to determine if a cryptsetup-LUKS encrypted partition is working?
I set up cryptsetup-LUKS encryption on a partition.
Then create and edit some files in the directory (mount point)
containing the LUKS format partition.
Is there a way to copy the encrypted file(s) without going through the device mapper attached to the LUKS device so I can check if the file is encrypted?
Conundrum:
If I unmount the device mapper, I cannot get access to the files in the LUKS device to determine if the text contents look unreadable. which (may) imply encryption.
You can use `filefrag` to determine the physical location of the file (might need -v and/or -e options, check the manpage).
Add to that the data offset of the LUKS header (maybe 4096 512-byte-sectors = 2 MiB, check with `cryptsetup luksDump`).
And then look at the raw file using `hexdump -C --skip $(($offset + 4096*512)) --length $filesize /dev/luksdisk`. You should get random data. (And plain text data if you use /dev/mapper/luksthing w/o adding the 2MiB to the offset)
If this is too complicated you can create some plain string (`echo something-unique-which-does-not-show-up-on-the-encrypted-partition > plain.txt`), `sync`, and then see if you can find it with `strings /dev/device | grep something-unique-which-does-not-show-up`. Takes ages because it stupidly reads the whole disk... but should give a result only for the /dev/mapper/luksthing, not /dev/luksdisk...
Or you could just trust it. LUKS works.
Last edited by frostschutz; 04-19-2016 at 09:06 AM.
Oh, sure. That's the reason my /boot is actually a USB stick. Which stays on my keychain. In my pocket. And it has encrypted keyfiles on it so a $5 keylogger will only give you a useless passphrase. As long as you don't have a dongle that logs entire USB traffic or copies the entire USB stick... but even so, it's incredibly hard to defend against physical access.
But the concerns of the OP were whether the data was encrypted at all in the first place. That works fine. At worst you will find old, unencrypted data - if you didn't use full disk encryption from the start and also didn't wipe your drives when you decided to switch...
----
There is actually another type of attack, that applies only to fully automated installs with no random components... if you know which distro / version was installed initially and using which options, you know where specific files are located because they always end up located in the same place. And then you can change bytes on disk and thus destroy those files, and if you destroy the correct files they may alter your boot process or security in some way that offers an attack vector...
Which is why I try to avoid such fully automated / standard installs. Not sure if installers nowadays are smart enough to randomize the way they're populating filesystems during first install a little...
But those are very advanced topics, if all you want is a little protection in case a thief comes and takes your stuff away, no need to be paranoid
Last edited by frostschutz; 04-19-2016 at 12:08 PM.
If this is too complicated you can create some plain string (`echo something-unique-which-does-not-show-up-on-the-encrypted-partition > plain.txt`), `sync`, and then see if you can find it with `strings /dev/device | grep something-unique-which-does-not-show-up`. Takes ages because it stupidly reads the whole disk... but should give a result only for the /dev/mapper/luksthing, not /dev/luksdisk...
My test partition is less than 500 MiB. So I tried searching for one of the filename in the LUKS device, /dev/sd6:
Quote:
[user1@localhost ~]$ ls
Desktop Documents Downloads luks_keyfile mntsda6 Music Pictures Public Templates Videos
[user1@localhost ~]$ ls mntsda6/
lost+found luks_keyfile testluks.txt
As for the grep, it's not supposed to give a result if the device is encrypted. Run the same on /dev/mapper/sda6_mapper and you should see a result if that string exists in one of your files.
Last edited by frostschutz; 04-19-2016 at 01:07 PM.
Only one "small" problem.....
The /dev/sda6 partition is crypsetup-LUKS encrypted!
This means the human readable file name no longer exists in /dev/sda6.
Please show the exact sequence of commands you used to set up that LUKS container, open it, make the filesystem, and mount it. I have a feeling you are not using encryption at all. For starters, putting the key file inside the encrypted container is madness since it cannot be accessed until after the container is unlocked.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.