Thursday, 24 July 2008

Encrypted removable storage with Fedora 9

Linux Unified Key Setup (LUKS) is a way to create encrypted disk partitions on Linux. It has been around for a while now, and Fedora 9 provides LUKS support out of the box. Encrypted partitions can be configured to be unlocked with several passphrases, allowing many users to share the partition. Disk access speeds are almost comparable to that of unencrypted disks. Best of all, LUKS is cross-platform. Even Windows users are able to use an encrypted partition created with LUKS.

The number of material on the net about creating LUKS partitions is surprisingly low. The few link I checked out only detailed how to setup permanent encrypted partitions that got mounted at every bootup. My requirement was to encrypt an external hard-drive that I use for backup purposes, therefore I set out to find out the process of encrypting a removable disk on my own. I was helped along the way by http://fedoraproject.org/wiki/Security_Guide/9/LUKSDiskEncryption and http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS


Step 1:
Change in to the single user mode.

telinit 1

Step 2:
Check whether the drive is still mounted. (My drive is plugged in to /dev/sdb. Yours may vary)
mount | grep sdb
Unmount the drive if it is still mounted.
umount /dev/sdb

Step 3 (Optional):
For maximum security, the drive must be filled with random data. This can be done in two ways. Both methods are effective, but take a long time. You will possibly have to leave the process overnight to complete. Be warned; this step will OVERWRITE ALL DATA on the disk.

Method 1:
Use dd to write data from /dev/urandom. Make sure you type it correctly. If you type /dev/random by mistake, your grand-kids will be wrinkled and toothless by the time it finishes.
dd if=/dev/urandom of=/dev/sdb

Method 2:
Suggested by LUKS wiki. Kills two birds with one stone by writing random data to the disk and checking it for errors at the same time.
badblocks -c 10240 -s -w -t random -v /dev/sdb


Step 4:
Create the LUKS partition.
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb

Step 5:
Load the logical encrypted device.
cryptsetup luksOpen /dev/sdb my_enc_drive
This command will create /dev/mappers/my_enc_drive. You can provide any name you like in place of "my_enc_drive". To check whether the command succeeded, type:
ls -l /dev/mappers
You should see a new entry titled "my_enc_drive" in the output.

Step 6:
Create the file system. You can choose any file system you like. Be aware of permission problems when using secure file systems such as ext3. In this case, I am creating an ext3 file system on the encrypted disk.
mkfs.ext3 /dev/mapper/my_enc_drive

Step 7:
Mount the drive.
mount -t ext3 /dev/mapper/my_enc_drive /media/my_enc_drive

If everything went successfully, your encrypted file system is ready now. Reboot the computer to bring up the desktop and plug the drive in. It is automatically recognized as an encrypted drive and you will be prompted for a password.



In theory, the drive should be mounted automatically after you enter the password. But on my machine, the entry to /dev/mapper was automatically created, but the drive wasn't mounted automatically. I still haven't found the reason for this behaviour, but it is only a minor setback. The drive can be used without any problem by manually mounting it.
sudo mount -t ext3 /dev/mapper/luks_crypto_8e8d6392-7be3-4964-8e6d-9de57e886fa5 /media/my_enc_drive
" luks_crypto_8e8d6392-7be3-4964-8e6d-9de57e886fa5" is the name automatically generated by the HAL daemon. Yours will definitely be different.

To unmount the drive after using it. Simply type:
sudo umount /media/my_enc_drive
sudo cryptsetup luksClose luks_crypto_8e8d6392-7be3-4964-8e6d-9de57e886fa5


LUKS can be a viable alternative to TrueCrypt. The disk access speeds seem much better compared to TrueCrypt, at least on my machine. Best of all, LUKS comes pre-installed with Fedora 9. Therefore you don't need to struggle with getting the sources and compiling TrueCrypt.

Sunday, 13 July 2008

Secure File Deletion With srm

On any operating system, files deleted using the built-in file deletion utilities are never really deleted. Behind the scenes, deletion is simply a matter of removing the file from the directory entry and adding the blocks occupied by the file to the free block list. The file still exists on the disk like a ghost. The OS might reuse some of the blocks for another file, but it's not guaranteed that the whole file will get overwritten, therefore enough sensitive data from deleted files can be recovered with even the simplest of utilities. Even if all the blocks get casually overwritten, there are sophisticated methods that can be employed by a determined attacker to recover most of the overwritten data from a hard drive platter.

srm is a project that attempts to provide secure file deletion options to the familiar rm command used in all Unix derivatives. srm is fully compatible with the regular rm command, therefore there's no learning curve involved. There are 3 options for secure deletion.
  • -s, --simple : Simple one pass overwriting with random data. (Least secure option.)
  • -P, --openbsd : Emulates OpenBSD behaviour by overwriting in 3 passes.
  • -D, --dod : Conforms to the US DoD specification of overwriting in 7 passes.
Installation is a simple affair. Download the tar ball, extract, configure, make, make install, and you're set.

Although it is dificult to guarantee total security, srm is a good open source solution for normal users who wish to keep their data private. A determined government agency might still get to your data, but certainly not your pesky script-kiddie cousin.

Tuesday, 8 July 2008

WPA issues in Kernel 2.6.25.9-76

After accepting an auto update to the kernel which installed kernel 2.6.25.9-76, Fedora 9 failed to connect to WPA enabled wireless networks. The network manager applet kept attempting to connect and failing, repeatedly prompting for the WPA key without any success. Attempting to connect manually using the iwconfig commands also failed when attempting to obtain a DHCP lease using dhclient. Connecting to a WEP network succeeded, suggesting that the problem lay with WPA support. Restarting the wpa-supplicant service with service restart wpa_supplicant failed with the error Starting wpa_supplicant: /etc/wpa_supplicant/wpa_supplicant.conf, , dbus_bus_request_name[dbus]: Resource temporarily unavailable. At this point I was stymied with no possible solution coming to mind except reverting back to the old kernel, which worked perfectly. Judging by the bugzilla report, the problem appeared to be related to a couple of wireless fixes incorporated in to the kernel.

At this point, I decided to wait a couple of days for an updated kernel to be pushed through the auto-updates. But since none seemed to be forthcoming, I downloaded kernel-2.6.25.10-86.fc9.i686 from Koji (http://koji.fedoraproject.org/koji/buildinfo?buildID=55121) and installed it without any problems using yum.
sudo yum --nogpgcheck localinstall kernel-2.6.25.10-86.fc9.i686.rpm kernel-devel-2.6.25.10-86.fc9.i686.rpm kernel-headers-2.6.25.10-86.fc9.i386.rpm

The new kernel fixes the WPA issue and my wireless network is back online again. If you are experiencing the same problem, I recommend the latest kernel build, which is working perfectly for me at the moment.

Monday, 7 July 2008

TrueCrypt 6.0 on Fedora 9

TrueCrypt 6.0 was released on 4th of July. The new version has many improvements, the most important ones being parallelized encryption/decryption and hidden volume support for Linux and MacOS. Parallelized encryption/decryption makes use of multiple cores to speed up the process, therefore TrueCrypt on a dual core machine would be twice as fast compared to a machine with a single core processor. The new version for Linux also makes use of the native kernel cryptographic services for the XTS mode, making disk accesses almost as fast as normal disk accesses. Full feature list for TrueCrypt 6.0 can be found at http://www.truecrypt.org/docs/?s=version-history

Since there are no binaries for Fedora, TrueCrypt has to be compiled from the source. The process is quite straight forward and hasn't changed since the last release. The sources have been fixed with the correct includes, so this version will not spill out compiler errors.

TrueCrypt 6.0 is a worthy update that will make your disk encryption process more streamlined.

Thursday, 3 July 2008

Firefox 3 sets a world record !

The Firefox Download Day was an absolute success with over 8 million unique copies downloaded within the first 24 hours of release. The Guiness book of world records has officially confirmed it today.

Don't forget to get your Download Day contributor certificate. :) Mozilla will be mailing you a link to the site to download it.