January 25, 2010

Linux Security Tip-of-the-day: Building/Using Encrypted Virtual Partitions

In my last tip-of-the-day (http://www.linux.com/community/blogs/linux-security-tip-of-the-day-backup-the-configuration-files.html) I noted that I keep encrypted virtual partitions on a remote machine to back up security-related and modified configuration files. Today I will show you how to create and use those virtual partitions.

I will not go into much depth on the process or the optional arguments, because the manual pages for the tools used (dd, losetup, cryptsetup, mkfs and mount) cover whatever variation you may want.

The basic commands shown should be enough to get a new user running. Advanced users can reuse parts of this guide to encrypt physical data and swap partitions, and can derive enough from it to place additional encrypted swap files inside virtual partitions.

Organization of Document

The document will be broken down into the following parts, wherever possible I will refer to previous headings to expedite the instructions:


  1. Making the encrypted virtual partition
  2. Mounting existing encrypted virtual partitions
  3. Completely unmounting the virtual partitions
  4. Credits/Links


Making the encrypted virtual partition

This process has several steps, so be prepared to spend ten minutes or longer on it (much longer if you fill a large file from /dev/urandom).


Making the Virtual Partition

When deciding to make a virtual partition you must be aware of your needs and the potential uses. You can build either a statically sized file or a dynamically sized one (a sparse file). A static file always occupies the full amount of space assigned to it; its benefit is that you can fill it with random data before formatting, so that someone who obtains the file cannot tell how much of the volume is in use (a zero-filled file formatted with LUKS still contains plain zeros wherever nothing has been written yet). A sparse file is limited to the maximum size you specify but only consumes as much disk space as the data written into it. The price is that the allocated blocks reveal roughly how much data the volume holds, and if the underlying filesystem fills up, writes inside the encrypted volume fail with I/O errors rather than a clean "disk full".


Statically Sized  Virtual Partitions/Files

The example command below gives you a base input to create the statically sized virtual partition:

dd if=/dev/zero of=virtualpartition bs=1M count=10k

The first argument “if=/dev/zero” names the input file, here /dev/zero, which fills the specified space with zeros. You can change it to /dev/urandom to fill the space with random data; this hides how much of the volume is in use, but it is far slower for a large file. An equally effective and much faster alternative is to leave the file zero-filled and, once the volume has been opened, write zeros once to the /dev/mapper device: the file then holds ciphertext everywhere.

The 2nd argument “of=virtualpartition” states that the output file will be a new file called virtualpartition; this is where you assign the name of the file that will hold the virtual partition.

The 3rd argument “bs=1M” specifies the block size used to write the data. A block size of 1M is large enough to make creation fast; I recommend keeping it at 1M.

The 4th argument “count=10k” writes 10,240 blocks of the specified block size. dd's k (or K), M and G suffixes are powers of 1024, so 1M is 1,048,576 bytes and 10k is 10,240 blocks, giving a file of 10 GiB (10,737,418,240 bytes), not 10,000,000,000. You can adjust the count to build virtual partitions of whatever size you need.


Dynamic Sized Virtual Partitions/Files

The example command below gives you a base input to create a dynamically sized virtual partition(sparse file):

dd if=/dev/zero of=sparsefile.img bs=1 seek=10G count=0


The first argument “if=/dev/zero” names the input file. Because count=0 (below) copies no blocks at all, nothing is ever read from it, so the input does not matter and there is no reason to change it.

The 2nd argument “of=sparsefile.img” states the file name for the output file, the name of the virtual partition. You can give the file whatever name you like, since you may find it useful to have multiple virtual partitions on your system.

The 3rd argument “bs=1” sets the block size to 1 byte. seek counts in units of the block size, so bs=1 makes the seek value below a plain byte count; leave it at 1.

The 4th argument “seek=10G” moves the output position 10 GiB past the start of the file before writing. dd then extends the file to that length without allocating any blocks, so 10G is the maximum size of the virtual partition; you can tune it to whatever size in B, K, M or G you wish (again powers of 1024).

The 5th argument “count=0” tells dd to copy zero blocks of input, i.e. not to write any data; only the file length is set. (Recent GNU coreutils can do the same with “truncate -s 10G sparsefile.img”.)
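The two file-creation recipes above side by side, as an added example that is not part of the original post: a helper that does dd's unit arithmetic (k/K, M and G are powers of 1024), the static and sparse recipes wrapped as functions, and a check of apparent versus allocated size that shows the difference between the two kinds of file. It assumes GNU coreutils (dd, du, wc, mktemp) and needs no root, because nothing here touches a loop device; the 16 MiB sizes and the temporary directory are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): the static and sparse recipes
# as functions, plus dd's size arithmetic and an apparent-vs-allocated check.
# Assumes GNU coreutils (dd, du, wc, mktemp); needs no root.

# dd's k/K, M and G suffixes are powers of 1024, not 1000.
to_bytes() {
    case "$1" in
        *[Kk]) echo $(( ${1%[Kk]} * 1024 )) ;;
        *M)    echo $(( ${1%M} * 1024 * 1024 )) ;;
        *G)    echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Static file: every block is written, so the file really occupies the space.
# $1=path $2=block size (e.g. 1M) $3=block count (e.g. 10k)
make_static_volume() {
    dd if=/dev/zero of="$1" bs="$2" count="$3" 2>/dev/null
}

# Sparse file: count=0 copies nothing; seek with bs=1 only sets the length.
# $1=path $2=size with K/M/G suffix
make_sparse_volume() {
    dd if=/dev/zero of="$1" bs=1 seek="$2" count=0 2>/dev/null
}

apparent_bytes() { wc -c < "$1" | tr -d ' '; }   # file length
allocated_kib()  { du -k "$1" | cut -f1; }       # blocks actually on disk

# Constructed demonstration with small (16 MiB) files in a temp directory.
demo() {
    dir=$(mktemp -d)
    make_static_volume "$dir/static.img" 1M 16
    make_sparse_volume "$dir/sparse.img" 16M
    for f in static sparse; do
        printf '%s: %s bytes long, %s KiB allocated\n' "$f" \
            "$(apparent_bytes "$dir/$f.img")" "$(allocated_kib "$dir/$f.img")"
    done
    printf 'bs=1M count=10k = %s bytes\n' "$(( $(to_bytes 1M) * $(to_bytes 10k) ))"
    rm -rf "$dir"
}

demo
```

Both files report the same length, but the sparse one allocates (near) zero KiB until something is written into it, which is exactly what an attacker looking at the host filesystem would also see.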


Mounting the file to loopback device address

Before any encryption can be applied, the system must see the file as a block device. To do this you attach the file to a loopback device as shown below (this step and the cryptsetup, mkfs and mount steps that follow need root):

losetup /dev/loop0 virtualpartition

The first argument “/dev/loop0” names the loopback device to attach the virtual-partition file to. Use “losetup -a” to see which loopback devices are already in use; the kernel provides eight (loop0 to loop7) by default, though more can be configured, and “losetup -f” prints the first free one so you need not pick by hand.

The 2nd argument names the file to attach, in this case the file “virtualpartition” in the current working directory. You can point this at whichever virtual-partition file you wish to use.


Formatting the virtual-partitions as an encrypted partition

Now we need to write the LUKS header to the virtual partition and set a passphrase, so that everything stored in it from now on is encrypted transparently. You can do it with the following command:

cryptsetup -s 256 -y luksFormat /dev/loop0

The first argument “-s 256” sets the key size in bits. This is the total key length and its meaning depends on the cipher mode: with the aes-cbc-essiv:sha256 default of older cryptsetup releases, 256 gives AES-256, but with the aes-xts-plain64 mode that current releases default to, XTS splits the key in two, so 256 bits means AES-128 and you need -s 512 for AES-256. Check “cryptsetup --help” for the compiled-in defaults on your system.

The 2nd argument “-y” tells the program to request the passphrase twice to confirm that you entered what you intended.

The 3rd argument “luksFormat” tells the application to format the specified device as a LUKS encrypted volume.

The 4th argument “/dev/loop0” is the loopback device that you attached the file to in the previous step.

This process will ask for a confirmation that you accept that the data will be deleted, then it will ask the 


Opening the encrypted partition

Now that the virtual partition is formatted and the file is attached to a device node, we can open the encrypted partition for use. To open it, enter the example command below:

cryptsetup luksOpen /dev/loop0 backup

The first argument “luksOpen” instructs the program to open the encrypted device/partition.

The 2nd argument “/dev/loop0” is the loopback device that you attached the file to in the previous step; substitute whatever loopback device you used.

The 3rd argument “backup” is the name you assign to the unlocked volume. It appears as /dev/mapper/backup, a device-mapper node that presents the decrypted contents; everything written through it is encrypted before it reaches the loop device.

After you enter the command it will prompt for the passphrase that you assigned to the encrypted partition when formatting it.



Adding a file-system to the virtual-partition

Now that the unlocked volume is visible (in the example) as /dev/mapper/backup you can finally put a file-system on it. The example command below creates a file-system on the example volume:

mkfs -t ext3 /dev/mapper/backup

The first argument “-t ext3” tells the program to create an ext3 file-system on the file/device/partition. You can substitute whatever file-system you prefer (ext4 is the usual choice today).

The 2nd argument “/dev/mapper/backup” refers to the now unlocked volume mapped under that name. Substitute whatever name you assigned to your partition.

Mount the virtual-partition to a disk mount point

We are almost done with the setup.

Now that it has been set up you can mount it as you do a normal partition; the following command mounts the example virtual partition:

mount /dev/mapper/backup /mnt/tmp/

The first argument “/dev/mapper/backup” is the device name that the virtual partition was assigned to. Substitute whatever name you gave your encrypted virtual partition in the previous step.

The 2nd argument “/mnt/tmp” is the mount point, an existing empty directory on your system where you wish the partition to appear (create it with mkdir first if it does not exist).


Now we finally have everything done and you can start using it as a standard partition.



Mounting existing encrypted virtual partitions

To mount an existing encrypted virtual-partition you will follow the steps as outlined below, I am listing the sections from above in the necessary order to limit redundant information:

  1. Mounting the file to loopback device address
  2. Opening the encrypted partition
  3. Mount the virtual-partition to a disk mount point

Completely unmounting the virtual partitions

After you are done working with the data in an encrypted virtual partition you need to take the proper steps to remove every trace of it from the running system. Because of the layers involved in mounting it, there are a few things to attend to, and they must be undone in the reverse order of the setup.



Unmount the virtual partition from the mount point

You need to unmount the partition from the mount point first so that the data no longer appears in the root filesystem. The following example command unmounts the partition from the assigned mount point:

umount /mnt/tmp

The only argument is the mount point that was used; you can also give the block device instead (the name in the /dev/mapper directory). If umount reports that the device is busy, some process still has a file or directory open on it; “lsof /mnt/tmp” or “fuser -m /mnt/tmp” will show which.


Close the Encrypted partition

Now you need to close the encrypted partition, so that anyone wishing to access the data must enter the passphrase again. The following command closes our example partition:

cryptsetup luksClose /dev/mapper/backup

The first argument “luksClose” tells the program to close the LUKS encrypted partition.

The 2nd argument “/dev/mapper/backup” tells the system which mapped encrypted partition to close; the bare name “backup” works as well. Substitute the name that you assigned to your encrypted virtual partition.

If you have forgotten the name you can run “ls /dev/mapper” to list the device-mapper nodes. The entry “control” is the device-mapper control node, not an open partition, and LVM logical volumes also appear there; “cryptsetup status backup” confirms whether a given name is an open LUKS mapping and which loop device sits under it.



Unmount the file from the loopback device

This is the last step.

So far you have removed it from the root file system and closed the encrypted volume, but the last footprint left is the attachment to the loopback device. You can review the files attached to loopback devices with “losetup -a”. The following command detaches the example file from the loopback device:

losetup -d /dev/loop0

The first argument “-d” tells losetup to detach the file from the loop device. It deletes nothing: the virtual-partition file and its contents are untouched.

The 2nd argument “/dev/loop0” is the loopback device the file was attached to. If you used another loopback device, substitute it.

Now the volume is fully closed and the running system no longer references it. The file itself of course remains, and it is recognisable as a LUKS container by its header (the “file” command identifies it as one); your shell history and the system log will also record the commands you ran, though never the passphrase. "No traces" therefore means no access to the data without the passphrase, not that the volume was ever invisible.
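The whole lifecycle from the sections above (attach, luksFormat, luksOpen, mkfs, mount, and the teardown in reverse order) as one script, added here as an example and not the original post's code. It assumes a Linux host with util-linux losetup and a modern cryptsetup (one that accepts a plain file for isLuks); everything except the pure helpers must run as root. The file name, mapper name, mount point, cipher and 1 GiB default size are this example's own choices. It picks the first free loop device with “losetup -f --show” instead of hard-coding /dev/loop0, refuses to overwrite an existing file, checks that the file really is LUKS before opening it, derives the -s key size from the cipher mode, and zeroes the opened mapper device once so that the whole file looks random on disk.

```shell
#!/bin/sh
# Added example, not the original post's script: one create/open/close
# lifecycle for a LUKS volume kept in a file. Assumes Linux, util-linux
# losetup and a modern cryptsetup; everything except the pure helpers
# needs root. VOLUME, MAPPER, MOUNTPOINT, CIPHER and SIZE_MIB are this
# example's own defaults, not values from the post.
set -eu

VOLUME="${VOLUME:-/srv/crypt/backup.img}"   # the virtual-partition file
MAPPER="${MAPPER:-backup}"                  # name that appears under /dev/mapper
MOUNTPOINT="${MOUNTPOINT:-/mnt/backup}"
CIPHER="${CIPHER:-aes-xts-plain64}"
SIZE_MIB="${SIZE_MIB:-1024}"

# cryptsetup -s is the total key size. XTS splits it into two keys, so
# 512 bits gives AES-256; with a CBC mode 256 bits is already AES-256.
key_bits_for() {
    case "$1" in
        *-xts-*) echo 512 ;;
        *)       echo 256 ;;
    esac
}

mapper_path() { echo "/dev/mapper/$1"; }

require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
}

# Loop device currently attached to a file, or empty if none (losetup -j).
loop_for() { losetup -j "$1" | cut -d: -f1 | head -n1; }

vol_create() {
    require_root
    [ ! -e "$VOLUME" ] || { echo "$VOLUME exists, refusing to overwrite" >&2; exit 1; }
    dd if=/dev/zero of="$VOLUME" bs=1M count="$SIZE_MIB"   # static file
    chmod 600 "$VOLUME"
    loop=$(losetup -f --show "$VOLUME")     # first free loop device, printed
    cryptsetup -y -c "$CIPHER" -s "$(key_bits_for "$CIPHER")" luksFormat "$loop"
    cryptsetup luksOpen "$loop" "$MAPPER"
    # Zero the plaintext side once: the file then holds ciphertext everywhere,
    # so nothing reveals how much of it is in use. dd ends with ENOSPC at the
    # end of the device, hence the || true.
    dd if=/dev/zero of="$(mapper_path "$MAPPER")" bs=1M 2>/dev/null || true
    mkfs -t ext4 "$(mapper_path "$MAPPER")"   # the post uses ext3; any fs works
    mkdir -p "$MOUNTPOINT"
    mount "$(mapper_path "$MAPPER")" "$MOUNTPOINT"
}

vol_open() {
    require_root
    cryptsetup isLuks "$VOLUME" || { echo "$VOLUME is not a LUKS volume" >&2; exit 1; }
    loop=$(loop_for "$VOLUME")
    [ -n "$loop" ] || loop=$(losetup -f --show "$VOLUME")   # reuse if already attached
    cryptsetup luksOpen "$loop" "$MAPPER"
    mkdir -p "$MOUNTPOINT"
    mount "$(mapper_path "$MAPPER")" "$MOUNTPOINT"
}

vol_close() {
    require_root
    # Strict reverse of open: unmount, drop the mapping, detach the loop.
    umount "$MOUNTPOINT"
    cryptsetup luksClose "$MAPPER"
    loop=$(loop_for "$VOLUME")
    [ -z "$loop" ] || losetup -d "$loop"   # detaches only; the file stays
    [ -z "$(loop_for "$VOLUME")" ] || echo "WARNING: $VOLUME still attached" >&2
}

case "${1:-}" in
    create) vol_create ;;
    open)   vol_open ;;
    close)  vol_close ;;
    "")     ;;   # no command given: only define the functions
    *)      echo "usage: $0 create|open|close" >&2; exit 2 ;;
esac
```

Run it as “sh encvol.sh create” once, then “open” and “close” per session. Reading the loop device back with losetup -j rather than remembering /dev/loop0 is what makes the close step safe when several volumes are attached at once.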


I hope you learned something useful today and can find a good use for the new information.




I have been using this method for quite some time, but when I first came up with the method I used the following sources for base information:

http://maarten.lippmann.us/?page_id=116 – This page contains many dd usage examples that helped me to create virtual-partitions.

http://slackware.osuosl.org/slackware64-current/README_CRYPT.TXT – This guide is part of the Slackware documentation and can be used to set up encrypted partitions before or after an installation; it also shows how to have the partitions unlocked and mounted at boot.



1/26/09 Afterthought:

These newly created encrypted virtual partitions can be mounted at any existing directory, so you can point services such as ftp, http, tftp or samba at the mounted directory. That lets you expose a volume for a limited period and close it again afterwards, which makes transfer and backup from remote systems simpler.
