
Paranoia without borders, or encrypting an LVM volume built from files

After reading today's post on a BSD blog about data encryption, I had the idea of creating an LVM volume from a file and encrypting it.

I won't beat around the bush; here is how I did it.







In this example all the container files sit on one hard disk in one partition (/tmp), but nothing stops you from placing them anywhere. Let's get started!

Create five files of 50 MB each; these will be the containers:



/tmp # for i in `seq 1 5`; do dd if=/dev/zero of=safe.$i bs=1M count=50; done

50+0 records in

50+0 records out

52428800 bytes (52 MB) copied, 0.235608 s, 223 MB/s

(dd prints the same three lines for each of the five files; only one set is shown.)





Check (long listing with human-readable sizes):

/tmp # ls -lh safe.*

-rw-r--r-- 1 root root 50M 2009-11-28 03:02 safe.1

-rw-r--r-- 1 root root 50M 2009-11-28 03:02 safe.2

-rw-r--r-- 1 root root 50M 2009-11-28 03:02 safe.3

-rw-r--r-- 1 root root 50M 2009-11-28 03:02 safe.4

-rw-r--r-- 1 root root 50M 2009-11-28 03:02 safe.5





Now turn the safes into block devices with losetup:

/tmp # for i in `seq 1 5`; do losetup /dev/loop$i /tmp/safe.$i; done

(The fixed names assume /dev/loop1 to /dev/loop5 are free. Current util-linux can pick the next free loop device for you with `losetup -f --show /tmp/safe.$i`, which prints the device it chose.)



We now have five 50 MB block devices. To get a single larger store, combine them into one logical volume.



If the pvcreate utility is not available, install the LVM tools:

apt-get install lvm2 (on Ubuntu/Debian)



/tmp # pvcreate /dev/loop{1,2,3,4,5}

Physical volume "/dev/loop1" successfully created

/tmp # vgcreate vg0 /dev/loop{1,2,3,4,5}

Volume group "vg0" successfully created

/tmp # vgscan

Reading all physical volumes. This may take a while...

Found volume group "vg0" using metadata type lvm2

/tmp # lvcreate --size 200M --name lvopt vg0

Logical volume "lvopt" created





We now have a 200 MB LV at /dev/vg0/lvopt.

We encrypt it with plain dm-crypt (`cryptsetup create`). Note that the command below passes no `-c`, so it uses cryptsetup's default cipher rather than Twofish; to use Twofish, add `-c twofish-cbc-essiv:sha256`. Plain mode writes no header to the device, so the passphrase is never verified: a mistyped passphrase simply yields a different key (a later mount fails, and an mkfs at that point would destroy the data), which is why `-y` (ask twice) matters here. LUKS (`cryptsetup luksFormat` / `cryptsetup luksOpen`) would add a header with salted key derivation and passphrase verification.

/tmp # cryptsetup -y create datasafe /dev/vg0/lvopt

Enter passphrase:

Verify passphrase:





That's all. Now let's check what we've got. First, format the new device as ext4:

mkfs.ext4 /dev/mapper/datasafe

mke2fs 1.41.9 (22-Aug-2009)

(e2fsprogs of that era still shipped the tool under the name mkfs.ext4dev, which is the name that produced the output above; mkfs.ext4 is the current name.)

Then mount it (the mount point /media/safe must already exist):

mount -t ext4 /dev/mapper/datasafe /media/safe/






Fill the safe with data to make sure it works. The data comes from /dev/zero, and the write stops only when the filesystem is full:

cat /dev/zero >> /media/safe/test

cat: write error: No space left on device





The LV now holds a test file that occupies all the available space; check:

df -h

Filesystem Size Used Avail Use% Mounted on

[....]

/dev/mapper/datasafe 194M 193M 0 100% /media/safe





Now unmount the filesystem and close the encrypted mapping:

umount /media/safe/

cryptsetup remove datasafe

(Current cryptsetup spells the second step `cryptsetup close datasafe`; `remove` is kept as a backward-compatible alias.)





Now try to read the raw LV with the mapping closed:

less -f /dev/vg0/lvopt

What comes out is ciphertext: the zero-filled test file is nowhere to be seen, so the device really is encrypted. One caveat: this check only proves something because the filesystem was filled to 100%. dm-crypt rewrites a sector only when the filesystem writes it, so any part of a container that was never written keeps the zeros dd put there; on a partly used safe, the boundary between random-looking data and zeros shows how much of it is in use. Filling the containers from /dev/urandom instead of /dev/zero avoids that.



Container files can be of different sizes and live on any hard drives, which should make them harder to find and to reassemble into one device. Bear in mind, though, that in this layout the encryption sits above LVM: pvcreate writes an LVM2 label and a cleartext metadata area (containing the VG and LV names) to the start of every container, so `file safe.1` reports an LVM2 physical volume and `pvscan` lists the whole set as soon as the loop devices exist. Putting dm-crypt on each loop device first and building the volume group on the dm-crypt mappings would hide that metadata as well.
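The whole procedure above, plus the two checks the post does by eye (is the raw device really ciphertext, and how recognisable are the containers), as an added example that is not the post's own code. It keeps the post's names (safe.N, vg0, lvopt, datasafe, /media/safe); the script layout, the variable names NFILES/SIZE_MB/DIR/CIPHER, the explicit Twofish cipher string, the /dev/urandom fill and the two check functions are this example's own assumptions. `build` and `teardown` need root with util-linux, lvm2 and cryptsetup installed; `zero_percent` and `is_lvm_pv` work on any file.

```shell
#!/bin/sh
# Added example, not the post's own code: the post's procedure as a script plus
# two checks worth running before trusting the result. The names safe.N, vg0,
# lvopt, datasafe and /media/safe come from the post; NFILES, SIZE_MB, DIR,
# CIPHER and the function names are this example's assumptions.

NFILES=5                          # assumption: five containers, as in the post
SIZE_MB=50                        # assumption: 50 MB each, as in the post
DIR=/tmp                          # where the container files live
VG=vg0; LV=lvopt; MAP=datasafe; MNT=/media/safe
CIPHER=twofish-cbc-essiv:sha256   # the post mentions Twofish but never passes -c,
                                  # so its command used cryptsetup's default cipher

# Percentage of NUL bytes in a file (integer 0..100). An encrypted container
# that was fully written comes back near 0; a never-written or cleartext one
# comes back high. Replaces the post's "eyeball it with less -f" check.
zero_percent() {
    total=$(wc -c < "$1" | tr -d ' ')
    [ "$total" -gt 0 ] || { echo 0; return 1; }
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    echo $(( (total - nonzero) * 100 / total ))
}

# pvcreate writes an LVM2 label ("LABELONE" at offset 512, i.e. sector 1) and
# a cleartext metadata area to every PV, so each container is recognisable as
# an LVM physical volume no matter what sits on top of the LV.
# Returns 0 when the file carries that label.
is_lvm_pv() {
    [ "$(dd if="$1" bs=1 skip=512 count=8 2>/dev/null | tr -d '\000')" = LABELONE ]
}

build_safe() {
    mkdir -p "$MNT"
    devs=""
    i=1
    while [ "$i" -le "$NFILES" ]; do
        # /dev/urandom rather than /dev/zero: dm-crypt only rewrites sectors the
        # filesystem touches, so a zero-filled container reveals how much of
        # the safe has actually been used.
        dd if=/dev/urandom of="$DIR/safe.$i" bs=1M count="$SIZE_MB" 2>/dev/null
        devs="$devs $(losetup -f --show "$DIR/safe.$i")"   # next free loop device
        i=$((i + 1))
    done
    pvcreate $devs
    vgcreate "$VG" $devs
    lvcreate --size 200M --name "$LV" "$VG"
    # Plain dm-crypt exactly as in the post: no header, so the passphrase is
    # never verified and a typo yields a different key. -y asks for it twice.
    # (LUKS, via luksFormat/luksOpen, would add a header with a salted,
    # verifiable key instead.)
    cryptsetup -y -c "$CIPHER" create "$MAP" "/dev/$VG/$LV"
    mkfs.ext4 -q "/dev/mapper/$MAP"
    mount -t ext4 "/dev/mapper/$MAP" "$MNT"
}

teardown_safe() {
    umount "$MNT"
    cryptsetup remove "$MAP"          # `cryptsetup close` on current versions
    vgchange -an "$VG"
    i=1
    while [ "$i" -le "$NFILES" ]; do
        # losetup -j prints "/dev/loopN: ..." for the device backed by the file
        losetup -d "$(losetup -j "$DIR/safe.$i" | cut -d: -f1)"
        i=$((i + 1))
    done
}

# Report each container: how much of it is still NUL bytes, and whether it
# announces itself as an LVM PV (it will, as long as LVM sits below the
# encryption rather than above it).
check_safe() {
    i=1
    while [ "$i" -le "$NFILES" ]; do
        f="$DIR/safe.$i"
        if is_lvm_pv "$f"; then tag="LVM2 PV label present"; else tag="no LVM label"; fi
        echo "$f: $(zero_percent "$f")% NUL bytes, $tag"
        i=$((i + 1))
    done
}

case "${1:-}" in
    build)    build_safe ;;
    teardown) teardown_safe ;;
    check)    check_safe ;;
esac
```

Usage: `sudo sh safe.sh build`, put data in /media/safe, `sudo sh safe.sh teardown`, then `sh safe.sh check`. With the post's zero-filled containers a container that LVM never handed extents to would still report close to 100% NUL bytes, and every container reports the LVM2 label, because in this layout the encryption is applied above LVM rather than below it.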

Source: https://habr.com/ru/post/76699/


