Encrypt Your Files With zuluCrypt

by muungwana

ZuluCrypt [1] is a project that seeks to provide an easier to use front end to cryptsetup [2] and tcplay[3]. Tcplay is a command line tool that can create and open TrueCrypt [4] formatted encrypted volumes. Cryptsetup is a command line tool that can be used to create and open LUKS formatted encrypted volumes. Cryptsetup can also open TrueCrypt volumes.

There are two kinds of encrypted volumes. There are those that use what is commonly know as "a header," and those that do not. TrueCrypt and LUKS volumes use a header. Cryptsetup has an encrypted format that does not use a header, and its commonly known as "plain dm­crypt."

There are two kinds of headers using encrypted volumes. There are those that use an encrypted header, and those that do not. TrueCrypt use an encrypted header, whereas LUKS does not. The use of non-encrypted header in LUKS makes it obvious to everybody that the volume is an encrypted LUKS volume, and this may be problematic to some people.

The use of encrypted header, as in TrueCrypt volumes, or no header at all, as in PLAIN (plain dm­ crypt) volumes, make these volumes indistinguishable from random noise and this may seem useful at a glance. However, its usefulness does not hold up against scrutiny, as the likelihood of being believed that a 100GB file made up of cryptographically sound random data is just a 100GB file made up of random data and not a container file for an encrypted volume is not very high. These no header volumes or volumes that use a hidden header gives what is commonly known as "plausible deniability," a still controversial topic among cryptographers.

TrueCrypt, LUKS, Apple's FileVault, and Microsoft's BitLocker, among others stores information necessary to unlock the volume within the volume itself, in the volume's header. With these volumes, the header must be provided before the volume can be opened, and a missing or corrupted header will make it impossible to open the volume. It is very important to have at least one header back up stored in a safe place, just in case the one on the volume gets corrupted some how.

LUKS stands for "Linux Unified Key Setup." It is a specification of how to store information necessary to open a LUKS formatted encryption volume. LUKS encryption format is the standard format in Linux, and a recommended one if the encrypted volume is to be used among Linux systems. TrueCrypt is a better alternative if the encrypted volume is to be shared between Linux, Windows and OSX computers.

ZuluCrypt can create and open three types of encrypted volumes, LUKS, TrueCrypt and PLAIN volumes. A PLAIN volume is a header less encrypted volume, and hence, all necessary encryption information is provided by zuluCrypt when it creates or open these volumes.

Pros and cons of the three volumes.

PLAIN:

Pro:

First, it does not use a volume header, and hence, it’s not possible to "brick" the entire volume simply by overwriting a small part of it. Second, it does not use a header, and hence, its impossible to know if the volume is made up of only cryptographically sound random data or if its an encrypted volume.

Cons:

It does not use a header, and hence, any tool that opens these volumes must provide the encryption options that were used when the volume was created. Different tools may use different encryption options, making these encrypted volumes not very portable between applications, or even between different versions of the same application.

TrueCrypt

Pro:

First, it uses an encrypted header, and hence, its not possible to know if the volume is TrueCrypt formatted encrypted volume, or if the volume is just made up of cryptographically sound random data. Second, is a hidden volume. A TrueCrypt volume can have up to two different encrypted volumes. The first volume is commonly known as "outer volume" and the second optional one is commonly known as "hidden volume". When a TrueCrypt volume is about to be opened, the user has an option to select which one of the two to open by giving appropriate key.

Cons:

It uses a header. As it is not possible to open a header using encrypted volume without its header, and hence, a corrupted TrueCrypt header makes it impossible to open the volume. If you use a TrueCrypt volume, make sure you have at least one backup of the volume header.

LUKS

Pro:

A LUKS volume can be opened with up to 8 different keys.

Cons:

First, a LUKS header is stored unencrypted, making it obvious the volume is LUKS formatted encrypted volume, and this may not be desirable under certain circumstances. It is possible to create a LUKS volume with a detached header and zuluCrypt can open these volumes using the "LUKS" plugin. Second, it uses a header. As it is not possible to open a header using encrypted volume without its header, and hene, a corrupted LUKS header makes it impossible to open the volume. If you use a LUKS volume, make sure you have at least one backup of the volume header.

ZuluCrypt can do two types of encryption. It can do single file encryption/decryption or block device encryption.

File encryption.

File encryption is done using libgcrypt as a cryptographic backend. Files are encrypted using 256 bit AES in CBC mode. The encryption key is derived from user passphrase using pbkdf2 with 10,000 rounds of iterations and sha2 as a cryptographic hash function. The resulting encrypted file will have a file size that equals (64 + 1024 * n) bytes, where n is a number starting from zero.

The file encryption functionality is for those who want to store a file or two in an encrypted form, but prefer not to go through the hassle of managing encrypted containers in image files. This functionality is akin to file encryption using gpg with a symmetric key.

How to create an encrypted file:

1. Start zuluCrypt.

2. Go to the menu and then click "zC­>encrypt a file" to open a file encryption dialog window.

3. At the dialog that will show up, click the button that is on the same line as "source path" text. A file dialog will show up. Select the file you want to store encrypted, enter the password to be used to encrypt the file, and then click "create." The encrypted version of the file will be created at the path given by the "destination path" field.

To decrypt the file created with above steps:

1. Start zuluCrypt.

2. Go to the menu and then click "zC­>decrypt a file" to open a file decryption dialog window.

3. At the dialog that will show up, click the button that is on the same line as "source path" text. A file dialog will show up, select the file you want to decrypt, enter the password to be used to decrypt the file and then click "create." The decrypted version of the file will be created at the path given by "destination path" field.

Block device encryption.

A hard drive or a usb stick are two examples of block devices. A regular file can simulate a block device through a use of devices known as "loop devices." These devices have a device path that starts with "/dev/loop."

The infrastructure in the Linux kernel that deals with block device encryption is called "dm­crypt," and it does its work through a process commonly known as OTF (on the file encryption). Dm­crypt devices are represented by device addresses that start with "/dev/dm­," and these paths are usually accessed through their soft links that reside in "/dev/mapper."

Below is an example of steps taken in creating a 100MB encrypted container in a file, and adding a file in it to be stored securely.

1. Create a 100MB file.

2. Attach a loop device to the file.

3. Create an OTF encryption mapper against the loop device.

4. Put a file system on the encryption mapper.

5. Mount the file system on the mapper.

6. Copy the file to be stored securely to the file system through the mount point.

7. Unmount the file system.

8. Destroy the OTF encryption mapper.

9. Detach the loop device from the file.

10. Maintain the encrypted volume as a secure holder of files within it.

All zuluCrypt does is provide a GUI to make it easy to do above specified tasks.

With the above steps:

Step one deals with a path that look like "/home/ink/secret.img." This is a path to a regular file.

Step two converts the "/home/ink/secret.img" file to something like "/dev/loop0" loop device path.

Step three converts "/dev/loop0" loop device path to something like "/dev/mapper/secrets.img". Data written to "/dev/mapper/secrets.img" will get encrypted, and then passed forward to "/dev/loop0" on their way to "/home/ink/secret.img". When data is read from "/dev/mapper/secrets.img," the data will be read from "/dev/loop0," who in turn, will read it from "/home/ink/secret.img," decrypted by dm­crypt, and then given to the reader. This process is called "on the fly encryption" because the encryption mapper does not store or hold on to data. Rather, it gets data and then encrypts or decrypts it, depending on the direction of data flow, and then passes it along.

How to create an encrypted container in an image file.

1. Start zuluCrypt.

2. Go to "menu­>create­>encrypted container in a file" to open a dialog window.

3. Enter the name of the file to be used to hold the container in the "file name" field.

4. Enter the size of the container in the "file size" field.

5. Click "create."

6. Wait for the container file to be created, and for the volume creation dialog to show up.

7. Enter the password to be used to create the volume.

8. Select the type of volume you want to create from the "volume type" list.

9. Click create to create the volume.

How to create an encrypted container in a partition.

1. Start zuluCrypt.

2. Go to "menu­>create­>encrypted container in a partition" to open a dialog window.

3. Click/double click on the partition you want to create a volume in, and then advance to step seven in the instruction list above. If the partition you want to put an encrypted container does not show up on the list, then restart zuluCrypt from root's account and try again.

How to open an encrypted container that reside in a file using zuluCrypt.

1. Start zuluCrypt.

2. Go to "menu­>open­>encrypted container in a file" to bring up a dialog window.

3. On the dialog window, click the button to the right of "volume path" field, and then browse to where the volume is and click it to open it. Alternatively, you can just drag the volume file on zuluCrypt to generate a password dialog prompt with the file path already filled in.

4. Enter the volume key in the volume key field, and then click "open" to open the volume.

How to open an encrypted container that reside in a partition using zuluCrypt.

1. Start zuluCrypt.

2. Go to "menu­>open­>encrypted container in a partition" to bring up a dialog window.

3. On the dialog window, click/double click on the partition with an encrypted volume you want to open.

4. Enter the volume key in the volume key field and then click "open" to open the volume.

With both of the previous methods mentioned above, the volume will be opened and mounted at a path whose last component is given by the entry in the field "mount name." When the volume is successfully opened, zuluCrypt will automatically open the mount point path. To close the volume, click its entry on the zuluCrypt window, and then click "close" on the pop up window.

ZuluCrypt can open an encrypted volume using keys derived from different sources. These sources include a pass phrase, a key file, a key retrieved from kwallet, a key retrieved from Gnome's libsecret, a key retrieved from an internal secure storage system, and a key from a GPG encrypted key file, among other sources.

To use a passphrase volume key, make sure the key source option reads "key," and then enter the passphrase on the entry field at the bottom.

To use a keyfile as the source of volume key, click the option bar, select "keyfile," and then press the button on the lower right to bring a dialog box that will allow you to browse to where the key file is.

To use a plugin as the source of the volume key, click the option bar, select "plugin," and then press the button on the lower right to bring up a list of available plugins. Select the one you want from the list.

Volume keys stored in Kwallet, Gnome keyring or internal secure storage system plugins can be managed by going to "menu­>options­>manage volumes in internal/kde/gnome wallet."

Storage of keys in a Gnome wallet/keyring seem most appropriate in a gnome session. but this has some security repercussions. The keys are stored in the user keyring, and this keyring gets unlocked when the user logs in. This means that once a user is logged in and the keyring is open, any application that runs in that user session can read those keys using public APIs exposed by the storage system.

In a KDE system, a Kwallet secure storage system seems most appropriate, but it suffers from the same security problem that the Gnome secure storage system has. Once the wallet is open, any application running in the user session can access it using public APIs exposed by the storage system.

The behaviors of the above secure storage systems is by design, but this design may not be ideal for some users under certain use cases. The internal secure storage system is powered by libgcrypt, and it does not have the behavior of the above two systems. An unlocked internal secured storage system is accessible only to the instance of zuluCrypt that unlocked it.

Favorites.

For convenience, most used volumes can be easily opened by adding them to the favorite list.

Entries on the list are added in the dialog window opened by clicking "menu­>options­>manage favorites". Favorite entries are added by clicking the "favorite" entry on the menu.

Erase data in a device.

It is very important to create encrypted volume over cryptographically strong random data to make it impossible to know what part of the encrypted volume has been used and what part has not. If the encrypted volume is created over predictable data patterns, like on a device with only zeros in it, forensic analysis may reveal how much and what part of the encrypted volume are in use.

When creating an encrypted container in a device, zuluCrypt offers an option to first write random data over the device. This feature can be performed on other devices by activating it through "menu­>erase data in a device". Random data is written to disk by opening a plain dm­crypt encryption mapper on the device with a 64 byte random key, and then blasting zeros on the device through the mapper. This technique has proven to be faster when compared to alternatives, like writing random data on the device read from "/dev/urandom."

System and non system volumes.

To enforce access controls on what user can access what block device and what they can do with the access they have, zuluCrypt employs a concept of "system volumes" and "non system volumes."

A system volume is defined as a volume that has an active entry in "/etc/fstab", "/etc/crypptab", "/etc/zuluCrypt/system_volumes.list," or if udev identifies it as such, if udev is enabled. Ideally, all volumes inside the computer are to be considered system volumes.

A non system volume is a volume that failed in the above considerations, or if it has an entry in "/etc/zuluCrypt/non_system_volumes.list". Ideally, these volumes are pluggable USB based hard drives or USB sticks.

Partitions can be added or removed from the list of system or non system volumes simply by starting zuluCrypt from root's account, then going to "menu­>options­>manage system volumes/manage non system volumes," and then adding the volume in the appropriate list.

Permissions.

ZuluCrypt limits what a user can do on block devices through Unix's group based permission system using two groups, "zulucrypt" and "zulumount."

If a device is identified as a system device, only a root user or a user who is a member of group "zulucrypt" can create an encrypted volume in the device or taking/restoring volume headers. If you want to create a volume in a device and the device does not show up on the list, restart zuluCrypt from root's account and try again.

If a device is identified as a system device, zuluMount will mount it only if the user is root, is a member of group "zulumount," or the device has an entry in "/etc/fstab" with either "user" or "users" mount options set.

ZuluMount.

ZuluMount is a general purpose mounting tool that can open zuluCrypt supported encrypted volumes, as well as non encrypted volumes.

ZuluMount can also auto detect plugged in devices and auto mount them.

Footnote references:

[1] http://code.google.com/p/zulucrypt/

[2] http://code.google.com/p/cryptsetup/

[3] https://github.com/bwalex/tc­play

[4] http://www.truecrypt.org/