Practical Data Encryption

I was recently faced with the situation where I wanted to encrypt an external drive. And I wanted it to work across different operating systems.

It turns out, there two ways to go about encrypting data: doing so at the block level, or encrypting individual files. The most important distinction I can make between the two is that block-level encryption is more secure (no one can tell if there’s actually data in a block, and where it belongs), but encryption at the file level allows for multi-tenancy at the file system level (every user can pick which files to encrypt, and the encryption method/key that will be used). As a result, it makes more sense to use block-level encryption for personal volumes (e.g. external usb drives), and settle with the file-level approach for the system disk.

Encryption tools

What are the tools that we have to choose from, though, and how do they stack up? Not so long ago, Gareth Halfacree wrote a nice review on LinuxUser that examines the four most popular open-source tools out there: LUKS+dm-crypt, eCryptfs, EncFS, and TrueCrypt. Here’s a quick-and-dirty summary of each:

  • LUKS, the Linux Unified Key Setup, is by far the most commonly used tool for whole-disk encryption among Linux distributions. It provides a standard platform-independent on-disk data format, that facilitates compatibility, interoperability, and secure password management that is carried out in a documented manner by every program. The reference implementation for LUKS is cryptsetup, which uses dm-crypt as the disk encryption backend.
  • eCryptfs, the Enterprise Cryptographic Filesystem, is a POSIX-compliant encrypted stacked filesystem derived from Erez Zadok’s Cryptfs. It stores cryptographic data in the header of each file written, which offers less security (as an attacker can infer which data belongs to which file, and access certain file metadata that can reveal the file’s contents), but allows for more flexibility w.r.t. encryption policies. It’s been widely adopted in cases where multi-tenancy is needed within the same file system (e.g. it is the default tool for encrypting home directories in Ubuntu).
  • EncFS, is a FUSE-based cryptographic filesystem that takes a similar approach w.r.t. data encryption as eCryptFS. However, since it is implemented in user-space, it allows for more configuration flexibility compared to the latter, at the expense of performance lost due to context switching.
  • TrueCrypt is a user-space tool that relies on OTFE (on-the-fly encryption). It can be used to create encrypted “data containers”, i.e. virtual encrypted disks within a file, or encrypted partitions/storage devices. It’s Achilles’ heel is its license, which contains distribution and copyright-liability restrictions that prevent it from getting an OSI stamp of approval. As a result, you will not find it in your package repository. Ironically, it is the easiest tool to use of the bunch (comes with a user-friendly GUI and stuff).

In his review, Halfacree tests each tool by transferring one large, or multiple small files. The results follow.

Performance comparison of four popular data encryption techniques: TrueCrypt, LUKS+dm-crypt, eCryptfs, EncFS.
Performance comparison of four popular data encryption techniques: TrueCrypt, LUKS+dm-crypt, eCryptfs, EncFS.

If you read what I wrote above, the numbers shouldn’t surprise you. Both block-level approaches rank significantly higher than the guys that need to jump through hoops and layers to encrypt your data. Other than that, I wouldn’t be quick to crown TrueCrypt as the winner based on performance. I did choose it for my drive, however, because it offers clients for Linux, Windows, and OS X. This is not the case with LUKS, which you’d best save for volumes only accessible in Linux (although FreeOTFE can be used to access encrypted volumes in Windows, I haven’t tested it myself).

Creating a LUKS+dm-crypt encrypted volume in Linux

Setting up a LUKS volume in Ubuntu is pretty easy:

# Install LUKS, i.e. cryptsetup
$ sudo apt-get install -y cryptsetup

# Unmount the device
$ sudo umount /dev/sdc1

# Setup LUKS on the partition (this also works for a device,
# e.g. /dev/sdc)
$ sudo cryptsetup luksFormat -c aes -h sha256 /dev/sdc1

This will overwrite data on /dev/sdc1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:

# Mount partition
$ sudo cryptsetup luksOpen /dev/sdc1 encrypted_disk
Enter passphrase for /dev/sdc1:

# Format new partition
$ sudo mkfs.ext4 /dev/mapper/encrypted_disk

# Mount the filesystem
$ sudo mkdir /mnt/encdisk
$ sudo mount -t ext4 /dev/mapper/encrypted_disk /mnt/encdisk/

# Unmount the disk
$ sudo umount /mnt/encdisk
$ sudo cryptsetup luksClose encrypted_disk

The above commands work when you encrypt an entire storage device as well. Once you plug the device back in, your desktop environment should pick it up and prompt you for your passphrase directly. I’ve tested the above procedure on RedHat- and Debian-based distros, and can confirm it works every time.

Creating a TrueCrypt encrypted volume in Linux (or OS X)

I admit that LUKS won me over when I found out that it stands with one foot in the linux kernel. However, I was unable to find a tool that would allow me to mount LUKS-encrypted volumes under OS X, which led me to TrueCrypt. In the majority of the guides you’ll find online for creating TrueCrypt volumes, you’ll notice everything’s done through its GUI. Myself, I found the GUI restrictive, as it only allowed me to create specific filesystems on the volume (HFS+ in OS X, and ext* in Linux). What I needed, however, was an NTFS TrueCrypt volume that can be seen by Linux, Windows, and OS X. Here’s how I created that in Linux (after downloading and installing TrueCrypt):

# Create the encrypted volume -- choose None for the filesystem
# when prompted. Removing --quick securely formats device (if
# previously used for private data)
$ truecrypt -t --random-source=/dev/urandom --quick -c /dev/sdc

# Mount the volume
$ truecrypt -t --filesystem=none /dev/sdc

# Create the (NTFS) filesystem
$ mkfs.ntfs -f -L encrypted_disk /dev/mapper/truecrypt1

In Mac OS X, things work a bit differently:

# Create a fat filesystem on the new encrypted volume
$ /Applications/ -t \
--filesystem=fat -c /dev/rdiskX

# Mount the volume in Truecrypt, and find the virtual device
# /dev/diskY for the volume, then format the volume to NTFS
# through disk utility

Once created, the volume can be normally mounted through the TrueCrypt interface.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s