Linux Examples: dm-crypt
This section gives a series of examples of how to create Linux dm-crypt volumes, and then mount them using FreeOTFE.
These examples have been tested using Fedora Core 3, with a v2.6.11.7 kernel installed; though they should work for all compatible Linux distributions.
Initial Setup
To begin using dm-crypt under Linux, ensure that the various kernel modules are installed:
modprobe cryptoloop
modprobe deflate
modprobe zlib_deflate
modprobe twofish
modprobe serpent
modprobe aes_i586
modprobe blowfish
modprobe des
modprobe sha256
modprobe sha512
modprobe crypto_null
modprobe md5
modprobe md4
modprobe cast5
modprobe cast6
modprobe arc4
modprobe khazad
modprobe anubis
modprobe dm_mod    # this should give you dm_snapshot, dm_zero and dm_mirror?
modprobe dm_crypt
At this point, typing "dmsetup targets" should give you something along the lines of:
crypt v1.0.0
striped v1.0.1
linear v1.0.1
error v1.0.1
Typing "lsmod" will show you which modules are currently installed.
Defaults
If not overridden by the user, dm-crypt defaults to encrypting with:
- Cypher: AES
- Cypher keysize: 256 bit
- User key processed with: RIPEMD-160 (not "RIPEMD-160 (Linux; Twice, with A)"), with the "Hash with "A"s, if hash output is too short" option selected
- IV generation: 32 bit sector ID
Example #1: Mounting a dm-crypt Volume Using dm-crypt's Default Encryption
This example demonstrates use of a dm-crypt volume using dm-crypt's default encryption system: AES128 with the user's password hashed with RIPEMD160, using the 32 bit sector IDs as encryption IVs.
Creating the volume file under Linux:
dd if=/dev/zero of=./volumes/vol_default.vol bs=1K count=100
losetup /dev/loop0 ./volumes/vol_default.vol
echo password1234567890ABC | cryptsetup create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint
Mounting the volume under FreeOTFE:
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
  - Enter "password1234567890ABC" as the key
  - Leave GPG executable blank
  - Leave GPG keyfile blank
  - Leave seed blank
  - Select the "RIPEMD-160 (160/512)" hash
  - Ensure "Hash with "A"s, if hash output is too short" is checked.
  - Leave iteration count at 0
- "Encryption" tab:
  - Select the "AES (CBC; 256/128)" cypher
  - Select "32 bit sector ID" as the IV generation method
  - Set "Sector zero location" to "Start of encrypted data"
- "File options" tab:
  - Leave offset at 0
  - Leave sizelimit at 0
- "Mount options" tab:
  - Select any unused drive letter
  - Leave readonly unchecked
- Click the "OK" button
Example #2: Mounting a dm-crypt Volume Using 128 bit AES Encryption
This example demonstrates use of a dm-crypt AES128 volume.
Creating the volume file under Linux:
dd if=/dev/zero of=./volumes/vol_aes128.vol bs=1K count=100
losetup /dev/loop0 ./volumes/vol_aes128.vol
echo password1234567890ABC | cryptsetup -c aes -s 128 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint
Mounting the volume under FreeOTFE:
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
  - Enter "password1234567890ABC" as the key
  - Leave GPG executable blank
  - Leave GPG keyfile blank
  - Leave seed blank
  - Select the "RIPEMD-160 (160/512)" hash
  - Ensure "Hash with "A"s, if hash output is too short" is checked.
  - Leave iteration count at 0
- "Encryption" tab:
  - Select the "AES (CBC; 128/128)" cypher
  - Select "32 bit sector ID" as the IV generation method
  - Set "Sector zero location" to "Start of encrypted data"
- "File options" tab:
  - Leave offset at 0
  - Leave sizelimit at 0
- "Mount options" tab:
  - Select any unused drive letter
  - Leave readonly unchecked
- Click the "OK" button
Example #3: Mounting a dm-crypt Volume Using 256 bit AES Encryption, using SHA256 ESSIV
This example demonstrates use of a dm-crypt AES256 volume using SHA-256 ESSIV sector IVs.
Creating the volume file under Linux:
dd if=/dev/zero of=./volumes/vol_aes_essiv_sha256.vol bs=1K count=100
losetup /dev/loop0 ./volumes/vol_aes_essiv_sha256.vol
echo password1234567890ABC | cryptsetup -c aes-cbc-essiv:sha256 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint
Mounting the volume under FreeOTFE:
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
  - Enter "password1234567890ABC" as the key
  - Leave GPG executable blank
  - Leave GPG keyfile blank
  - Leave seed blank
  - Select the "RIPEMD-160 (160/512)" hash
  - Ensure "Hash with "A"s, if hash output is too short" is checked.
  - Leave iteration count at 0
- "Encryption" tab:
  - Select the "AES (CBC; 256/128)" cypher
  - Select "ESSIV" as the IV generation method
  - Set "Sector zero location" to "Start of encrypted data"
  - Select "SHA-256 (256/512)" as the IV hash
  - Select "AES (CBC; 256/128)" as the IV cypher
- "File options" tab:
  - Leave offset at 0
  - Leave sizelimit at 0
- "Mount options" tab:
  - Select any unused drive letter
  - Leave readonly unchecked
- Click the "OK" button
Example #4: Mounting a dm-crypt Volume Using 448 bit Blowfish Encryption
This example demonstrates use of a dm-crypt Blowfish 448 volume.
Creating the volume file under Linux:
dd if=/dev/zero of=./volumes/vol_blowfish_448.vol bs=1K count=100
losetup /dev/loop0 ./volumes/vol_blowfish_448.vol
echo password1234567890ABC | cryptsetup -c blowfish -s 448 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint
Mounting the volume under FreeOTFE:
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
  - Enter "password1234567890ABC" as the key
  - Leave GPG executable blank
  - Leave GPG keyfile blank
  - Leave seed blank
  - Select the "RIPEMD-160 (160/512)" hash
  - Ensure "Hash with "A"s, if hash output is too short" is checked.
  - Leave iteration count at 0
- "Encryption" tab:
  - Select the "Blowfish (CBC; 448/64)" cypher
  - Select "32 bit sector ID" as the IV generation method
  - Set "Sector zero location" to "Start of encrypted data"
- "File options" tab:
  - Leave offset at 0
  - Leave sizelimit at 0
- "Mount options" tab:
  - Select any unused drive letter
  - Leave readonly unchecked
- Click the "OK" button
Example #5: Mounting a dm-crypt Volume Using 256 bit Twofish and Offset
This example demonstrates use of a dm-crypt Twofish 256 volume, with the encrypted volume beginning at an offset of 3 sectors (3 x 512 = 1536 bytes) into the volume file.
Creating the volume file under Linux:
dd if=/dev/zero of=./volumes/vol_twofish_o3.vol bs=1K count=100
losetup /dev/loop0 ./volumes/vol_twofish_o3.vol
echo password1234567890ABC | cryptsetup -c twofish -o 3 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint
Mounting the volume under FreeOTFE:
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
  - Enter "password1234567890ABC" as the key
  - Leave GPG executable blank
  - Leave GPG keyfile blank
  - Leave seed blank
  - Select the "RIPEMD-160 (160/512)" hash
  - Ensure "Hash with "A"s, if hash output is too short" is checked.
  - Leave iteration count at 0
- "Encryption" tab:
  - Select the "Twofish (CBC; 256/128)" cypher
  - Select "32 bit sector ID" as the IV generation method
  - Set "Sector zero location" to "Start of encrypted data"
- "File options" tab:
  - Set offset to 1536 bytes (i.e. 3 sectors, each of 512 bytes)
  - Leave sizelimit at 0
- "Mount options" tab:
  - Select any unused drive letter
  - Leave readonly unchecked
- Click the "OK" button
Example #6: Mounting a dm-crypt Volume Using 256 bit AES Encryption, with MD5 Password Hashing
This example demonstrates use of a dm-crypt Twofish 256 volume, with the
user's password processed with MD5.
Creating the volume file under Linux:
dd if=/dev/zero of=./volumes/vol_aes_md5.vol bs=1K count=100
losetup /dev/loop0 ./volumes/vol_aes_md5.vol
echo password1234567890ABC | cryptsetup -c aes -h md5 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint
Mounting the volume under FreeOTFE:
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
  - Enter "password1234567890ABC" as the key
  - Leave GPG executable blank
  - Leave GPG keyfile blank
  - Leave seed blank
  - Select the "MD5 (128/512)" hash
  - Ensure "Hash with "A"s, if hash output is too short" is checked.
  - Leave iteration count at 0
- "Encryption" tab:
  - Select the "AES (CBC; 256/128)" cypher
  - Select "32 bit sector ID" as the IV generation method
  - Set "Sector zero location" to "Start of encrypted data"
- "File options" tab:
  - Leave offset at 0
  - Leave sizelimit at 0
- "Mount options" tab:
  - Select any unused drive letter
  - Leave readonly unchecked
- Click the "OK" button
Example #7: Mounting a dm-crypt Volume Using 448 bit Blowfish Encryption, MD5 Password Hashing, and SHA-256 ESSIV
This example demonstrates use of a dm-crypt Blowfish 448 volume, with the
user's password processed with MD5 and ESSIV using SHA-256.
Note that although the main cypher is Blowfish 448, Blowfish 256 is used as the IV cypher, as the IV hash outputs 256 bytes.
Creating the volume file under Linux:
dd if=/dev/zero of=./volumes/vol_blowfish_448_essivsha256_md5.vol bs=1K count=100
losetup /dev/loop0 ./volumes/vol_blowfish_448_essivsha256_md5.vol
echo password1234567890ABC | cryptsetup -c blowfish-cbc-essiv:sha256 -s 448 -h md5 create myMapper /dev/loop0
dmsetup ls
dmsetup table
dmsetup status
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
mkdir ./test_mountpoint
mount /dev/loop1 ./test_mountpoint
cp ./test_files/SHORT_TEXT.txt ./test_mountpoint
cp ./test_files/BINARY_ZEROS.dat ./test_mountpoint
cp ./test_files/BINARY_ABC_RPTD.dat ./test_mountpoint
cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
umount ./test_mountpoint
losetup -d /dev/loop1
cryptsetup remove myMapper
losetup -d /dev/loop0
rm -rf ./test_mountpoint
Mounting the volume under FreeOTFE:
- Select "Linux | Mount..."
- Select the volume file
- "Key" tab:
  - Enter "password1234567890ABC" as the key
  - Leave GPG executable blank
  - Leave GPG keyfile blank
  - Leave seed blank
  - Select the "MD5 (128/512)" hash
  - Ensure "Hash with "A"s, if hash output is too short" is checked.
  - Leave iteration count at 0
- "Encryption" tab:
  - Select the "Blowfish (CBC; 448/64)" cypher
  - Select "ESSIV" as the IV generation method
  - Set "Sector zero location" to "Start of encrypted data"
  - Select "SHA-256 (256/512)" as the IV hash
  - Select "Blowfish (CBC; 256/64)" as the IV cypher
- "File options" tab:
  - Leave offset at 0
  - Leave sizelimit at 0
- "Mount options" tab:
  - Select any unused drive letter
  - Leave readonly unchecked
- Click the "OK" button
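The key-processing and IV settings used throughout these examples can be reproduced outside either tool, which helps when a volume mounts but decrypts to garbage. The Python below is an added example, not FreeOTFE or cryptsetup code: it assumes the "Hash with "A"s" option matches cryptsetup's plain-mode derivation (round i hashes i "A" bytes followed by the passphrase, digests concatenated and truncated to the key size), and all function names are hypothetical.

```python
import hashlib
import struct

def plain_key(passphrase: bytes, hash_name: str, key_bytes: int) -> bytes:
    """Passphrase -> volume key. Round i hashes i 'A' bytes followed by the
    passphrase; the digests are concatenated and cut to the cipher key size."""
    key, rnd = b"", 0
    while len(key) < key_bytes:
        key += hashlib.new(hash_name, b"A" * rnd + passphrase).digest()
        rnd += 1
    return key[:key_bytes]

def plain_iv(sector: int, block_bytes: int) -> bytes:
    """'32 bit sector ID' IV: low 32 bits of the sector number, little-endian,
    zero-padded to the cipher block size (16 for AES/Twofish, 8 for Blowfish)."""
    return struct.pack("<I", sector & 0xFFFFFFFF).ljust(block_bytes, b"\x00")

def essiv_key(volume_key: bytes, iv_hash: str = "sha256") -> bytes:
    """ESSIV keys the IV cipher with hash(volume key); the per-sector IV is the
    sector number encrypted under that key (encryption step not shown here)."""
    return hashlib.new(iv_hash, volume_key).digest()

def describe(passphrase: bytes, hash_name: str, key_bits: int, block_bytes: int) -> dict:
    """Summarise the derived key material for one cipher/hash combination."""
    key = plain_key(passphrase, hash_name, key_bits // 8)
    digest_len = hashlib.new(hash_name).digest_size
    return {
        "key_hex": key.hex(),
        "hash_rounds": -(-len(key) // digest_len),   # ceiling division
        "iv_sector_1": plain_iv(1, block_bytes).hex(),
        "essiv_key_bits": len(essiv_key(key)) * 8,
    }

if __name__ == "__main__":
    pw = b"password1234567890ABC"   # passphrase used in the page's examples
    # md5 is in hashlib's guaranteed set; "ripemd160" only works when the
    # underlying OpenSSL build still provides it.
    print("Example #6 (AES 256, MD5):     ", describe(pw, "md5", 256, 16))
    print("Example #7 (Blowfish 448, MD5):", describe(pw, "md5", 448, 8))
```

With MD5 (128-bit output), a 256-bit key takes two hash rounds and a 448-bit key takes four, which is why the "Hash with "A"s" option has to be checked for Examples #6 and #7.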