Tag Archives: howto

Encrypting a Linux home partition with Truecrypt

Scope:

This post is short (and sweet): we protect the majority of our personal data at rest by encrypting the home partition. This matters for anyone who keeps personal or sensitive data on a laptop or another mobile device that can be lost or stolen, such as the Google Nexus 7 when it runs Ubuntu Linux.

General Information:

Encrypting a partition with Truecrypt is probably the easiest route compared with alternatives such as LUKS and the other tools built into the Linux kernel. It involves installing Truecrypt, creating an encrypted volume on an empty partition, copying the sensitive data into it, deleting that data from the unencrypted partition it lived on, and configuring the volume to be mounted at startup and dismounted at shutdown. You need to do all of this as root, and you need an empty partition to encrypt. The steps are generic: they assume you are encrypting a brand new home partition (and nothing else) while your user data still lives under /home on the root partition. They have been tested on Slackware64 and should work on any Linux distribution with the obvious adjustments to partition names, runlevel scripts and installation method (on Ubuntu, for example, Truecrypt may come from an apt repository rather than a binary installer, and the init scripts are not BSD-style as they are on Slackware). Two caveats are worth keeping in mind. First, deleting the plaintext copy with rm does not erase it: the old /home contents stay recoverable from the root partition until those blocks are overwritten. Second, TrueCrypt development ended in 2014, so for a new setup the maintained fork VeraCrypt (whose command line is largely compatible) or LUKS is the better choice; the procedure below is the same either way.

Procedure:

  1. Install Truecrypt after downloading the Linux package from the project's site:
    # tar vxf ./truecrypt-7.1a-linux-x64.tar.gz
    # ./truecrypt-7.1a-setup-x64
  2. Create an encrypted Truecrypt volume on the empty partition. You will be asked which partition to use, for the password, and for any keyfiles:
    # truecrypt --text --create
  3. Mount the new encrypted volume in a temporary location and copy all sensitive data into it. When working on /home this must be done as root from the single-user runlevel, so that no user has files open. The empty --keyfiles= is deliberate: it tells Truecrypt that no keyfiles are used and stops it prompting for them. Check that the copy is complete and that ownership and permissions survived before deleting anything; the rm below is the point of no return:
    # telinit 1
    # mkdir /tmp/encrypted
    # /usr/bin/truecrypt --text --mount --protect-hidden=no --volume-type=normal --keyfiles= /dev/sda6 /tmp/encrypted
    # cp -aR --preserve=all /home/* /tmp/encrypted/
    # rm -rf /home/*
  4. Configure mounting/unmounting on startup/shutdown. The mount line prompts for the volume password on the console early in the boot; if the password is wrong or the volume fails to mount, the boot continues with an empty /home, so logins land on the bare mount point rather than on any plaintext data.
    Edit /etc/rc.d/rc.S and add the following line after “/sbin/mount -a …”:

    /usr/bin/truecrypt --text --mount --protect-hidden=no --volume-type=normal --keyfiles= /dev/sda6 /home

    Edit /etc/rc.d/rc.6 and add the following line before “/sbin/umount -a …”:

    /usr/bin/truecrypt --text --dismount /dev/sda6
  5. Test with a reboot!


Filed under #!, Slackware

MediaTomb on the Ben Nanonote

What can I say, the title speaks for itself. Unsurprisingly, the most versatile UPnP streaming media server out there, MediaTomb, is humming along with no problems on Qi Hardware’s Ben Nanonote. Real-world uses could include turning the Ben into a little DJ at parties by streaming to VLC or another UPnP-capable player, or whatever other wild fantasies Ben owners might have. The best news is that there is absolutely no brain work involved. I simply had to fire up the network connection on the Ben, grab the right hard linked binary, untar it and run it. All of this can be done directly from the Nanonote (once it is online):

# wget http://downloads.sourceforge.net/mediatomb/mediatomb-static-0.11.0-r2-linux-uclibc-mips32el.tar.gz
# tar vxzf mediatomb-static-0.11.0-r2-linux-uclibc-mips32el.tar.gz
# cd ./mediatomb
# ./mediatomb.sh

To start it automatically, add the last two commands (change into the mediatomb folder, then run ./mediatomb.sh) to /etc/rc.local and make that file executable; MediaTomb must be started from its own folder. Note that the commands above fetch a binary over plain HTTP and run it as root, so check the archive against the checksum published on the project's download page before running it.

Once started, MediaTomb's web interface can be reached on port 49152 with a browser. Anyone on the same network can reach it just as easily, so only run it on a network you trust. For me, this translates to http://192.168.3.2:49152 and looks like this:

MediaTomb on Nanonote

So far, it’s an awesome remote file browser, and as soon as I can get VLC to compile on my Slackware, it’s party time!


Filed under Ben Nanonote

Eavesdropping with Linux – A BigBrother Network Bridge (or: kiss your privacy goodbye)

All wires can be tapped, and Ethernet wires are no exception. This How-to covers the fastest way to get everything you need for eavesdropping on your network neighbors: two bridged Ethernet adapters configured so that traffic flows through them uninterrupted, where it can be monitored or shaped.

The most reliable way to get full visibility and control over a network segment is to run a full-featured operating system on the relay point itself (the hub or switch the segment passes through): having the tools running locally on the relay is hard to beat. There are plenty of commercial-grade relay points you can buy, but even a Cisco router that gives you management tools is likely to be lacking, and expensive. In other words, good luck running graphical or third-party proprietary applications on your $300 switch.

This How-to will leave you with a box that always comes up with two bridged adapters. Traffic flows uninterrupted between the two halves of the segment the box splits, there is remote access, and there are tools to play with. It shall be a real privacy violator. Let’s get to it!

You will need:

  • 1 Desktop/Workstation/Server
  • 2 Ethernet cards
  • Linux distribution (we like Slackware Linux) with this software installed:
    • net-tools
    • bridge-utils
    • iptables
    • X11 (recommended for VNC)
    • xfs (recommended for VNC)

1. Prepare the Ethernet adapters for bridging:

The adapters about to be bridged must have no IP address assigned and are put in promiscuous mode (the kernel does this itself when an interface joins a bridge, so the explicit setting is belt and braces):

# ifconfig eth0 0.0.0.0 promisc up
# ifconfig eth1 0.0.0.0 promisc up

2. Bridge the Ethernet adapters using bridge-utils:

# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1

3. Configure and initialize the new network bridge:

# ifconfig br0 192.168.0.233 netmask 255.255.255.0 broadcast 192.168.0.255 up

4. Accept traffic addressed to the eavesdropping machine itself:

# iptables -A INPUT -i eth0 -j ACCEPT
# iptables -A INPUT -i eth1 -j ACCEPT
# iptables -A INPUT -i br0 -j ACCEPT

These INPUT rules only matter for packets destined to the box (and only if your INPUT policy is not already ACCEPT). Frames relayed between eth0 and eth1 never enter INPUT: when bridge netfilter is active (bridge-nf-call-iptables=1) they go through the FORWARD chain, and otherwise iptables does not see them at all. If you filter FORWARD, add ACCEPT rules for the two bridge ports in both directions, or the segment will silently stop passing traffic.

5. Set up networking for the eavesdropping machine itself (use your own gateway and resolver):

# route add default gw 192.168.0.1 br0
# echo "nameserver 204.11.104.3" > /etc/resolv.conf

Giving br0 an address is what makes remote access possible, but it also makes the box visible on the segment it taps (it answers ARP, at the very least). For a tap that cannot be spotted from the wire, leave br0 without an address and manage the machine over a third interface or the console.

6. Install a TightVNC server for remote access:

Having access to the graphical environment on the eavesdropping machine is very handy when you consider the awesome GUIs of Wireshark and Zenmap (Wireshark's text-mode companion tshark exists too, but the GUI is the point here). TightVNC is the best VNC server out there, and it happens to be free! Get the source, compile and install, then start the X font server and TightVNC. VNC's own authentication and transport are weak, so bind the server to the loopback interface (Xvnc's -localhost option) and reach it through an SSH tunnel rather than exposing it on the segment you are tapping:

# xfs -daemon
# vncserver :1

7. Install Wireshark (and other tools)

This is where it all comes together: the power of having color-coded packet entries fly by your eyes at the speed of light, or, well, electricity, is hard to beat. Wireshark is the best network packet analyzer out there. Luckily, it is also the easiest to run. Get the source, compile and install. One thing to avoid is running the Wireshark GUI as root on a box whose whole purpose is to parse hostile traffic: let the privileged capture be done by dumpcap (or tcpdump writing to a file) and open the capture as an unprivileged user. Zenmap also goes a long way on such a setup, but as it ships with Slackware, we’ll leave those steps out.

8. Script the whole thing:

This bit is here only to ensure you keep eavesdropping after a reboot 😉 The easiest way is to dump all the above commands into a file, make it executable, and call it from /etc/rc.local.

You can use this tested rc.bigbrother script if you are feeling lazy. It will do all of the above and more. Just place it anywhere and add to /etc/rc.local.
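The following script is an added example written for this step; it is not the rc.bigbrother script the post links to. It does what steps 1 to 5 do using iproute2 instead of ifconfig and brctl, adds the FORWARD rules that bridged traffic actually traverses, and can tear the bridge down again. The names eth0, eth1, br0 and the address 192.168.0.233/24 with gateway 192.168.0.1 are taken from the post and are assumptions; set MGMT_ADDR=none to get a pure layer-2 tap with no address at all. DRY_RUN=1 prints the commands instead of running them, which is how the script can be checked without root.

```shell
#!/bin/sh
# Transparent two-port tap (added example, not the post's own script).
# Assumed names: eth0/eth1 are the tap ports, br0 the bridge; the management
# address and gateway below are the post's. Needs root unless DRY_RUN=1.
set -eu

PORT_A=${PORT_A:-eth0}
PORT_B=${PORT_B:-eth1}
BRIDGE=${BRIDGE:-br0}
# MGMT_ADDR=none gives a pure layer-2 tap: the box then never speaks on the
# segment it splits (no ARP, no DHCP), which is what makes a tap hard to spot
# from the wire. Manage it over a third NIC or the console in that case.
MGMT_ADDR=${MGMT_ADDR:-192.168.0.233/24}
MGMT_GW=${MGMT_GW:-192.168.0.1}
DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

bridge_up() {
    run ip link add name "$BRIDGE" type bridge
    for port in "$PORT_A" "$PORT_B"; do
        # Tap ports carry no address. The kernel sets promiscuous mode when a
        # port joins a bridge; setting it explicitly does no harm.
        run ip addr flush dev "$port"
        run ip link set "$port" master "$BRIDGE"
        run ip link set "$port" promisc on up
    done
    run ip link set "$BRIDGE" up
    # Relayed frames traverse FORWARD (only when br_netfilter is loaded,
    # bridge-nf-call-iptables=1); INPUT rules never see them. Accept both
    # directions explicitly so a FORWARD policy of DROP cannot cut the segment.
    run iptables -A FORWARD -i "$PORT_A" -o "$PORT_B" -j ACCEPT
    run iptables -A FORWARD -i "$PORT_B" -o "$PORT_A" -j ACCEPT
    if [ "$MGMT_ADDR" != none ]; then
        # Optional management address for remote access (visible on the wire).
        run ip addr add "$MGMT_ADDR" dev "$BRIDGE"
        run ip route add default via "$MGMT_GW" dev "$BRIDGE"
        run iptables -A INPUT -i "$BRIDGE" -j ACCEPT
    fi
}

bridge_down() {
    run iptables -D FORWARD -i "$PORT_A" -o "$PORT_B" -j ACCEPT
    run iptables -D FORWARD -i "$PORT_B" -o "$PORT_A" -j ACCEPT
    [ "$MGMT_ADDR" = none ] || run iptables -D INPUT -i "$BRIDGE" -j ACCEPT
    for port in "$PORT_A" "$PORT_B"; do
        run ip link set "$port" nomaster
        run ip link set "$port" promisc off down
    done
    run ip link del "$BRIDGE"
}

# Command-line use: "rc.bigbrother up" from /etc/rc.local, "rc.bigbrother down"
# to restore the two plain interfaces.
if [ $# -gt 0 ]; then
    case "$1" in
        up)   bridge_up ;;
        down) bridge_down ;;
        *)    echo "usage: $0 up|down" >&2; exit 2 ;;
    esac
fi
```

With the bridge up, tcpdump -i br0 (or dumpcap on br0) sees both directions of every conversation crossing the two ports; the FORWARD rules are the part most often forgotten, and without them a host with a DROP policy on FORWARD becomes a very quiet black hole in the middle of the segment.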

Screen-shot:

Screen-shot of BigBrother in action


Filed under #!

Are YOU paranoid? 10 steps for encrypting your Ubuntu HOME.

Are you paranoid? I am.

If you keep most of your work on a netbook or laptop, you should consider the possibility of it being lost or stolen. All the backups in the world will not prevent someone else from having full access to all your personal and embarrassing information. One way around this is to encrypt your hard drive. The safest way is to encrypt the whole drive at installation time, before the operating system is on it, so that only the boot loader and kernel stay in the clear. Encrypted installation is offered by Debian and, at the time of writing, soon by SUSE.

To be really safe, you should keep checksums of the pieces that cannot be encrypted (the boot sector, and the kernel and initramfs under /boot) on your encrypted partition and compare them at every boot, so that tampering with the few unencrypted bits is at least detected. But if you didn’t piss the KGB off very recently, you might feel safe encrypting only the folder that contains your user documents. Under Windows Vista and later, that would be \Users\YOUR USER NAME, but I suspect that would inevitably leave some loose ends. One way or another, if you are even slightly paranoid, you are probably not using Windows. On Linux, encrypting your home directory is probably reasonable enough.
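Here is that check worked through, as an added example that is not part of the original post. It records the SHA-256 of every file under the boot directory plus the first 512 bytes of the boot device (the boot sector) in a manifest kept under the encrypted home, where someone with the powered-off laptop cannot quietly edit it, and compares the current state against that manifest on demand. The defaults /boot, /dev/sda and ~/.boot-manifest are assumptions; the functions take all three as arguments, so they can be tried on a scratch directory and an image file before being pointed at a real disk.

```shell
#!/bin/sh
# Added example, not from the post: checksum the unencrypted boot pieces and
# keep the manifest inside the encrypted home, then compare on demand.
# Assumed defaults (all overridable): BOOT_DIR=/boot, BOOT_DEV=/dev/sda,
# MANIFEST=$HOME/.boot-manifest.
set -e

# boot_manifest_create BOOT_DIR BOOT_DEV MANIFEST
#   Writes one "<sha256>  <path>" line for the first 512 bytes of BOOT_DEV
#   (the MBR/VBR) and for every regular file under BOOT_DIR (kernels,
#   initramfs images, boot loader config), sorted so that two runs on the
#   same state produce byte-identical files.
boot_manifest_create() {
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 1; }
    tmp=$(mktemp)
    dd if="$2" bs=512 count=1 2>/dev/null | sha256sum \
        | awk -v dev="$2" '{ print $1 "  boot-sector:" dev }' >"$tmp"
    ( cd "$1" && find . -type f -exec sha256sum {} + ) >>"$tmp"
    LC_ALL=C sort "$tmp" >"$3"
    rm -f "$tmp"
    chmod 600 "$3"   # the manifest is readable only by its owner
}

# boot_manifest_verify BOOT_DIR BOOT_DEV MANIFEST
#   Recomputes the manifest and compares it with the stored one. Returns 0
#   when nothing changed; otherwise lists the added, removed or modified
#   entries on stderr and returns 1.
boot_manifest_verify() {
    cur=$(mktemp)
    boot_manifest_create "$1" "$2" "$cur"
    if cmp -s "$3" "$cur"; then
        rm -f "$cur"
        return 0
    fi
    echo "boot integrity check FAILED; changed entries:" >&2
    diff "$3" "$cur" | grep '^[<>]' >&2 || true
    rm -f "$cur"
    return 1
}

# Command-line use: "boot-check.sh create" once after a known-good boot,
# "boot-check.sh verify" from the shell profile inside the encrypted home.
if [ $# -gt 0 ]; then
    BOOT_DIR=${BOOT_DIR:-/boot}
    BOOT_DEV=${BOOT_DEV:-/dev/sda}
    MANIFEST=${MANIFEST:-$HOME/.boot-manifest}
    case "$1" in
        create) boot_manifest_create "$BOOT_DIR" "$BOOT_DEV" "$MANIFEST" ;;
        verify) boot_manifest_verify "$BOOT_DIR" "$BOOT_DEV" "$MANIFEST" ;;
        *)      echo "usage: $0 create|verify" >&2; exit 2 ;;
    esac
fi
```

A kernel or boot loader update legitimately changes the manifest, so recreate it right after updating. Note the limits: this detects modification of the files and the boot sector after the fact, once you have already typed the passphrase; it does not protect against a modified disk controller or firmware, which is the territory of measured boot and a TPM.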

Here are the steps to accomplish this on Debian/Ubuntu systems (adapt to your Linux/BSD/OpenSolaris):

1. Install the packages: initramfs-tools, hashalot and lvm2:

$ sudo apt-get install initramfs-tools hashalot lvm2

2. Load the modules aes-x86_64 (or aes-i586 on 32-bit), dm-crypt and dm-mod, or make sure they are built into the kernel. On current kernels the AES implementation is aes_generic or aesni_intel and is loaded on demand, so this step is mostly historical:

$ sudo modprobe aes-x86_64 dm-crypt dm-mod

3. Create (or designate) the partition to be encrypted. Allow enough room because I’m not sure growing it later is an option. Any data on it will be destroyed:

$ sudo fdisk /dev/YOUR DRIVE ON WHICH THE TO-BE-ENCRYPTED PARTITION IS

4. Check for bad blocks:

$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/YOUR TO-BE-ENCRYPTED PARTITION

5. Fill your to-be-encrypted partition with random data, so that afterwards nobody can tell how much of it holds real data. Note: this takes AGES, but makes things safe. By ages I mean ~2 hours for every 10 GB. A faster route to the same end result is to do steps 6 and 7 first and then write zeros through the opened mapping (/dev/mapper/pvcrypt): what reaches the disk is ciphertext, which is indistinguishable from random data:

$ sudo dd if=/dev/urandom of=/dev/YOUR TO-BE-ENCRYPTED PARTITION bs=1M

6. Set up an encrypted LUKS volume. The cipher below (AES-CBC with ESSIV) was the cryptsetup default when this was written; current cryptsetup defaults to aes-xts-plain64, which needs no ESSIV and is the better choice today, so either drop the two cipher options to get the current default or pass --cipher aes-xts-plain64 --key-size 512 for AES-256 (XTS splits the key in two). The -y asks for the passphrase twice:

$ sudo cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/YOUR TO-BE-ENCRYPTED PARTITION

7. Unlock it:

$ sudo cryptsetup luksOpen /dev/YOUR TO-BE-ENCRYPTED PARTITION pvcrypt

8. Create a physical volume, a volume group and a logical volume on the unlocked device:

$ sudo pvcreate /dev/mapper/pvcrypt
$ sudo vgcreate vg /dev/mapper/pvcrypt
$ sudo lvcreate -n VOLUME-NAME -L VOLUME-SIZE vg

9. Create a file-system on /dev/mapper/vg-VOLUME-NAME:

$ sudo mkfs.ext3 /dev/mapper/vg-VOLUME-NAME

10. Edit /etc/fstab. Add the line (fstab holds mount entries, not mount commands):

/dev/mapper/vg-VOLUME-NAME  /home  ext3  defaults  0  2

11. Edit /etc/crypttab. Add the line (the second field may also be given as UUID=... from blkid, which survives the partition being renumbered):

pvcrypt /dev/YOUR-ENCRYPTED-PARTITION none luks,retry=1,lvm=vg

12. This is the fun part: log out all users, switch to a console and log in as root. Move the /home directory to /home-SOMETHING, create a new empty /home, mount the encrypted volume on it, then copy the entire contents of /home-SOMETHING into /home preserving all attributes, times and ownership. Check the copy before you remove /home-plain, and remember that rm does not wipe the blocks it frees. Here are the steps:

$ sudo mv /home /home-plain

$ sudo mkdir /home

$ sudo mount /dev/mapper/vg-VOLUME-NAME /home

$ sudo cp -aR --preserve=all /home-plain/* /home/

Ready to see if it worked? Reboot! you should do this from the console directly:

$ sudo /sbin/reboot

Upon boot up, when your system tries to mount your /home partition, which is now encrypted, you will be asked for a password before booting continues. After the correct password is supplied, the system boots on.
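Both step 3 of the Truecrypt post above and step 12 here copy the whole home tree with cp and then trust the copy blindly before the plaintext is deleted. The following is an added example, not code from either post: it copies the tree, then builds a manifest of each side (type, mode, owner, size, symlink target and the SHA-256 of every regular file, skipping the lost+found directory that a fresh ext filesystem carries) and only returns success when the two manifests match. The source and destination paths are parameters, so it can be exercised on scratch directories before being pointed at /home-plain and /home (or /home and /tmp/encrypted in the Truecrypt case).

```shell
#!/bin/sh
# Added example (not from either post): copy a home tree into a freshly
# mounted encrypted volume and refuse to report success until the copy has
# been verified. SRC is the plaintext tree, DST the mount point of the
# encrypted volume; both are arguments so the functions can be tried on
# scratch directories first. Needs GNU find (-printf) and coreutils.
set -e

# tree_manifest DIR
#   One sorted line per entry under DIR: files as "f mode owner:group size
#   path", directories as "d mode owner:group path", symlinks with their
#   target, plus a "sha256  path" line per regular file. lost+found at the
#   top level is skipped because a new ext filesystem always has one.
#   Modification times are left out on purpose: filesystems differ in
#   timestamp precision, which would produce false mismatches.
tree_manifest() {
    (
        cd "$1" || exit 1
        find . -mindepth 1 -path ./lost+found -prune -o \
            -type f -printf 'f %m %u:%g %s %p\n' -o \
            -type d -printf 'd %m %u:%g %p\n' -o \
            -type l -printf 'l %u:%g %p -> %l\n'
        find . -mindepth 1 -path ./lost+found -prune -o \
            -type f -exec sha256sum {} +
    ) | LC_ALL=C sort
}

# verify_copy SRC DST
#   Returns 0 when both trees have identical manifests; otherwise prints
#   the differing entries on stderr and returns 1.
verify_copy() {
    a=$(mktemp); b=$(mktemp)
    tree_manifest "$1" >"$a"
    tree_manifest "$2" >"$b"
    if cmp -s "$a" "$b"; then
        rm -f "$a" "$b"
        return 0
    fi
    echo "copy verification FAILED; differing entries (< source, > copy):" >&2
    diff "$a" "$b" | grep '^[<>]' >&2 || true
    rm -f "$a" "$b"
    return 1
}

# migrate_home SRC DST
#   Copy SRC into DST preserving ownership, modes, times and links, then
#   verify. Only a 0 return means the plaintext may be removed.
migrate_home() {
    # -a = recursive with all attributes preserved; "SRC/." copies the
    # contents including dot-entries directly under SRC, which "SRC/*" misses.
    cp -a "$1/." "$2/"
    verify_copy "$1" "$2"
}

# Command-line use (as root, from single-user mode): migrate.sh SRC DST
if [ $# -eq 2 ]; then
    migrate_home "$1" "$2"
fi
```

Only after migrate_home returns 0 should the plaintext tree be deleted, and deleting it with rm still leaves the blocks readable on the root partition until they are overwritten; overwriting the free space of that partition afterwards is the only way to finish the job without reinstalling.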

If you have more locations you would like to encrypt, you can create more volumes on the encrypted volume group. To understand how to, or for a detailed guide for installing Ubuntu Linux on an encrypted volume group  to begin with, see the page from which I’ve adapted the steps above.


Filed under #!