Linux Examples: dm-crypt
Published: 2019-05-25

This section gives a series of examples of how to create Linux dm-crypt volumes, and then mount them using FreeOTFE Explorer.

These examples have been tested using Fedora Core 3 with a v2.6.11.7 kernel installed, though they should work for all compatible Linux distributions.


Initial Setup

To begin using dm-crypt under Linux, ensure that the various kernel modules are loaded:

    modprobe cryptoloop
    modprobe deflate
    modprobe zlib_deflate
    modprobe twofish
    modprobe serpent
    modprobe aes_i586
    modprobe blowfish
    modprobe des
    modprobe sha256
    modprobe sha512
    modprobe crypto_null
    modprobe md5
    modprobe md4
    modprobe cast5
    modprobe cast6
    modprobe arc4
    modprobe khazad
    modprobe anubis
    modprobe dm_mod      # this should give you dm_snapshot, dm_zero and dm_mirror?
    modprobe dm_crypt

At this point, typing "dmsetup targets" should give you something along the lines of:

    crypt            v1.0.0
    striped          v1.0.1
    linear           v1.0.1
    error            v1.0.1

Typing "lsmod" will show you which modules are currently loaded.


Defaults

If not overridden by the user, dm-crypt defaults to encrypting with:

Cypher: AES
Cypher keysize: 256 bit
User key processed with: RIPEMD-160 (not "RIPEMD-160 (Linux; Twice, with A)").

"Hash with "A"s, if hash output is too short" option - selected

IV generation: 32 bit sector ID
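
The password processing described by these defaults, as an added Python example (not code from cryptsetup or FreeOTFE): the password is hashed once, and when the digest is shorter than the cypher key, further rounds hash the password prefixed with one more "A" each time. It generalizes to any hash and key size used in the examples below; `derive_plain_key` and `rounds_needed` are hypothetical names, and the password is assumed to reach the hash without the trailing newline that `echo` adds.

```python
import hashlib

def derive_plain_key(passphrase: bytes, hash_name: str, key_bits: int) -> bytes:
    """Expand a passphrase into key_bits of key material.

    Round 0 hashes the passphrase as-is; round n hashes n "A" bytes followed
    by the passphrase. Digests are concatenated and cut to the key size.
    Assumed behaviour of the 'Hash with "A"s' option: no salt, no iterations.
    """
    if key_bits <= 0 or key_bits % 8:
        raise ValueError("key size must be a positive multiple of 8 bits")
    need = key_bits // 8
    key = b""
    round_no = 0
    while len(key) < need:
        h = hashlib.new(hash_name)
        h.update(b"A" * round_no)   # prefix grows by one "A" per round
        h.update(passphrase)
        key += h.digest()
        round_no += 1
    return key[:need]               # last digest is truncated if it overshoots

def rounds_needed(hash_name: str, key_bits: int) -> int:
    """Number of hash rounds required to fill a key of key_bits."""
    digest_bytes = hashlib.new(hash_name).digest_size
    return -(-(key_bits // 8) // digest_bytes)  # ceiling division

if __name__ == "__main__":
    pw = b"password1234567890ABC"   # password used throughout this page
    # (hash, key bits) pairs taken from Examples #6, #7 and #8
    for hash_name, bits in (("md5", 256), ("md5", 448), ("sha512", 512)):
        key = derive_plain_key(pw, hash_name, bits)
        print(hash_name, bits, rounds_needed(hash_name, bits), key.hex())
```

Passing "ripemd160" as the hash name reproduces the default case only where the local OpenSSL build still exposes that digest to `hashlib`.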


Example #1: Mounting a dm-crypt Volume Encrypted Using dm-crypt's Default Encryption

This example demonstrates use of a dm-crypt volume using dm-crypt's default encryption system: AES128 with the user's password hashed with RIPEMD160, using 32 bit sector IDs as encryption IVs.

Creating the volume file under Linux:

    # Create a 100 KB volume file and attach it to a loop device
    dd if=/dev/zero of=./volumes/vol_default.vol bs=1K count=100
    losetup /dev/loop0 ./volumes/vol_default.vol
    # Create the dm-crypt mapping with the default settings
    echo password1234567890ABC | cryptsetup create myMapper /dev/loop0
    # Show the resulting mapping
    dmsetup ls
    dmsetup table
    dmsetup status
    # Format the mapped device and copy the test files onto it
    losetup /dev/loop1 /dev/mapper/myMapper
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    # Unmount and tear everything down
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup remove myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE Explorer:

  1. Select "Linux | Mount..."
  2. Select the volume file
  3. "Key" tab:
    • Enter "password1234567890ABC" as the key
    • Leave GPG executable blank
    • Leave GPG keyfile blank
    • Leave seed blank
    • Select the "RIPEMD-160 (160/512)" hash
    • Ensure "Hash with "A"s, if hash output is too short" is checked.
    • Leave iteration count at 0
  4. "Encryption" tab:
    • Select the "AES (CBC; 256/128)" cypher
    • Select "32 bit sector ID" as the IV generation method
    • Set "Sector zero location" to "Start of encrypted data"
  5. "File options" tab:
    • Leave offset at 0
    • Leave sizelimit at 0
  6. "Mount options" tab:
    • Select any unused drive letter
    • Leave readonly unchecked
  7. Click the "OK" button


Example #2: Mounting a dm-crypt Volume Encrypted Using 128 bit AES

This example demonstrates use of a dm-crypt AES128 volume.

Creating the volume file under Linux:

    # Create a 100 KB volume file and attach it to a loop device
    dd if=/dev/zero of=./volumes/vol_aes128.vol bs=1K count=100
    losetup /dev/loop0 ./volumes/vol_aes128.vol
    # Create the dm-crypt mapping: AES with a 128 bit key
    echo password1234567890ABC | cryptsetup -c aes -s 128 create myMapper /dev/loop0
    # Show the resulting mapping
    dmsetup ls
    dmsetup table
    dmsetup status
    # Format the mapped device and copy the test files onto it
    losetup /dev/loop1 /dev/mapper/myMapper
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    # Unmount and tear everything down
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup remove myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE Explorer:

  1. Select "Linux | Mount..."
  2. Select the volume file
  3. "Key" tab:
    • Enter "password1234567890ABC" as the key
    • Leave GPG executable blank
    • Leave GPG keyfile blank
    • Leave seed blank
    • Select the "RIPEMD-160 (160/512)" hash.
    • Ensure "Hash with "A"s, if hash output is too short" is checked.
    • Leave iteration count at 0
  4. "Encryption" tab:
    • Select the "AES (CBC; 128/128)" cypher
    • Select "32 bit sector ID" as the IV generation method
    • Set "Sector zero location" to "Start of encrypted data"
  5. "File options" tab:
    • Leave offset at 0
    • Leave sizelimit at 0
  6. "Mount options" tab:
    • Select any unused drive letter
    • Leave readonly unchecked
  7. Click the "OK" button


Example #3: Mounting a dm-crypt Volume Encrypted Using 256 bit AES, using SHA256 ESSIV

This example demonstrates use of a dm-crypt AES256 volume using SHA-256 ESSIV sector IVs.

Creating the volume file under Linux:

    # Create a 100 KB volume file and attach it to a loop device
    dd if=/dev/zero of=./volumes/vol_aes_essiv_sha256.vol bs=1K count=100
    losetup /dev/loop0 ./volumes/vol_aes_essiv_sha256.vol
    # Create the dm-crypt mapping: AES in CBC mode with SHA-256 ESSIV
    echo password1234567890ABC | cryptsetup -c aes-cbc-essiv:sha256 create myMapper /dev/loop0
    # Show the resulting mapping
    dmsetup ls
    dmsetup table
    dmsetup status
    # Format the mapped device and copy the test files onto it
    losetup /dev/loop1 /dev/mapper/myMapper
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    # Unmount and tear everything down
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup remove myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE Explorer:

  1. Select "Linux | Mount..."
  2. Select the volume file
  3. "Key" tab:
    • Enter "password1234567890ABC" as the key
    • Leave GPG executable blank
    • Leave GPG keyfile blank
    • Leave seed blank
    • Select the "RIPEMD-160 (160/512)" hash
    • Ensure "Hash with "A"s, if hash output is too short" is checked.
    • Leave iteration count at 0
  4. "Encryption" tab:
    • Select the "AES (CBC; 256/128)" cypher
    • Select "ESSIV" as the IV generation method
    • Set "Sector zero location" to "Start of encrypted data"
    • Select "SHA-256 (256/512)" as the IV hash
    • Select "AES (CBC; 256/128)" as the IV cypher
  5. "File options" tab:
    • Leave offset at 0
    • Leave sizelimit at 0
  6. "Mount options" tab:
    • Select any unused drive letter
    • Leave readonly unchecked
  7. Click the "OK" button


Example #4: Mounting a dm-crypt Volume Encrypted Using 448 bit Blowfish

This example demonstrates use of a dm-crypt Blowfish 448 volume.

Creating the volume file under Linux:

    # Create a 100 KB volume file and attach it to a loop device
    dd if=/dev/zero of=./volumes/vol_blowfish_448.vol bs=1K count=100
    losetup /dev/loop0 ./volumes/vol_blowfish_448.vol
    # Create the dm-crypt mapping: Blowfish with a 448 bit key
    echo password1234567890ABC | cryptsetup -c blowfish -s 448 create myMapper /dev/loop0
    # Show the resulting mapping
    dmsetup ls
    dmsetup table
    dmsetup status
    # Format the mapped device and copy the test files onto it
    losetup /dev/loop1 /dev/mapper/myMapper
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    # Unmount and tear everything down
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup remove myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE Explorer:

  1. Select "Linux | Mount..."
  2. Select the volume file
  3. "Key" tab:
    • Enter "password1234567890ABC" as the key
    • Leave GPG executable blank
    • Leave GPG keyfile blank
    • Leave seed blank
    • Select the "RIPEMD-160 (160/512)" hash
    • Ensure "Hash with "A"s, if hash output is too short" is checked.
    • Leave iteration count at 0
  4. "Encryption" tab:
    • Select the "Blowfish (CBC; 448/64)" cypher
    • Select "32 bit sector ID" as the IV generation method
    • Set "Sector zero location" to "Start of encrypted data"
  5. "File options" tab:
    • Leave offset at 0
    • Leave sizelimit at 0
  6. "Mount options" tab:
    • Select any unused drive letter
    • Leave readonly unchecked
  7. Click the "OK" button


Example #5: Mounting a dm-crypt Volume Encrypted Using 256 bit Twofish and Offset

This example demonstrates use of a dm-crypt Twofish 256 volume, with the encrypted volume beginning at an offset of 3 sectors (3 x 512 = 1536 bytes) into the volume file.

Creating the volume file under Linux:

    # Create a 100 KB volume file and attach it to a loop device
    dd if=/dev/zero of=./volumes/vol_twofish_o3.vol bs=1K count=100
    losetup /dev/loop0 ./volumes/vol_twofish_o3.vol
    # Create the dm-crypt mapping: Twofish, encrypted data starting 3 sectors in
    echo password1234567890ABC | cryptsetup -c twofish -o 3 create myMapper /dev/loop0
    # Show the resulting mapping
    dmsetup ls
    dmsetup table
    dmsetup status
    # Format the mapped device and copy the test files onto it
    losetup /dev/loop1 /dev/mapper/myMapper
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    # Unmount and tear everything down
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup remove myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE Explorer:

  1. Select "Linux | Mount..."
  2. Select the volume file
  3. "Key" tab:
    • Enter "password1234567890ABC" as the key
    • Leave GPG executable blank
    • Leave GPG keyfile blank
    • Leave seed blank
    • Select the "RIPEMD-160 (160/512)" hash
    • Ensure "Hash with "A"s, if hash output is too short" is checked.
    • Leave iteration count at 0
  4. "Encryption" tab:
    • Select the "Twofish (CBC; 256/128)" cypher
    • Select "32 bit sector ID" as the IV generation method
    • Set "Sector zero location" to "Start of encrypted data"
  5. "File options" tab:
    • Set offset to 1536 bytes (i.e. 3 sectors, each of 512 bytes)
    • Leave sizelimit at 0
  6. "Mount options" tab:
    • Select any unused drive letter
    • Leave readonly unchecked
  7. Click the "OK" button
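
The `dmsetup table` step in each procedure prints the parameters the kernel is actually using, which are the values the FreeOTFE Explorer tabs have to match. The following added example (not part of the original page or of either tool) parses a crypt target line and converts the sector counts to bytes; `parse_crypt_table` is a hypothetical name and both sample lines are constructed, with dummy keys, to resemble Examples #3 and #5.

```python
SECTOR = 512  # dm-crypt table lengths and offsets are in 512-byte sectors

def parse_crypt_table(line: str) -> dict:
    """Parse one crypt-target line as printed by `dmsetup table`.

    Expected layout: [name:] start length crypt cipher key iv_offset device offset
    """
    fields = line.split()
    name = ""
    if fields and fields[0].endswith(":"):      # prefix present when listing all maps
        name = fields.pop(0)[:-1]
    if len(fields) < 8 or fields[2] != "crypt":
        raise ValueError("not a crypt target line")
    _start, length, _target, spec, key_hex, iv_offset, device, offset = fields[:8]
    cipher, _, rest = spec.partition("-")       # e.g. aes-cbc-essiv:sha256
    chain_mode, _, iv = rest.partition("-")
    iv_mode, _, iv_hash = iv.partition(":")
    return {
        "name": name,
        "cipher": cipher,
        "chain_mode": chain_mode,
        "iv_mode": iv_mode,                      # "plain" is the sector-number IV
        "iv_hash": iv_hash,                      # only set for ESSIV
        "key_bits": len(bytes.fromhex(key_hex)) * 8,
        "iv_offset": int(iv_offset),
        "device": device,
        "payload_bytes": int(length) * SECTOR,   # size of the decrypted volume
        "offset_bytes": int(offset) * SECTOR,    # value for the "File options" tab
    }

# Constructed sample lines: a 100 KB backing file is 200 sectors; keys are dummies.
SAMPLE_ESSIV = "myMapper: 0 200 crypt aes-cbc-essiv:sha256 " + "ab" * 32 + " 0 7:0 0"
SAMPLE_OFFSET = "myMapper: 0 197 crypt twofish-cbc-plain " + "cd" * 32 + " 0 7:0 3"

if __name__ == "__main__":
    for sample in (SAMPLE_ESSIV, SAMPLE_OFFSET):
        info = parse_crypt_table(sample)
        print(info["cipher"], info["chain_mode"], info["iv_mode"], info["iv_hash"],
              info["key_bits"], "bit key, offset", info["offset_bytes"], "bytes")
```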


Example #6: Mounting a dm-crypt Volume Encrypted Using 256 bit AES with MD5 Password Hashing

This example demonstrates use of a dm-crypt Twofish 256 volume, with the user's password processed with MD5.

Creating the volume file under Linux:

    # Create a 100 KB volume file and attach it to a loop device
    dd if=/dev/zero of=./volumes/vol_aes_md5.vol bs=1K count=100
    losetup /dev/loop0 ./volumes/vol_aes_md5.vol
    # Create the dm-crypt mapping: AES, password hashed with MD5
    echo password1234567890ABC | cryptsetup -c aes -h md5 create myMapper /dev/loop0
    # Show the resulting mapping
    dmsetup ls
    dmsetup table
    dmsetup status
    # Format the mapped device and copy the test files onto it
    losetup /dev/loop1 /dev/mapper/myMapper
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    # Unmount and tear everything down
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup remove myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE Explorer:

  1. Select "Linux | Mount..."
  2. Select the volume file
  3. "Key" tab:
    • Enter "password1234567890ABC" as the key
    • Leave GPG executable blank
    • Leave GPG keyfile blank
    • Leave seed blank
    • Select the "MD5 (128/512)" hash
    • Ensure "Hash with "A"s, if hash output is too short" is checked.
    • Leave iteration count at 0
  4. "Encryption" tab:
    • Select the "AES (CBC; 256/128)" cypher
    • Select "32 bit sector ID" as the IV generation method
    • Set "Sector zero location" to "Start of encrypted data"
  5. "File options" tab:
    • Leave offset at 0
    • Leave sizelimit at 0
  6. "Mount options" tab:
    • Select any unused drive letter
    • Leave readonly unchecked
  7. Click the "OK" button


Example #7: Mounting a dm-crypt Volume Encrypted Using 448 bit Blowfish, MD5 Password Hashing and SHA-256 ESSIV

This example demonstrates use of a dm-crypt Blowfish 448 volume, with the user's password processed with MD5 and ESSIV using SHA-256.

Note that although the main cypher is Blowfish 448, Blowfish 256 is used as the IV cypher, as the IV hash outputs 256 bytes.

Creating the volume file under Linux:

    # Create a 100 KB volume file and attach it to a loop device
    dd if=/dev/zero of=./volumes/vol_blowfish_448_essivsha256_md5.vol bs=1K count=100
    losetup /dev/loop0 ./volumes/vol_blowfish_448_essivsha256_md5.vol
    # Create the dm-crypt mapping: Blowfish 448, SHA-256 ESSIV, password hashed with MD5
    echo password1234567890ABC | cryptsetup -c blowfish-cbc-essiv:sha256 -s 448 -h md5 create myMapper /dev/loop0
    # Show the resulting mapping
    dmsetup ls
    dmsetup table
    dmsetup status
    # Format the mapped device and copy the test files onto it
    losetup /dev/loop1 /dev/mapper/myMapper
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    # Unmount and tear everything down
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup remove myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE Explorer:

  1. Select "Linux | Mount..."
  2. Select the volume file
  3. "Key" tab:
    • Enter "password1234567890ABC" as the key
    • Leave GPG executable blank
    • Leave GPG keyfile blank
    • Leave seed blank
    • Select the "MD5 (128/512)" hash
    • Ensure "Hash with "A"s, if hash output is too short" is checked.
    • Leave iteration count at 0
  4. "Encryption" tab:
    • Select the "Blowfish (CBC; 448/64)" cypher
    • Select "ESSIV" as the IV generation method
    • Set "Sector zero location" to "Start of encrypted data"
    • Select "SHA-256 (256/512)" as the IV hash
    • Select "Blowfish (CBC; 256/64)" as the IV cypher
  5. "File options" tab:
    • Leave offset at 0
    • Leave sizelimit at 0
  6. "Mount options" tab:
    • Select any unused drive letter
    • Leave readonly unchecked
  7. Click the "OK" button


Example #8: Mounting a dm-crypt Volume Encrypted Using AES-256 in XTS Mode (aka XTS-AES-256)

This example demonstrates use of a dm-crypt AES-256 volume in XTS mode (aka XTS-AES-256), using SHA-512 for hashing.

Creating the volume file under Linux:

    # Create a 100 KB volume file and attach it to a loop device
    dd if=/dev/zero of=./volumes/vol_aes_xts.vol bs=1K count=100
    losetup /dev/loop0 ./volumes/vol_aes_xts.vol
    # Create the dm-crypt mapping: AES in XTS mode, 512 bit key, password hashed with SHA-512
    echo password1234567890ABC | cryptsetup -h sha512 -c aes-xts-plain --key-size 512 create myMapper /dev/loop0
    # Show the resulting mapping
    dmsetup ls
    dmsetup table
    dmsetup status
    # Format the mapped device and copy the test files onto it
    losetup /dev/loop1 /dev/mapper/myMapper
    mkdosfs /dev/loop1
    mkdir ./test_mountpoint
    mount /dev/loop1 ./test_mountpoint
    cp ./test_files/SHORT_TEXT.txt        ./test_mountpoint
    cp ./test_files/BINARY_ZEROS.dat      ./test_mountpoint
    cp ./test_files/BINARY_ABC_RPTD.dat   ./test_mountpoint
    cp ./test_files/BINARY_00_FF_RPTD.dat ./test_mountpoint
    # Unmount and tear everything down
    umount ./test_mountpoint
    losetup -d /dev/loop1
    cryptsetup remove myMapper
    losetup -d /dev/loop0
    rm -rf ./test_mountpoint

Mounting the volume under FreeOTFE Explorer:

  1. Select "Linux | Mount..."
  2. Select the volume file
  3. "Key" tab:
    • Enter "password1234567890ABC" as the key
    • Leave GPG executable blank
    • Leave GPG keyfile blank
    • Leave seed blank
    • Select the "SHA-512 (512/1024)" hash
    • Ensure "Hash with "A"s, if hash output is too short" is checked.
    • Leave iteration count at 0
  4. "Encryption" tab:
    • Select the "AES (256 bit XTS)" cypher
    • Select "Null IV" as the IV generation method
  5. "File options" tab:
    • Leave offset at 0
    • Leave sizelimit at 0
  6. "Mount options" tab:
    • Select any unused drive letter
    • Leave readonly unchecked
  7. Click the "OK" button
