Week5 commands [Veer Singh]
>>> username: root
>>> password: INBMA0634L
We will make a loop device. It is a virtual hard drive that is mapped to a file in the file system, so the file can be accessed as a block device.
>>> lsblk
>>> dd if=/dev/zero of=/loop-content-0 bs=4096 count=1024
>>> stat /loop-content-0
The dd command lets us copy files. Here we copy the contents of the special /dev/zero file to a new output file called /loop-content-0. The block size is 4096 bytes and we write 1024 of these blocks.
We can see the size, which is 4 MB (4096*1024 bytes).
>>> losetup -f
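The losetup command is used to manage loop devices. With -f and no file name it prints the first unused loop device; with a file name it attaches that file to the first unused loop device.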
>>> losetup -f /loop-content-0
>>> lsblk
We can see that loop0 shows up in the block devices.
>>> mkfs.ext2 /dev/loop0
>>> lsblk -f
We create an ext2 file system on loop0. An ext2 file system is never empty: it creates a "lost+found" dir automatically. We can check the file system with the lsblk -f command, which also shows its unique identifier (UUID).
>>> mkdir /mnt/loop0; mount /dev/loop0 /mnt/loop0
>>> lsblk -f
>>> ls /mnt/loop0
Now we mount it. We can see it has a mountpoint and that it contains a "lost+found" directory.
>>> cat >/mnt/loop0/secret.txt
>>> PIN CODE: 1234
>>> ctrl+c
>>> chmod 000 /mnt/loop0/secret.txt
>>> stat /mnt/loop0/secret.txt
We create a file with some text in it and change the permissions so no one can see it. We can confirm the rights with the stat command.
>>> mcview /loop-content-0
Anyone who can read the backing file /loop-content-0 can still view it, and someone who knows how the ext2 file system works can find the text of secret.txt even though the file's permissions deny access. This means that if someone has physical access to a disk, the permissions do not matter. This is why we use an ENCRYPTED FILE SYSTEM.
We create another loop device for this
>>> dd if=/dev/zero of=/loop-content-1 bs=4096 count=20240
>>> losetup -a
>>> losetup -f /loop-content-1
>>> losetup -a
Now we can see the new loop device shows up
We will use an external package (software) to encrypt the file
>>> dnf install cryptsetup
The dnf package manager helps us install this package.
>>> cryptsetup luksFormat /dev/loop1
>>> YES
>>> INBMA0634L
>>> INBMA0634L
>>> lsblk -f
We format loop1 as an encrypted (LUKS) device and set INBMA0634L as the password. We can run the lsblk command to see it.
>>> cryptsetup luksOpen /dev/loop1 encrypt1
>>> INBMA0634L
This opens the encrypted device for users who have the password and makes it available under the name encrypt1.
>>> lsblk -f
We can see encrypt1 shows up under loop1.
>>> mkfs.ext2 /dev/mapper/encrypt1
>>> mkdir /mnt/loop1
>>> mount /dev/mapper/encrypt1 /mnt/loop1/
>>> ls /mnt/loop1/
>>> lsblk -f
Now we set up an ext2 file system on encrypt1 and mount it at /mnt/loop1. Again we can see we get an automatically created "lost+found" directory.
>>> cat >/mnt/loop1/secret.txt
>>> PIN CODE:1234
>>> ctrl+c
>>> mcview /loop-content-1
Now even if a person has physical access to the drive, the content of this file will not be available since it is in an encrypted form.
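The difference between the two images, as an added example that is not part of the original notes: the script classifies a raw image by its on-disk signature (LUKS header magic at offset 0, ext2 superblock magic at offset 1080) and checks whether a known string is readable in it. The two images are constructed stand-ins for /loop-content-0 and /loop-content-1 so that it runs without root; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: tell a plaintext image from a LUKS one by on-disk signature.

# Hex of COUNT bytes at byte OFFSET of FILE, e.g. "53ef".
bytes_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# classify_image FILE -> prints "luks", "ext" or "unknown"
classify_image() {
    # A LUKS header starts with the magic "LUKS" 0xBA 0xBE at offset 0.
    if [ "$(bytes_at "$1" 0 6)" = "4c554b53babe" ]; then
        echo luks
    # The ext2/3/4 superblock starts at byte 1024; its magic 0xEF53
    # (little-endian) is 56 bytes in, at offset 1080.
    elif [ "$(bytes_at "$1" 1080 2)" = "53ef" ]; then
        echo ext
    else
        echo unknown
    fi
}

# leaks_marker FILE STRING -> exit 0 if STRING is readable in the raw image,
# which is what paging through the image with mcview would reveal.
leaks_marker() {
    LC_ALL=C grep -q -F -- "$2" "$1"
}

# Constructed stand-ins for /loop-content-0 and /loop-content-1 (no root needed).
make_samples() {
    dd if=/dev/zero of="$1/plain.img" bs=4096 count=16 2>/dev/null
    printf '\123\357' | dd of="$1/plain.img" bs=1 seek=1080 conv=notrunc 2>/dev/null
    printf 'PIN CODE: 1234\n' |
        dd of="$1/plain.img" bs=1 seek=8192 conv=notrunc 2>/dev/null
    # LUKS magic followed by random bytes standing in for ciphertext.
    { printf 'LUKS\272\276'; dd if=/dev/urandom bs=4096 count=16 2>/dev/null; } \
        > "$1/luks.img"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for img in plain.img luks.img; do
    if leaks_marker "$demo_dir/$img" "PIN CODE"; then leak=yes; else leak=no; fi
    echo "$img: type=$(classify_image "$demo_dir/$img") marker_readable=$leak"
done
rm -rf "$demo_dir"
```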
We can also use a password file instead of a password
>>> dd if=/dev/zero of=/loop-content-2 bs=4k count=10k
>>> losetup -f /loop-content-2
>>> losetup -a
>>> echo secret password >/loop-key-2
>>> chmod 000 /loop-key-2
>>> cryptsetup luksFormat /dev/loop2 --key-file /loop-key-2
>>> YES
>>> cryptsetup luksOpen /dev/loop2 encrypt2 --key-file /loop-key-2
>>> mkfs.xfs /dev/mapper/encrypt2
>>> lsblk -f
We create a new encrypted device on loop2, opened with the key file, with an xfs file system on it. The key file's permissions are 000, so access is given to nobody.
Now we encrypt the home directory; the system will ask for a password on boot. We create a new partition for it.
>>> fdisk /dev/sda
>>> p
shows the partitions
>>> n
to create a new partition
>>> p
to create primary partition (this is after n)
>>> PRESS ENTER TWICE - THIS IS NOT A COMMAND, BUT AN INSTRUCTION
>>> p
to check partitions again
>>> w
to save settings
>>> lsblk -f
Now we can see sda4
>>> cryptsetup luksFormat /dev/sda4
>>> INBMA0634L
>>> INBMA0634L
>>> lsblk -f
We can see the changes. Now sda4 is ready to store encrypted file systems.
>>> cryptsetup luksOpen /dev/sda4 encrypted-home
>>> INBMA0634L
>>> mkfs.ext2 /dev/mapper/encrypted-home
>>> umount /home/
>>> mount /dev/mapper/encrypted-home /home/
>>> lsblk -f
We mount encrypted-home, which is inside the encrypted sda4 partition, as the home dir.
>>> reboot
This will restart the VM, which means the remote putty connection will stop. Open the connection again.
>>> username: root
>>> password: INBMA0634L
Now we need to edit a configuration file so that the encrypted home is opened on boot.
>>> mcedit /etc/crypttab
This opens an mc editor window. Inside this file we enter (image also shown in main PDF):
>>> encrypted-home
>>> TAB (the key)
>>> /dev/sda4
>>> TAB
>>> none
>>> TAB
>>> luks
Now save this file with F10. When we run this machine it will now ask for a password on boot. Turn off the virtual machine and open it in VirtualBox; use the normal mode, since we won't be able to enter it using putty. A password screen will open as shown in the main PDF. After entering the password we can use putty.
>>> lsblk -f
>>> mount /dev/mapper/encrypted-home /mnt
>>> ls /mnt
>>> lsblk -f
We can also mount it to the /mnt folder.
Now we want to automatically open this encrypted drive and make it available in the home directory. For this we need to change another configuration file which contains the default mounting points. This means the UUID of encrypted home should appear in sda2.
So we copy the UUID of encrypted-home by selecting it:
>>> mcedit /etc/fstab
Delete the UUID where we see /home, paste the UUID we copied and change the file system to ext2. This is shown in the image in the main PDF. (To paste in midnight commander use shift+right click.)
>>> umount /home/
>>> umount /mnt/
>>> mount /home/
>>> lsblk -f
/home is now under encrypted-home
Now we create a key file
>>> umount /home/
>>> cryptsetup luksClose encrypted-home
>>> echo secret key >/key
>>> chmod 000 /key
>>> cryptsetup luksFormat /dev/sda4 --key-file /key
>>> YES
>>> cryptsetup luksOpen /dev/sda4 enc-home --key-file /key
>>> lsblk -f
>>> mkfs.xfs /dev/mapper/enc-home
>>> lsblk -f
Now copy the UUID of enc-home by simply selecting it in the terminal
>>> mcedit /etc/fstab
This will open a midnight commander window. Now delete the UUID where we see /home and paste the UUID we just copied. Also change the file system to xfs. This is shown in the main PDF as images.
We can test if this works by:
>>> mount /home/
>>> lsblk -f
Now we see /home is attached to enc-home
Now we need to edit the crypttab configuration file. We simply need to change none to /key. Image shown in main PDF.
>>> mcedit /etc/crypttab
Remove none and put /key, and change encrypted-home to enc-home. Save and quit with F10.
NOW REBOOT. We won't be asked for a password, since the password file is connected to the system, so we can directly use putty.
>>> username: root
>>> password: INBMA0634L
>>> lsblk -f
Everything is correctly configured.
Now we add a new drive to the virtual machine. We have to do this in the VirtualBox settings, and the machine must be turned off before this.
Select the virtual machine -> Settings -> Storage -> Controller: SATA -> Adds hard disk -> create -> Next -> Next -> 8MB -> create -> Select the drive from non attached segment -> choose -> OK
We will use this as a "flashdrive". The users who insert this flashdrive are the ones who are able to use the machine.
Open a new putty terminal
>>> username: root
>>> password: INBMA0634L
>>> lsblk -f
We can see it appears as sdb
>>> fdisk /dev/sdb
>>> n
>>> PRESS ENTER 4 TIMES FOR DEFAULT SETTINGS
>>> p
>>> w
>>> lsblk -f
It shows up. Now we create a file system on it.
>>> mkfs.ext2 /dev/sdb1
>>> lsblk -f
Now we make a dir called keys and change its rights
>>> mkdir /keys
>>> chmod 000 /keys
>>> lsblk -f
Now copy the UUID of sdb1 by simply selecting it.
Now we need to edit the fstab config file and add this UUID to it for /keys (images shown in main PDF), with the file system ext2, the options "defaults" and "0 0". Save and quit with F10.
>>> mount /keys/
>>> lsblk -f
>>> mount -o remount,rw /keys/
>>> mv /key /keys/
>>> mount -o remount,ro /keys/
Now we mount the keys dir. First we remount it in read-write mode and move /key into it. Then we remount it in read-only mode.
We can find this key dir by
>>> ls /keys/
>>> cat /keys/key
ls shows that it's there inside the /keys/ dir, and cat shows us the content, which is the string "secret key", since we are the root user.
We need to reconfigure the crypttab file since we moved the key. The final outcome is shown as an image in the main PDF.
>>> mcedit /etc/crypttab
change /key to /keys/key
save and exit with F10
REBOOT
Now, since the drive is attached, we are able to log in without any issues, but if we remove this drive we will not be.
>>> username: root
>>> password: INBMA0634L
>>> lsblk -f
We can see that all partitions including encrypted ones are showing
Now we will remove the drive (it's like removing the password usb drive) and then try to restart the machine.
Go to virtual box -> select the virtual machine -> settings -> storage -> Select the disk which is the usb drive (it must be under Controller:SATA) -> click on the red cross on the bottom -> OK
Now boot up the machine
The machine waits for the encrypted file for a long time and finally asks us to boot with default mode. We continue with "Ctrl+D" but the machine still doesn't boot, so we shut down the machine.
Now we reattach the device which stores the password.
Go to virtualbox -> select the virtual machine -> settings -> storage -> Controller:SATA -> Adds hard disk -> Not attached -> Select the 8MB "usb" drive -> Choose -> OK
Now the system boots up without any issues
If we want to use a device without the presence of the password usb drive, we will have to configure a "No Fail" option in the fstab configuration file. We still will not be able to see or work with any encrypted directories.
To do this, connect to the machine with putty
>>> username: root
>>> password: INBMA0634L
>>> mcedit /etc/fstab
add "nofail" after "defaults" in /home and /keys. This is shown as an image in the main PDF.
Now we reboot.
Now we remove the attached usb drive.
Go to virtual box -> select the virtual machine -> settings -> storage -> Select the disk which is the usb drive (it must be under Controller:SATA) -> click on the red cross on the bottom -> OK
Now we reboot the virtual machine
It will take some time since the system is waiting for the usb drive, but since there is a nofail option the boot will continue.
>>> username: root
>>> password: INBMA0634L
>>> lsblk -f
As we can see, the /home and /keys directories do not appear, but we can still use the system.
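An added example, not part of the original notes: a small audit of the crypttab and fstab settings edited above, reporting for each mapping whether the key is typed at boot, read from a file on the root disk, or read from a separate mount such as /keys. It assumes the root filesystem is unencrypted, as on this VM; the sample files, placeholder UUIDs and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: audit where each /etc/crypttab entry gets its key from.
# Assumption: the root filesystem is unencrypted, as on the VM in these notes.

# mount_of PATH FSTAB -> longest fstab mount point that contains PATH
mount_of() {
    awk -v p="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        ($2 == "/" || index(p "/", $2 "/") == 1) && length($2) > length(best) { best = $2 }
        END { print (best == "" ? "/" : best) }' "$2"
}

# has_nofail MOUNTPOINT FSTAB -> exit 0 if that fstab entry carries "nofail"
has_nofail() {
    awk -v m="$1" '$2 == m && $4 ~ /(^|,)nofail(,|$)/ { ok = 1 } END { exit !ok }' "$2"
}

# audit_crypttab CRYPTTAB FSTAB -> one verdict line per mapping
audit_crypttab() {
    # crypttab fields: name, device, key file ("none" or "-" = ask), options
    grep -v -E '^[[:space:]]*(#|$)' "$1" | while read -r name dev key opts; do
        case "$key" in
            ''|none|-) echo "$name: passphrase prompt at boot" ;;
            *)  mnt=$(mount_of "$key" "$2")
                if [ "$mnt" = "/" ]; then
                    echo "$name: WEAK, key $key sits on the unencrypted root disk"
                elif has_nofail "$mnt" "$2"; then
                    echo "$name: key $key on separate mount $mnt (nofail)"
                else
                    echo "$name: key $key on separate mount $mnt (boot blocks without it)"
                fi ;;
        esac
    done
}

# Constructed samples: the three crypttab stages from the notes in one file,
# and an fstab with placeholder UUIDs.
write_samples() {
    printf '%s\t%s\t%s\t%s\n' \
        encrypted-home /dev/sda4 none luks \
        enc-home /dev/sda4 /key luks \
        enc-home /dev/sda4 /keys/key luks > "$1/crypttab"
    printf '%s\n' \
        'UUID=ROOT-UUID-PLACEHOLDER / xfs defaults 0 0' \
        'UUID=HOME-UUID-PLACEHOLDER /home xfs defaults,nofail 0 0' \
        'UUID=KEYS-UUID-PLACEHOLDER /keys ext2 defaults,nofail 0 0' > "$1/fstab"
}

d=$(mktemp -d); write_samples "$d"
audit_crypttab "$d/crypttab" "$d/fstab"; rm -rf "$d"
```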