README

    __       __  __   __ __    _____    __  __   _____
   / /      / / / /  / //_/   / ___/   / / / /  / ___/
  / /      / / / /  / ,<      \__ \   / / / /   \__ \ 
 / /___   / /_/ /  / /| |    ___/ /  / /_/ /   ___/ / 
/_____/   \____/  /_/ |_|   /____/   \____/   /____/  


# SYNOPSIS
#
# Creates an encrypted filesystem on a hard drive or other storage
# media. LUKSUS also supports creating an encrypted file container.
# Uses the Linux LUKS encryption facility.

# BACKGROUND
#
# The purpose of this script is to provide an easy way to encrypt
# storage media in Linux and DragonflyBSD, such as hard drives, USB sticks,
# SD cards or external hard drives. It uses the LUKS and cryptsetup
# crypto subsystem internal to the Linux Kernel.
# This is thus a wrapper script for cryptsetup, shred and mkfs.

# Why? Because doing all these tasks manually is 
# time consuming and can be a little tricky. At least I think so.
# Also, writing this has been a great learning experience.

# HOW IT WORKS
#
# The script works like this:
# 1. All existing data is brutally removed beyond (forensic) reconstruction.
# 2. It then writes random data to the drive.
# 3. It then creates a keyfile.
# 4. It then encrypts the drive using the keyfile stored in /keys.
# 5. A LUKS header backup is also placed in /keys.
#
# Please remember to take care of your /keys.
# If you lose your /keys, the keyfile to your encrypted drive, then
# the data will be impossible to retrieve.
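#
# Added example (not part of LUKSUS): one way to carry out the keyfile and
# header-backup steps above while keeping the key material private. The function
# names, the 4096-byte key size and the NAME.key / NAME.header file names are
# assumptions; luks_format_with_key is only defined here, never called.

```shell
#!/bin/sh
# Added illustration, not LUKSUS code. Function names, the 4096-byte key size
# and the NAME.key / NAME.header file names are assumptions.

# Create KEYDIR (0700) and a new random keyfile KEYDIR/NAME.key (0400).
# Prints the keyfile path; refuses to overwrite an existing key.
make_keyfile() {
    keydir=$1 name=$2
    (
        umask 077                                   # nothing for group/other
        mkdir -p "$keydir" && chmod 700 "$keydir" || exit 1
        if [ -e "$keydir/$name.key" ]; then exit 1; fi
        dd if=/dev/urandom of="$keydir/$name.key" bs=512 count=8 2>/dev/null || exit 1
        chmod 400 "$keydir/$name.key"
    ) || return 1
    echo "$keydir/$name.key"
}

# Succeed only if PATH grants no permissions to group or others.
private_perms() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Format DEVICE as LUKS with a fresh keyfile, back up the header into KEYDIR
# and open the volume as /dev/mapper/NAME. Needs root and cryptsetup.
# DESTROYS all data on DEVICE, so it is defined here but never called.
luks_format_with_key() {
    device=$1 name=$2 keydir=$3
    key=$(make_keyfile "$keydir" "$name") || return 1
    private_perms "$keydir" || return 1
    private_perms "$key" || return 1
    cryptsetup --batch-mode luksFormat --key-file "$key" "$device" || return 1
    ( umask 077
      cryptsetup luksHeaderBackup "$device" \
          --header-backup-file "$keydir/$name.header" ) || return 1
    private_perms "$keydir/$name.header" || return 1
    cryptsetup luksOpen --key-file "$key" "$device" "$name"
}
```

# Run as root, luks_format_with_key /dev/sdb1 rambo1 /keys corresponds to the
# keyfile example in this README; keep a second copy of /keys off the machine.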


# DISCLAIMER 
#
# As with all security measures: Use with caution.
# I, the author, take no responsibility if a black hole appears,
# and implodes your house, your town and the entire planet earth as an
# effect of using this script.
# Understand that the author takes no responsibility, and cannot
# be held liable if you, the user, use the script to destroy the
# files/contents of your storage media.
# As a consequence it is the sole responsibility of the user
# to use this software correctly. The author cannot be held
# liable for any damages, as of this disclaimer.
# Furthermore you are responsible for the content you encrypt.
# END DISCLAIMER

# USAGE
# The usage of LUKSUS can take two different forms,
# depending on whether you are using LUKSUS on a physical device or a
# virtual file. These two require somewhat different command line
# arguments.
# As of version 1.0, LUKSUS defaults to passphrase
# for securing the volume. Using a keyfile is optional
# and can be activated by using the commandline option: usekey
#
# Command line arguments are: devicename volumename size truecrypt usekey
# AT LEAST TWO FIRST COMMAND LINE ARGUMENTS ARE REQUIRED
# IF CREATING A FILECONTAINER SIZE IS REQUIRED (examples: 1000M 5G)

# ./LUKSUS DEVICENAME VOLUMENAME optional options
# ./LUKSUS DEVICENAME VOLUMENAME LOCATION-OF-ENCRYPTED-VOLUME-CONTAINER SIZE[M] truecrypt usekey

# USAGE: Physical drive
# ./LUKSUS DEVICENAME NICKNAME-of-luks-container
# ./LUKSUS DEVICENAME VOLUMENAME truecrypt

# USAGE: File container
# ./LUKSUS loopback-DEVICENAME nickname-of-lukscontainer filename filesize-in-megabytes

# EXAMPLES: 
# ENCRYPT PHYSICAL MEDIA: Using password
# ./LUKSUS /dev/sdb1 rambo1
 
# ENCRYPT PHYSICAL MEDIA: Using keyfile
# ./LUKSUS /dev/sdb1 rambo1 usekey

# CREATING AN ENCRYPTED FILECONTAINER (LUKS on Linux and DragonFlyBSD)
# ./LUKSUS /dev/loop0 ENCRYPTEDVOLUME /encryptedvolume.encrypted 300M 
# ./LUKSUS /dev/vn0 ENCRYPTEDVOLUME /encryptedvolume.encrypted 300M

# To enable the use of TrueCrypt instead of LUKS append the option: truecrypt
# ./LUKSUS /dev/sdc1 library truecrypt
# ./LUKSUS /dev/loop0 ENCRYPTEDVOLUME /encryptedvolume.encrypted 300M truecrypt

# This last example is a corner case. This would create an encrypted
# filecontainer using truecrypt with a passphrase as well as with a keyfile.
# That keyfile would then work as a backdoor or an extra way into the archive, in case the password gets lost.
# ./LUKSUS /dev/loop0 ENCRYPTEDVOLUME /encryptedvolume.encrypted 300M truecrypt usekey


# ENCRYPTED FILECONTAINER
# It is possible to create an encrypted file container
# The usage then changes a little as the script then needs to
# know which loopbackdevice you wish to use, where the encrypted
# filecontainer should be located, and how large it should be.
# Please note that the size must have M for megabytes or G for
# gigabyte appended to the size.

# The following will use loop0, and place the encrypted container in
# /usr and will have 1000MiB as space.
#
# ./LUKSUS /dev/loop0 mysecretlibrary /usr/thelibrary.encrypted 1000M
#
# For creating an encrypted filecontainer on DragonFlyBSD
# ./LUKSUS /dev/vn0 mysecretlibrary /usr/thelibrary.encrypted 1000M

# DRAGONFLYBSD NOTES:
# There are a few things to note about running this on DragonflyBSD...
#
# DragonFlyBSD does not ship with bash by default, so you have to install it
# from the repositories. "pkg_radd bash" will do the trick
#
# NO EXT4, UFS IS USED 
# The script does the same things as under Linux, but with one major
# exception.
# It does not create EXT4 filesystems, but UFS filesystems. 
# The mkfs.ext4 tool shipped in e2fsprogs does not like the Dfly
# loopback device, and I have not yet managed to get it to work.
# Therefore the user will get a UFS filesystem instead.
#
# TRUECRYPT NOTES:
#
# Truecrypt defaults to using passphrase for volume security.
# A keyfile can be added by using the commandline argument: usekey
#
# Applies to both Linux and DragonflyBSD
# Truecrypt / tcplay is slow when it is creating encrypted
# filecontainers on Linux. Once the volume has been created
# speeds are nominal. This has at least been the case in my 
# testing on Virtualbox instances of various Linux distributions.
#
# For some reason the cryptsetup tool in Dfly takes a very long time
# to do its work when it is manipulating loopback LUKS volumes, i.e.
# file containers... I do not know the reason for this strange behaviour,
# but once it has created the volume, file transfer speeds are nominal and fast.
# In my experience it takes 15 minutes to finish the process of creating
# an encrypted filecontainer. Just have patience when creating encrypted
# filecontainers with loopback devices :)
#
# ON KEYFILES - ARE THEY BETTER THAN PASSWORDS?
-
(Passphrase-protected) Keyfiles are two-factor (something you have,
something you know) and passphrases are one-factor (something you
know). It should be obvious that (passphrase-protected) keyfiles are
at least as secure as passphrases because you need a passphrase to use
them. Considering you also need access to the appropriate filesystem,
they'd be more secure, if just by a little bit.
If you're talking about plaintext keyfiles, they're one-factor secure
(something you have). It's not so obvious whether a plaintext is more
or less secure than a passphrase. It would depend on the context, I
guess.
-
Keyfiles are possession factors (something you have). Possession
factors are threatened by theft and duplication. Since a keyfile is
just a file, it's relatively easy to duplicate it, so it's not a very
strong factor. In theory, a possession factor can be destroyed -- but
not if it's been duplicated or stolen!
Passphrases are knowledge factors (something you know). Knowledge
factors are threatened by guessing and discovery. A strong passphrase
that's not stored anywhere but your head is still weak against
compulsive discovery (the crypto wrench attack, legal compulsion, etc.).
-
Source: Reddit discussion
http://www.reddit.com/r/crypto/comments/1gnezg/keyfile_or_passphrase/



# REQUIREMENTS:
# an empty hard drive or storage media
# knowledge about which device the hard drive or storage
# media resides on (blkid will provide this)
# cryptsetup
# dialog
# GNU coreutils

# This script works on Linux and DragonFlyBSD.
# Tested on: Debian, Ubuntu, ArchLinux and DragonFlyBSD

# Luksus is released under GNU GPLv2 License
# located here: http://www.gnu.org/licenses/gpl-2.0.html
#
# I really want to hear from you, feedback, the ways you use it, 
# suggestions, tips and so on. 
# My email is: thomas.frivold.at.gmail.com

########################################################
#################### TODO ##############################
########################################################

# Another round of extensive testing on several 
# Linux distros and Dragonfly BSD with
# DM-LUKS and Truecrypt
# + add a nice dialog interface * or remove it *
# + better support command line options in a nice POSIX manner
# + add the commandline option to use with or without dialog *or forget it*
# +Properly works on Truecrypt and LUKS
# +Properly tested on Linux: Debian, Ubuntu, Arch, Fedora, CentOS
# +Properly tested on DragonFlyBSD
# +Attempts to work on default installations:
#  Dialog use is not enforced anymore. If package is not installed,
#  then the script will skip fancy dialog use. Dialog is not shipped
#  with all distros by default. Less headache for the user.
# +Properly tested across Linux and DragonflyBSD (all features tested
# on 3 linux distros and on Dfly).



########################################################
#################### CHANGELOG #########################
########################################################
# v1.0RC5 29.07.2013 12:30

# +LUKSUS now defaults to passphrase. Using a keyfile is 
# optional. User feedback suggested that many users preferred
# to use passphrase instead of keys. Therefore the default
# has been set to passphrase, with using keyfiles being optional.
# +The dawn of modularization of the encryption engine code.
# I am hoping to be able to add support for FreeBSD's GBDE and GELI,
# NetBSD's CGD and OpenBSD's BIOCTL. This would bump the number of
# supported platforms to 5.

# v1.0RC4 22.07.2013 15:09
# +Removed some extra integrity checks. They were redundant and broke
# Truecrypt support
# Feature freeze, and all that is required now is more testing.
# Fixed some regressions. Testing is a good idea.

# v1.0RC3 22.07.2013 12:00
# +Better dialog - yesno now works
# I like where this is going

# v1.0RC2 18.07.2013 19:00

# +Improved logging and reporting further
# +Cleaner OS Detection

# v0.99
# Truecrypt command line option added
# Usage cleanup
# Readme testing

# v0.95 06.03.2013 15:13
# +Truecrypt support

# v0.8.91 05.03.2013 20:00
# Small bugfixes

# v0.8.9 05.03.2013 13:28
# +DragonFlyBSD support is now fully supported.
# Cryptsetup / dm-luks spends a lot of time with its operation, 
# 10-15 minutes, but apart from that, LUKSUS runs on DragonFlyBSD.
# Functions need more attention and cleanup, but everything is working
# quite well now.


# v0.8.5 26.02.2013 12:00
# Cleanup before public release on Freecode.com!
# Hello World

# v0.8.4 26.02.2013 10:00
# Added a routine to check the screensize, and display
# a logo according to which screensize the user has.
# Cleaned up a little bit here and there

# v0.8.3 25.02.2013 20:00
# Tweaks 

# v0.8.2 25.02.2013 15:00
# Added a welcome sequence
# Added a logo! (yay)

# v0.8.1 25.02.2013 14:30
# Added missing apostrophe

# v0.8 24.02.2013 10:15
# + Improved code quality, implemented simple modularization.



# v0.7 02.01.2013 13:20
# + Added support for loopback devices 
#   creating an encrypted container is now possible with LUKSUS
# + Began work on implementing functions throughout
# + Added some conditional checks with regex

# v0.6 02.01.2013 01:35
# + improved documentation (README file)
# + Added some nice sanity checks
# + Further cleaned up the code
# + Added a definite CTRL+C to cancel now
# + Added dependency checks

# v0.5 25.04.2012 12:30
# + initial public release
#   live on github here: https://github.com/thomasfrivold/luksus
#   (yay)
# + massive cleanup
# + added a conditional check to verify that user is root
# + added a conditional check in the middle of the procedure to
#   verify that a LUKS container has been created on the device
#   good for integrity 
# + added a routine to back up the luks header with a conditional
#   check as suggested by the luks FAQ
#   here: http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#6._Backup_and_Data_Recovery
# + fixed mounting procedure
#   changed name of the script from cryptcreate to luksus
#   the luksus name is more a pun than a functional name
#   luksus means luxury in Norwegian and coincidentally it includes the main technology
#   used to encrypt hardrives in Linux since the 2.6 kernels - Linux Unified Key Setup
#   on a celebratory note, the script can now be considered stable. Even though
#   it lacks some niceties such as a fully fledged ncurses dialog menu system
#   which is aimed at version v1.0
#   - Thomas Frivold 

# v0.4
# + cleaned up script
# + added required runtime arguments

# v0.3
# + added command line input

# v0.2
# + cosmetic fixes
# + did some nice thinking about dialog

# v0.1 16.04.2012 GMT+1 1320
# + initial release
