2. Encryption Types
Linux offers two primary types of encryption:
disk encryption
file encryption.
3. Disk encryption
Disk encryption involves encrypting an entire disk or partition, such that all data
stored on that disk is protected by the encryption.
Disk encryption tools provide a high level of security, as they protect all data on
the disk, including the operating system, system files, and user data.
This makes disk encryption particularly useful for protecting sensitive
information stored on laptops, external hard drives, and other portable devices.
4. File Encryption
File encryption, on the other hand, involves encrypting individual
files or directories.
File encryption tools offer more granular control over encryption,
allowing users to selectively encrypt only the files they need to
protect.
This makes file encryption particularly useful for protecting sensitive
documents, such as financial records, medical records, and personal
data.
6. DM-Crypt
DM-Crypt is a widely used disk encryption tool in Linux that allows users to
encrypt entire hard drives or individual partitions.
It is built on top of the Device Mapper (DM) framework, which is a component
of the Linux kernel that provides a generic way to create and manage virtual
block devices that can be used for various purposes, such as LVM and
encryption.
7. DM-Crypt
DM-Crypt uses the Advanced Encryption Standard (AES) cipher in
Cipher Block Chaining (CBC) mode for encryption, and the XTS block
cipher mode for encrypting disk sectors.
8. AES-CBC
In CBC mode, each plaintext block is XORed with the previous
ciphertext block before being encrypted with the block cipher.
The first plaintext block is XORed with an initialization vector (IV)
before being encrypted.
9. AES XTS mode
In XTS mode, the block cipher is applied to the plaintext sector in two
passes.
In the first pass, the plaintext is XORed with a tweak value that is derived
from the sector number and a key.
The result of the XOR operation is encrypted using the block cipher.
In the second pass, the encrypted block is again XORed with the same
tweak value, and the result is encrypted again using the block cipher.
The resulting ciphertext is then
stored on disk.
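The XTS construction that dm-crypt's aes-xts-plain64 cipher spec (the one used in Lab 1) implements, as an added example that is not part of the lecture: the 64-bit little-endian sector number (plain64) is encrypted under the second key to form the tweak, each 16-byte block gets a single block-cipher call with the tweak XORed in before and out after, and the tweak is multiplied by alpha in GF(2^128) between blocks. To keep the script standard-library only, a SHA-256 Feistel network stands in for AES (an assumption of this example); the mode logic around it is unchanged.

```python
import hashlib
import struct

BLOCK = 16  # 128-bit cipher block; a dm-crypt sector is 512 bytes = 32 blocks

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prp(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES (constructed for this example): a 4-round Feistel
    network whose round function is SHA-256. Any 128-bit block cipher fits here."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return l + r

def prp_inv(key: bytes, block: bytes) -> bytes:
    """Inverse of prp: run the Feistel rounds backwards."""
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, hashlib.sha256(key + bytes([rnd]) + l).digest()[:8]), l
    return l + r

def mul_alpha(t: bytes) -> bytes:
    """Multiply the tweak by x in GF(2^128), IEEE P1619 little-endian convention,
    reducing by x^128 + x^7 + x^2 + x + 1 (the 0x87 constant)."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")

def xts_sector(key1: bytes, key2: bytes, sector: int, data: bytes,
               decrypt: bool = False) -> bytes:
    """Encrypt (or decrypt) one whole sector. cryptsetup's --key-size is split in
    half: key1 encrypts the data, key2 encrypts the tweak. plain64 means the initial
    tweak is the 64-bit little-endian sector number, zero-padded to 16 bytes."""
    if len(data) % BLOCK:
        raise ValueError("whole blocks only (ciphertext stealing not shown)")
    tweak = prp(key2, struct.pack("<Q", sector) + bytes(8))
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        pp = xor(data[i:i + BLOCK], tweak)             # XOR tweak in  (XEX)
        cc = prp_inv(key1, pp) if decrypt else prp(key1, pp)
        out += xor(cc, tweak)                          # XOR tweak out
        tweak = mul_alpha(tweak)                       # next block, next tweak
    return bytes(out)
```

Because every block is processed independently, a flipped ciphertext byte corrupts only its own 16-byte block on decryption and the rest of the sector decrypts cleanly; XTS provides confidentiality, not integrity, so dm-crypt on its own does not detect tampering with the ciphertext.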
10. DM-Crypt
It also supports other encryption algorithms, such as Serpent and Twofish.
DM-Crypt provides a high level of security by encrypting all data on the disk or partition,
including the operating system, system files, and user data.
DM-Crypt is widely used in Linux distributions, such as Ubuntu, Fedora, Debian, and
others, and is also supported on other Unix-like operating systems.
It is considered a robust and reliable tool for protecting sensitive data on desktops,
laptops, and servers.
11. LUKS
LUKS (Linux Unified Key Setup) is a disk encryption specification that provides full disk
encryption using the DM-Crypt disk encryption tool in Linux.
It was developed as a standard for Linux disk encryption to provide an easy-to-use, flexible, and
secure way to encrypt hard drives or partitions.
12. LUKS
LUKS allows users to create a passphrase-protected container that can be mounted as a normal
block device.
The container can contain multiple partitions, each with its own passphrase.
It uses the same encryption algorithms as DM-Crypt, such as AES, Serpent, and Twofish, and
supports key sizes up to 512 bits.
13. LUKS
One of the key features of LUKS is that it provides a header that contains all the necessary
information for the encrypted disk or partition, including the encryption algorithm, key size, and
the encryption key itself.
This allows users to change the passphrase or key without having to re-encrypt the entire disk,
which can be time-consuming and resource-intensive.
14. LUKS versions
There are two versions of LUKS: LUKS1 and LUKS2.
LUKS1 is the original version of LUKS and is widely used and supported on most Linux
distributions.
LUKS2 is a newer version of LUKS that was introduced in 2016. It has several new features,
such as the ability to use more than one passphrase and the ability to use different
encryption algorithms for different parts of the disk. It also supports a wider range of hash
functions and key derivation algorithms. Additionally, LUKS2 allows for better support for
SSDs and other modern storage devices.
15. LUKS versions
Overall, LUKS2 offers several improvements over LUKS1, including better flexibility and stronger
security features.
However, LUKS2 may not be supported by all Linux distributions and may require newer versions
of software tools to work properly.
If you have the option to choose between LUKS1 and LUKS2, it is recommended to use LUKS2 for
its improved features and security.
16. (Lab 1) Disk Encryption Lab
(1) To use DM-Crypt in AlmaLinux, you can follow these general steps:
Install the necessary packages: You will need the cryptsetup package to use DM-Crypt and
LUKS.
You can install it by running the following command as root:
yum install cryptsetup
17. (Lab 1) Disk Encryption Lab
(2) Create a partition for encryption: Before you can encrypt a partition, you will
need to create a partition to encrypt.
You can use a tool like fdisk or parted to create a partition.
Make sure that the partition you create is empty and does not contain any important data.
18. (Lab 1) Disk Encryption Lab
(3) Encrypt the partition: Once you have created the partition, you can encrypt it using the
cryptsetup command.
For example, to encrypt the partition /dev/sdb1 with the name my_encrypted_partition, you can run
the following command as root:
cryptsetup luksFormat /dev/sdb1 --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 2000
This command will prompt you to enter a passphrase, which will be used to unlock the encrypted partition (more
than 7 characters, and it should pass the dictionary check).
19. (Lab 1) Disk Encryption Lab
(4) Open the encrypted partition: After the partition is encrypted, you can open it using the
cryptsetup command.
For example, to open the encrypted partition with the name “my_encrypted_partition”, you can run the
following command as root:
cryptsetup luksOpen /dev/sdb1 my_encrypted_partition
20. (Lab 1) Disk Encryption Lab
(5) Create a file system on the encrypted partition: After the encrypted partition is opened, you
can create a file system on it using a tool like mkfs.
mkfs.ext4 /dev/mapper/my_encrypted_partition
21. (Lab 1) Disk Encryption Lab
(6) Mount the encrypted partition: Once the file system is created, you can mount it like any
other file system using the mount command.
For example, to mount the partition at /mnt/my_encrypted_partition, you can run the following
command as root:
mount /dev/mapper/my_encrypted_partition /mnt/my_encrypted_partition
22. (Lab 2) LUKS During Installation
To install AlmaLinux using LUKS encryption, follow these steps:
Boot the system using the AlmaLinux installation media.
In the partitioning section, select "Custom" partitioning.
Create the partition, then click Modify and choose Encrypt.
23. TCrypt
TCrypt is a Linux kernel module that provides full disk encryption using the XTS (XEX-based
tweaked-codebook mode with ciphertext stealing) block cipher mode of operation.
It is built on top of the dm-crypt subsystem, which provides transparent disk encryption for
Linux.
24. TCrypt
TCrypt encrypts the entire disk or partition, including the root file system, and it requires the
user to enter a password during boot time to decrypt the disk and mount the root file system.
It uses the XTS block cipher mode, which provides strong encryption and integrity protection for
the encrypted data.
25. TCrypt
One of the key features of TCrypt is that it provides a high level of security and reliability, as it is
implemented in the kernel and is not dependent on user space tools or libraries.
It also supports various key sizes and encryption algorithms, including AES (Advanced Encryption
Standard) and Twofish.
26. TCrypt
TCrypt is available as a kernel module in some Linux distributions, such as Gentoo and Arch
Linux.
However, it is not included in the mainline Linux kernel, and its use may require additional
configuration and setup.
It is considered a robust and secure tool for full disk encryption in Linux, but it requires careful
consideration and planning before implementation.
28. EncFS
EncFS is an open-source file-based encryption tool for Linux, FreeBSD, Mac OS X, and other
Unix-like operating systems.
It allows users to create encrypted folders or directories that can be mounted as a normal file
system.
The encrypted data is stored in the underlying file system in an encrypted form, and is
decrypted and presented to the user when the encrypted directory is mounted.
29. EncFS
EncFS uses the FUSE (Filesystem in Userspace) framework to create the encrypted file system,
and it encrypts data on a per-file basis using the AES (Advanced Encryption Standard) cipher
with a 256-bit key.
It supports multiple encryption modes, including CBC (Cipher Block Chaining), CFB (Cipher
Feedback), and OFB (Output Feedback), and can be configured to use different encryption
algorithms, such as Blowfish or Twofish.
31. EncFS
One of the key features of EncFS is that it provides plausible deniability, which means that the
existence of the encrypted data cannot be proven.
This is achieved by allowing users to create hidden directories within an encrypted directory
that are encrypted with different keys or passwords.
When mounted with a specific key or password, the hidden directory is accessible, but if
mounted with a different key or password, the hidden directory is not visible.
34. ECRYPTFS
ECRYPTFS (Enterprise Cryptographic Filesystem) is an open-source file-based encryption tool for
Linux, which provides on-the-fly encryption for individual files or directories.
It is designed to be transparent to the user, allowing them to access and use encrypted files and
directories just like normal files and directories.
35. ECRYPTFS
ECRYPTFS encrypts files using a symmetric encryption algorithm, such as AES (Advanced
Encryption Standard), and then stores them in an encrypted form on disk.
The encryption key is generated based on a passphrase that the user provides, and is used to
encrypt and decrypt the files.
The passphrase is hashed using a secure hash function and is used as the key for the encryption
algorithm.
36. ECRYPTFS
ECRYPTFS uses a stacked file system architecture, which means that it is built on top of the
underlying file system, and encrypted files and directories are stored as regular files and
directories on the file system.
This allows users to access and use encrypted files and directories just like normal files and
directories, without the need for a separate encrypted file system.
37. ECRYPTFS
ECRYPTFS provides various advanced features, such as key revocation, key rotation, and
file name encryption, which provide additional security and flexibility.
It is widely used in Linux distributions, such as Ubuntu and Debian, and is considered a reliable
and secure encryption tool for file-based encryption in Linux.
38. Homework
(1) Install ecryptfs on your AlmaLinux VM, use it to encrypt a folder using your first name, and
use the decrypted folder using your last name.
Record the above steps in a short video.
(2) Compare between encfs and ecryptfs.