USB encryption

The Packet Squirrel supports optional encryption of USB storage devices for increased security.

The Packet Squirrel uses the Linux full-disk encryption system (LUKS); USB devices encrypted on the Packet Squirrel will typically only be readable on another Linux system (a Linux VM may be sufficient).

Preparing the drive

This should only be done once - this will permanently erase the contents of the USB drive you target!

These preparatory commands can be run either in a shell on the Packet Squirrel directly (via the web UI shell or via ssh) or on a Linux computer or Linux VM with USB passthrough.

Remember - only perform these setup instructions once per disk! Read on for how to script a payload which automatically mounts the disk!

Unmount the USB drive

If the USB drive has an existing formatted partition, it will be automatically mounted. To configure encryption, we need to first unmount this drive.

root@squirrel:~# umount /usb

Prepare the partition for encryption

We'll assume the USB drive has one primary partition, the first one. If necessary you may need to repartition the USB drive using fdisk or a partition tool on a Linux computer.

root@squirrel:~# cryptsetup luksFormat /dev/sda1 --type=luks1

This will add the encryption metadata to the partition. You will need to confirm that this will erase the device, and you will need to set a password. DO NOT FORGET THIS PASSWORD as your data will be unrecoverable without it!

For example:

root@squirrel:~# cryptsetup luksFormat /dev/sda1 --type=luks1

WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sda1: Demodemo
Verify passphrase: Demodemo

Activate the partition

This opens the encrypted partition and creates the virtual encrypted disk.

root@squirrel:~# cryptsetup open /dev/sda1 dm-0

You will be prompted to enter the password you created above. For example:

root@squirrel:~# cryptsetup open /dev/sda1 dm-0

Enter passphrase for /dev/sda1: Demodemo

Format the virtual encrypted disk

Finally, we need to create a filesystem on the encrypted disk. We suggest using ext4: it is a fast, Linux-native filesystem. As there is no way to read the encrypted disk without a Linux system, using a Linux filesystem does not make the disk any more difficult to read.

root@squirrel:~# mkfs.ext4 /dev/dm-0

For example:

root@squirrel:~# mkfs.ext4 /dev/dm-0
Creating filesystem with 15141648 4k blocks and 3785488 inodes
Filesystem UUID: 9899cd3c-6964-4e97-b6b1-dfb50d23f8b0
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424

Allocating group tables: done
Writing inode tables: done
Creating journal (65536 blocks): done
Writing superblocks and filesystem accounting information: done

Close the encrypted disk

This step is optional, but returns the encrypted disk to the closed state where we can then mount it as expected from a payload.

root@squirrel:~# cryptsetup close /dev/dm-0

Enabling encrypted storage from a payload

To enable automatic mounting of encrypted storage in a payload, you'll need to add the cryptsetup commands to your payload script.

In the demonstration payloads, this requires you to place the encryption password in your payload script. For more complex payloads, you may be able to implement other mechanisms for retrieving the password, such as fetching it from an HTTPS server on boot.

Even with the password stored in the internal Packet Squirrel flash, the USB storage is still encrypted at rest, and the password can be erased via a factory reset or the SELFDESTRUCT payload command.

Example encrypted payload

This example payload unlocks the encrypted USB partition, waits for it to become available, and changes the LED:

#!/bin/bash 

# Title: Demo encrypted USB
#
# Description: Wait for an encrypted USB device to become available 

NETMODE NAT 

LED B SINGLE

# Use the password we set before and open /dev/sda1
echo "Demodemo" | cryptsetup open /dev/sda1 dm-0 

# Wait for USB to become available 
NO_LED=1 USB_WAIT

# The encrypted USB device is now mounted
LED G SOLID
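
The option mentioned above of fetching the password from an HTTPS server on boot could look like the following payload. This is an added example, not part of the original documentation; the key URL, the presence of curl on the device, the helper function names and the red failure LED are assumptions.

```bash
#!/bin/bash
# Added example (not from the original documentation): unlock the encrypted
# USB partition with a passphrase fetched over HTTPS at boot, so it is not
# stored in the payload on the Packet Squirrel's flash.
# Assumptions: KEY_URL is a hypothetical endpoint you control, curl is
# installed, and the helper names fetch_passphrase / unlock_usb are ours.

KEY_URL="${KEY_URL:-https://keys.example.internal/squirrel/usb-key}"
CRYPT_DEV="${CRYPT_DEV:-/dev/sda1}"   # partition prepared with luksFormat
CRYPT_NAME="${CRYPT_NAME:-dm-0}"      # mapping name used on this page

# Print the passphrase (first line of the response body) on stdout.
# Fails closed: non-HTTPS URL (2), transfer/TLS/HTTP error (3), empty body (4).
fetch_passphrase() {
    local url="$1" body
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS key URL" >&2; return 2 ;;
    esac
    # --proto '=https' restricts curl to HTTPS; certificate verification
    # stays on because --insecure is never passed.
    body="$(curl --fail --silent --show-error --proto '=https' \
                 --max-time 15 --retry 5 "$url")" || return 3
    body="$(printf '%s\n' "$body" | head -n 1 | tr -d '\r')"
    [ -n "$body" ] || { echo "empty passphrase" >&2; return 4; }
    printf '%s' "$body"
}

# Fetch the passphrase and hand it to cryptsetup on stdin, as the page's
# payload does with echo; it is not written to a file.
unlock_usb() {
    local pass
    pass="$(fetch_passphrase "$KEY_URL")" || return $?
    printf '%s\n' "$pass" | cryptsetup open "$CRYPT_DEV" "$CRYPT_NAME"
}

# Payload body. Guarded so it only runs where the Packet Squirrel payload
# commands exist (assumes NETMODE resolves as a command on the device).
if command -v NETMODE >/dev/null 2>&1; then
    NETMODE NAT
    LED B SINGLE
    if unlock_usb; then
        NO_LED=1 USB_WAIT   # wait for the unlocked USB to become available
        LED G SOLID
    else
        LED R SOLID         # unlock failed: stop here without storage
    fi
fi
```

If the fetch or the unlock fails, the payload stops with a red LED instead of carrying on with no encrypted storage mounted.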
