USB Encryption
The Packet Squirrel supports optional encryption of USB storage devices for increased security.
The Packet Squirrel uses the Linux full-disk encryption system (LUKS); USB devices encrypted on the Packet Squirrel will typically only be readable on another Linux system (a Linux VM may be sufficient).
Preparing the drive
This should only be done once - this will permanently erase the contents of the USB drive you target!
These preparatory commands can be run either in a shell on the Packet Squirrel directly (via the web UI shell or via ssh) or on a Linux computer or Linux VM with USB passthrough.
Remember - only perform these setup instructions once per disk! Read on for how to script a payload which automatically mounts the disk!
Unmount the USB drive
If the USB drive has an existing formatted partition, it will be automatically mounted. To configure encryption, we need to first unmount this drive.
root@squirrel:~# umount /usb
Prepare the partition for encryption
We’ll assume the USB drive has one primary partition, the first one. If necessary you may need to repartition the USB drive using fdisk or a partition tool on a Linux computer.
root@squirrel:~# cryptsetup luksFormat /dev/sda1 --type=luks1
This will add the encryption metadata to the partition. You will need to confirm that this will erase the device, and you will need to set a password. DO NOT FORGET THIS PASSWORD as your data will be unrecoverable without it!
For example:
root@squirrel:~# cryptsetup luksFormat /dev/sda1 --type=luks1
WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sda1: Demodemo
Verify passphrase: Demodemo
Activate the partition
This opens the encrypted partition and creates the virtual encrypted disk.
root@squirrel:~# cryptsetup open /dev/sda1 dm-0
You will be prompted to enter the password you created above. For example:
root@squirrel:~# cryptsetup open /dev/sda1 dm-0
Enter passphrase for /dev/sda1: Demodemo
Format the virtual encrypted disk
Finally, we need to create a filesystem on the encrypted disk. We suggest using ext4: it is a fast, Linux-native filesystem. As there is no way to read the encrypted disk without a Linux system, using a Linux filesystem does not make it any more difficult.
root@squirrel:~# mkfs.ext4 /dev/dm-0
For example:
root@squirrel:~# mkfs.ext4 /dev/dm-0
Creating filesystem with 15141648 4k blocks and 3785488 inodes
Filesystem UUID: 9899cd3c-6964-4e97-b6b1-dfb50d23f8b0
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424
Allocating group tables: done
Writing inode tables: done
Creating journal (65536 blocks): done
Writing superblocks and filesystem accounting information: done
Close the encrypted disk
This step is optional, but it returns the encrypted disk to the closed state, so that a payload can then open and mount it as expected.
root@squirrel:~# cryptsetup close /dev/dm-0
Enabling encrypted storage from a payload
To enable automatic mounting of encrypted storage in a payload, you’ll need to add the cryptsetup commands to your payload script.
In the demonstration payloads, this requires you to place the encryption password in your payload script. For more complex payloads, you may be able to implement other mechanisms for retrieving the password, such as fetching it from an HTTPS server on boot.
Even with the password stored in the internal Packet Squirrel flash, the USB storage is still encrypted at rest, and the password can be erased via a factory reset or the SELFDESTRUCT payload command.
Example encrypted payload
This example payload unlocks the encrypted USB partition, waits for it to become available, and changes the LED:
#!/bin/bash
#
# Description: Wait for an encrypted USB device to become available
NETMODE NAT
LED B SINGLE
# Use the password we set before and open /dev/sda1
echo "Demodemo" | cryptsetup open /dev/sda1 dm-0
# Wait for USB to become available
NO_LED=1 USB_WAIT
# The encrypted USB device is now mounted
LED G SOLID
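A variant of the payload above, added here as an example and not Hak5's own code: it reads the passphrase from a root-only key file on the internal flash instead of the script itself, polls for the USB device with a bounded timeout rather than assuming it is present, and signals an unlock failure on the LED. The key file path /root/usb.key, the USB_TIMEOUT variable and the command -v guard are assumptions, not Packet Squirrel defaults.

```bash
#!/bin/bash
#
# Description: Unlock the LUKS USB partition without a hard-coded passphrase,
# with a bounded wait for the device and an error LED on failure.

# Assumed path on the internal flash (not a Packet Squirrel default): a
# root-only file holding the passphrase, e.g. created once with
#   printf 'Demodemo\n' > /root/usb.key && chmod 600 /root/usb.key
PASS_FILE="${PASS_FILE:-/root/usb.key}"
USB_TIMEOUT="${USB_TIMEOUT:-30}"   # seconds to wait for the block device

# unlock_usb DEVICE MAPPER
# Returns 0 when /dev/mapper/MAPPER is open, 1 on timeout or a failed unlock.
unlock_usb() {
    local dev="$1" name="$2" waited=0
    # Already open (payload re-run): nothing to do.
    if [ -e "/dev/mapper/$name" ]; then
        return 0
    fi
    # USB enumeration can lag boot; poll instead of assuming the node exists.
    while [ ! -e "$dev" ]; do
        if [ "$waited" -ge "$USB_TIMEOUT" ]; then
            return 1
        fi
        waited=$((waited + 1))
        sleep 1
    done
    # Same stdin mechanism as `echo ... | cryptsetup open`, but the passphrase
    # comes from the key file, so it appears neither in the script nor in
    # `ps` output.
    cryptsetup open "$dev" "$name" < "$PASS_FILE" || return 1
}

# Payload steps, only run where the Packet Squirrel commands exist.
if command -v USB_WAIT >/dev/null 2>&1; then
    NETMODE NAT
    LED B SINGLE
    if unlock_usb /dev/sda1 dm-0; then
        NO_LED=1 USB_WAIT
        LED G SOLID          # the encrypted USB device is now mounted
    else
        LED R SOLID          # unlock failed: wrong passphrase or no device
        exit 1
    fi
fi
```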