mirror of https://codeberg.org/shufflecake/shufflecake-c.git synced 2026-01-06 19:15:38 -05:00

Full C implementation of Shufflecake. Shufflecake is a plausible deniability (hidden storage) layer for Linux. https://www.shufflecake.net/

Find a file

Tommaso Gagliardoni e630144de7 doc:Edited README.md		2023-07-13 14:22:00 +02:00
dm-sflc	refactor(release):Prepare v0.3.0	2023-07-11 00:12:10 +02:00
resources/images/badges	doc:Edited README.md	2023-07-13 14:22:00 +02:00
shufflecake-userland	doc:Edited comment in crypto.h	2023-07-13 14:15:22 +02:00
.gitignore	Fix:ignore Eclipse project files in top-level	2023-07-09 18:39:42 +02:00
AUTHORS	refactor:Unified Makefiles	2023-06-06 11:50:19 +02:00
CHANGELOG.md	refactor:Change License to GPLv2+	2023-07-11 00:25:20 +02:00
COPYING	Add basic files for license, copyright, etc	2022-12-02 00:59:24 +01:00
COPYRIGHT	refactor:Unified Makefiles	2023-06-06 11:50:19 +02:00
LICENSE	Initial commit	2022-12-01 23:49:53 +00:00
Makefile	fix:Fix make clean	2023-07-10 00:48:32 +02:00
README.md	doc:Edited README.md	2023-07-13 14:22:00 +02:00
SECURITY.md	refactor(release): Create release v0.1.0	2023-04-17 23:57:57 +02:00

README.md

Shufflecake - Full C Implementation

Shufflecake is a plausible deniability (hidden storage) layer for Linux. You can consider Shufflecake a spiritual successor of tools like TrueCrypt and VeraCrypt, but vastly improved, both in terms of security and functionality. Official website: https://www.shufflecake.net.

This repository contains the kernel module and userland tool used to correctly manage the creation, opening, and closing of Shufflecake volumes.

WARNING: Shufflecake is still experimental software, please do not rely on its security or stability.

Overview
Installation
- Tests
Usage
Changelog
Bugs
Maintainers
Copyright

Overview

In the context of Shufflecake, a device, or cake, is the underlying raw block device (e.g., a disk) that is formatted to contain hidden data, while a volume, or layer, is the logical, encrypted and hidden "partition" within a device. The device can be a whole USB stick (or disk), a partition, a file-backed loop device, etc. (you likely find it under /dev).

The two operating principles of Shufflecake are:

1 device = multiple volumes
1 volume = 1 password = 1 "secrecy level"

Volumes are password-protected, and embedded in the underlying device as data slices which are indistinguishable from random noise without the proper password. Headers are also indistinguishable from random when not decrypted.

Up to 15 ordered Shufflecake volumes can be created on a single device, with the implicit assumption that "lower-order" volumes (e.g. layer 0) are less secret than "higher-order" ones (e.g. layer 3). The Shufflecake header is designed in such a way that it chains volumes in a backwards-linked list: volume i "points to" (contains the key of) volume i-1. This way, providing the key of volume M allows this tool to traverse the list and also automatically open volumes 0 through M-1 (besides volume M).

Opened volumes appear as block devices of the form sflc_N_M in /dev/mapper. It is up to the user to format them with an appropriate filesystem and mounting them before use. It is recommended to always unlock the most sensitive volume for daily use ("home alone" scenario), even if that volume is not being used or even mounted. Only open a subset of volumes (with a "decoy password") if under coercion. This is due to the high possibility of corrupting hidden volumes otherwise.

For security and consistency reasons, you cannot init/open/close nested volumes within the same device one at a time; the tool only allows to perform these operations on all the volumes in a device at the same time.

Installation

This implementation of Shufflecake consists of two components: a module for the Linux kernel (dm-sflc), and a shufflecake userland tool. Both are necessary in order to use Shufflecake. They have been tested on the 6.1 Linux kernel. The following instructions are given for Debian/Ubuntu and similar derivatives.

First of all, you need the kernel headers, device-mapper userspace library, and libgcrypt to compile the source. Use:

sudo apt install linux-headers-$(uname -r) libdevmapper-dev libgcrypt-dev

Important: you have to make sure to install an up-to-date version of libgcrypt that supports the Argon2id KDF algorithm. You need the 1.10.1 or later version, which might not be available in your local repositories (for example, Ubuntu 22.04 LTS), in which case you should find a workaround (either install manually or override your repositories by pinning an up-to-date package). You can check your current version with:

libgcrypt-config --version

After that, just run make. All the compilation artifacts will go in the respective subdirectories, and a copy of the kernel module dm_sflc.ko and the userland tool shufflecake will appear in the root directory. You can clean (delete) all these artifacts with make clean.

Tests

Limited tests are provided in the test directory: they currently only test the cryptography layer. Run make test to compile and run them.

Usage

The shufflecake tool requires that the dm-sflc kernel module is already loaded. Therefore, first of all you must load the kernel module with:

sudo insmod dm-sflc.ko

At this point you can run the shufflecake command as shufflecake <action> <block_device>.

When finished, you can remove the module with

sudo rmmod dm_sflc

You can only do this if no Shufflecake volume is open.

Initializing Device

sudo ./shufflecake init <block_device>

This command creates N volume headers on the given device, each sealed by the respective provided password, by properly formatting and encrypting the first N volume header slots. The number of desired volumes N and the related N passwords will be interactively asked at prompt. Alternatively, you can pass N by command line with:

sudo ./shufflecake --num-volumes=N init <block_device>

WARNING: If the device is not empty, you will lose all data stored therein. Also, you cannot add additional volumes after initialisation.

This command does not open the volumes (it does not create the virtual devices under /dev/mapper/), it only overwrites the device with randomness and formats the headers.

Opening Volumes

sudo ./shufflecake open <block_device>

A password will be required. If this is the password for volume M, then this command will open the first M volumes on the device. These will appear as virtual devices under /dev/mapper/, named sflc_<devID>_0 through sflc_<devID>_(M-1), where devID is a Shufflecake-unique numeric ID assigned by the kernel module (dm_sflc) to the block device.

Notice that this command does not mount the volumes, you have to do it manually. Also notice that at the beginning these volumes will be unformatted; in order to use them to store files, you must first format them with an appropriate filesystem.

Closing Volumes

sudo ./shufflecake close <block_device>

Closes all the volumes currently open on a device, removing them from /dev/mapper/.

The command only asks for the block device name, i.e., it will close all volumes provided by that device at once, by first forcing a write on disk of any pending changes. However, in order to avoid any risk of data loss, it is always advisable to first umount any mounted open volume.

Changelog

Please see the file CHANGELOG.md for a detailed history of changes.

[v0.3.0] - 2023-07-11

License changed from GPLv3+ to GPLv2+.
Unified code repository from dm-sflc and shufflecake-userland into a single shufflecake-c complete codebase.
CLI is now built with argp.h using correct GNU standards. In particular, most interaction from the action commands has been removed or made optional.
Using SemVer starting at release v0.3.0.
Switched from Scrypt to Argon2id as a KDF.
One global salt for deriving keys for all headers in order to not slow down too much opening. This allows us to avoid a difficult choice between insecurity against brute-force attacks and unacceptably slow opening time.
Added a 1-block offset to accommodate for header format change.
Test routines available with make test, for now limited to low-level crypto operations.

[v0.2.0] - 2023-04-17

This is a major rewrite of Shufflecake, with heavy internal refactoring, bug fixes, etc.

Bugs

Bugs and other issues are tracked at https://codeberg.org/shufflecake/shufflecake-c/issues, please report new bugs by submitting new issues there. Alternatively, you can send an email to bugs@shufflecake.net.

Outstanding known bugs:

Password is asked in clear rather than through a secure interface. This is undesired behaviour and it will be fixed in the future.
The random slice selection algorithm gets slower and slower as the disk gets filled up. This will change to the more efficient reference allocation algorithm.
There is no garbage collection currently implemented, so slices remain flagged as used even if the data therein is deleted. Work is in progress to fix this.

Maintainers

Elia Anzuoni <elianzuoniATgmail.com>

Tommaso "Tomgag" Gagliardoni <tommasoATgagliardoni.net>

Copyright

See the AUTHORS file at the top-level directory of this distribution and at https://www.shufflecake.net/permalinks/shufflecake-c/AUTHORS.

The program shufflecake-c is part of the Shufflecake Project. Shufflecake is a plausible deniability (hidden storage) layer for Linux. See https://www.shufflecake.net.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.