# mbr-decrypt-and-hide

***WARNING WARNING WARNING***

**This program messes around with raw partitions and the MBR. It can REALLY EASILY destroy data. This code is to be treated as sample code, not a working application. Error handling is weak, and the scripts may make a lot of dangerous assumptions. The author assumes NO liability for their usage.**

The imagined use case for this code is to temporarily conceal the existence of data on a block device. It encrypts the partition data into nonsensical random bytes, but also hides the fact that there was a partition there in the first place: the partition's table entry is removed from the MBR. The data and scripts required to restore the data partition are embedded in the encrypted blob itself.

It only works with MBR primary partitions, _not_ with extended partitions.

# hide

First, manually make a note of the partition start sector and the sector size. If these numbers are lost, the data cannot be recovered, because after hiding there is no partition entry left that points at the blob:

```
fdisk -l <device>

eg.

]$ sudo fdisk -l /dev/sda
Disk /dev/sda: 111.8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes   <==== sector size is here
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x6ca35cb5

Device     Boot    Start       End   Sectors  Size Id Type
/dev/sda1           2048  41945087  41943040   20G 83 Linux
/dev/sda2  *    41945088  41947135      2048    1M  4 FAT16 <32M
/dev/sda3       41947136  50335743   8388608    4G 82 Linux swap / Solaris
/dev/sda4       50335744 234441647 184105904 87.8G 83 Linux
                ^==== start sector is here
```

Then invoke the script:

```
w.sh <device> <partition number>

eg.

w.sh /dev/sda 4
```

The procedure will:

* dump and encrypt the partition
* dump the 16-byte partition table entry for that partition
* create an ext4 fs containing the two scripts, plus device/partition information, the data offset, the encryption password and the size of the data, and encrypt it
  - this fs is 1000 sectors long (1000 times the sector size); ccrypt prepends a 32-byte header when encrypting, so the encrypted fs blob is `<sector size> * 1000 + 32` bytes
* write this data to the start sector of the partition, immediately following each other:
  - the encrypted script/data fs
  - the partition table entry
  - the encrypted partition data itself
* shred and remove the dumped data and the password from disk, and optionally the scripts as well

Note that `shred` only overwrites reliably on devices and filesystems that write in place; on SSDs and journaling or copy-on-write filesystems the old blocks may survive (see shred(1)).

# reveal

The blob was written at the partition's original start sector, not at the start of the device, so `dd` has to skip to that position first:

```
dd if=<device> bs=1 skip=$((<start sector>*<sector size>)) count=$(((<sector size>*1000)+32)) | ccrypt -d -c > <fsfile>
mount <fsfile> <mntpnt>
cd <mntpnt>
sh r.sh
```

The procedure will:

* read the device, partition number, absolute data offset and encryption password from the stored data file
* calculate the data size from the LBA sector count field in the stored partition entry
* write the partition entry back into the partition table
* decrypt and dump the data to a temporary file
* write the data back to the original sector offset on the partition
* shred and delete the data file, and optionally copy the script files (back) to a desired location

# requirements

This code has been known to successfully run using:

- linux 4.15.13 (ARCH)
- bash 4.4.19
- coreutils 8.29 (dd, shred ...)
- util-linux 2.31.1 (fdisk, blockdev, hexdump)
- ccrypt 1.10
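# worked example: partition entry and blob offsets

The hide and reveal steps above depend on three things lining up: the partition entry (16 bytes at byte 446 + 16 * (n - 1) of the MBR, with the little-endian LBA start at entry offset 8 and the sector count at entry offset 12), the start sector noted from `fdisk`, and the fixed layout of the blob (`sector size * 1000 + 32` bytes of encrypted fs, then the 16-byte entry, then the encrypted data). The script below is an added example and is not part of `w.sh` or `r.sh`: it reads those fields with `dd` and `od`, checks them against the numbers noted from `fdisk`, and computes the byte offsets of each piece of the blob. It runs against a constructed 512-byte MBR image carrying the `/dev/sda4` entry from the listing above, so it touches no real disk; pointing the same functions at a block device (as root) is the only change needed for a real check. The 1000-sector fs length and the 32-byte ccrypt header are taken from the README; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of w.sh / r.sh: parse an MBR primary partition
# entry and compute the offsets used by the hide/reveal steps.
set -u

SECTOR=512          # sector size, from "Units: sectors of 1 * 512" in fdisk -l
FS_SECTORS=1000     # the embedded script fs is 1000 sectors long (from the README)
CCRYPT_HDR=32       # ccrypt prepends a 32-byte header to the encrypted fs
ENTRY_LEN=16        # one MBR partition table entry
TABLE_OFF=446       # the partition table starts at byte 446 of the MBR

# Unsigned little-endian 32-bit integer at byte offset $2 of file/device $1.
# Bytes are decoded one at a time so the result does not depend on host endianness.
le32_at() {
    set -- $(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tu1)
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# Byte offset of primary partition entry $1 (1..4) inside the MBR.
entry_offset() { echo $(( TABLE_OFF + ENTRY_LEN * ($1 - 1) )); }

# LBA start (entry offset 8) and sector count (entry offset 12) of partition $2 of $1.
entry_start()   { le32_at "$1" $(( $(entry_offset "$2") + 8 )); }
entry_sectors() { le32_at "$1" $(( $(entry_offset "$2") + 12 )); }

# Offsets of the three pieces w.sh writes back to back at the partition's start sector ($1):
# encrypted fs blob, raw partition entry, encrypted partition data.
blob_offset()       { echo $(( $1 * SECTOR )); }
fs_blob_len()       { echo $(( SECTOR * FS_SECTORS + CCRYPT_HDR )); }
entry_copy_offset() { echo $(( $(blob_offset "$1") + $(fs_blob_len) )); }
data_offset()       { echo $(( $(entry_copy_offset "$1") + ENTRY_LEN )); }

# Check before hiding: the numbers noted from fdisk must match the table entry.
# $1 image/device, $2 partition number, $3 noted start sector, $4 noted sector count
check_against_fdisk() {
    [ "$(entry_start "$1" "$2")" -eq "$3" ] && [ "$(entry_sectors "$1" "$2")" -eq "$4" ]
}

# Constructed sample: a zeroed MBR whose 4th entry is the /dev/sda4 line from the
# fdisk listing above: type 0x83, LBA start 50335744 (0x03001000),
# 184105904 sectors (0x0AF93BB0), plus the 0x55AA boot signature.
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    # boot flag | CHS start (3) | type | CHS end (3) | LBA start (LE) | sector count (LE)
    printf '\000\000\000\000\203\000\000\000\000\020\000\003\260\073\371\012' |
        dd of="$1" bs=1 seek="$(entry_offset 4)" conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

if [ "${1-}" = "demo" ]; then
    img=$(mktemp) && make_sample_mbr "$img"
    start=$(entry_start "$img" 4)
    echo "partition 4: start=$start sectors=$(entry_sectors "$img" 4)"
    check_against_fdisk "$img" 4 50335744 184105904 && echo "matches fdisk numbers"
    echo "fs blob at byte $(blob_offset "$start") (len $(fs_blob_len))"
    echo "entry copy at byte $(entry_copy_offset "$start"), data at byte $(data_offset "$start")"
    rm -f "$img"
fi
```

Run it with `sh example.sh demo`. `blob_offset` is the value to pass as `skip=` to the reveal `dd`, and `data_offset` is where the encrypted partition data begins; the partition's sector count, multiplied by the sector size, is the length r.sh decrypts from there.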