@jdoe1024
Forked from d4v3y0rk/howto.md
Last active March 8, 2023 18:55
Encryption with DM_CRYPT in WSL2

Encrypted Volumes in WSL2

Description

This is a quick guide on how to set up dm-crypt under WSL2 for working with encrypted volumes. I use an encrypted volume to store things like password recovery codes and second-factor backup codes. I recently switched over to using WSL2 and wanted to figure out how to enable this functionality there. This is the distilled howto for getting it to work.

Guide

The first thing you have to do is build a custom WSL2 kernel. Inside your already installed and running WSL2 (Ubuntu) installation:

  • Install some required packages.
$ sudo apt install build-essential flex bison libssl-dev libelf-dev libncurses5-dev git
  • Find out current kernel version
$ uname -r
5.4.72-microsoft-standard-WSL2+
  • Clone the same kernel version from the WSL2 kernel repository (replace "linux-msft-5.4.72" with the branch matching your kernel version)
$ git clone --depth=1 --branch=linux-msft-5.4.72 https://github.com/microsoft/WSL2-Linux-Kernel.git
$ cd WSL2-Linux-Kernel
  • Export the current (running) kernel configuration
$ cat /proc/config.gz | gunzip > .config
  • Enable dm-crypt
$ make menuconfig

  Device Drivers
  -> Multiple devices driver support (RAID and LVM)
    -> Device mapper support
      [*] Crypt target support

  [*] Cryptographic API
    (add some ciphers if needed)
  • Compile the kernel
$ make
$ sudo make modules_install
  • Copy the resulting kernel image out to your Windows Drive
$ cp ./arch/x86_64/boot/bzImage /mnt/c/Users/<your user name>/
  • Create a .wslconfig
$ vim /mnt/c/Users/<your user name>/.wslconfig

[wsl2]
   kernel=C:\\Users\\<your user name>\\bzImage
  • Exit WSL2 and restart it (in PowerShell); the next WSL session boots the custom kernel
PS C:\Users\<your user name>> wsl --shutdown
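
Before rebuilding, it is worth checking whether the running kernel already has dm-crypt (the author notes in the comments that WSL2 kernels from 5.4.91 onward ship with it). The following POSIX shell helper is an added example, not part of the gist: it reads the running configuration from /proc/config.gz, the same file the guide seeds .config from, and reports which of CONFIG_DM_CRYPT, CONFIG_CRYPTO_AES and CONFIG_CRYPTO_XTS are absent. That option list is my assumption based on cryptsetup's default aes-xts-plain64 cipher; extend it if you add other ciphers in menuconfig. The function names and the sample config fragment are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the gist): report whether a kernel .config has
# dm-crypt and the primitives cryptsetup's default aes-xts-plain64 needs.
# Each option may be built in (=y) or a module (=m); dm_crypt is loaded on
# demand by cryptsetup either way.
DM_CRYPT_OPTS="CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS"

# dm_crypt_config_ok CONFIG_FILE
# Prints "ok" and returns 0, or prints "missing: <options>" and returns 1.
dm_crypt_config_ok() {
    cfg="$1"
    missing=""
    for opt in $DM_CRYPT_OPTS; do
        # a disabled option appears as "# CONFIG_X is not set", so match
        # only the two enabled forms
        if ! grep -Eq "^${opt}=(y|m)\$" "$cfg"; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
    return 0
}

# running_kernel_config_ok
# Same check against the running kernel: WSL2 exposes /proc/config.gz
# (the guide seeds .config from it); ordinary distros keep a copy in /boot.
running_kernel_config_ok() {
    tmp=$(mktemp)
    if [ -r /proc/config.gz ]; then
        gunzip -c /proc/config.gz > "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$tmp"
    else
        rm -f "$tmp"
        echo "no kernel config found for $(uname -r)" >&2
        return 2
    fi
    if dm_crypt_config_ok "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}

# Demonstration on a constructed config fragment (not a real WSL2 config):
# dm-crypt is disabled and XTS is absent, so both are reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# CONFIG_DM_CRYPT is not set
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SHA256=y
EOF
if dm_crypt_config_ok "$sample"; then
    echo "no rebuild needed"
else
    echo "rebuild the kernel with the options above enabled"
fi
rm -f "$sample"
```

Run `running_kernel_config_ok` inside WSL2; if it prints "ok" you can skip straight to the "Using the New Feature" section, otherwise the printed list is exactly what to enable in menuconfig.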

Using the New Feature

Now you should be able to create, open and close encrypted disks.

  • Create an encrypted disk image file
$ fallocate -l 1024M mysecrets.img
$ sudo cryptsetup -y luksFormat mysecrets.img
  • Open the newly created disk image
$ sudo cryptsetup open mysecrets.img mysecrets
  • Give the new disk a filesystem (you only have to do this once)
$ sudo mkfs.ext4 /dev/mapper/mysecrets
  • Mount the new disk image
$ mkdir -p ~/mysecrets
$ sudo mount -t ext4 /dev/mapper/mysecrets ~/mysecrets
  • When you are done using the encrypted disk
$ sudo umount ~/mysecrets
$ sudo cryptsetup close mysecrets

When you want to use it again just open and mount it again.
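
The create, open, mount, unmount and close steps above collected into one POSIX shell script, as an added example that is not part of the gist (the function names, the DRY_RUN switch and the existing-image guard are mine). The one-time setup keeps the gist's order of luksFormat, open, mkfs.ext4 and close, and the per-session functions make sure the filesystem is unmounted before the mapping is closed.

```shell
#!/bin/sh
# Added example (not from the gist): the one-time setup and the per-session
# open/close halves of the workflow above as functions, so the steps always
# run in the right order. DRY_RUN=1 prints each command instead of running it.

# run CMD... : execute, or just print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vol_create IMAGE NAME [SIZE] : allocate the image file, LUKS-format it,
# put an ext4 filesystem on it and close it again (done once per volume).
# Refuses an existing path: luksFormat would otherwise overwrite the header
# of a volume you already use, and with it the only copy of its key material.
vol_create() {
    img="$1"; name="$2"; size="${3:-1024M}"
    if [ -e "$img" ]; then
        echo "refusing to format existing image: $img" >&2
        return 1
    fi
    run fallocate -l "$size" "$img" &&
        run sudo cryptsetup -y luksFormat "$img" &&
        run sudo cryptsetup open "$img" "$name" &&
        run sudo mkfs.ext4 "/dev/mapper/$name" &&
        run sudo cryptsetup close "$name"
}

# vol_open IMAGE NAME MOUNTPOINT : map the image under /dev/mapper/NAME
# and mount it. cryptsetup prompts for the passphrase itself.
vol_open() {
    img="$1"; name="$2"; mnt="$3"
    run sudo cryptsetup open "$img" "$name" &&
        run mkdir -p "$mnt" &&
        run sudo mount -t ext4 "/dev/mapper/$name" "$mnt"
}

# vol_close NAME MOUNTPOINT : unmount first, then drop the mapping.
# Closing while still mounted fails because the device is in use, and
# unmounting flushes pending writes before the key leaves the kernel.
vol_close() {
    name="$1"; mnt="$2"
    run sudo umount "$mnt" &&
        run sudo cryptsetup close "$name"
}

# Usage with the gist's names (constructed paths). Once:
#   vol_create ~/mysecrets.img mysecrets 1024M
# Each session:
#   vol_open ~/mysecrets.img mysecrets ~/mysecrets
#   ... work in ~/mysecrets ...
#   vol_close mysecrets ~/mysecrets
```

With `DRY_RUN=1 vol_open ~/mysecrets.img mysecrets ~/mysecrets` you can review the exact commands before running them for real.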

@BookGin

BookGin commented May 20, 2021

Thanks for the useful gist. I can confirm that this works for me.

To access a physical disk in Windows, see this document.

In a nutshell:

wmic diskdrive list brief
wsl --mount \\.\PHYSICALDRIVE1 --bare # depends on your path
wsl # in bash now

lsblk
sudo cryptsetup open /dev/sdc1 foo
mkdir /tmp/bar
sudo mount /dev/mapper/foo /tmp/bar

@jdoe1024
Author

Note that dm-crypt is enabled in WSL2 kernels since 5.4.91 (and the 5.10 branch), so recompiling the kernel will not be needed anymore in the near future.

@gthieleb

@jdoe1024 Thanks for the update. Works out of the box without compiling the kernel.

Btw. (if someone will still have the need to compile the kernel) they changed naming of their branches.
You need to append -wsl so a branch name now becomes: linux-msft-wsl-5.10.16.3

@anodynos

anodynos commented Mar 8, 2023

@jdoe1024 @gthieleb is it working for you without kernel compilation AND without the -m=nokernelcrypto flag?

In my case, without having done the recompilation yet:

╰─$  uname -r
5.15.90.1-microsoft-standard-WSL2

when I don't use the -m=nokernelcrypto flag, I get this error:

Error: device-mapper: create ioctl on veracrypt1  failed: Device or resource busy

With the flag it works, but it's not using the CPU and it is (rough estimate) 3-4 times slower, plus it's eating up a lot of CPU for I/O.

I'm not sure if my kernel is properly crypto enabled - if I issue

─$ cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1       553046 iterations per second for 256-bit key
PBKDF2-sha256     712347 iterations per second for 256-bit key
PBKDF2-sha512     571119 iterations per second for 256-bit key
PBKDF2-ripemd160  278284 iterations per second for 256-bit key
PBKDF2-whirlpool  270809 iterations per second for 256-bit key
argon2i       4 iterations, 831175 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id      4 iterations, 874395 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b        99.6 MiB/s       111.6 MiB/s
    serpent-cbc        128b               N/A               N/A
    twofish-cbc        128b               N/A               N/A
        aes-cbc        256b        83.9 MiB/s        91.6 MiB/s
    serpent-cbc        256b               N/A               N/A
    twofish-cbc        256b               N/A               N/A
        aes-xts        256b       108.4 MiB/s       111.4 MiB/s
    serpent-xts        256b               N/A               N/A
    twofish-xts        256b               N/A               N/A
        aes-xts        512b        92.2 MiB/s        93.8 MiB/s
    serpent-xts        512b               N/A               N/A
    twofish-xts        512b               N/A               N/A

which seems very slow compared to my VC on Windows (or native linux):
[image omitted]

Also, I see this comment on the original gist and I think I have to recompile the kernel after all.

Could you please shed some light? It would really help me!

@anodynos

anodynos commented Mar 8, 2023

Update: I recompiled the kernel, but VeraCrypt still fails without the -m=nokernelcrypto flag:

╰─$ veracrypt -t -k "" --pim=0 --protect-hidden=no /mnt/e/projects.vc /mnt/projects
Enter password for /mnt/e/projects.vc:
Error: device-mapper: create ioctl on veracrypt1  failed: Device or resource busy
Command failed.

Copying a large file, from Windows Host, into WSL via \$wsl.localhost\ubuntu22.04\mnt\projects which is the mounted VC, was ridiculously slow!

The writing speed fell to 20, 10, 5 and even to 2Mb/Sec as the copy was progressing! My PC has a really fast Samsung M2 SSD and a CPU that can sustain speeds of 300Mb/Sec writing into windows native VeraCrypt mounts (AES).

Also, the CPU of the host PC jumps to 30-40 and the VM VeraCrypt takes a whopping 50% of the CPU. What's even worse, the CPU was kept to 40-50% MINUTES after the copy from Windows had supposedly finished. If I didn't know and had wsl --terminate, I would have definitely lost data!

I suspect that without the hardware acceleration in the Kernel, it falls back to Software Encryption/Decryption which renders it almost unusable.

I haven't tried the cryptsetup part (I will), but it is VeraCrypt that I need...
