@jdoe1024
Forked from d4v3y0rk/howto.md
Last active March 8, 2023 18:55
Encryption with DM_CRYPT in WSL2

Encrypted Volumes in WSL2

Description

This is a quick guide on how to set up dm_crypt under WSL2 for working with encrypted volumes. I use an encrypted volume to store things like password recovery codes, second-factor backup codes, and so on. I recently switched to WSL2 and wanted to figure out how to enable this functionality there. This is the distilled how-to for getting it to work.

Guide

The first thing you have to do is build a custom WSL2 kernel. Inside your already installed and running WSL2 (Ubuntu) installation:

  • Install the required packages.
$ sudo apt install build-essential flex bison libssl-dev libelf-dev libncurses5-dev git
  • Find out the current kernel version.
$ uname -r
5.4.72-microsoft-standard-WSL2+
  • Clone the same kernel version from the WSL2 kernel repository (replace "linux-msft-5.4.72" with the branch matching your kernel version).
$ git clone --depth=1 --branch=linux-msft-5.4.72 https://github.com/microsoft/WSL2-Linux-Kernel.git
$ cd WSL2-Linux-Kernel
  • Export the current (running) kernel configuration
$ cat /proc/config.gz | gunzip > .config
  • Enable dm-crypt
$ make menuconfig

  Device Drivers
  -> Multiple devices driver support (RAID and LVM)
    -> Device mapper support
      [*] Crypt target support

  [*] Cryptographic API
    (add some ciphers if needed)
  • Compile the kernel
$ make
$ sudo make modules_install
  • Copy the resulting kernel image to your Windows drive.
$ cp ./arch/x86_64/boot/bzImage /mnt/c/Users/<your user name>
  • Create a .wslconfig
$ vim /mnt/c/Users/<your user name>/.wslconfig

[wsl2]
kernel=C:\\Users\\<your user name>\\bzImage
  • Exit and restart WSL2 (in PowerShell).
PS C:\Users\<your user name>> wsl --shutdown
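The steps above can be scripted. The following is an added example, not code from the gist, that wraps the whole build: it derives the branch name from `uname -r`, checks the running kernel's config first so you do not rebuild a kernel that already has the crypt target, sets the two options non-interactively with the kernel tree's own `scripts/config` helper instead of `menuconfig`, verifies the option survived dependency resolution, and writes the `.wslconfig` only if none exists yet. The `linux-msft-` branch prefix matches the 5.4-series naming used in the gist; later kernel releases use a different prefix in that repository, so the prefix is a parameter and you should confirm it with `git ls-remote --heads` before cloning. `WINUSER` is an assumed environment variable naming your Windows profile.

```shell
#!/bin/sh
# Added example (not part of the gist): automate the custom-kernel build for dm-crypt.

# Derive the WSL2-Linux-Kernel branch from a running kernel version string:
# "5.4.72-microsoft-standard-WSL2+" -> "linux-msft-5.4.72".
# The prefix is an assumption matching the gist's 5.4-era branch names;
# pass another prefix as the second argument if your release is named differently.
wsl_kernel_branch() {
    version="$1"
    prefix="${2:-linux-msft-}"
    printf '%s%s\n' "$prefix" "${version%%-*}"
}

# Return 0 when a kernel .config has the crypt target built in (=y) or as a module (=m).
# Run it against /proc/config.gz before cloning, and against the tree's .config after
# olddefconfig to confirm the option was not dropped by an unmet dependency.
config_has_dm_crypt() {
    grep -q '^CONFIG_DM_CRYPT=[ym]$' "$1"
}

# Emit the .wslconfig body pointing WSL2 at a bzImage in the given Windows profile.
# The ini value needs doubled backslashes, exactly as in the gist.
wslconfig_body() {
    printf '[wsl2]\nkernel=C:\\\\Users\\\\%s\\\\bzImage\n' "$1"
}

# Non-interactive equivalent of the gist's procedure. Run inside WSL2 as:
#   WINUSER=<your Windows user name> sh thisfile.sh build
build_dm_crypt_kernel() {
    winuser="${WINUSER:?set WINUSER to your Windows user name}"
    running="$(uname -r)"
    branch="$(wsl_kernel_branch "$running")"

    gunzip -c /proc/config.gz > /tmp/running.config
    if config_has_dm_crypt /tmp/running.config; then
        echo "running kernel $running already has CONFIG_DM_CRYPT; nothing to build"
        return 0
    fi

    sudo apt install -y build-essential flex bison libssl-dev libelf-dev libncurses5-dev git
    git clone --depth=1 --branch="$branch" https://github.com/microsoft/WSL2-Linux-Kernel.git
    cd WSL2-Linux-Kernel || return 1
    cp /tmp/running.config .config

    # Same options the gist ticks in menuconfig (device mapper + crypt target).
    scripts/config --enable CONFIG_BLK_DEV_DM
    scripts/config --enable CONFIG_DM_CRYPT
    make olddefconfig
    config_has_dm_crypt .config || {
        echo "CONFIG_DM_CRYPT was dropped; enable its dependencies under Cryptographic API" >&2
        return 1
    }

    make -j"$(nproc)"
    sudo make modules_install
    cp arch/x86_64/boot/bzImage "/mnt/c/Users/$winuser/bzImage"

    cfg="/mnt/c/Users/$winuser/.wslconfig"
    if [ -e "$cfg" ]; then
        echo "$cfg already exists; add these lines to it:" ; wslconfig_body "$winuser"
    else
        wslconfig_body "$winuser" > "$cfg"
    fi
    echo "now run 'wsl --shutdown' from PowerShell and start WSL2 again"
}

case "${1:-}" in
    build) build_dm_crypt_kernel ;;
esac
```

Because the build is a plain `make` from an exported config, the only things that change in the resulting kernel are the two options set above, which keeps the custom image as close as possible to the Microsoft-shipped one.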

Using the New Feature

Now you should be able to create, open, and close encrypted disks.

  • Create an encrypted disk image file
$ fallocate -l 1024M mysecrets.img
$ sudo cryptsetup -y luksFormat mysecrets.img
  • Open the newly created disk image
$ sudo cryptsetup open mysecrets.img mysecrets
  • Give the new disk a filesystem (you only have to do this once)
$ sudo mkfs.ext4 /dev/mapper/mysecrets
  • Mount the new disk image
$ mkdir -p ~/mysecrets
$ sudo mount -t ext4 /dev/mapper/mysecrets ~/mysecrets
  • When you are done using the encrypted disk
$ sudo umount ~/mysecrets
$ sudo cryptsetup close mysecrets

When you want to use it again just open and mount it again.
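Both `luksFormat` and `mkfs.ext4` are one-time steps that wipe whatever is in the container, so a wrapper around the commands above is safer than retyping them. The following is an added example, not the gist's code: it refuses to format a file that already carries the 6-byte LUKS magic (`LUKS\xba\xbe`, shared by LUKS1 and LUKS2 headers), confirms the running kernel actually exposes the crypt target before trying to open anything, makes open and close idempotent so a second `open` does not fail on an already-mapped device, and syncs before unmounting so a following `wsl --shutdown` cannot discard buffered writes. File and mapping names follow the gist; the `IMG`, `NAME`, `MNT` and `SIZE` variables and the `dmsetup targets` check are assumptions.

```shell
#!/bin/sh
# Added example (not part of the gist): guarded create/open/close for a LUKS image in WSL2.
set -u

IMG="${IMG:-${HOME:-.}/mysecrets.img}"   # LUKS container file
NAME="${NAME:-mysecrets}"                # device-mapper name -> /dev/mapper/mysecrets
MNT="${MNT:-${HOME:-.}/mysecrets}"       # mount point
SIZE="${SIZE:-1024M}"                    # size passed to fallocate

# A LUKS container starts with the magic bytes "LUKS\xba\xbe" (LUKS1 and LUKS2 alike).
# Reading them directly lets the script refuse to luksFormat an existing container,
# which would destroy its data and key slots. Returns 0 when the magic is present.
is_luks_image() {
    magic="$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')"
    [ "$magic" = "4c554b53babe" ]
}

# The custom kernel built above is what provides the dm-crypt target; check for it
# before cryptsetup fails with a less helpful error. (dmsetup ships with cryptsetup.)
have_dm_crypt() {
    grep -q 'device-mapper' /proc/devices && sudo dmsetup targets | grep -q '^crypt '
}

is_open()    { [ -e "/dev/mapper/$NAME" ]; }
is_mounted() { mountpoint -q "$MNT"; }

secrets_create() {
    if [ -e "$IMG" ]; then
        if is_luks_image "$IMG"; then
            echo "$IMG is already a LUKS container; refusing to format it" >&2
        else
            echo "$IMG exists but is not a LUKS container; move it aside first" >&2
        fi
        return 1
    fi
    fallocate -l "$SIZE" "$IMG"
    sudo cryptsetup -y luksFormat "$IMG"
    sudo cryptsetup open "$IMG" "$NAME"
    sudo mkfs.ext4 "/dev/mapper/$NAME"   # only here, on the freshly formatted container
    sudo cryptsetup close "$NAME"
}

secrets_open() {
    have_dm_crypt || { echo "kernel exposes no dm-crypt target; build the custom kernel first" >&2; return 1; }
    is_luks_image "$IMG" || { echo "$IMG is not a LUKS container" >&2; return 1; }
    is_open || sudo cryptsetup open "$IMG" "$NAME"
    mkdir -p "$MNT"
    is_mounted || sudo mount -t ext4 "/dev/mapper/$NAME" "$MNT"
}

secrets_close() {
    sync                                  # flush before unmapping; cheap insurance
    ! is_mounted || sudo umount "$MNT"
    ! is_open    || sudo cryptsetup close "$NAME"
}

case "${1:-}" in
    create) secrets_create ;;
    open)   secrets_open ;;
    close)  secrets_close ;;
esac
```

Usage: `sh secrets.sh create` once, then `sh secrets.sh open` and `sh secrets.sh close` around each session. Because `close` checks the mount and the mapping independently, it also cleans up correctly after a half-finished `open`.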

anodynos commented Mar 8, 2023

Update: I recompiled the kernel, but VeraCrypt still fails without the -m=nokernelcrypto flag:

╰─$ veracrypt -t -k "" --pim=0 --protect-hidden=no /mnt/e/projects.vc /mnt/projects
Enter password for /mnt/e/projects.vc:
Error: device-mapper: create ioctl on veracrypt1  failed: Device or resource busy
Command failed.

Copying a large file from the Windows host into WSL via \\wsl.localhost\ubuntu22.04\mnt\projects, which is the mounted VC, was ridiculously slow!

The write speed fell to 20, 10, 5 and even 2 Mb/sec as the copy progressed..! My PC has a really fast Samsung M.2 SSD and a CPU that can sustain 300 Mb/sec writing into Windows-native VeraCrypt mounts (AES).

Also, the CPU of the host PC jumps to 30-40 and the VM VeraCrypt takes a whopping 50% of the CPU. What's even worse, the CPU was kept at 40-50% for MINUTES after the copy from Windows had supposedly finished. If I hadn't known and had run wsl --terminate, I would have definitely lost data!

I suspect that without the hardware acceleration in the Kernel, it falls back to Software Encryption/Decryption which renders it almost unusable.

I haven't tried the cryptsetup part (I will), but it is VeraCrypt that I need...
