@d4v3y0rk
Created March 14, 2020 13:04
Encryption with DM_CRYPT in WSL2

Encrypted Volumes in WSL2

Description

This is a quick guide on how to set up dm_crypt under WSL2 for working with encrypted volumes. I use an encrypted volume to store things like password recovery codes and second-factor backup codes. I recently switched over to using WSL2 and wanted to figure out how to enable this functionality there. This is the distilled how-to for getting it to work.

Guide

The first thing you have to do is build a custom WSL2 kernel. Inside your already installed and running WSL2 (Ubuntu) installation:

  • Install some required packages.
$ sudo apt install build-essential flex bison libssl-dev libelf-dev libncurses5-dev git
  • Clone the WSL2 kernel
$ git clone https://github.com/microsoft/WSL2-Linux-Kernel.git
$ cd WSL2-Linux-Kernel
  • Export the current (running) kernel configuration
$ cat /proc/config.gz | gunzip > .config
  • Edit the .config file, replacing
# CONFIG_DM_CRYPT is not set

with

CONFIG_DM_CRYPT=y
  • Compile the kernel
$ sudo make
$ sudo make modules_install
  • Copy the resulting kernel image out to your Windows Drive
$ cp ./arch/x86_64/boot/bzImage /mnt/c/Users/<your user name>
  • Create a .wslconfig
$ vim /mnt/c/Users/<your user name>/.wslconfig

[wsl2]
   kernel=C:\\Users\\<your user name>\\bzImage
   swap=0
   localhostForwarding=true
  • Exit and restart WSL2 (in PowerShell)
PS C:\Users\<your user name>> wsl --shutdown
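
A check to run once WSL2 is back up, as an added example that is not part of the original gist: it reads a kernel config (the running kernel's /proc/config.gz by default) and reports whether CONFIG_DM_CRYPT and the device-mapper core it depends on, CONFIG_BLK_DEV_DM, are enabled. The function names and the DMCRYPT_SYMBOLS list are chosen for this example.

```sh
#!/bin/sh
# Added example: check kernel config symbols in a plain .config or a
# gzip-compressed one such as /proc/config.gz.

# Print the config text, decompressing when the file is gzip data.
read_kconfig() {
    if gzip -t "$1" 2>/dev/null; then gunzip -c "$1"; else cat "$1"; fi
}

# kconfig_state FILE SYMBOL
# Prints y, m, n (an explicit "is not set" line) or absent (no such line).
kconfig_state() (
    line=$(read_kconfig "$1" | grep -E "^(# *)?$2(=| is not set)" | tail -n 1)
    case "$line" in
        "$2=y") echo y ;;
        "$2=m") echo m ;;
        "#"*" is not set") echo n ;;
        *) echo absent ;;
    esac
)

# missing_symbols FILE SYMBOL...
# Prints every symbol that is neither y nor m; returns 1 if there is one.
missing_symbols() (
    cfg=$1; shift; rc=0
    for sym in "$@"; do
        case "$(kconfig_state "$cfg" "$sym")" in
            y|m) ;;
            *) echo "$sym"; rc=1 ;;
        esac
    done
    return "$rc"
)

# dm-crypt plus the device-mapper core it depends on (list chosen for this example).
DMCRYPT_SYMBOLS="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT"

# Check the running kernel, or the .config passed as the first argument.
cfg=${1:-/proc/config.gz}
if [ -r "$cfg" ]; then
    # $DMCRYPT_SYMBOLS is left unquoted on purpose so it splits into words.
    if missing_symbols "$cfg" $DMCRYPT_SYMBOLS; then
        echo "dm-crypt is enabled in $cfg"
    else
        echo "the symbols listed above are not enabled in $cfg" >&2
    fi
fi
```

Run it against the edited .config before compiling to confirm the change was applied, and again with no argument after the restart to confirm WSL2 actually booted the custom kernel.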

Using the New Feature

Now you should be able to create, open, and close encrypted disks.

  • Create an encrypted disk image file
$ fallocate -l 1024M mysecrets.img
$ sudo cryptsetup -y luksFormat mysecrets.img
  • Open the newly created disk image
$ sudo cryptsetup open mysecrets.img mysecrets
  • Give the new disk a filesystem (you only have to do this once)
$ sudo mkfs.ext4 /dev/mapper/mysecrets
  • Mount the new disk image
$ mkdir -p ~/mysecrets
$ sudo mount -t ext4 /dev/mapper/mysecrets ~/mysecrets
  • When you are done using the encrypted disk
$ sudo umount ~/mysecrets
$ sudo cryptsetup close mysecrets

When you want to use it again, just open and mount it again.

@jdoe1024

Thanks for the howto, really useful! A few remarks though:

  • you should compile the same kernel version as the one installed, rather than whatever (old) version the master branch is using.
  • using the --depth=1 switch when cloning the repository should reduce download time (there is no need to download the full history).
  • better use make menuconfig than editing the config file manually, as you might miss some config dependencies.
  • there is no need to use sudo for the first call to make. Also, modules_install is probably useless as no modules are compiled with the default kernel config for WSL2.

I did these changes in this revision. Feel free to use them.

@koutheir

Unfortunately, this doesn't cover the use case of encrypted disks and partitions.

@Heimdall-sr

Hi, after I use make, after a long time I got the following error:

make[2]: *** No rule to make target 'net/netfilter/xt_HL.o', needed by 'net/netfilter/built-in.a'. Stop.
make[1]: *** [scripts/Makefile.build:497: net/netfilter] Error 2
make: *** [Makefile:1822: net] Error 2

Screenshot_make_error_wsl2_crypt

@d4v3y0rk
Author

Hi, after I use make, after a long time I got the following error:

make[2]: *** No rule to make target 'net/netfilter/xt_HL.o', needed by 'net/netfilter/built-in.a'. Stop.
make[1]: *** [scripts/Makefile.build:497: net/netfilter] Error 2
make: *** [Makefile:1822: net] Error 2

Screenshot_make_error_wsl2_crypt

I don’t think doing this is required anymore. I am pretty sure the config change was included in the kernel by default now. I had a PR opened into the kernel repo and it was commented on by a M$ person. They said the change would be incorporated into the default kernel.

@co60ca

co60ca commented Dec 19, 2021

I'm not an expert on WSL but this worked against my pretty old WSL setup. Just wanted to say thanks.

@Vinfall

Vinfall commented Sep 25, 2022

I don’t think doing this is required anymore. I am pretty sure the config change was included in the kernel by default now. I had a PR opened into the kernel repo and it was commented on by a M$ person. They said the change would be incorporated into the default kernel.

It's still relevant (for me and probably VeraCrypt users), as the config.wsl provided by M$ does not set some crypto-related stuff (twofish, serpent, sha3, etc.), and if the host system building the kernel does not have the crypto enabled (mostly no if building under WSL), some volumes won't get decrypted, as the algos are unsupported by the kernel.
