samx n00b
Joined: 02 Apr 2004 Posts: 12 Location: Germany
|
Posted: Tue Apr 20, 2004 12:09 pm Post subject: HOWTO: Encrypt a filesystem in a loopback file via dm_crypt |
|
|
HOWTO: Encrypt a filesystem in a loopback file via dm_crypt
Note: Thanks to the dm_crypt tutorial: https://forums.gentoo.org/viewtopic.php?t=143301 (sorry if I copy some things from there)
But it took me a while to figure out how to set up a loopback file (okay, I'm still a n00b), so I thought it would be a good idea to write this short tutorial.
The Goal:
Having an encrypted file system which is stored in one file
Introduction
I didn't like the idea of storing all my private files in my home directory, because you might forget to lock your screen, go away and somebody can take a quick look at them... Besides that, they are stored in the clear on the hard disk, so if someone has your hard drive, he has all your private files.
I stumbled over dm_crypt and yeah - that's it! I didn't like cryptoloop, because it seems that it will be replaced soon (http://kerneltrap.org/node/view/2433)
Also I didn't find it useful to encrypt my whole root filesystem - it's quite dangerous and 99% of my system is publicly available - so why encrypt it? If I have a small (say perhaps 200 MB) file, I can store all my private files and can back them up easily and safely (just burn the encrypted file and even the CIA won't recover your files without the passphrase)
Let's start
At first, you need at least a 2.6.4 kernel for device mapping and dm_crypt support. Make sure you have these options enabled:
Device Drivers->Multi-device support (RAID and LVM)->
Code: | [*] Multiple devices driver support (RAID and LVM)
<M> Device mapper support
<M> Crypt target support |
Device Drivers->Block-devices->
Code: | <M> Loopback device support |
Cryptographic options->
Code: | <M> AES cipher algorithms |
Of course you can use a different algorithm, but I chose aes because it's said to be quite safe. I recommend to compile these things as modules.
After that, you have to create a loopback file. (This will create a 100 MB file at the location /home/secret)
Code: | dd if=/dev/zero of=/home/secret bs=1M count=100 |
Set this up as a loop device:
Code: | losetup /dev/loop0 /home/secret |
Install cryptsetup
You'll need dev-libs/popt, sys-libs/device-mapper, >=dev-libs/libgcrypt-1.1.42 (you'll need an ACCEPT_KEYWORDS="~arch"!) to compile it
Set up the crypt-device:
Code: | modprobe dm_crypt
cryptsetup -c aes -y create secret /dev/loop0 |
(You might add dm_crypt and dm_mod to /etc/modules.autoload.d/kernel-2.6)
So... now your encrypted device is available at /dev/mapper/secret, so let's create a filesystem (I chose ext3):
Code: | mke2fs -j /dev/mapper/secret |
Mount it:
Code: | mount /dev/mapper/secret /mnt/secret |
You might add a line to your /etc/fstab:
Code: | #/etc/fstab
/dev/mapper/secret /mnt/secret ext3 noauto,noatime 0 0 |
That's it!
Now you can store your data there and after that just
Code: | umount /mnt/secret
cryptsetup remove secret |
If you don't call cryptsetup remove, everybody can remount it without typing the passphrase!
Next time, you'll only have to type:
Code: | losetup /dev/loop0 /home/secret
cryptsetup create secret /dev/loop0
mount /mnt/secret |
Remarks
You might encrypt your whole /home/user directory, but that has disadvantages: You'll have it mounted all the time when you sit in front of your computer, so if you leave it without locking it... then the best encryption is useless!
So I have a separate directory which I mount only when I need it, copy my files there and when I don't need it anymore, I unmount it.
For questions about dm_crypt, look at: http://www.saout.de/misc/dm-crypt/
Hope this tutorial is useful, if I'm wrong somewhere please correct me. |
|
icywolf n00b
Joined: 19 Jul 2003 Posts: 52
|
Posted: Tue Apr 20, 2004 8:38 pm Post subject: |
|
|
Thanks, I was searching for something like that for my USB key |
|
Redeeman l33t
Joined: 25 Sep 2003 Posts: 958 Location: Portugal
|
Posted: Tue Apr 20, 2004 8:44 pm Post subject: |
|
|
ehrm... well.. i thought you didn't need the losetup with dm-crypt, you can do all this without dm-crypt, and just mount /dev/loop0 directly |
|
samx n00b
Joined: 02 Apr 2004 Posts: 12 Location: Germany
|
Posted: Tue Apr 20, 2004 9:43 pm Post subject: |
|
|
Hm... I don't really know how you mean that (I'm a n00b happy about having an encrypted filesystem)
But if you want to do it without dm-crypt, then you mean using cryptoloop??? It was one goal to do it with dm-crypt because this seems to be the future of Linux encryption!
And before you can mount /dev/loop0, you must set up /dev/loop0 (because you can't mount the /home/secret file directly) and this is being done by losetup, isn't it?
I'm not familiar with cryptoloop, but I think the main difference in mounting an encrypted file is (of course the system internals are quite different!):
With cryptoloop you would type something like this:
Code: | losetup -e aes /dev/loop0 /home/secret
mount /dev/loop0 /mnt/secret |
With dm_crypt you have to type this:
Code: | losetup /dev/loop0 /home/secret
cryptsetup create secret /dev/loop0
mount /dev/mapper/secret /mnt/secret |
With dm_crypt, the /dev/loop0 device is the raw access to your file - it's quite useless, because it's the same as if you opened your file with an editor - only encrypted hex data. The de-/encryption is handled between /dev/loop0 and the device mapping (only a mapping!) /dev/mapper/secret.
Okay, if you do this with dm_crypt, you have one more line to type, but hopefully this will change with future versions of cryptsetup, which will handle this for you.
It's possible that future versions of mount will do all this for you, so that you only have to type one line, but right now, you have to type these three lines or write a script.
I hope this was right? |
|
nero n00b
Joined: 08 Aug 2002 Posts: 66
|
Posted: Wed Apr 21, 2004 1:56 am Post subject: |
|
|
I'd like to see a script for this that would monitor IO on that file and then automatically unmount it and destroy the loop device. I have a terrible history of forgetting to do things like this.
/me leaves to figure out how to monitor the file IO...
--sean |
|
nero n00b
Joined: 08 Aug 2002 Posts: 66
|
Posted: Thu Apr 22, 2004 12:50 am Post subject: |
|
|
I have given it a shot, but for some reason when a file is accessed through a loopback device, none of its stats are updated. You can create a file on the loopback partition, then ls -l the encrypted filesystem image, and the modification data will not have changed at all!!
So I guess an auto unmount feature is impossible without a kernel mod |
|
samx n00b
Joined: 02 Apr 2004 Posts: 12 Location: Germany
|
Posted: Thu Apr 22, 2004 11:09 am Post subject: |
|
|
I think this is not very elegant, but I think it could work (I haven't tried it yet):
You could write a cronjob, that tries to
Code: | umount /mnt/secret
cryptsetup remove secret |
every ten minutes. If it's not mounted, nothing will happen and if you have mounted it, but it's still busy, nothing will happen, too.
And when you don't need it anymore (if you haven't any open files), it will be unmounted in the next ten minutes.
The alternative would be to write a special daemon, but I think that's not worth it... |
|
nero n00b
Joined: 08 Aug 2002 Posts: 66
|
Posted: Fri Apr 23, 2004 12:42 am Post subject: |
|
|
You could, but that way you could not justify using forced unmount. Like if you were to have a shell or something that is currently in that directory. Without being able to tell if it is active or not, a forced unmount could result in the loss of critical data. |
|
S_aIN_t Guru
Joined: 11 May 2002 Posts: 488 Location: Ottawa
|
Posted: Fri Apr 23, 2004 7:33 am Post subject: |
|
|
Looks pretty interesting.. thanks.. i'll give it a shot. :)
_________________
"That which is overdesigned, too highly
specific, anticipates outcome; the anticipation of
outcome guarantees, if not failure, the
absence of grace."
- William Gibson, "All Tomorrow's Parties"
----
http://petro.tanreisoftware.com |
|
davidc n00b
Joined: 30 Nov 2003 Posts: 60
|
Posted: Wed May 12, 2004 11:22 pm Post subject: |
|
|
Thanks for this tutorial, it is very useful. However, if I make a reiserfs file using mkreiserfs it has 33M used even before I've written anything to it. Is there any specific reason for this? |
|
Nate_S Guru
Joined: 18 Mar 2004 Posts: 414
|
Posted: Thu May 13, 2004 4:54 am Post subject: |
|
|
reiserfs is a journaled filesystem. I'm guessing that the 33MB is the journal. If it's a very small filesystem, you might go with ext2, as journaling doesn't make as much sense (though can't hurt other than taking extra space) on smaller filesystems, as the whole thing can be checked fairly quickly anyways. I use it on /boot myself, and I'm thinking I'm going to put it on my usb stick as well. |
|
jkcunningham l33t
Joined: 28 Apr 2003 Posts: 649 Location: 47.49N 121.79W
|
Posted: Sun Jun 06, 2004 1:53 am Post subject: |
|
|
I followed the instructions in this thread and it works like a charm - so long as I'm root. How do you mount this encrypted filesystem as a user? I tried adding ",users" to the fstab options, and chown on both the /home/secret file, the /mnt/secret directory, and /dev/mapper/secret. When I try to mount it as a user, it says "only root can do that".
EDIT: I succeeded in mounting it as a user with the fstab line:
Code: | /dev/mapper/secret /mnt/private ext3 noauto,noatime,user 0 0 |
But when mounted, anyone else logged in can read it also. It seems like it should have the additional option ",usmask=077" but it won't mount when I try that.
It doesn't seem like a good idea to have your secret encrypted directory mounted with standard read privileges for other users. Any idea how to get around this?
-Jeff |
|
soulwarrior Guru
Joined: 21 Oct 2002 Posts: 331
|
Posted: Mon Jun 07, 2004 10:34 am Post subject: |
|
|
Thanks for this tutorial. Have been using loop-aes on our server for quite some time (seems to be very stable for us) but I am now planning to convert to dm-crypt. I am right now testing dm-crypt on my development computer.
Has anyone had till now any problems with dm-crypt?
Maybe you could submit your tutorial also to the dm-crypt wiki? |
|
samx n00b
Joined: 02 Apr 2004 Posts: 12 Location: Germany
|
Posted: Thu Jun 17, 2004 7:20 am Post subject: |
|
|
jkcunningham wrote: | But when mounted, anyone else logged in can read it also. It seems like it should have the additional option ",usmask=077" but it won't mount when I try that. |
The option umask is only for fat filesystems (on other fs types mount will ignore it, read man mount) which can't store the owner and rights information (it's no Unix filesystem...) So you can set the default rights for mounted fat partitions with umask, uid and gid.
But ext3 does save owner and rights information - all you have to do is to change the permissions in the mounted partition for example with
Code: | chmod -R g-rwx,o-rwx /path/to/mountpoint/ |
so that nobody else can read the data.
If other users still can list the files in your mounted folder, just change the owner for the mountpoint:
Code: | chown yourusername:root /path/to/mountpoint
chmod o-rwx /path/to/mountpoint |
Now nobody (except root...) should be able to read files or even list the files in this folder.
Here are just two little scripts I wrote to make things a little easier, but of course you'll need to sudo these scripts.
secretup
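Code: | #!/bin/bash
# attach the container file, load dm_crypt, map it (asks for the passphrase), then mount via /etc/fstab
/sbin/losetup /dev/loop0 /home/secret
/sbin/modprobe dm_crypt
/usr/bin/cryptsetup create secret /dev/loop0
/bin/mount /mnt/secret |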
secretdown
Code: | #!/bin/bash
# unmount, drop the dm_crypt mapping, then detach the loop device
/bin/umount /mnt/secret
/usr/bin/cryptsetup remove secret
/sbin/losetup -d /dev/loop0 |
Another advantage: you'll never forget the cryptsetup remove |
|
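An added example, not part of any post in this thread: the cron-driven unmount suggested earlier, combined with the secretdown steps, written so that it never forces the unmount and stops at the first step that fails. Device, mapping and mount-point names are the thread's; the variable names, the `--run` switch and the crontab path are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread: ordered, non-forced teardown for cron.
# Defaults are the names used in the thread; the variables, the --run switch
# and the crontab path below are assumptions made for this sketch.
MNT=${MNT:-/mnt/secret}
MAPNAME=${MAPNAME:-secret}
LOOPDEV=${LOOPDEV:-/dev/loop0}
MAPDIR=${MAPDIR:-/dev/mapper}
MOUNTS=${MOUNTS:-/proc/mounts}
UMOUNT=${UMOUNT:-/bin/umount}
CRYPTSETUP=${CRYPTSETUP:-/usr/bin/cryptsetup}
LOSETUP=${LOSETUP:-/sbin/losetup}

# True if $MNT appears as a mount point (second field) in the mount table.
is_mounted() {
    awk -v m="$MNT" '$2 == m { found = 1 } END { exit !found }' "$MOUNTS"
}

# Returns 0 when everything is torn down (or was never set up),
# 1 if the filesystem is busy, 2 or 3 if a later step failed.
secret_down() {
    if is_mounted; then
        # Plain umount: fails while a shell or open file is inside $MNT,
        # so nothing is pulled away from a running process.
        "$UMOUNT" "$MNT" || return 1
    fi
    # Only reached once the filesystem is unmounted: drop the mapping,
    # which is what makes the passphrase necessary again.
    if [ -e "$MAPDIR/$MAPNAME" ]; then
        "$CRYPTSETUP" remove "$MAPNAME" || return 2
    fi
    # "losetup <dev>" succeeds only while the loop device is attached.
    if "$LOSETUP" "$LOOPDEV" >/dev/null 2>&1; then
        "$LOSETUP" -d "$LOOPDEV" || return 3
    fi
    return 0
}

# Hypothetical root crontab entry:
#   */10 * * * * /usr/local/sbin/secret-autodown --run
if [ "${1:-}" = "--run" ]; then
    secret_down
    exit $?
fi
```

A return value of 1 means the filesystem was still in use and the mapping was left untouched, so the next cron run simply tries again.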
jkcunningham l33t
Joined: 28 Apr 2003 Posts: 649 Location: 47.49N 121.79W
|
Posted: Thu Jun 17, 2004 2:04 pm Post subject: |
|
|
samx wrote: | The option umask is only for fat filesystems (on other fs types mount will ignore it, read man mount) which can't store the owner and rights information (it's no Unix filesystem...) So you can set the default rights for mounted fat partitions with umask, uid and gid. |
Actually, umask applies to most filesystems. Go back and check man mount and read a little further. Unfortunately, it doesn't work with loopback filesystems apparently.
I have tried the approach of changing the permissions. The problem with that is it only acts on existing files. Any new files you create have the default permissions (644) that come with the default umask. That's why I was hoping to be able to override it with the mount command - it would have solved the problem.
Your script approach may be the best one can do - but I think this is a weak point in the encrypted loopback filesystem approach. At work (a MS Windows environment) everyone is set up with an encrypted directory for proprietary work, using some third party software. All they have to do is drop files in that directory and they are encrypted.
Thanks.
-Jeff |
|
samx n00b
Joined: 02 Apr 2004 Posts: 12 Location: Germany
|
Posted: Thu Jun 17, 2004 3:26 pm Post subject: |
|
|
Sorry, but I think you muddled something here... I hope I can explain it right...
The single and only purpose of the umask= option is to control the default permissions when mounting a fs that doesn't know file permissions (for example fat)
man mount wrote: | umask=value
Set the umask (the bitmask of the permissions that are not present). The default is the umask of the current process. The value is given in octal. |
Because the FAT filesystem doesn't have file permissions, the kernel has to assign some. You can only set the permissions for all files on the partition at once. The only thing you can do is to set different permissions for all directories (dmask=) and files (fmask=). Per default it uses 0777 with the umask of the current process. With umask=0022 (a common one), all files have the permission rwxr-xr-x
You can't change file permissions for only some files or directories on fat fs later because fat isn't capable of storing them - the permissions will remain the same until you unmount the partition.
That's different to the umask command, which sets the umask for the current process. That umask specifies what permissions new files created by that process will have. Therefore, you can't specify different umasks for different partitions or something like that, only for different processes. That's why mount will fail if you try to mount a fs like ext,reiser,... with -o umask=
I'm quite sure that mounting a loop file doesn't make any difference to mounting a "real" partition (only some different kernel drivers)
jkcunningham wrote: | All they have to do is drop files in that directory and they are encrypted. |
That's exactly the same with an encrypted loopback file! The data is never stored unencrypted on the harddisk. As long as you keep it mounted, you can access your data (the kernel does the "magic" for you)
I can't see any weaknesses - the only weakness is that you might forget to unmount it when you leave the computer, but that's the same when you use some proprietary software with windows!
The only weakness is the human being in front |
|
jkcunningham l33t
Joined: 28 Apr 2003 Posts: 649 Location: 47.49N 121.79W
|
|
bld l33t
Joined: 26 Mar 2003 Posts: 759 Location: Outter Space
|
Posted: Tue Jun 22, 2004 2:17 am Post subject: nice paper |
|
|
Really interesting paper, I'll do something like this right away.. but I was thinking that the best thing is to make it impossible for users:
(a) To read "mount" output and see that root has /dev/loop0 mounted
(b) To make the file /home/secret visible to others.
I use reiserfs, I don't know if it has some option to hide files from normal users, or possibly hide the file from the users and the root too..
to explain this.. If someone boots with a liveCD he is "root" on your system, but if the file cannot be listed (ls) by the root either.. then you're much more secure. _________________ A happy GNU/Linux user!! |
|
linux_girl Apprentice
Joined: 12 Sep 2003 Posts: 287
|
Posted: Fri Jun 25, 2004 11:38 pm Post subject: |
|
|
i hope someone makes an ebuild for cryptsetup |
|
makuk66 n00b
Joined: 19 Nov 2002 Posts: 11
|
Posted: Mon Jul 26, 2004 10:17 am Post subject: |
|
|
linux_girl: There is an ebuild for cryptsetup in bugzilla: Bug 44347. |
|
afabco Guru
Joined: 24 Feb 2004 Posts: 380
|
Posted: Fri Aug 06, 2004 12:44 am Post subject: production deployment? |
|
|
How would one set this up for a production environment, given an arbitrary number of users with arbitrary usernames that may or may not be logged in at any given time? |
|
zimzum n00b
Joined: 26 Jul 2004 Posts: 14
|
Posted: Mon Aug 09, 2004 9:01 pm Post subject: |
|
|
hey..I did a few things differently...I'm using the slightly newer SHA512 hash algorithm with AES-256 and I decided to try it using a live partition instead so there is no loopback device:
Code: |
cryptsetup -c aes -h sha512 -y create vault /dev/sda2
mount -t ext3 /dev/mapper/vault /vault
|
and the kernel messages are like this:
Code: |
Aug 9 16:30:16 gargoyle kjournald starting. Commit interval 5 seconds
Aug 9 16:30:16 gargoyle EXT3 FS on dm-0, internal journal
Aug 9 16:30:16 gargoyle EXT3-fs: mounted filesystem with ordered data mode.
|
so far so good with this. Badass howto! Too bad you can't configure dm_crypt into fstab like with loopback crypto tho ;(
pz
zim |
|
alwin n00b
Joined: 04 Apr 2004 Posts: 10 Location: Germany
|
Posted: Mon Sep 20, 2004 12:51 pm Post subject: |
|
|
snip
Last edited by alwin on Tue Feb 28, 2006 8:06 pm; edited 2 times in total |
|
michaelkuijn n00b
Joined: 28 Sep 2003 Posts: 72 Location: The Netherlands
|
Posted: Tue Sep 21, 2004 7:06 pm Post subject: |
|
|
People, if you are going to use it, please please don't forget to unmount the encrypted filesystem when you are not using it! When the system freezes/crashes/behaves mysteriously disastrous (like what happened with me) YOU'RE SCREWED REAL BAD!
I lost 800 mb of emotionally very important data. I know what you're thinking... I should have made a backup.
HOMO SAPIENS NON URINAT IN VENTUM |
|
asiobob Veteran
Joined: 29 Oct 2003 Posts: 1375 Location: Bamboo Creek
|
Posted: Sat Sep 25, 2004 8:07 am Post subject: |
|
|
zimzum wrote: | hey..I did a few things differently...I'm using the slightly newer SHA512 hash algorithm with AES-256 and I decided to try it using a live partition instead so there is no loopback device:
Code: |
cryptsetup -c aes -h sha512 -y create vault /dev/sda2
mount -t ext3 /dev/mapper/vault /vault
|
and the kernel messages are like this:
Code: |
Aug 9 16:30:16 gargoyle kjournald starting. Commit interval 5 seconds
Aug 9 16:30:16 gargoyle EXT3 FS on dm-0, internal journal
Aug 9 16:30:16 gargoyle EXT3-fs: mounted filesystem with ordered data mode.
|
so far so good with this. Badass howto! Too bad you can't configure dm_crypt into fstab like with loopback crypto tho ;(
pz
zim |
is this working well? |
|