This one's further to my two previous posts concerning losetup:
1. Virtual Drives on Linux
2. Playing with mount and loopback devices
Here we try to create encrypted filesystems using the dm_crypt module.
For background, see the Wikipedia articles on cryptoloop and its successor, dm_crypt.
In the earlier cases, we had a file-resident filesystem. We interface it with a loopback device to access it as a block device, and then mount it to use it.
Now, we incorporate one more block in that chain, one which acts as our encryption layer: the loop device is wrapped by a dm_crypt mapping, and it is the mapping, not the loop device, that we make a filesystem on and mount.
Ok, that's enough of the theory; let's roll up our sleeves and get our hands dirty.
So first, we create a 100 MB file (200 blocks of 512 KiB) to hold our filesystem:

    dd if=/dev/zero of=testfile bs=512k count=200

Next, we attach that to a loopback device:

    losetup /dev/loop0 testfile

Now, we add our encryption layer:

    cryptsetup -c aes -y create secret /dev/loop0

The -y option makes cryptsetup ask for the passphrase twice, for verification. The command maps /dev/loop0, through the encryption layer, to a new device, /dev/mapper/secret.

A bare "-c aes" means aes-cbc-plain: CBC with the sector number as the IV, which is known to be weak (it permits watermarking attacks, where an attacker can tell that a specially crafted file is stored on the volume). Prefer aes-cbc-essiv:sha256, which derives each sector's IV from a hash of the key and the sector number; i.e. pass -c aes-cbc-essiv:sha256 instead of -c aes. Whichever cipher spec you choose, you must give exactly the same one every time you open the device, because in this mode nothing on disk records it.

The command is the same each time you need to open the device; only, the first time you give the passphrase, it becomes _the_ passphrase.

(Internally, cryptsetup does not check whether your passphrase matches what you used earlier, because "create" sets up plain dm_crypt: there is no on-disk header. The key is simply derived by hashing whatever passphrase you type, and the mapping is set up with that key. If you give the correct passphrase the second and every subsequent time, you can read what you already have on the device; if you give a wrong one, the mapping decrypts to garbage, and mount fails because it cannot make sense of the superblock. Be careful never to run mkfs on a mapping opened with a mistyped passphrase: it would happily "format" the garbage and destroy your data. If you want the passphrase verified, and to be able to change it without re-encrypting everything, use the LUKS variant instead: cryptsetup luksFormat / luksOpen keep a header on the device that does both.)

Also, to use a native partition as the encrypted filesystem instead of a file-resident one, use the appropriate device name instead of /dev/loop0. In that case the dd and losetup steps are omitted.

Next, you make a filesystem on the device; we'll use ext2. Note that you do this only the first time. Subsequent times, skip this step, as you already have the filesystem set up:

    mkfs -t ext2 /dev/mapper/secret

Now, we mount the device:

    mount -t ext2 /dev/mapper/secret {mount-point}

Once mounted, you can use the device just like any other device. The encryption and decryption are transparent to you.

Once you are done, you need to clean up.

Unmount the device secret:

    umount {mount-point}

Disassociate the crypto layer:

    cryptsetup remove secret
    sync

You need to at least do the above cleanup steps to prevent misuse of your encrypted filesystem (while the mapping exists, anyone who can open /dev/mapper/secret reads your data in the clear, passphrase or not) and to preserve its integrity. The next step, disassociating the loopback device, is optional, unless you need to reuse the loopback device for something else:

    losetup -d /dev/loop0

There are many options other than "cbc" for the encryption mode. Please refer to the cryptsetup manpage and to various related online pages for the options and their advantages.
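The whole procedure above, as a shell script. This is an added example, not code from the original post: it wraps the same commands in three functions (first-time setup, later opens, cleanup) and adds the one check plain mode lacks. After cryptsetup create it looks for the ext2 superblock magic through the mapping and, if the magic is not there (which is what a mistyped passphrase looks like), tears the mapping down again instead of mounting it. Assumptions not in the post: aes-cbc-essiv:sha256 as the cipher spec, losetup -f --show and losetup -j to pick and look up the loop device rather than hard-coding /dev/loop0, and all function and variable names. The cryptsetup, losetup, mkfs and mount steps need root; has_ext2_magic works on any file.

```shell
#!/bin/sh
# file -> loop device -> dm_crypt mapping -> mount, as functions.
# Added example; names and the cipher spec below are assumptions, not from the post.

CIPHER=aes-cbc-essiv:sha256   # ESSIV rather than the bare "aes" (= aes-cbc-plain)

# has_ext2_magic PATH: true if the ext2/3/4 magic 0xEF53 is at bytes 1080-1081
# (superblock starts at byte 1024, magic at offset 56 within it, little-endian 53 ef).
has_ext2_magic() {
    [ "$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "53ef" ]
}

# loop_of FILE: the loop device currently attached to FILE (first one, if several).
loop_of() {
    losetup -j "$1" | head -n 1 | cut -d: -f1
}

# secret_init FILE SIZE_MB NAME MNT: first-time setup only. Creates the backing
# file, attaches a loop device (losetup -f --show prints the one it picked),
# opens the mapping and makes the filesystem on the mapping, then mounts it.
secret_init() {
    file=$1; mb=$2; name=$3; mnt=$4
    dd if=/dev/zero of="$file" bs=1M count="$mb" || return 1
    loop=$(losetup -f --show "$file") || return 1
    cryptsetup -c "$CIPHER" -y create "$name" "$loop" || { losetup -d "$loop"; return 1; }
    mkfs -t ext2 "/dev/mapper/$name" && mount -t ext2 "/dev/mapper/$name" "$mnt"
}

# secret_open FILE NAME MNT: every later time. -y still asks twice, which in
# plain mode is the only typo protection there is. If no superblock is visible
# through the new mapping the passphrase was wrong: remove the mapping and stop,
# so nothing (least of all mkfs) ever touches the wrongly-keyed device.
secret_open() {
    file=$1; name=$2; mnt=$3
    loop=$(losetup -f --show "$file") || return 1
    cryptsetup -c "$CIPHER" -y create "$name" "$loop" || { losetup -d "$loop"; return 1; }
    if ! has_ext2_magic "/dev/mapper/$name"; then
        echo "secret_open: no ext2 superblock via /dev/mapper/$name (wrong passphrase?), not mounting" >&2
        cryptsetup remove "$name"
        losetup -d "$loop"
        return 1
    fi
    mount -t ext2 "/dev/mapper/$name" "$mnt"
}

# secret_close FILE NAME MNT: the cleanup the post insists on. Until the mapping
# is removed, /dev/mapper/NAME hands the plaintext to anyone who can open it.
secret_close() {
    file=$1; name=$2; mnt=$3
    umount "$mnt" && cryptsetup remove "$name" && sync && losetup -d "$(loop_of "$file")"
}

# Usage (as root):
#   secret_init  testfile 100 secret /mnt/secret     # once
#   secret_close testfile secret /mnt/secret
#   secret_open  testfile secret /mnt/secret          # every later session
```

Run secret_init once, then secret_close and secret_open for every later session. If secret_open complains about the superblock, you mistyped the passphrase; the mapping and loop device have already been released and nothing on the device was changed.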
The dm_crypt wiki for further details: http://www.saout.de/tikiwiki/tiki-index.php
Likewise, if you need to use a physical drive or partition rather than a flat file, you will need to know the device name that Linux gave it. Use the command

    dmesg | tail

to find the device corresponding to the removable drive you plugged in.
--------- --------- --------- --------- --------- --------- --------- ---------
Friday, 2008-03-28 22:59 UTC+5:30
Additions to the above:
1. My friend had to run

    modprobe dm_crypt
    modprobe dm_mod

before this would work for him.
2. To change the passphrase of an encrypted device (say /dev/loop0), following [1]. In plain dm_crypt there is no header holding the key, so "changing the passphrase" means re-encrypting every block under the new key. Do this with the filesystem unmounted, give exactly the same cipher spec (-c) to both mappings, and back the device up first: if the dd is interrupted, the device is left partly encrypted under each key and nothing can recover it. (A LUKS volume avoids all of this; its key slots let you add and remove passphrases without touching the data.)

    # create a device mapping using the old password
    # remember to use old password here
    cryptsetup -c aes -y create secret-old /dev/loop0
    # create another device mapping using the new password
    # remember, this will be your password hereafter
    cryptsetup -c aes -y create secret-new /dev/loop0
    # now copy block-by-block from old mapping to new mapping
    dd bs={block-size} if=/dev/mapper/secret-old of=/dev/mapper/secret-new
    # cleanup
    # Actually you can remove the old mapping and continue using the
    # new mapping if you'd like
    cryptsetup remove secret-old
    cryptsetup remove secret-new

This works because both mappings sit on the same sectors of /dev/loop0: dd reads each block through the old mapping (which decrypts it) and then writes that same block back through the new mapping (which re-encrypts it), so every sector is converted exactly once, in order. Run sync before removing the mappings so the last writes reach the disk.

References
[1] http://forums.gentoo.org/viewtopic.php?t=163762
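Item 2 above, as a script with the checks you want before overwriting the only copy of the data. This is an added example, not the post's code nor the Gentoo thread's. It refuses to start unless a filesystem superblock is readable through the old mapping, which catches a mistyped old passphrase before it re-encrypts garbage over the volume, flushes the copy, and then confirms the superblock is readable through the new mapping. Assumptions: the mapping names secret-old and secret-new as in the post, aes-cbc-essiv:sha256 as the cipher spec (it must be whatever the device was originally created with), 1 MiB blocks for dd, and the function names. The copy-and-verify core, rekey_copy, takes any two paths, so it can be exercised on ordinary files without root; secret_rekey is the root-only wrapper.

```shell
#!/bin/sh
# Re-key a plain dm_crypt device in place: added example, assumptions noted inline.
# Plain mode stores no header, so a passphrase change is a full re-encryption.

# ext2 superblock magic 0xEF53 lives at bytes 1080-1081, little-endian (53 ef).
has_ext2_magic() {
    [ "$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "53ef" ]
}

# rekey_copy OLD NEW [BS]: copy OLD to NEW block by block, flush, and confirm a
# filesystem superblock is visible through NEW afterwards. OLD and NEW are meant
# to be two mappings of the same sectors, but any two paths work.
rekey_copy() {
    old=$1; new=$2; bs=${3:-1M}     # 1 MiB blocks: an assumption, not from the post
    # A mistyped old passphrase would otherwise "re-encrypt" garbage over the data.
    if ! has_ext2_magic "$old"; then
        echo "rekey_copy: no ext2 superblock via $old; wrong old passphrase?" >&2
        return 1
    fi
    # conv=fsync: do not report success until the re-encrypted blocks are on disk.
    dd if="$old" of="$new" bs="$bs" conv=fsync 2>/dev/null || return 1
    if ! has_ext2_magic "$new"; then
        echo "rekey_copy: superblock not visible via $new after copy" >&2
        return 1
    fi
}

# secret_rekey DEVICE: the recipe from the post around rekey_copy. Needs root,
# and the filesystem must not be mounted while this runs.
secret_rekey() {
    dev=$1
    spec=aes-cbc-essiv:sha256       # assumption: must match what the device was created with
    # Both mappings use the same cipher spec; only the passphrases differ.
    echo "old passphrase:"
    cryptsetup -c "$spec" -y create secret-old "$dev" || return 1
    echo "new passphrase:"
    cryptsetup -c "$spec" -y create secret-new "$dev" || { cryptsetup remove secret-old; return 1; }
    rekey_copy /dev/mapper/secret-old /dev/mapper/secret-new
    rc=$?
    sync
    cryptsetup remove secret-old
    cryptsetup remove secret-new
    return $rc
}

# Usage (as root, device unmounted, backup taken):  secret_rekey /dev/loop0
```

If rekey_copy fails on the first check nothing has been written and you can simply retry with the right old passphrase; a failure on the second check means the copy itself went wrong, which is exactly the case the backup is for.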