Encryption
From TheLinuxVault
Linux and Encryption: Files, Directories, Disks
Note that, beginning with Etch, the Debian GNU/Linux installer can encrypt your entire disk, including swap (everything except /boot, which has to stay in the clear so the kernel can be loaded). This is worth considering whenever a machine stores sensitive data. The rest of this page sets up encrypted disks by hand on a 2.6 kernel.
Using LUKS to encrypt entire disks or partitions
The following uses LUKS (Linux Unified Key Setup) on top of the kernel's device-mapper crypto target (dm-crypt), which is available with any 2.6 kernel; 2.6.12 or newer is the better choice, since more cipher modes are available there.
Run fdisk and create the partitions. The example below is for a USB-attached SATA disk (it appears as /dev/sdb). The same steps work perfectly well on LVM logical volumes; make sure the lvm service is running (or restart it). In fact, I rarely use hard partitions nowadays; all my disks use LVM only.
Prepare the partition first. Enter a long, hard-to-guess string as the passphrase when prompted. This step is needed only once per disk or partition. Double-check the device name before running it: luksFormat writes a new LUKS header, and everything previously stored on that partition is lost.
cryptsetup luksFormat -c aes-cbc-essiv:sha256 /dev/sdb1
cryptsetup luksOpen /dev/sdb1 delta
where delta is any name you choose; the unlocked device then appears as /dev/mapper/delta:
root@ariesduo:~# ls -l /dev/mapper/
total 0
crw-rw---- 1 root root 10, 63 2006-09-06 09:31 control
brw-rw---- 1 root disk 253, 0 2006-09-06 09:43 delta
mkfs.ext3 /dev/mapper/delta
cryptsetup luksClose delta
Whenever the disk needs to be used, open it under a name of your choice and mount the mapping:
cryptsetup luksOpen /dev/sdb1 cryptbkupdev
mount /dev/mapper/cryptbkupdev /backups
and use it. After completing your work, unmount and close the mapping; the passphrase is needed again the next time it is opened:
umount /backups
cryptsetup luksClose cryptbkupdev
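The steps above as one guarded script. This is an added example, not code from the page: it wraps luksFormat, luksOpen plus mount, and umount plus luksClose, and refuses to run luksFormat against a device that is currently mounted or that already carries a LUKS header, since luksFormat destroys whatever is there. It assumes the cryptsetup 1.x command line used on this page; the MOUNTS variable (a /proc/mounts-format file, overridable for testing) and DRY_RUN=1 (print the commands instead of running them) are conveniences of this example.

```shell
#!/bin/sh
# Added example (not from the page): guarded wrapper around the LUKS
# workflow. Assumptions: cryptsetup 1.x CLI (luksFormat/luksOpen/
# luksClose/isLuks); MOUNTS is a /proc/mounts-style file; DRY_RUN=1
# prints each command instead of executing it.
set -u

MOUNTS=${MOUNTS:-/proc/mounts}
DRY_RUN=${DRY_RUN:-0}
CIPHER=${CIPHER:-aes-cbc-essiv:sha256}

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Exit 0 if DEV is column 1 of a MOUNTS entry (exact match, so pass the
# same path the device was mounted with, e.g. /dev/mapper/delta).
device_is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "$MOUNTS"
}

# One-time setup: write a LUKS header on DEV and build ext3 inside it.
# Refuses to clobber a mounted device or an existing LUKS header unless
# FORCE=1. All data previously on DEV is lost.
luks_init() {
    dev=$1 name=$2
    if device_is_mounted "$dev"; then
        echo "refusing to luksFormat $dev: it is mounted" >&2; return 1
    fi
    if [ "$DRY_RUN" != 1 ] && [ "${FORCE:-0}" != 1 ] && cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "refusing to luksFormat $dev: already LUKS (set FORCE=1 to override)" >&2; return 1
    fi
    run cryptsetup luksFormat -c "$CIPHER" "$dev" &&
    run cryptsetup luksOpen "$dev" "$name" &&
    run mkfs.ext3 "/dev/mapper/$name" &&
    run cryptsetup luksClose "$name"
}

# Everyday use: unlock DEV as NAME and mount it at MNT.
luks_mount() {
    dev=$1 name=$2 mnt=$3
    run cryptsetup luksOpen "$dev" "$name" &&
    run mount "/dev/mapper/$name" "$mnt"
}

# Unmount MNT and close NAME; never close a mapping that is still mounted.
luks_umount() {
    name=$1 mnt=$2
    run umount "$mnt" || return 1
    if [ "$DRY_RUN" != 1 ] && device_is_mounted "/dev/mapper/$name"; then
        echo "refusing to luksClose $name: still mounted elsewhere" >&2; return 1
    fi
    run cryptsetup luksClose "$name"
}

# Command-line use:  ./luksctl.sh init   /dev/sdb1 delta
#                    ./luksctl.sh mount  /dev/sdb1 cryptbkupdev /backups
#                    ./luksctl.sh umount cryptbkupdev /backups
case "${1:-}" in
    init)   luks_init "$2" "$3" ;;
    mount)  luks_mount "$2" "$3" "$4" ;;
    umount) luks_umount "$2" "$3" ;;
esac
```

Run it as root, exactly as the bare commands above would be; with DRY_RUN=1 it only prints what it would do, which is a cheap way to confirm the device name before the destructive init step.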
cryptsetup for older systems, such as CentOS 4.x or RHEL4
Note that these releases have no LUKS support, so the commands and usage are quite different: cryptsetup runs in plain dm-crypt mode, where the key is derived directly from the passphrase and nothing is written to the disk to identify the volume. The session below creates the volume, then reboots the server to show what has to be repeated afterwards. First create the encrypted volume:
[root@dualathlon32 ~]# cryptsetup create usbbbkupdrv /dev/sda2
Enter passphrase:
[root@dualathlon32 ~]# ls /dev/mapper/
control  usbbbkupdrv
Create an EXT3 filesystem on the mapping and mount it:
[root@dualathlon32 ~]# mkfs.ext3 /dev/mapper/usbbbkupdrv
[root@dualathlon32 ~]# mount /dev/mapper/usbbbkupdrv /mnt
Upon reboot the mapping disappears. To "open" the device again one issues the same create command; there is no separate open/close pair as with LUKS (a plain mapping is torn down with cryptsetup remove). Because plain mode stores no header, the cipher, hash and key size must be exactly the same on every create, whether given explicitly or taken from the defaults of the same cryptsetup version; with different options the same passphrase yields a different key.
A correct passphrase "opens" the device and it is mountable immediately. A wrong passphrase does not return any error either: cryptsetup has nothing on disk to check it against, so the mapping is created just the same, but it decrypts to garbage and the EXT3 mount fails. Nothing is damaged as long as you do not write to the mapping before the mount has succeeded.
Let us reboot.
Connection to 10.1.1.198 closed.
The system is back up; log in again via ssh:
anand@laptop-aries5672:~$ ssh root@10.1.1.198
root@10.1.1.198's password:
Last login: Fri Jun 29 07:54:59 2007 from 10.1.1.33
Note that after the reboot the device is not available:
[root@dualathlon32 ~]# dmsetup ls
No devices found
[root@dualathlon32 ~]# ls /dev/mapper/
control
The create command "opens" an existing encrypted device if the right passphrase is provided:
[root@dualathlon32 ~]# cryptsetup create usbbbkupdrv /dev/sda2
Enter passphrase:
[root@dualathlon32 ~]# ls /dev/mapper/
control  usbbbkupdrv
[root@dualathlon32 ~]# mount /dev/mapper/usbbbkupdrv /mnt
Now the mount succeeds!
[root@dualathlon32 ~]# df -h | grep mnt
4.6G 42M 4.4G 1% /mnt
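The silent-failure behaviour described above can be turned into an explicit check. The script below is an added example, not code from the page: it opens a plain dm-crypt mapping with the cipher, hash and key size pinned on the command line (so that every open uses the same parameters, since nothing on disk records them) and then looks for the ext2/3 superblock magic on the mapping before mounting; if the magic is absent, which is what a wrong passphrase produces, it removes the mapping instead of leaving a garbage device behind. The pinned values are an assumption for new volumes; a volume created with a given cryptsetup version's defaults, as on this page, must keep being opened with those same defaults. MAPPER_DIR and DRY_RUN are conveniences of this example for testing without root.

```shell
#!/bin/sh
# Added example (not from the page): open a plain dm-crypt volume and
# verify it decrypted to a real filesystem before mounting.
# Assumptions: cryptsetup 1.x 'create'/'remove' CLI; the pinned PLAIN_OPTS
# below are this example's choice for NEW volumes (existing volumes must
# use whatever they were created with); MAPPER_DIR defaults to
# /dev/mapper; DRY_RUN=1 prints commands instead of running them.
set -u

DRY_RUN=${DRY_RUN:-0}
MAPPER_DIR=${MAPPER_DIR:-/dev/mapper}
# Plain mode stores no header: these must be identical on every open.
PLAIN_OPTS="-c aes-cbc-essiv:sha256 -h ripemd160 -s 256"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The ext2/3/4 superblock begins at byte 1024 and its magic 0xEF53 sits
# 56 bytes in, stored little-endian: bytes 0x53 0xEF at offsets 1080-1081.
# A mapping opened with the wrong passphrase decrypts to pseudo-random
# data, so this check fails with probability very close to 1.
ext_magic_ok() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# Open DEV as NAME and mount at MNT only if a filesystem is visible.
plain_open_mount() {
    dev=$1 name=$2 mnt=$3
    # PLAIN_OPTS is deliberately unquoted so it splits into separate args.
    run cryptsetup create $PLAIN_OPTS "$name" "$dev" || return 1
    if ext_magic_ok "$MAPPER_DIR/$name"; then
        run mount "$MAPPER_DIR/$name" "$mnt"
    else
        echo "no ext2/3 superblock on $MAPPER_DIR/$name: wrong passphrase or options, closing" >&2
        run cryptsetup remove "$name"
        return 1
    fi
}

# Unmount and tear the mapping down again.
plain_close() {
    run umount "$2" && run cryptsetup remove "$1"
}

# Usage: ./plainctl.sh open /dev/sda2 usbbbkupdrv /mnt
#        ./plainctl.sh close usbbbkupdrv /mnt
case "${1:-}" in
    open)  plain_open_mount "$2" "$3" "$4" ;;
    close) plain_close "$2" "$3" ;;
esac
```

The magic check only tells you that the mapping decrypts to something that looks like ext2/3; for a freshly created volume it will naturally fail until mkfs.ext3 has been run on the mapping once.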
Using GPG: Importing GPG Keys
To fetch someone's public key from a web server and import it into your keyring:
lynx -source http://server/dir/person_key.asc | gpg --import -
A key fetched over plain HTTP can have been replaced in transit, so after importing it run gpg --fingerprint and compare the fingerprint with one obtained from the key's owner over a trusted channel before signing the key or relying on it.
Using EncFS and FUSE
You will need the encfs package installed (e.g. apt-get install encfs on Debian/Ubuntu systems). A user who wants to use encfs must be a member of the fuse group (check with the id command; use sudo vigr to add a user to the fuse group, then log in again so the new group membership takes effect).
As root, load the FUSE module:
modprobe fuse
Then, as the user, run encfs with the encrypted store and the clear-text mount point; it offers to create both directories if they do not yet exist:
encfs ~/confidential/encrypted ~/confidential/unencrypted
The first time, encfs asks you to choose a configuration mode; select the paranoid setting (p). It then prompts for the password that will be required on every later mount. Note that encfs works ONLY with absolute paths (the ~ above is fine because the shell expands it before encfs sees it).
To mount the clear-text view again later (you will be asked for the password):
encfs ~/confidential/encrypted ~/confidential/unencrypted
After your work is finished, unmount it so the clear-text view disappears:
fusermount -u ~/confidential/unencrypted
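The EncFS procedure above as a wrapper script. This is an added example, not code from the page: it enforces the two conditions the page states (the caller is in the fuse group, both directories are given as absolute paths) and adds one check a practitioner wants, refusing to mount over a directory that is already a mount point, since a second FUSE mount on top would hide whatever is mounted there. It assumes encfs and fusermount from the encfs package; MOUNTS (default /proc/mounts), ID_GROUPS (default taken from id -Gn) and DRY_RUN=1 are conveniences of this example for testing without a real FUSE setup.

```shell
#!/bin/sh
# Added example (not from the page): checked mount/unmount for an EncFS
# directory. Assumptions: encfs/fusermount from the encfs package;
# MOUNTS is a /proc/mounts-style file; ID_GROUPS overrides `id -Gn`;
# DRY_RUN=1 prints commands instead of running them.
set -u

MOUNTS=${MOUNTS:-/proc/mounts}
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# encfs rejects relative paths; "~" is fine because the shell expands it.
abs_path_ok() { case "$1" in /*) return 0 ;; *) return 1 ;; esac; }

# On these systems the caller must be in group "fuse" to open /dev/fuse.
in_fuse_group() {
    groups=${ID_GROUPS:-$(id -Gn)}
    for g in $groups; do [ "$g" = fuse ] && return 0; done
    return 1
}

# True if DIR is column 2 (the mount point) of a MOUNTS entry.
mountpoint_busy() {
    awk -v m="$1" '$2 == m { found = 1 } END { exit !found }' "$MOUNTS"
}

# Mount the clear-text view of ENC at DEC after the three checks.
encfs_mount() {
    enc=$1 dec=$2
    abs_path_ok "$enc" && abs_path_ok "$dec" || { echo "encfs needs absolute paths" >&2; return 1; }
    in_fuse_group || { echo "$(id -un) is not in group fuse (sudo vigr to add)" >&2; return 1; }
    mountpoint_busy "$dec" && { echo "$dec is already a mount point" >&2; return 1; }
    run mkdir -p "$enc" "$dec" && run encfs "$enc" "$dec"
}

# Unmount the clear-text view so it is no longer readable.
encfs_umount() {
    run fusermount -u "$1"
}

# Usage: ./encfsctl.sh mount  ~/confidential/encrypted ~/confidential/unencrypted
#        ./encfsctl.sh umount ~/confidential/unencrypted
case "${1:-}" in
    mount)  encfs_mount "$2" "$3" ;;
    umount) encfs_umount "$2" ;;
esac
```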

