Hi guys,
Anyone here who could share some experience with encrypting on Linux, and perhaps even dare to mention some Windows app? This is what I found and did:
I was asked by my HR manager (a particularly very persuasive female person) if I could be of service by helping her keep her sensitive data secure. Since I had never done that (beyond the 'usual' stuff like rights, ACLs and SELinux) I was a bit intrigued. It turned out I had missed a lot.
I found out how to encrypt Linux filesystems and partitions, and also a very, very nice Windows app based on Linux encryption tools.
If someone is paranoid about passwd files etc. (like me) and interested - read on.
Encryption on LINUX
helpful urls:
http://code.google.com/p/cryptsetup/
http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptHomeDirUsingLUKS
http://feraga.com/library/howto_use_cryptsetup_with_luks_support_0
helpful man:
man mount
man losetup
man cryptsetup
man mkfs
On Linux the 'cryptsetup-luks' command is used (cryptsetup with the LUKS extension). The cryptsetup command uses the device-mapper module called dm-crypt (part of the kernel) to do the job.
-install:
[root@orionis /]# yum install cryptsetup-luks
[root@orionis /]# yum list installed | grep -i cryptsetup-luks
cryptsetup-luks.i386 1.0.3-5.el5 installed
cryptsetup-luks.x86_64 1.0.3-5.el5 installed
-usage (no gui, only for hardcore 1337 linux haX0rz):
1. I haven't done a whole partition (like /dev/sda1), just prepared a file that will act like an encrypted FS:
[root@orionis opt]# dd if=/dev/urandom of=enigma_file bs=1M count=100
[root@orionis opt]# ls -al
total 134696
drwxr-xr-x 8 root root 4096 Feb 7 09:54 .
drwxr-xr-x 28 root root 4096 Feb 7 04:04 ..
-rw-r--r-- 1 root root 104857600 Feb 7 09:55 enigma_file
2. loopback mount of the created file (a little similar to mounting .iso files in Linux, e.g. mount -o loop=/dev/loop0 -t iso9660 someisofile.iso /mnt/mntiso):
[root@orionis opt]# losetup /dev/loop0 enigma_file
[root@orionis opt]#
btw. the device name 'loop' can be dependent on the distro - just check what you have in /dev
[root@orionis opt]# losetup -a
/dev/loop0: [fd00]:30411266 (enigma_file)
(just checking if it's mounted and if there are any other things mounted through loop)
3. the 'fake' partition (in our case a file) initialization:
[root@orionis opt]# cryptsetup luksFormat /dev/loop0
WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
[root@orionis opt]#
(btw. if you forget your passphrase in the future, you're screwed :-D)
4. open the LUKS partition <device> and set up a mapping <name>:
[root@orionis opt]# cryptsetup luksOpen /dev/loop0 enigma_file
Enter LUKS passphrase for /dev/loop0:
key slot 0 unlocked.
Command successful.
[root@orionis opt]#
5. format it (only right after creation, not when you already have some data there):
[root@orionis opt]# mkfs.ext2 /dev/mapper/enigma_file
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
25480 inodes, 101884 blocks
5094 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
13 block groups
8192 blocks per group, 8192 fragments per group
1960 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 35 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
6. mount the formatted FS:
[root@orionis opt]# mkdir -p /mnt/mntcrypto
[root@orionis opt]# mount /dev/mapper/enigma_file /mnt/mntcrypto
[root@orionis opt]#
simple check:
[root@orionis opt]# df -m
Filesystem 1M-blocks Used Available Use% Mounted on
/dev/mapper/rootvg-rootlv
188868 137822 41297 77% /
/dev/sda2 479 110 345 25% /boot
tmpfs 1984 0 1984 0% /dev/shm
/dev/mapper/enigma_file
97 2 90 2% /mnt/mntcrypto
DONE.
Now, we can copy files to our new encrypted 'fake' FS.
CLOSING THE ENCRYPTED FS (this must be done before reboot, or shutdown, or you might face problems!)
1. unmount the mounted FS
[root@orionis opt]# umount /mnt/mntcrypto
2. now remove the existing mapping <name>:
[root@orionis opt]# cryptsetup luksClose /dev/mapper/enigma_file
3. detach the loop device
[root@orionis opt]# losetup -d /dev/loop0
OPENING THE ENCRYPTED FS
1. [root@orionis opt]# losetup /dev/loop0 enigma_file
2. [root@orionis opt]# cryptsetup luksOpen /dev/loop0 enigma_file
Enter LUKS passphrase for /dev/loop0:
key slot 0 unlocked.
Command successful.
3. [root@orionis opt]# mount /dev/mapper/enigma_file /mnt/mntcrypto/
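The create, close and open sequences above turned into one small script, added here as an example and not taken from helikaon's post. It assumes cryptsetup, losetup, mkfs.ext2 and mount are installed and that it runs as root; the container path /opt/enigma_file, the mapping name and the mount point are constructed defaults (overridable via the environment), and the loop device is looked up instead of hard-coded as /dev/loop0, so the close step detaches the right device even when loop0 is taken by something else.

```shell
#!/bin/sh
# Added example (not from the original post): the loopback + LUKS procedure
# above wrapped into create/open/close commands, so the close order
# (umount -> luksClose -> losetup -d) cannot be got wrong before a reboot.
# Assumes cryptsetup, losetup, mkfs.ext2 and mount are installed and that the
# script runs as root. The container path, mapping name and mount point are
# constructed defaults; override them through the environment.
set -eu

CONTAINER="${CONTAINER:-/opt/enigma_file}"   # file that acts as the encrypted "partition"
MAPNAME="${MAPNAME:-enigma_file}"            # dm-crypt mapping -> /dev/mapper/$MAPNAME
MNT="${MNT:-/mnt/mntcrypto}"                 # where the decrypted FS gets mounted
SIZE_MB="${SIZE_MB:-100}"                    # container size used by 'create'

# Pure helper (no root needed): read `losetup -a` output on stdin and print the
# loop device that backs the given container, or nothing if there is none.
# losetup prints the file name as it was given at setup time, so match either
# the full path or the bare name, e.g. "/dev/loop0: [fd00]:30411266 (enigma_file)".
loop_for_file() {
    awk -v full="$1" -v base="$(basename "$1")" '
        index($0, "(" full ")") || index($0, "(" base ")") {
            sub(/:$/, "", $1); print $1; exit
        }'
}

is_mounted() {
    # /proc/mounts lists "<device> <mountpoint> <fstype> ..." one entry per line
    awk -v m="$1" '$2 == m { found = 1 } END { exit !found }' /proc/mounts
}

create_fs() {
    if [ -e "$CONTAINER" ]; then
        echo "refusing to overwrite existing $CONTAINER" >&2
        return 1
    fi
    # Fill with random data first so used and unused blocks look the same.
    dd if=/dev/urandom of="$CONTAINER" bs=1M count="$SIZE_MB"
    chmod 600 "$CONTAINER"                       # only root needs to read the ciphertext
    dev=$(losetup -f)                            # first free loop device
    losetup "$dev" "$CONTAINER"
    cryptsetup luksFormat "$dev"                 # asks for YES and the passphrase
    cryptsetup luksOpen "$dev" "$MAPNAME"
    mkfs.ext2 "/dev/mapper/$MAPNAME"             # only once, right after creation
    close_fs
}

open_fs() {
    if [ -n "$(losetup -a | loop_for_file "$CONTAINER")" ]; then
        echo "$CONTAINER is already attached to a loop device" >&2
        return 1
    fi
    dev=$(losetup -f)
    losetup "$dev" "$CONTAINER"
    cryptsetup luksOpen "$dev" "$MAPNAME"
    mkdir -p "$MNT"
    mount "/dev/mapper/$MAPNAME" "$MNT"
}

close_fs() {
    # Strict reverse of open: removing the mapping under a mounted FS, or
    # detaching the loop device under a live mapping, is what bites at shutdown.
    if is_mounted "$MNT"; then
        umount "$MNT"
    fi
    if [ -e "/dev/mapper/$MAPNAME" ]; then
        cryptsetup luksClose "$MAPNAME"
    fi
    dev=$(losetup -a | loop_for_file "$CONTAINER")
    if [ -n "$dev" ]; then
        losetup -d "$dev"
    fi
}

case "${1:-}" in
    create) create_fs ;;
    open)   open_fs ;;
    close)  close_fs ;;
    "")     ;;   # no argument: only define the functions (lets the file be sourced)
    *)      echo "usage: $0 create|open|close" >&2; exit 2 ;;
esac
```

Run it as `./enigma.sh create` once, then `./enigma.sh open` and `./enigma.sh close` around each session; close_fs is safe to run twice, since every step checks whether there is anything left to undo.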
######################################
Encryption on WINDOWS:
urls: http://www.freeotfe.org/
This is a very, very nice app to use on Windows - basically the same as on Linux, but blah!, all can be done with just an easy single mouse 'click' - nothing for a true '1337' Linux geek :-D.
1. download
2. install
3. run
That's all.
It also knows how to mount the encrypted FS created on Linux. As I said, nice app, nice FAQ, nice manual.
gl&hf
-
If you have the capability, I suggest www.truecrypt.org. TrueCrypt is open source and cross-platform. You can encrypt a whole drive or create mini-partition container files that are mounted by TrueCrypt. Your way on Linux, however, is by far more self-sufficient!
-
keep your sensitive files encrypted and secure
Discussion in 'Linux Compatibility and Software' started by helikaon, Feb 7, 2010.