Let’s face it: Everyone has something to hide. Be it your bank and credit card PINs, business trade secrets or other, let’s say, “sensitive information” [wink wink], there’s a big chance you have files in your hard-drive you’d rather keep hidden from curious eyes.
The answer to the problem is strong cryptography, and in this article, we’ll discuss a way to not only encrypt individual files, but whole filesystems.
Like many other Linux articles in this site, this one is a little “Debian centric”. The procedures should be applicable to other distributions without many modifications. Make sure you have the equivalent packages if you use a different distribution of Linux.
For our purposes, we’ll be using the AES encryption and a modified version of the “loop” module with AES support. We’ll also be using modified versions of mount, umount and losetup.
What you need
You’ll need the following packages (again, if you’re not using Debian, your mileage may vary):
loop-aes-utils: This package contains modified versions of mount(8), umount(8), swapon(8), swapoff(8) and losetup(8) from util-linux. Installing it should create a diversion from your ‘util-linux’ packages.loop-aes-source: This package contains a version of the ‘loop’ device with embedded AES cryptography.The source code for your kernel installed and properly configured.
Installation
The first step is to create the appropriate modules.
The loop-aes-source package will install a tar.gz file under /usr/src
containing the source code for the AES crypto module. Unpack this file under
/usr/src. This will create a new module directory under /usr/src/modules.
It’s now time to create a new kernel module. Change your directory to
/usr/src/linux and type make-kpkg modules_image. If everything works
well, you’ll end up with a “.deb” file for the AES module under your
/usr/src directory. Install this file with “dpkg -i filename.deb”.
Usage
The first step is to create a “container” for our encrypted filesystem. In our example, we’ll create it as a file inside your regular filesystem. You can also use a partition, if your hard-drive has unallocated space.
To create a 10MB AES encrypted file:
dd if=/dev/urandom of=/tmp/crypto.img bs=1k count=10k
losetup -e aes /dev/loop0 /tmp/crypto.img
mke2fs /dev/loop0
losetup -d /dev/loop0
Enter a 20 character password to protect this encrypted volume. This is an annoying limitation, and we’ll discuss a better way to do things further down.
The steps above should be executed only once. Note that executing these steps on a file or partition containing data will cause loss of information. Be careful!
Once the encrypted container has been created, we need to mount it before we
can use it. In our case, let’s use /mnt/crypt:
losetup -e aes /dev/loop0 /tmp/crypto.img
mount /dev/loop0 /mnt/crypt
Note that losetup only establishes the algorithm and password used to access
the loop device. If you supply the incorrect password and try to mount the
device, bad things will happen. No checking is done.
To “turn off” your encrypted device:
umount /dev/loop0
losetup -d /dev/loop0
Using GPG to store the keys
Instead of typing a long password every time you start the program, you can instruct losetup to read the password from a file encrypted to you using GPG. This allows you to use a bigger and safer password for your volume, and eliminates the need to remember one more password.
The first step in that direction is to create a GPG encrypted file containing the password for your volume. As you won’t need to type this password, you can use the following trick to create a “random” password that is very difficult to guess:
ls -l /tmp | md5sum | awk '{ print $1 }' |
gpg -er 'youremail@yourdomain.com' >/tmp/crypto.img.gpg
And then, pass the “-K” command line option to losetup, such as:
losetup -e aes -K /tmp/crypto.img.gpg /dev/loop0 /tmp/crypto.img
Note that the “Password:” prompt from “losetup” looks exactly the same as before, but this time losetup is requesting your private GPG passphrase, not the encrypted volume password as before.
For a more “permanent” setup, you may wish to use a disk partition instead of
a file, and mount the filesystem automatically after boot. Be careful not to
mount this filesystem automatically from /etc/fstab, as you first need to
run losetup to activate the encrypted volume!
Keywords: Linux, aes, encrypted, cryptography, filesystem
[Permalink] |
![[Digg Me]](/images/digg.png)
|
![[Add to del.icio.us]](/images/delicious.png)
|
![[Submit to reddit]](/images/reddit.png)
|
![[Submit to ma.gnolia.com]](/images/magnoliacom.png)
|
![[Submit to FURL]](/images/furl.png)
