Docs/SysAdmin/Security/EncryptedFilesystems

From Mandriva Community Wiki


Types of encrypted filesystems

(This needs to be expanded, for now I am just linking to other documents which describe this sufficiently)

Setting up encrypted filesystems

Cryptoloop

Cryptoloop is supported by diskdrake: in the options for the filesystem, check the 'encrypted' checkbox, and you will be prompted for the details required to set up cryptoloop.

As of 2009.1, cryptoloop is deprecated, and cryptoloop encrypted filesystems will no longer be mounted automatically. If you have any filesystems like this, you should migrate them to LUKS. You can still mount manually via a process such as this (not tested on a partition created by drakcrypt):

# cryptsetup create foo /dev/hdXY
# mount /dev/mapper/foo /path/to/mount

For a file-backed encrypted volume, you will need to use losetup to create a loopback block device first:

# losetup /dev/loop0 /path/to/file.img

and after removing the cryptsetup mapping (with cryptsetup remove foo) you should remove the loopback device with:

# losetup -d /dev/loop0

LUKS

initscripts supports mounting of LUKS encrypted filesystems at boot; however, you will have to create the encrypted volumes manually.

In recent releases of Mandriva (2009.0 and later?), diskdrake supports creation of LUKS based encrypted volumes, including during installation. Screenshots should be added here.

This section covers the (easy) task of just encrypting the /home partition. Encrypting the root partition is more complex.

Note that this was done with an LVM volume set aside for /home. If you are not using LVM, replace all occurrences of /dev/mapper/VGsys-home or /dev/VGsys/home with the partition you are using (e.g. /dev/hda6).

Creating an encrypted volume

You should be able to do this with diskdrake, either during or after installation (as of 2009.0). The command-line method was documented here before this, and is retained for completeness.

Firstly, ensure you aren't accessing the block device you are going to create the encrypted filesystem on, otherwise you will receive funny error messages.

Install the necessary software

urpmi cryptsetup-luks

Create the encrypted volume (in this case an LV)

cryptsetup -h sha256 -c twofish-cbc-essiv:sha256 -s 256 luksFormat /dev/mapper/VGsys-home

or, to use the defaults (aes-cbc-essiv:sha256):

cryptsetup luksFormat /dev/mapper/VGsys-home

Test that you can open the encrypted volume

cryptsetup luksOpen /dev/mapper/VGsys-home cryptohome

This should have created a new block device as /dev/mapper/cryptohome, which is the unencrypted version of /dev/mapper/VGsys-home

Create the filesystem

mkfs.ext3 /dev/mapper/cryptohome

Close the volume

cryptsetup luksClose cryptohome

Mounting the filesystem manually

Assuming the volume was closed, open it again:

cryptsetup luksOpen /dev/mapper/VGsys-home cryptohome

Mount the unencrypted version:

mount /dev/mapper/cryptohome /home

Mounting the filesystem at boot

To ensure the filesystem is mounted at boot, you now need to make two changes:

Edit /etc/fstab, and change the entry for /home, in my case it was from:

/dev/mapper/VGsys-home /home ext3 noatime 0 0

to

/dev/mapper/cryptohome /home ext3 noatime 0 0

Now, initscripts needs to know how to run the 'cryptsetup luksOpen' command. It does this by reading /etc/crypttab; add an entry like this:

cryptohome /dev/mapper/VGsys-home

Mounting the filesystem at login

It should be possible to mount the filesystem at login using pam_mount (in contrib), just install using:

urpmi pam_mount

Removable Devices

HAL apparently has support for LUKS encrypted devices. However, on Mandriva 2007.1 under GNOME, while inserting a flash disk with a LUKS-encrypted filesystem prompts for the passphrase, entering the correct passphrase does not result in it being mounted. Under KDE4 (4.1 and later I think), click on the "Volume (crypto_LUKS)" entry in either the hardware notifier, or the "Places" panel in Dolphin, and you should get a dialog prompting you for your passphrase. Once you enter a correct passphrase, new volumes will appear (in the device notifier plasmoid and the Places panel in Dolphin). Click them to mount the filesystem. Under KDE3, no dialog appears at all. However, it can be mounted quite easily with pmount:

[bgmilne@comanche ~]$ pmount /dev/sda1
Enter LUKS passphrase:
[bgmilne@comanche ~]$ mount|grep sda1
/dev/mapper/_dev_sda1 on /media/sda1 type vfat  (rw,noexec,nosuid,nodev,quiet,shortname=mixed,uid=500,gid=500,umask=077,iocharset=utf8)

Encrypted SWAP

While it is possible to have the SWAP partition encrypted with a random key on every boot, what happens to resuming from suspend-to-disk? Since encrypted partitions are usually more useful on laptops, and so is suspending, it seems it may not really be practical. But, in the end, if someone has stolen your laptop, the chances of them recovering data off your /home are *much* better than them being able to reconstruct documents from your swap partition (IMHO).

Creating an encrypted file acting as a partition (using loopback)

Most documentation is about creating a LUKS partition, but most people can't afford to create new partitions and would like to use a single file holding all encrypted data instead.

Basically, you need to associate this file with a loopback device (/dev/loopX), then create a LUKS device associated to the loopback and finally, create whatever filesystem you like on the LUKS device.

You can create such an encrypted file, mounted as a partition by using the following script.

You need to specify three arguments:

  • Filename of the encrypted file to be created
  • Size of this file (in the end, approximately the size of the filesystem: you won't be able to go beyond it)
  • Mountpoint of your new encrypted filesystem: the script will mount your partition in this folder

Media:Create_luks_encrypted_file.sh

Note that you need to close the volume (with cryptsetup luksClose and the mapping name you opened it under) and remove the loopback mapping (with losetup -d /dev/loopX) before shutting down, or the filesystem the file resides on will not be unmounted cleanly.
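The three steps described in this section (loopback device, LUKS on the loopback, filesystem on the LUKS mapping), as an added example script; it is not the wiki's Create_luks_encrypted_file.sh. The mapping name cryptofile, the size given in MiB and the ext3 filesystem are assumptions, and the script only prints the commands unless RUN=1 is set.

```shell
#!/bin/sh
# Added example, not the wiki's Create_luks_encrypted_file.sh.
# Usage: sh luksfile.sh FILE SIZE_MB MOUNTPOINT
# Prints the commands only; run as root with RUN=1 to execute them.
MAPNAME=cryptofile   # assumed mapping name, appears as /dev/mapper/cryptofile

# Reject bad arguments before anything touches the disk.
check_args() {
    [ "$#" -eq 3 ] || { echo "usage: FILE SIZE_MB MOUNTPOINT" >&2; return 2; }
    [ ! -e "$1" ] || { echo "refusing to overwrite $1" >&2; return 1; }
    case "$2" in
        ''|*[!0-9]*|0*) echo "size must be a positive integer (MiB)" >&2; return 1 ;;
    esac
    [ -d "$3" ] || { echo "mount point $3 is not a directory" >&2; return 1; }
}

# Print a command; execute it only when RUN=1.
run() {
    echo "+ $*"
    [ "${RUN:-0}" = 1 ] || return 0
    "$@"
}

create_luks_file() {
    check_args "$@" || return
    file=$1; size=$2; mnt=$3
    # 1. Backing file, filled with random data so unused blocks look like ciphertext.
    run dd if=/dev/urandom of="$file" bs=1M count="$size" || return
    # 2. Attach it to the first free loop device (placeholder name in dry-run mode).
    if [ "${RUN:-0}" = 1 ]; then loop=$(losetup -f) || return; else loop=/dev/loopX; fi
    run losetup "$loop" "$file" || return
    # 3. LUKS header on the loop device, then open it as /dev/mapper/$MAPNAME.
    run cryptsetup luksFormat "$loop" || return
    run cryptsetup luksOpen "$loop" "$MAPNAME" || return
    # 4. The filesystem goes on the mapping, never on the loop device itself.
    run mkfs.ext3 "/dev/mapper/$MAPNAME" || return
    run mount "/dev/mapper/$MAPNAME" "$mnt" || return
    # Teardown order is the reverse: filesystem, mapping, loop device.
    echo "# before shutdown: umount $mnt; cryptsetup luksClose $MAPNAME; losetup -d $loop"
}

if [ "$#" -gt 0 ]; then create_luks_file "$@"; fi
```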

Realcrypt

Note that Realcrypt has been removed from the distribution, as the license is non-free and could result in legal action from TrueCrypt. You should consider using LUKS instead.

Realcrypt is Mandriva's version of truecrypt. In Realcrypt package description we read "RealCrypt is just a rebrand to allow for normal modifications needed for distribution to take place, functionality remains the same. The TrueCrypt license does not allow even trivially modified versions to be distributed under the name TrueCrypt."

Warning! TrueCrypt changed the terms of its license so that it is not considered free for distribution. For this reason, Mandriva will no longer be shipped with realcrypt, or any derivative work from truecrypt, and the software will only remain available for versions before 2009.0. Mandriva is considering removing realcrypt from all repositories, even for versions before 2009.0. For more information, see Bug #44860, why the package has been removed from Fedora repositories and this discussion.

If you must use TrueCrypt, you may find packages here

The advantages of Realcrypt are:

  • it allows for hidden volumes,
  • it is portable,
  • it allows for encrypted files that can be stored on removable media and opened on many operating systems,
  • it is open source,
  • ...

Realcrypt uses a GUI by default. However, Realcrypt version 6.0a, used by Mandriva 2009.0, does not allow for full GUI operation. In particular, it is probably not possible to create an encrypted volume with an ext3 filesystem using the GUI.

Below is a description of how to create an encrypted partition using Realcrypt's text mode. The author attempted to create a hidden partition also, but is not sure whether this attempt was proper.

Creating encrypted volume

Suppose you have a partition /dev/sdd1 to be encrypted. To create an encrypted volume on this partition, without a filesystem inside it, issue:

realcrypt -t -c --filesystem=none /dev/sdd1

You will be asked to type in some number of characters at random, and to enter the path to a key file (press Enter to accept no key file). Also, if the partition is large, it may take considerable time to create the encrypted volume, as creation involves filling the volume with random data.

To mount freshly created volume, type:

realcrypt -t --filesystem=none /dev/sdd1

You will be asked for your password - don't forget it as there is no way to restore it!

To confirm the volume has been created and mounted issue:

realcrypt -t -l

If the answer is similar to "/dev/sdd1 /dev/mapper/realcrypt1" you have done it!

Creating filesystem on encrypted volume

To create an ext3 filesystem on the encrypted volume you have just created, type:

mkfs.ext3 /dev/mapper/realcrypt1

Now you can mount the filesystem as usual:

mount /dev/mapper/realcrypt1 /mnt

Unmounting encrypted volumes

To unmount all encrypted volumes type:

realcrypt -t -d

Mounting encrypted volumes with filesystems

Once ext3 filesystem is created on encrypted volume, you can mount it with:

realcrypt -t /dev/sdd1

Creating hidden volumes

(to be written soon)

References

Linux Unified Key Setup - dmcrypt

Linux/Fedora: Encrypt /home and swap over RAID with dm-crypt

LUKS Encrypted Root

FileSystem Encryption without ROOT

How to Setup a Secure, Encrypted, Anonymized Hosting Service

Truecrypt - Free Open-Source On-The-Fly Disc Encryption Software
