Encrypted filesystem on loop file


Encrypted filesystem on loop file

Carlos E. R.-2

Hi,

I'm trying to create an encrypted filesystem via Yast partitioner in SuSE
10.1, using a file mounted via the loop device. I have done this before,
in fact I have two such things created under 9.3 running; but I can't
(couldn't) with 10.1, it is creating a plain non encrypted filesystem
instead.


Or so it seemed.

Looking carefully again, after several runs, I noticed that it was
mounting the filesystem as plain non encrypted, but it was in fact
creating an encrypted one with the appropriate entry in /etc/cryptotab
instead of in /etc/fstab - whereas in 9.3 it created them in /etc/fstab
instead, and in 8.x they were created in /etc/cryptotab. This change of
criterion is very confusing. Perhaps Yast could ask where the user wanted to
define it - feature request, perhaps?

It's not only a config file difference; an encrypted filesystem defined in
/etc/fstab can be mounted with the command mount, but one defined in
/etc/cryptotab is mounted via the command "/etc/init.d/boot.crypto start",
which is less comfortable for manual mount after boot (and it mounts all
devices listed, even if already mounted).


/etc/cryptotab sample line:

  /dev/loop3   /file3   /crypta3   ext3   twofish256 acl,user_xattr


/etc/fstab, the equivalent sample line:

  /file3   /crypta3   ext3   noauto,acl,user_xattr,loop=/dev/loop3,encryption=twofish256     0 0


Both work with the same file, I tried. I'll stay with the second one. But
in 9.3 the fstab line was instead (incompatible):

  /file2   /crypta2   ext3  noauto,acl,user_xattr,loop=/dev/loop2,encryption=twofish256,phash=sha512,itercountk=100


Comments?


Also, how would I create the equivalent encrypted filesystem manually;
docus, howtos?


Tks.


--
Cheers,
       Carlos Robinson

--
Check the headers for your unsubscription address
For additional commands, e-mail: [hidden email]
Security-related bug reports go to [hidden email], not here
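The two sample lines describe the same volume, so the mapping between them is mechanical. As an added example that is not part of this thread or of any SuSE tool, here is a POSIX shell converter from /etc/cryptotab lines to the equivalent /etc/fstab lines; the field layout is taken from the two samples above, and the function names are my own.

```shell
#!/bin/sh
# Convert SuSE 10.1 /etc/cryptotab lines into the equivalent /etc/fstab lines.
# cryptotab layout (from the sample in the thread):
#   loopdev  file  mountpoint  fstype  cipher  [mountopts]
# fstab layout it maps to:
#   file  mountpoint  fstype  noauto,mountopts,loop=loopdev,encryption=cipher  0 0

# Convert a single cryptotab line given as $1; prints the fstab line.
cryptotab_to_fstab_line() {
    set -f                      # no globbing while the line is split into fields
    set -- $1
    set +f
    if [ $# -lt 5 ]; then
        echo "cryptotab line needs at least 5 fields, got $#" >&2
        return 1
    fi
    loopdev=$1 file=$2 mnt=$3 fstype=$4 cipher=$5 mopts=${6:-}
    case $loopdev in
        /dev/loop*) ;;
        *) echo "first field must be a loop device, got '$loopdev'" >&2; return 1 ;;
    esac
    # noauto first: the volume must never be mounted at boot without a passphrase prompt
    opts=noauto
    if [ -n "$mopts" ]; then opts="$opts,$mopts"; fi
    opts="$opts,loop=$loopdev,encryption=$cipher"
    printf '%s %s %s %s 0 0\n' "$file" "$mnt" "$fstype" "$opts"
}

# Convert a whole cryptotab read on stdin, skipping blank lines and # comments.
cryptotab_to_fstab() {
    while IFS= read -r line; do
        set -f; set -- $line; set +f      # split only to detect blank/comment lines
        [ $# -eq 0 ] && continue
        case $1 in \#*) continue ;; esac
        cryptotab_to_fstab_line "$line" || return 1
    done
}

# The cryptotab sample line from the thread (constructed input):
cryptotab_to_fstab_line "/dev/loop3   /file3   /crypta3   ext3   twofish256 acl,user_xattr"
```

The converter only rearranges fields; it does not check that the cipher name in the fifth field is one the kernel's cryptoloop actually supports.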


Re: Encrypted filesystem on loop file

Roman Pindela
On Sunday 24 September 2006 16:35, Carlos E. R. wrote:

> Hi,
>
> I'm trying to create an encrypted filesystem via Yast partitioner in SuSE
> 10.1, using a file mounted via the loop device. I have done this before,
> in fact I have two such things created under 9.3 running; but I can't
> (couldn't) with 10.1, it is creating a plain non encrypted filesystem
> instead.
>
>
> Or so it seemed.
>
> Looking carefully again, after several runs, I noticed that it was
> mounting the filesystem as plain non encrypted, but it was in fact
> creating an encrypted one with the appropriate entry in /etc/cryptotab
> instead of in /etc/fstab - whereas in 9.3 it created them in /etc/fstab
> instead, and in 8.x they were created in /etc/cryptotab. This change of
> criterion is very confusing. Perhaps Yast could ask where the user wanted to
> define it - feature request, perhaps?
>
> It's not only a config file difference; an encrypted filesystem defined in
> /etc/fstab can be mounted with the command mount, but one defined in
> /etc/cryptotab is mounted via the command "/etc/init.d/boot.crypto start",
> which is less comfortable for manual mount after boot (and it mounts all
> devices listed, even if already mounted).
>
>
> /etc/cryptotab sample line:
>
>   /dev/loop3   /file3   /crypta3   ext3   twofish256 acl,user_xattr
>
>
> /etc/fstab, the equivalent sample line:
>
>   /file3   /crypta3   ext3   noauto,acl,user_xattr,loop=/dev/loop3,encryption=twofish256     0 0
>
>
> Both work with the same file, I tried. I'll stay with the second one. But
> in 9.3 the fstab line was instead (incompatible):
>
>   /file2   /crypta2   ext3  noauto,acl,user_xattr,loop=/dev/loop2,encryption=twofish256,phash=sha512,itercountk=100
>
>
> Comments?
>
>
> Also, how would I create the equivalent encrypted filesystem manually;
> docus, howtos?
>
>
> Tks.
>
>
> --
> Cheers,
>        Carlos Robinson

Hello there
I see you're a little surprised because of that "small" change in SU10, aren't
you? As for docs, you should first check the man page of the << losetup >>
command.
But before that, the following steps will lead you to set up an encrypted file
system manually on your partition:
1. create the loop device with the additional option that says it's encrypted (USE:
losetup), for example:
# losetup -e aes-256 /dev/loop0 /dev/hda9
(or)
# losetup -e aes-256 /dev/loop2 /mnt/encrfs.raw
2. make the file system you want the file/partition to have (USE: mkfs.xxx), for example:
# mkfs.ext3 /dev/loop0
(or)
# mkfs.ext3 /dev/loop2
3. you can now mount your partition or encrypted file with the file system (USE:
mount), for example:
# mount -t ext3 /dev/loop0 /mnt/encrpart
(or)
# mount -t ext3 /dev/loop2 /mnt/encrfs

...that's it! You should now enjoy your protected encryption.

TIP: If you don't want to encrypt a whole partition (device fs), you have the opportunity
to encrypt a chosen folder, using the << encfs >> command. Of course, if you don't
know what it can do for you, you should check its man page or search internet
sources.

TIP: if you want to encrypt only a specified file you can use the << gpg >> command.

Greetings from PoLaNd and gOOd lUCK


Re: Encrypted filesystem on loop file

Carlos E. R.-2

The Sunday 2006-09-24 at 17:59 +0200, Roman Pindela wrote:

> Hello there
> I see you're a little surprised because of that "small" change in SU10, aren't
> you? As for docs, you should first check the man page of the << losetup >>
> command.

Well, man pages are useful information, but often they assume you know
something about the subject. They don't explain "how" I should use it,
even less how to combine the different commands or possibilities. They
usually are a simple list of command options. They are no substitute for
"documentation" as in a howto.

   In fact, I have just noticed there is one "Disk-Encryption-HOWTO". I'm
   reading it now. It seems to refer to kernel 2.4, though: it mentions a
   2GB limit that doesn't apply now (I use 4.4G encrypted filesystems, for
   instance).
   [...]
   No, that howto is no good for my purpose. It is about having the whole
   system encrypted with a usb keychain as key. I'm not interested in
   that for the moment.
   

> But before that, the following steps will lead you to set up an encrypted file
> system manually on your partition:
> 1. create the loop device with the additional option that says it's encrypted (USE:
> losetup), for example:
> # losetup -e aes-256 /dev/loop0 /dev/hda9
> (or)
> # losetup -e aes-256 /dev/loop2 /mnt/encrfs.raw
> 2. make the file system you want the file/partition to have (USE: mkfs.xxx), for example:
> # mkfs.ext3 /dev/loop0
> (or)
> # mkfs.ext3 /dev/loop2
> 3. you can now mount your partition or encrypted file with the file system (USE:
> mount), for example:
> # mount -t ext3 /dev/loop0 /mnt/encrpart
> (or)
> # mount -t ext3 /dev/loop2 /mnt/encrfs


That's a starting point, thanks :-)

I managed to create an encrypted filesystem on file of the type done by
Yast easily. And I think I now can fsck it as well. Let me see, I did:

  dd if=/dev/zero of=crypta.bck.file3 bs=1M count=4482
  losetup -e twofish256 /dev/loop5 crypta.bck.file3

Unfortunately, it only asks once for the password - ah, no, the -T option.

  losetup -T -e twofish256 /dev/loop5 crypta.bck.file3

  nimrodel:/biggy # mke2fs -L "EncriptedBackup" -Eacl,user_xattr -t ext2 /dev/loop5
  mke2fs 1.38 (30-Jun-2005)
  mke2fs: invalid blocks count - /dev/loop5

Now, that error is absurd. I'm not telling it the block count, but the
device. It doesn't see the device.

  mkfs -L "EncriptedBackup" -Eacl,user_xattr -t ext2 /dev/loop5
  mke2fs 1.38 (30-Jun-2005)
  mkfs.ext2: invalid blocks count - /dev/loop5

---

  nimrodel:/biggy # mkfs -t ext2 -L "EncriptedBackup" -E acl,user_xattr /dev/loop5
  mke2fs 1.38 (30-Jun-2005)

  Bad options specified.

  Extended options are separated by commas, and may take an argument which
          is set off by an equals ('=') sign.

  Valid extended options are:
          stride=<stride length in blocks>
          resize=<resize maximum size in blocks>


---

  nimrodel:/biggy # mkfs -t ext2 -Eacl,user_xattr -L EncriptedBackup /dev/loop5
  mke2fs 1.38 (30-Jun-2005)
  mkfs.ext2: invalid blocks count - /dev/loop5

---

  nimrodel:/biggy # mkfs -t ext2 -L "EncriptedBackup"  /dev/loop5
  mke2fs 1.38 (30-Jun-2005)
  warning: 512 blocks unused.

  Filesystem label=EncriptedBackup
  OS type: Linux
  Block size=4096 (log=2)
  Fragment size=4096 (log=2)
  574560 inodes, 1146880 blocks
  57369 blocks (5.00%) reserved for the super user
  First data block=0
  35 block groups
  32768 blocks per group, 32768 fragments per group
  16416 inodes per group
  Superblock backups stored on blocks:
          32768, 98304, 163840, 229376, 294912, 819200, 884736

  Writing inode tables: done                            
  Writing superblocks and filesystem accounting information: done

  This filesystem will be automatically checked every 33 mounts or
  180 days, whichever comes first.  Use tune2fs -c or -i to override.
  nimrodel:/biggy #


I can't find a way to make it accept both volume label and extended
options... Weird.

And 512 blocks unused... that's 2 MiB, no? That's acceptable, but I don't
know where they come from.


At this point, it can be fsck-ed:

  nimrodel:/biggy # fsck /dev/loop5
  fsck 1.38 (30-Jun-2005)
  e2fsck 1.38 (30-Jun-2005)
  EncriptedBackup (/dev/loop5): clean, 11/574560 files, 18046/1146880 blocks

I didn't know how to run fsck on an encrypted filesystem... good :-)



  mount -t ext2 /dev/loop5 /mnt/tmp


  nimrodel:~ # df -h /mnt/tmp
  Filesystem            Size  Used Avail Use% Mounted on
  /dev/loop5            4.4G   20K  4.1G   1% /mnt/tmp

I created it as ext2 to minimize the used size at startup. As ext3, it is
about 100MiB:

  Filesystem            Size  Used Avail Use% Mounted on
  /dev/loop5            4.4G  129M  4.0G   4% /mnt/tmp


If you observe, the file is the exact size to fit into a DVD ;-)

Undoing:

  nimrodel:/biggy # umount /dev/loop5
  nimrodel:/biggy # losetup -d /dev/loop5
  nimrodel:/biggy # losetup -a



And the corresponding fstab line is:

  /biggy/crypta.bck.file3   /mnt/crypta.3  ext2  noauto,loop=/dev/loop5,encryption=twofish256     0 0

Testing the result:

  nimrodel:/biggy # mount /mnt/crypta.3
  Password:

  nimrodel:/biggy # df -h /mnt/crypta.3
  Filesystem            Size  Used Avail Use% Mounted on
  /biggy/crypta.bck.file3
                        4.4G   20K  4.1G   1% /mnt/crypta.3


Fantastic!  Your help has allowed me to find out how to do it without Yast
and fsck it :-)



> ...that's it! You should now enjoy your protected encryption.
>
> TIP: If you don't want to encrypt a whole partition (device fs), you have the opportunity
> to encrypt a chosen folder, using the << encfs >> command. Of course, if you don't
> know what it can do for you, you should check its man page or search internet
> sources.

That one is new for me.


> TIP: if you want to encrypt only a specified file you can use the << gpg >> command.

Yes, I know that one. But encrypting a partition is easier to use and it
offers reasonable protection for my needs.

--
Cheers,
       Carlos E. R.



--
Check the headers for your unsubscription address
For additional commands, e-mail: [hidden email]
Security-related bug reports go to [hidden email], not here
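The mke2fs output in this message can be reproduced from the dd size alone, which also answers where the 512 unused blocks come from and gives the backup superblock positions one would pass to e2fsck -b on a damaged volume. This is an added example, not from the thread: POSIX shell arithmetic using the 4482 MiB size and the 16416 inodes per group shown above; the rule for dropping the trailing partial group is a simplification I assume here (mke2fs also requires some free blocks in the group), and it gives the same result for this file.

```shell
# Reproduce the mke2fs 1.38 geometry shown above for a 4482 MiB file
# (dd bs=1M count=4482): 4 KiB blocks, 32768 blocks per group, 128-byte inodes.
BLOCK_SIZE=4096; BLOCKS_PER_GROUP=32768; INODE_SIZE=128

# total 4 KiB blocks in a file of $1 MiB (4482 -> 1147392)
ext2_blocks() { echo $(( $1 * 1024 * 1024 / BLOCK_SIZE )); }
# number of complete block groups (4482 -> 35)
ext2_groups() { echo $(( $(ext2_blocks "$1") / BLOCKS_PER_GROUP )); }
# blocks left after the last complete group (4482 -> 512)
ext2_tail() { echo $(( $(ext2_blocks "$1") % BLOCKS_PER_GROUP )); }
# blocks one group's inode table occupies, $1 = inodes per group (16416 -> 513)
inode_table_blocks() { echo $(( $1 * INODE_SIZE / BLOCK_SIZE )); }

# Blocks mke2fs actually formats. Assumption (simplified from mke2fs, which also
# wants some free blocks in the group): a trailing partial group too small to
# hold its own inode table is dropped; that is the "512 blocks unused" warning.
ext2_usable_blocks() {  # $1 = MiB, $2 = inodes per group
    if [ "$(ext2_tail "$1")" -lt "$(inode_table_blocks "$2")" ]; then
        echo $(( $(ext2_groups "$1") * BLOCKS_PER_GROUP ))
    else
        ext2_blocks "$1"
    fi
}
# blocks that end up unused (4482 16416 -> 512, i.e. 512 * 4096 bytes = 2 MiB)
ext2_unused_blocks() { echo $(( $(ext2_blocks "$1") - $(ext2_usable_blocks "$1" "$2") )); }

# true if $1 is a power of $2 (1 counts, as base^0)
is_power_of() {
    n=$1
    while [ $(( n % $2 )) -eq 0 ]; do n=$(( n / $2 )); done
    [ "$n" -eq 1 ]
}
# With sparse_super (the mke2fs default) superblock backups sit in group 1 and
# in every group whose number is a power of 3, 5 or 7. $1 = number of groups;
# prints the first block of each backup group, which is what e2fsck -b needs.
backup_superblocks() {
    g=1; out=""
    while [ "$g" -lt "$1" ]; do
        if is_power_of "$g" 3 || is_power_of "$g" 5 || is_power_of "$g" 7; then
            out="$out${out:+, }$(( g * BLOCKS_PER_GROUP ))"
        fi
        g=$(( g + 1 ))
    done
    echo "$out"
}

# Summary for the file in the thread; compare with the mke2fs output above.
printf '%s blocks, %s groups, %s unused; backups at: %s\n' "$(ext2_blocks 4482)" \
    "$(ext2_groups 4482)" "$(ext2_unused_blocks 4482 16416)" "$(backup_superblocks 35)"
```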