Encrypted filesystem on loop file
Hi,

I'm trying to create an encrypted filesystem via the Yast partitioner in SuSE 10.1, using a file mounted via the loop device. I have done this before; in fact I have two such things created under 9.3 running; but I can't (couldn't) with 10.1, it is creating a plain non-encrypted filesystem instead.

Or so it seemed.

Looking carefully again, after several runs, I noticed that it was mounting the filesystem as plain non-encrypted, but it was in fact creating an encrypted one, with the appropriate entry in /etc/cryptotab instead of in /etc/fstab - whereas in 9.3 it created them in /etc/fstab instead, and in 8.x they were created in /etc/cryptotab. This change of criteria is very confusing. Perhaps Yast could ask where the user wanted to define it - feature request, perhaps?

It's not only a config file difference; an encrypted filesystem defined in /etc/fstab can be mounted with the command mount, but one defined in /etc/cryptotab is mounted via the command "/etc/init.d/boot.crypto start", which is less comfortable for manual mounting after boot (and it mounts all devices listed, even if already mounted).

/etc/cryptotab sample line:

/dev/loop3 /file3 /crypta3 ext3 twofish256 acl,user_xattr

/etc/fstab, the equivalent sample line:

/file3 /crypta3 ext3 noauto,acl,user_xattr,loop=/dev/loop3,encryption=twofish256 0 0

Both work with the same file, I tried. I'll stay with the second one. But in 9.3 the fstab line was instead (incompatible):

/file2 /crypta2 ext3 noauto,acl,user_xattr,loop=/dev/loop2,encryption=twofish256,phash=sha512,itercountk=100

Comments?

Also, how would I create the equivalent encrypted filesystem manually; docs, howtos?

Tks.

--
Cheers,
Carlos Robinson
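The cryptotab and fstab lines above describe the same loop filesystem in two layouts. As an added example (not from either poster), the POSIX sh below rewrites cryptotab lines of the 10.1 layout shown above into the equivalent fstab lines, so the two can be compared mechanically; the function names, the "defaults" handling and the sample input are my own assumptions.

```shell
#!/bin/sh
# Added example: convert SUSE 10.1 /etc/cryptotab lines into the equivalent
# /etc/fstab lines, so a YaST-created loop filesystem can be mounted with a
# plain "mount <mountpoint>" instead of "/etc/init.d/boot.crypto start".
# Assumed cryptotab layout (as in the thread):
#   loopdev  file  mountpoint  fstype  cipher  options

# Build one fstab line from its parts. "noauto" comes first so the password
# prompt never blocks boot; loop device and cipher become mount options;
# the dump/pass fields are "0 0" as in the thread's sample.
fstab_line() {
    # $1=backing file $2=mountpoint $3=fstype $4=loopdev $5=cipher $6=options
    opts="noauto"
    # Assumption: a bare "defaults" in cryptotab adds nothing worth copying.
    if [ -n "$6" ] && [ "$6" != "defaults" ]; then
        opts="$opts,$6"
    fi
    printf '%s %s %s %s,loop=%s,encryption=%s 0 0\n' \
        "$1" "$2" "$3" "$opts" "$4" "$5"
}

# Convert every non-comment cryptotab line read on stdin; lines without a
# cipher field are reported on stderr and skipped rather than guessed at.
cryptotab_to_fstab() {
    while read -r loopdev file mnt fstype cipher options rest; do
        case "$loopdev" in ''|'#'*) continue ;; esac
        if [ -z "$cipher" ]; then
            printf 'skipping malformed cryptotab line: %s %s %s\n' \
                "$loopdev" "$file" "$mnt" >&2
            continue
        fi
        fstab_line "$file" "$mnt" "$fstype" "$loopdev" "$cipher" "$options"
    done
}

# Constructed sample input: the thread's line, a comment and a truncated line.
sample_cryptotab='# loopdev file mountpoint fstype cipher options
/dev/loop3 /file3 /crypta3 ext3 twofish256 acl,user_xattr
/dev/loop4 /file4 /crypta4 ext3'

# Run the converter over the sample; stderr is silenced for the caller.
convert_sample() {
    printf '%s\n' "$sample_cryptotab" | cryptotab_to_fstab 2>/dev/null
}
```

Feed a real file with `cryptotab_to_fstab < /etc/cryptotab` and compare the output against the fstab entry you intend to add before mounting anything.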
On Sunday 24 September 2006 16:35, Carlos E. R. wrote:
Hello there,

I see you're a little surprised because of that "small" change in SU10, aren't you? As for docs, you should check first the man page of the << losetup >> command. But before that, the following steps will lead you to set up manually an encrypted file system on your partition:

1. Create the loop device with an additional option that says it's encrypted (USE: losetup), for example:

# losetup -e aes-256 /dev/loop0 /dev/hda9
(or)
# losetup -e aes-256 /dev/loop2 /mnt/encrfs.raw

2. Make the file system you want the file/partition to have (USE: mkfs.xxx), for example:

# mkfs.ext3 /dev/loop0
(or)
# mkfs.ext3 /dev/loop2

3. You can now mount your partition or encrypted file with its file system (USE: mount), for example:

# mount -t ext3 /dev/loop0 /mnt/encrpart
(or)
# mount -t ext3 /dev/loop2 /mnt/encrfs

...that's it! You should now enjoy your protected encryption.

TIP: If you don't want to encrypt the whole partition (device fs), you have the opportunity to encrypt a chosen folder, using the << encfs >> command. Of course, if you don't know what it can do for you, you should check its man page or search internet sources.

TIP: If you want to encrypt only a specified file you can use the << gpg >> command.

Greetings from PoLaNd and gOOd lUCK
The Sunday 2006-09-24 at 17:59 +0200, Roman Pindela wrote:
> Hello there, I see you're a little surprised because of that "small" change in SU10, aren't you? As for docs, you should check first the man page of the << losetup >> command.
Well, man pages are useful information, but often they assume you know something about the subject. They don't explain "how" I should use it, even less how to combine the different commands or possibilities. They are usually simply a list of command options. They are no substitute for "documentation" as in a howto.

In fact, I have just noticed there is a "Disk-Encryption-HOWTO". I'm reading it now. It seems to refer to kernel 2.4, though: it mentions a 2GB limit that doesn't apply now (I use 4.4G encrypted filesystems, for instance).

[...]

No, that howto is no good for my purpose. It is about having the whole system encrypted with a USB keychain as key. I'm not interested in that for the moment.
> But before that, the following steps will lead you to set up manually an encrypted file system on your partition:
>
> 1. Create the loop device with an additional option that says it's encrypted (USE: losetup), for example:
>
> # losetup -e aes-256 /dev/loop0 /dev/hda9
> (or)
> # losetup -e aes-256 /dev/loop2 /mnt/encrfs.raw
>
> 2. Make the file system you want the file/partition to have (USE: mkfs.xxx), for example:
>
> # mkfs.ext3 /dev/loop0
> (or)
> # mkfs.ext3 /dev/loop2
>
> 3. You can now mount your partition or encrypted file with its file system (USE: mount), for example:
>
> # mount -t ext3 /dev/loop0 /mnt/encrpart
> (or)
> # mount -t ext3 /dev/loop2 /mnt/encrfs
That's a starting point, thanks :-)

I managed to create an encrypted filesystem on a file of the type done by Yast easily. And I think I now can fsck it as well. Let me see, I did:

dd if=/dev/zero of=crypta.bck.file3 bs=1M count=4482
losetup -e twofish256 /dev/loop5 crypta.bck.file3

Unfortunately, it only asks once for the password - ah, no, the -T option.

losetup -T -e twofish256 /dev/loop5 crypta.bck.file3

nimrodel:/biggy # mke2fs -L "EncriptedBackup" -Eacl,user_xattr -t ext2 /dev/loop5
mke2fs 1.38 (30-Jun-2005)
mke2fs: invalid blocks count - /dev/loop5

Now, that error is absurd. I'm not telling it the block count, but the device. It doesn't see the device.

mkfs -L "EncriptedBackup" -Eacl,user_xattr -t ext2 /dev/loop5
mke2fs 1.38 (30-Jun-2005)
mkfs.ext2: invalid blocks count - /dev/loop5
---
nimrodel:/biggy # mkfs -t ext2 -L "EncriptedBackup" -E acl,user_xattr /dev/loop5
mke2fs 1.38 (30-Jun-2005)

Bad options specified.

Extended options are separated by commas, and may take an argument which
is set off by an equals ('=') sign.

Valid extended options are:
stride=<stride length in blocks>
resize=<resize maximum size in blocks>
---
nimrodel:/biggy # mkfs -t ext2 -Eacl,user_xattr -L EncriptedBackup /dev/loop5
mke2fs 1.38 (30-Jun-2005)
mkfs.ext2: invalid blocks count - /dev/loop5
---
nimrodel:/biggy # mkfs -t ext2 -L "EncriptedBackup" /dev/loop5
mke2fs 1.38 (30-Jun-2005)
warning: 512 blocks unused.

Filesystem label=EncriptedBackup
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
574560 inodes, 1146880 blocks
57369 blocks (5.00%) reserved for the super user
First data block=0
35 block groups
32768 blocks per group, 32768 fragments per group
16416 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 33 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
nimrodel:/biggy #

I can't find a way to make it accept both volume label and extended options... Weird.

And 512 blocks unused... that's 2 MiB, no? That's acceptable, but I don't know where they come from.

At this point, it can be fsck-ed:

nimrodel:/biggy # fsck /dev/loop5
fsck 1.38 (30-Jun-2005)
e2fsck 1.38 (30-Jun-2005)
EncriptedBackup (/dev/loop5): clean, 11/574560 files, 18046/1146880 blocks

I didn't know how to run fsck on an encrypted filesystem... good :-)

mount -t ext2 /dev/loop5 /mnt/tmp
nimrodel:~ # df -h /mnt/tmp
Filesystem            Size  Used Avail Use% Mounted on
/dev/loop5            4.4G   20K  4.1G   1% /mnt/tmp

I created it as ext2 to minimize the used size at startup. As ext3, it is about 100MiB:

Filesystem            Size  Used Avail Use% Mounted on
/dev/loop5            4.4G  129M  4.0G   4% /mnt/tmp

If you observe, the file is the exact size to fit into a DVD ;-)

Undoing:

nimrodel:/biggy # umount /dev/loop5
nimrodel:/biggy # losetup -d /dev/loop5
nimrodel:/biggy # losetup -a

And the corresponding fstab line is:

/biggy/crypta.bck.file3 /mnt/crypta.3 ext2 noauto,loop=/dev/loop5,encryption=twofish256 0 0

Testing the result:

nimrodel:/biggy # mount /mnt/crypta.3
Password:
nimrodel:/biggy # df -h /mnt/crypta.3
Filesystem               Size  Used Avail Use% Mounted on
/biggy/crypta.bck.file3  4.4G   20K  4.1G   1% /mnt/crypta.3

Fantastic! Your help has allowed me to find out how to do it without Yast and fsck it :-)
> ...that's it! You should now enjoy your protected encryption.
> TIP: If you don't want to encrypt the whole partition (device fs), you have the opportunity to encrypt a chosen folder, using the << encfs >> command. Of course, if you don't know what it can do for you, you should check its man page or search internet sources.
That one is new for me.
> TIP: If you want to encrypt only a specified file you can use the << gpg >> command.
Yes, I know that one. But encrypting a partition is easier to use and it offers reasonable protection for my needs.

--
Cheers,
Carlos E. R.