[opensuse] encrypted usb drives - fixed mount points
Hi, All.
I have been using an external WD 120GB USB drive, and have just added a WD320 MyBook. To upgrade my overall security, I formatted the latter as an encrypted drive using the SUSE partition manager. I like it, and am thinking of getting a matching drive so I can have a data drive and a backup - WD320A and WD320B.
The problem I have is that I cannot anticipate where the different drives will be attached during boot up - /dev/sda1, /dev/sdb1. If these change, and they do, my mount points become useless.
For unencrypted drives, I have found that one can mount by label in /etc/fstab, e.g., LABEL=WD320A, and can set the label using the SUSE partitioning program.
I cannot, however, find a similar procedure for encrypted partitions - you cannot, apparently, specify a label for an encrypted drive/partition with the provided partition program.
I have searched a bit, but can find no solution on the web or news groups.
To summarize, I would like to either force the mounting of encrypted partitions on external USB drives to /dev/sda1, etc. Or, would like to be able to mount encrypted drives correctly without regard to their /dev/sdxx.
Does anyone have a solution to this problem? Can someone point me toward a relevant discussion?
OS: SUSE 10.0
TIA
--
Dennis E. Slice
Department of Anthropology
University of Vienna
========================================================
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
* Dennis E. Slice
To summarize, I would like to either force the mounting of encrypted partitions on external USB drives to /dev/sda1, etc. Or, would like to be able to mount encrypted drives correctly without regard to their /dev/sdxx.
Does anyone have a solution to this problem? Can someone point me toward a relevant discussion?
I have a number of FireWire drives attached to my laptop and have encountered the same issue with them. What I do is to mount by the drive ID like so (actual example entry from fstab):
/dev/disk/by-id/ieee1394-00050003e00121a4:0:0-part5 /q xfs noauto,noatime,nodiratime 0 0
BTW, the "/dev/disk/by-id/*" entries are symlinks to the actual "/dev/sd*" entries.
You can also use the "/dev/disk/by-uuid/" links which are analogous to the above but use the filesystem UUID instead. Don't know if this will work with encrypted drives, though. The "by-id" entries are more persistent anyway since they are based on the hardware ID of the disk drive itself, not some transient information recorded on the disk.
One way to determine the hardware ID of the drive is via the command:
lsscsi -dgv
which will give you that and more information on the drive and where it has been mounted via the hotplug system. Plugging in the drives one at a time will help disambiguate which drive is which since both of yours are identical models.
Hope this helps!
Phil
--
Philip Amadeo Saeli
SUSE Linux 10.1
psaeli@zorodyne.com
Huzzah, it works! I just changed the relevant (currently only) cryptotab line from:
/dev/loop0 /dev/sda1 /media/usbdisk320 reiserfs twofish256 acl,user_xat
to:
/dev/loop0 /dev/disk/by-id/usb-WD_3200JB_External_xxx-part1 /media/usbdisk320 reiserfs twofish256 acl,user_xattr
where usb-WD_3200JB_External_xxx-part1 is the disk id found by ls /dev/disk/by-id when the disk is mounted. The xxx stands for the long string of numbers that identify the drive. With more than one identical drive, one could get the correct numbers by unplugging drives as previously suggested. I only have one encrypted drive at this point, but this should work when I add another.
Thanks to all, ds
PS: I also made a similar change in the fstab to mount my unencrypted 120GB drive. That would have mounted uniquely using the partition label, but I prefer the direct ID method since that works for both encrypted and unencrypted drive partitions. -ds
Philip Amadeo Saeli wrote:
* Dennis E. Slice
[2007-01-07 18:32]: To summarize, I would like to either force the mounting of encrypted partitions on external USB drives to /dev/sda1, etc. Or, would like to be able to mount encrypted drives correctly without regard to their /dev/sdxx.
Does anyone have a solution to this problem? Can someone point me toward a relevant discussion?
I have a number of FireWire drives attached to my laptop and have encountered the same issue with them. What I do is to mount by the drive ID like so (actual example entry from fstab):
/dev/disk/by-id/ieee1394-00050003e00121a4:0:0-part5 /q xfs noauto,noatime,nodiratime 0 0
BTW, the "/dev/disk/by-id/*" entries are symlinks to the actual "/dev/sd*" entries.
You can also use the "/dev/disk/by-uuid/" links which are analogous to the above but use the filesystem UUID instead. Don't know if this will work with encrypted drives, though. The "by-id" entries are more persistent anyway since they are based on the hardware ID of the disk drive itself, not some transient information recorded on the disk.
One way to determine the hardware ID of the drive is via the command:
lsscsi -dgv
which will give you that and more information on the drive and where it has been mounted via the hotplug system. Plugging in the drives one at a time will help disambiguate which drive is which since both of yours are identical models.
Hope this helps!
Phil
--
Dennis E. Slice
Department of Anthropology
University of Vienna
The Sunday 2007-01-07 at 13:31 -0500, Dennis E. Slice wrote:
For unencrypted drives, I have found that one can mount by label in /etc/fstab, e.g., LABEL=WD320A, and can set the label using the SUSE partitioning program.
There are two places for mounting encrypted partitions in linux. One is the "/etc/cryptotab" file. The other one is directly in /etc/fstab - and in there I think you can use labels. At least, try, it might work.
OS: SUSE 10.0
I'm using 10.1
--
Cheers, Carlos E. R.
Well, I have my system the way I want it. Thought I would post a summary that might help others.
CPU: Dell gx240
OS: SUSE 10.0
I bought a Western Digital 320GB mybook to replace/augment a WD120GB drive. Liked it, so I bought another. Basically, I connected the drives and used YAST2|System|Partitioner to delete the FAT32 partition that came with the drive, then created a single encrypted reiserfs partition on each drive.
For unencrypted drives, an entry with something like /dev/sda1 is entered into the fstab. For encrypted ones, a similar entry is made in /etc/cryptotab.
To specify where each drive is mounted (you can't know if it will be sda, sdb, etc.) reference the drive by its entry in /dev/disk/by-id/ (see below). I.e., simply replace /dev/sda or whatever with the appropriate /dev/disk/by-id/...
There are two entries in this directory for each drive - one with and one without the -parti. The one without is the physical drive, the one with is the partition on that drive. I suppose other -partis would appear if you had more partitions. You can unplug drives to figure out which is which if you are working with identical drives.
File contents (<snip> was a long serial number of the drive):
In /etc/fstab...
/dev/disk/by-id/usb-WD_1200BB_<snip>-part1 /media/USB120 reiserfs user,noauto,acl 0 0
In /etc/cryptotab...
/dev/loop0 /dev/disk/by-id/usb-WD_<snip>-part1 /media/USB320_0 reiserfs twofish256 acl,user_xattr
/dev/loop1 /dev/disk/by-id/usb-WD_<snip>-part1 /media/USB320_1 reiserfs twofish256 acl,user_xattr
NOTE: If you work with one drive at a time, the partitioner will put multiple /dev/loop0s in the cryptotab. You have to give each a unique number.
These encrypted drives don't automatically mount AFAIK, so I have a little script I run as su when I (re)boot the computer. Something like:
script: usbmount...
umount /dev/sda1
umount /dev/sdb1
umount /dev/sdc1
/etc/init.d/boot.crypto start
mount /media/wd120
There are some leftovers in this script: the encrypted drives (in /etc/cryptotab) don't automatically mount. The umount commands were there to unmount the unencrypted USB120 when I was transferring files - it needed to be remounted for performance. The encrypted partitions are mounted by the "/etc/init.d/boot.crypto start" line and you are asked for the password for the encrypted volumes.
One thing to note. My system had USB1.1, so I bought a cheap USB 2.0 PCI card. For unencrypted drives, that improved performance 20X, but only around 10X for encrypted volumes. That is, there is about a 50% performance hit due to running encryption, but it is not really noticeable to me in use.
Hope this helps someone. Ciao and thanks to all who helped me.
Dennis E. Slice wrote:
Hi, All.
I have been using an external WD 120GB USB drive, and have just added a WD320 MyBook. To upgrade my overall security, I formatted the latter as an encrypted drive using the SUSE partition manager. I like it, and am thinking of getting a matching drive so I can have a data drive and a backup - WD320A and WD320B.
The problem I have is that I cannot anticipate where the different drives will be attached during boot up - /dev/sda1, /dev/sdb1. If these change, and they do, my mount points become useless.
For unencrypted drives, I have found that one can mount by label in /etc/fstab, e.g., LABEL=WD320A, and can set the label using the SUSE partitioning program.
I cannot, however, find a similar procedure for encrypted partitions - you cannot, apparently, specify a label for an encrypted drive/partition with the provided partition program.
I have searched a bit, but can find no solution on the web or news groups.
To summarize, I would like to either force the mounting of encrypted partitions on external USB drives to /dev/sda1, etc. Or, would like to be able to mount encrypted drives correctly without regard to their /dev/sdxx.
Does anyone have a solution to this problem? Can someone point me toward a relevant discussion?
OS: SUSE 10.0
TIA
--
Dennis E. Slice
Department of Anthropology
University of Vienna
The Tuesday 2007-01-16 at 13:15 -0500, Dennis E. Slice wrote: ...
For unencrypted drives, an entry with something like /dev/sda1 is entered into the fstab. For encrypted ones, a similar entry is made in /etc/cryptotab.
As I mentioned previously, you can also use fstab for encrypted partitions. For instance, one of mine:
/device_or_file /mnt/crypto xfs noauto,loop=/dev/loop4,encryption=twofish256 0 0
I doubt labels could be used here, but I assume dev-ids would - I never thought of that till reading this thread ;-)
These encrypted drives don't automatically mount AFAIK, so I have a little script I run as su when I (re)boot the computer. Something like:
They would mount if available at boot time, if the service is enabled:
nimrodel:~ # chkconfig boot.crypto boot.crypto on
and the device is available at that time. It prompts for a password during boot up.
script: usbmount...
umount /dev/sda1
umount /dev/sdb1
umount /dev/sdc1
/etc/init.d/boot.crypto start
mount /media/wd120
If you define them in fstab instead, a simple "mount /mnt/crypto" works. Easier typing ;-)
One thing to note. My system had USB1.1, so I bought a cheap USB 2.0 PCI card. For unencrypted drives, that improved performance 20X, but only around 10X for encrypted volumes. That is, there is about a 50% performance hit due to running encryption, but it is not really noticeable to me in use.
sync/nosync?
--
Cheers, Carlos E. R.
[Sorry for the formatting. I wanted to reorder the comments.] My system works fine, but I was very interested in Carlos' suggestions. Here are my observations:
They would mount if available at boot time, if the service is enabled:
nimrodel:~ # chkconfig boot.crypto boot.crypto on
and the device is available at that time. It prompts for a password during boot up.
boot.crypto tries, but fails to find the partitions at boot time. In fact, it fails without delay. The relevant line from the boot.msg is:
Activating crypto devices using /etc/cryptotab ...failed
actually, while booting, there are messages to the effect that the specified partitions are not available. Later in the file is:
System Boot Control: The system has been set up
Failed features: boot.crypto
It does try to start the USB system and waits 3 seconds before attempting to mount the encrypted drives. The drive lights are on. (These are MyBooks that power up/down with the computer.)
As I mentioned previously, you can also use fstab for encrypted partitions. For instance, one of mine:
/device_or_file /mnt/crypto xfs noauto,loop=/dev/loop4,encryption=twofish256 0 0
I doubt labels could be used here, but I assume dev-ids would - I never thought of that till reading this thread ;-)
Right, there is no way to label an encrypted partition as far as I can tell. I moved the specs to fstab, but no go. At boot, the system doesn't seem to know about encryption and just says:
mount: going to use the loop device /dev/loop0
/dev/disk/by-id/usb-WD_<snip>-part1: No such file or directory
mount: failed setting up loop device
for each drive. Here, the drive lights are not yet on.
Subsequently, trying to manually mount the partitions as root gives:
ioctl: LOOP_SET_STATUS: Invalid argument, requested cipher or key length (256 bits) not supported by kernel
I am curious as to why the initial boot.crypto fails, why booting with the specs in fstab doesn't invoke boot.crypto, and why my kernel doesn't support 256 bit encryptions. Actually, I guess I just didn't specify something about the latter when I installed, but I'm not going to reinstall the kernel at this time - everything does work as originally described.
sync/nosync?
Not sure the relevance here for encrypted partitions. I am running with whatever the default is and previous discussions seemed to focus on FAT32 file systems and such.
Best, ds
Carlos E. R. wrote: ...<snip>
--
Dennis E. Slice
Department of Anthropology
University of Vienna
The Wednesday 2007-01-17 at 21:54 -0500, Dennis E. Slice wrote:
[Sorry for the formatting. I wanted to reorder the comments.]
No problem, I do that sometimes.
My system works fine, but I was very interested in Carlos' suggestions. Here are my observations:
They would mount if available at boot time, if the service is enabled:
nimrodel:~ # chkconfig boot.crypto boot.crypto on
and the device is available at that time. It prompts for a password during boot up.
boot.crypto tries, but fails to find the partitions at boot time. In fact, it fails without delay.
Not very surprising in your case, as it is a USB device, so it is not available.
As I mentioned previously, you can also use fstab for encrypted partitions. For instance, one of mine:
/device_or_file /mnt/crypto xfs noauto,loop=/dev/loop4,encryption=twofish256 0 0
I doubt labels could be used here, but I assume dev-ids would - I never thought of that till reading this thread ;-)
Right, there is no way to label an encrypted partition as far as I can tell. I moved the specs to fstab, but no go. At boot, the system doesn't seem to know about encryption and just says:
mount: going to use the loop device /dev/loop0
/dev/disk/by-id/usb-WD_<snip>-part1: No such file or directory
mount: failed setting up loop device
Maybe because usb is not setup yet.
for each drive. Here, the drive lights are not yet on.
Subsequently, trying to manually mount the partitions as root gives:
ioctl: LOOP_SET_STATUS: Invalid argument, requested cipher or key length (256 bits) not supported by kernel
Mmm, that's funny!
I am curious as to why the initial boot.crypto fails,
I believe because usb is not fully up, or if not, the partitions IDs have not appeared yet. I can not test it.
why booting with the specs in fstab doesn't invoke boot.crypto,
No, that's by design. The fstab way is a different way: choose one or the other for each device (I have one method of one device, and the other for another).
and why my kernel doesn't support 256 bit encryptions.
Well, that's "funny", and I don't understand it. If your encrypted partition can be mounted manually using boot.crypto, it must work via fstab as well.
Actually, I guess I just didn't specify something about the latter when I installed, but I'm not going to reinstall the kernel at this time - everything does work as originally described.
I don't think so. The twofish256 method is the one used by Yast, so SuSE kernels support it by default. It has to be something else.
Hold on, you are using 10.0 and I am on 10.1... no, it shouldn't be that. I know there were big changes in 9.x, but not in 10.0
I'm not sure...
Anyway, if you are using the encryption method that Yast uses when creating encrypted partitions, you should have no problems.
Maybe your fstab line is incorrect. Let me see, in cryptotab you have (from a previous post):
/dev/loop0 /dev/disk/by-id/usb-WD_<snip>-part1 /media/USB320_0 reiserfs twofish256 acl,user_xattr
/dev/loop1 /dev/disk/by-id/usb-WD_<snip>-part1 /media/USB320_1 reiserfs twofish256 acl,user_xattr
Then your fstab lines would be:
/dev/disk/by-id/usb-WD_<snip>-part1 /media/USB320_0 reiserfs noauto,loop=/dev/loop0,encryption=twofish256,acl,user_xattr 0 0
/dev/disk/by-id/usb-WD_<snip>-part1 /media/USB320_1 reiserfs noauto,loop=/dev/loop1,encryption=twofish256,acl,user_xattr 0 0
You see, the lines are very similar to the cryptotab file, but in a different order. They have the "noauto" option so that boot doesn't try to mount them. Also, the fsck digit is "0" so that it doesn't try to run fsck on them; even "thinking" about it and not finding the disk will make the boot.localfs stop while booting and request you run a manual fsck. Quite confusing.
sync/nosync?
Not sure the relevance here for encrypted partitions. I am running with whatever the default is and previous discussions seemed to focus on FAT32 file systems and such.
It does have relevance for other partition types, but I'm not sure about encrypted ones.
By the way, when an encrypted partition fails to mount, the messages it gives are confusing. Looking at the output of dmesg may help.
I'll write here my procedure for testing. I use xfs partitions, so don't take the commands literally. Also, I'm using a file instead of a partition, so there are some differences.
* Creation procedure (equivalent to what yast does):
For files, first you need to create an empty file:
dd if=/dev/zero of=crypta.bck bs=1MB count=4700
(note: 1MB = 1e6 bytes; 1MiB = 2^20 bytes)
The peculiar size is for later burning dvds. For partitions, you simply create the partition (fdisk). Then, you activate the loop device on it, choosing the encryption type:
losetup -T -e twofish256 /dev/loop1 crypta.bck
The "-T" is to make it ask for the password twice (crucial when creating! ;-) ). There are many encryption methods, and I don't fully understand them, but "twofish256" is what Yast is using in SuSE 10.1.
Then, you format or create a filesystem:
mkfs -V -t xfs -L CryptoBackup /dev/loop1
or
mkfs -t ext3 /dev/loop1
as you wish. Or reiserfs, or whatever.
Finally, "losetup -d /dev/loop1" will detach the loop device. The "-a" will show what is attached.
* manual mount - easier to see where the problem is:
losetup -e twofish256 /dev/loop1 crypta.bck
mount -t xfs /dev/loop1 /mnt/tmp
umount:
umount /dev/loop1
losetup -d /dev/loop1
losetup -a
* running a fsck:
losetup -T -e twofish256 /dev/loop1 crypta.bck
fsck /dev/loop1
because fsck is run before mounting a device.
* backup to dvd:
Burn the umounted crypta.bck file to dvd as an image (not iso!), via the preferred method. I use:
growisofs -dvd-compat -Z /dev/hdc=crypta.bck
Actually, I have a little script that checks the file is not mounted, burns, and finally compares the result.
Those are my notes... I hope not to have mistyped things. O:-)
--
Cheers, Carlos E. R.
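The cryptotab points raised in the messages above (one loop device per entry, a /dev/disk/by-id/ source instead of /dev/sdX, and the equivalent fstab line with noauto and fsck pass 0), as an added example that is not part of any poster's message. The function names and the sample device ID are made up for illustration, and the field order is assumed from the cryptotab lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): checks for a SUSE-style /etc/cryptotab.
# Field order assumed from the entries quoted in the thread:
#   loopdev  source  mountpoint  fstype  cipher  [options]

# sample_cryptotab: constructed input; the device ID is invented.
sample_cryptotab() {
    cat <<'EOF'
# constructed sample, not a real system's file
/dev/loop0 /dev/disk/by-id/usb-WD_3200JB_External_EXAMPLE0001-part1 /media/USB320_0 reiserfs twofish256 acl,user_xattr
/dev/loop0 /dev/sdb1 /media/USB320_1 reiserfs twofish256 acl,user_xattr
EOF
}

# check_cryptotab FILE
# Prints one finding per line and returns 1 if there was any finding.
check_cryptotab() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        NF < 5 {
            printf "line %d: expected at least 5 fields, found %d\n", NR, NF
            bad = 1; next
        }
        {
            # Every entry needs its own loop device; the thread notes that
            # the partitioner can write /dev/loop0 more than once.
            if ($1 in loops) {
                printf "line %d: %s already used on line %d\n", NR, $1, loops[$1]
                bad = 1
            } else {
                loops[$1] = NR
            }
            # /dev/sdX and /dev/hdX names follow probe order, so they can
            # point at a different drive after the next boot or replug.
            if ($2 ~ /^\/dev\/[sh]d[a-z]+[0-9]*$/) {
                printf "line %d: %s is not a persistent name, use /dev/disk/by-id/\n", NR, $2
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# cryptotab_to_fstab FILE
# Prints the fstab form of each entry: noauto so boot does not try to
# mount an absent drive, and fsck pass 0, as described in the thread.
cryptotab_to_fstab() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF >= 5 {
            opts = "noauto,loop=" $1 ",encryption=" $5
            if (NF >= 6) opts = opts "," $6
            printf "%s %s %s %s 0 0\n", $2, $3, $4, opts
        }
    ' "$1"
}

# Demo on the constructed sample.
demo_file=$(mktemp)
sample_cryptotab > "$demo_file"
check_cryptotab "$demo_file" || echo "cryptotab needs fixing"
cryptotab_to_fstab "$demo_file"
rm -f "$demo_file"
```

Run against a copy of the real file first; the converter only prints lines and never edits /etc/fstab.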
Carlos E. R. wrote:
The Wednesday 2007-01-17 at 21:54 -0500, Dennis E. Slice wrote:
[Sorry for the formatting. I wanted to reorder the comments.]
No problem, I do that sometimes.
My system works fine, but I was very interested in Carlos' suggestions. Here are my observations:
They would mount if available at boot time, if the service is enabled:
nimrodel:~ # chkconfig boot.crypto boot.crypto on
and the device is available at that time. It prompts for a password during boot up. boot.crypto tries, but fails to find the partitions at boot time. In fact, it fails without delay.
Not very surprising in your case, as it is a USB device, so it is not available.
I suppose it might have been better to just mount a regular partition and use encrypted files. But, what's done is done and works. Curiously, though, USB comes up and the drive lights are on before the attempt to mount.
As I mentioned previously, you can also use fstab for encrypted partitions. For instance, one of mine:
/device_or_file /mnt/crypto xfs noauto,loop=/dev/loop4,encryption=twofish256 0 0
I doubt labels could be used here, but I assume dev-ids would - I never thought of that till reading this thread ;-) Right, there is no way to label an encrypted partition as far as I can tell. I moved the specs to fstab, but no go. At boot, the system doesn't seem to know about encryption and just says:
mount: going to use the loop device /dev/loop0
/dev/disk/by-id/usb-WD_<snip>-part1: No such file or directory
mount: failed setting up loop device
Maybe because usb is not setup yet.
Yup. The lights are off.
for each drive. Here, the drive lights are not yet on.
Subsequently, trying to manually mount the partitions as root gives:
ioctl: LOOP_SET_STATUS: Invalid argument, requested cipher or key length (256 bits) not supported by kernel
Mmm, that's funny!
I am curious as to why the initial boot.crypto fails,
I believe because usb is not fully up, or if not, the partitions IDs have not appeared yet. I can not test it.
why booting with the specs in fstab doesn't invoke boot.crypto,
No, that's by design. The fstab way is a different way: choose one or the other for each device (I have one method of one device, and the other for another).
and why my kernel doesn't support 256 bit encryptions.
Well, that's "funny", and I don't understand it. If your encrypted partition can be mounted manually using boot.crypto, it must work via fstab as well.
Actually, I guess I just didn't specify something about the latter when I installed, but I'm not going to reinstall the kernel at this time - everything does work as originally described.
I don't think so. The twofish256 method is the one used by Yast, so SuSE kernels support it by default. It has to be something else.
Hold on, you are using 10.0 and I am on 10.1... no, it shouldn't be that. I know there were big changes in 9.x, but not in 10.0
I'm not sure...
Anyway, if you are using the encryption method that Yast uses when creating encrypted partitions, you should have no problems.
All part of life's mysteries, I guess.
Maybe your fstab line is incorrect. Let me see, in cryptotab you have (from a previous post):
/dev/loop0 /dev/disk/by-id/usb-WD_<snip>-part1 /media/USB320_0 reiserfs twofish256 acl,user_xattr
/dev/loop1 /dev/disk/by-id/usb-WD_<snip>-part1 /media/USB320_1 reiserfs twofish256 acl,user_xattr
Then your fstab lines would be:
/dev/disk/by-id/usb-WD_<snip>-part1 /media/USB320_0 reiserfs noauto,loop=/dev/loop0,encryption=twofish256,acl,user_xattr 0 0
/dev/disk/by-id/usb-WD_<snip>-part1 /media/USB320_1 reiserfs noauto,loop=/dev/loop1,encryption=twofish256,acl,user_xattr 0 0
You see, the lines are very similar to the cryptotab file, but in a different order. They have the "noauto" option so that boot doesn't try to mount them. Also, the fsck digit is "0" so that it doesn't try to run fsck on them; even "thinking" about it and not finding the disk will make the boot.localfs stop while booting and request you run a manual fsck. Quite confusing.
Yes, I modified the fstab lines according to your example. Typos were duly reported as "bad lines", but when correct it tried, but gave the 256 error. Auto mounting failure wasn't too surprising since the drives weren't up and running when it tried to mount.
sync/nosync?
Not sure the relevance here for encrypted partitions. I am running with whatever the default is and previous discussions seemed to focus on FAT32 file systems and such.
It does have relevance for other partition types, but I'm not sure about encrypted ones.
By the way, when an encrypted partition fails to mount, the messages it gives are confusing. Looking at the output of dmesg may help.
Thanks. The following instructions should be useful.
I'll write here my procedure for testing. I use xfs partitions, so don't take the commands literally. Also, I'm using a file instead of a partition, so there are some differences.
* Creation procedure (equivalent to what yast does):
For files, first you need to create an empty file:
dd if=/dev/zero of=crypta.bck bs=1MB count=4700
(note: 1MB = 1e6 bytes; 1MiB = 2^20 bytes)
The peculiar size is for later burning dvds. For partitions, you simply create the partition (fdisk). Then, you activate the loop device on it, choosing the encryption type:
losetup -T -e twofish256 /dev/loop1 crypta.bck
The "-T" is to make it ask for the password twice (crucial when creating! ;-) ). There are many encryption methods, and I don't fully understand them, but "twofish256" is what Yast is using in SuSE 10.1.
Then, you format or create a filesystem:
mkfs -V -t xfs -L CryptoBackup /dev/loop1
or
mkfs -t ext3 /dev/loop1
as you wish. Or reiserfs, or whatever.
Finally, "losetup -d /dev/loop1" will detach the loop device. The "-a" will show what is attached.
* manual mount - easier to see where the problem is:
losetup -e twofish256 /dev/loop1 crypta.bck
mount -t xfs /dev/loop1 /mnt/tmp
umount:
umount /dev/loop1
losetup -d /dev/loop1
losetup -a
* running a fsck:
losetup -T -e twofish256 /dev/loop1 crypta.bck
fsck /dev/loop1
because fsck is run before mounting a device.
* backup to dvd:
Burn the umounted crypta.bck file to dvd as an image (not iso!), via the preferred method. I use:
growisofs -dvd-compat -Z /dev/hdc=crypta.bck
Actually, I have a little script that checks the file is not mounted, burns, and finally compares the result.
Those are my notes... I hope not to have mistyped things. O:-)
Again, thanks. -ds
--
Dennis E. Slice
Department of Anthropology
University of Vienna
participants (3): Carlos E. R., Dennis E. Slice, Philip Amadeo Saeli