Re: [suse-security] Encrypted filesystem on loop file
  • From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
  • Date: Sun, 1 Oct 2006 18:55:07 +0200 (CEST)
  • Message-id: <Pine.LNX.4.64.0610011852250.17467@xxxxxxxxxxxxxxxx>
The Sunday 2006-09-24 at 17:59 +0200, Roman Pindela wrote:

> Hello there
> I see you're a little surprised by that "small" change in SU10, aren't
> you? It's about docs: you should first check the man page of the << losetup >>
> command.

Well, man pages are useful information, but often they assume you know
something about the subject. They don't explain "how" I should use it,
even less how to combine the different commands or possibilities. They
are usually simply a list of command options. They are no substitute for
"documentation" as in a howto.

In fact, I have just noticed there is one "Disk-Encryption-HOWTO". I'm
reading it now. It seems to refer to kernel 2.4, though: it mentions a
2GB limit that doesn't apply now (I use 4.4G encrypted filesystems, for
No, that howto is no good for my purpose. It is about having the whole
system encrypted with a usb keychain as key. I'm not interested in
that for the moment.

> But before that, the following steps will lead you to set up an encrypted file
> system on your partition manually:
> 1. create the loop device with the additional option that says it's encrypted (USE:
> losetup), for example:
> # losetup -e aes-256 /dev/loop0 /dev/hda9
> (or)
> # losetup -e aes-256 /dev/loop2 /mnt/encrfs.raw
> 2. make the file system you want the file/partition to have (USE: mkfs), for example:
> # mkfs.ext3 /dev/loop0
> (or)
> # mkfs.ext3 /dev/loop2
> 3. you can now mount your partition or encrypted file with the file system (USE:
> mount), for example:
> # mount -o loop=/dev/loop0,encryption=aes-256 -t ext3 /dev/hda9 /mnt/encrpart
> (or)
> # mount -o loop=/dev/loop2,encryption=aes-256 -t ext3 /mnt/encrfs.raw /mnt/encrfs

That's a starting point, thanks :-)

I managed to create an encrypted filesystem on a file, of the type done by
Yast, easily. And I think I now can fsck it as well. Let me see, I did:

dd if=/dev/zero of=crypta.bck.file3 bs=1M count=4482
losetup -e twofish256 /dev/loop5 crypta.bck.file3

Unfortunately, it only asks once for the password - ah, no, the -T option.

losetup -T -e twofish256 /dev/loop5 crypta.bck.file3

nimrodel:/biggy # mke2fs -L "EncriptedBackup" -Eacl,user_xattr -t ext2 /dev/loop5
mke2fs 1.38 (30-Jun-2005)
mke2fs: invalid blocks count - /dev/loop5

Now, that error is absurd. I'm not telling it the block count, but the
device. It doesn't see the device.

mkfs -L "EncriptedBackup" -Eacl,user_xattr -t ext2 /dev/loop5
mke2fs 1.38 (30-Jun-2005)
mkfs.ext2: invalid blocks count - /dev/loop5

nimrodel:/biggy # mkfs -t ext2 -L "EncriptedBackup" -E acl,user_xattr /dev/loop5
mke2fs 1.38 (30-Jun-2005)

Bad options specified.

Extended options are separated by commas, and may take an argument which
is set off by an equals ('=') sign.

Valid extended options are:
stride=<stride length in blocks>
resize=<resize maximum size in blocks>

nimrodel:/biggy # mkfs -t ext2 -Eacl,user_xattr -L EncriptedBackup /dev/loop5
mke2fs 1.38 (30-Jun-2005)
mkfs.ext2: invalid blocks count - /dev/loop5

nimrodel:/biggy # mkfs -t ext2 -L "EncriptedBackup" /dev/loop5
mke2fs 1.38 (30-Jun-2005)
warning: 512 blocks unused.

Filesystem label=EncriptedBackup
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
574560 inodes, 1146880 blocks
57369 blocks (5.00%) reserved for the super user
First data block=0
35 block groups
32768 blocks per group, 32768 fragments per group
16416 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 33 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
nimrodel:/biggy #

I can't find a way to make it accept both volume label and extended
options... Weird.

And 512 blocks unused... that's 2 MiB, no? That's acceptable, but I don't
know where they come from.

At this point, it can be fsck-ed:

nimrodel:/biggy # fsck /dev/loop5
fsck 1.38 (30-Jun-2005)
e2fsck 1.38 (30-Jun-2005)
EncriptedBackup (/dev/loop5): clean, 11/574560 files, 18046/1146880 blocks

I didn't know how to run fsck on an encrypted filesystem... good :-)

mount -t ext2 /dev/loop5 /mnt/tmp

nimrodel:~ # df -h /mnt/tmp
Filesystem Size Used Avail Use% Mounted on
/dev/loop5 4.4G 20K 4.1G 1% /mnt/tmp

I created it as ext2 to minimize the used size at startup. As ext3, it is
about 100MiB:

Filesystem Size Used Avail Use% Mounted on
/dev/loop5 4.4G 129M 4.0G 4% /mnt/tmp

If you observe, the file is the exact size to fit into a DVD ;-)


nimrodel:/biggy # umount /dev/loop5
nimrodel:/biggy # losetup -d /dev/loop5
nimrodel:/biggy # losetup -a

And the corresponding fstab line is:

/biggy/crypta.bck.file3 /mnt/crypta.3 ext2 noauto,loop=/dev/loop5,encryption=twofish256 0 0

Testing the result:

nimrodel:/biggy # mount /mnt/crypta.3

nimrodel:/biggy # df -h /mnt/crypta.3
Filesystem Size Used Avail Use% Mounted on
4.4G 20K 4.1G 1% /mnt/crypta.3

Fantastic! Your help has allowed me to find out how to do it without Yast
and fsck it :-)

> ...that's it! You should now enjoy your protected encryption.
> TIP: If you don't want to encrypt the whole partition (device fs), you have the opportunity
> to encrypt a chosen folder, using the << encfs >> command. Of course, if you don't
> know what it can do for you, you should check its man page or search internet
> sources.

That one is new for me.

> TIP: if you want to encrypt only a specified file, you can use the << gpg >> command.

Yes, I know that one. But encrypting a partition is easier to use and it
offers reasonable protection for my needs.

Carlos E. R.
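An added example (mine, not code from the mail or from e2fsprogs): the block-group arithmetic behind the mke2fs output quoted above, which also shows where the "512 blocks unused" come from. A 4482 MiB file is 1147392 4 KiB blocks, i.e. 35 full groups of 32768 plus a tail of 512 blocks; that tail cannot hold a group's own metadata (the inode table alone is around 500 blocks) plus mke2fs' safety margin, so the tail is dropped and a 35-group filesystem results, while the inode budget and the 5% root reservation were already computed from the full requested size. The defaults used here are the ones the output implies (4 KiB blocks, 32768 blocks per group, one 128-byte inode per 8 KiB, 5% reserved, sparse_super backups in group 1 and in groups that are powers of 3, 5 and 7). The "drop the tail group if it is smaller than its metadata plus 50 blocks" rule is how I remember e2fsprogs' initialize.c behaving and is an assumption, as are the function names `ext2_layout`, `backup_superblocks` and `describe`.

```python
"""Block-group arithmetic of mke2fs, reproduced for the 4482 MiB container
discussed in the mail.  Added example, not code from the mail or e2fsprogs."""

from __future__ import annotations

GROUP_DESC_SIZE = 32  # bytes per ext2 group descriptor


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def _is_power_of(n: int, base: int) -> bool:
    while n % base == 0:
        n //= base
    return n == 1


def backup_superblocks(groups: int, blocks_per_group: int, first_data_block: int) -> list[int]:
    """sparse_super: backup superblocks live in group 1 and in groups whose
    number is a power of 3, 5 or 7 (group 0 holds the primary)."""
    return [
        first_data_block + g * blocks_per_group
        for g in range(1, groups)
        if g == 1 or any(_is_power_of(g, b) for b in (3, 5, 7))
    ]


def ext2_layout(size_bytes: int, block_size: int = 4096, blocks_per_group: int = 32768,
                bytes_per_inode: int = 8192, inode_size: int = 128,
                reserved_percent: int = 5) -> dict:
    """Return the geometry mke2fs would choose for a device of size_bytes."""
    requested = size_bytes // block_size
    if requested < blocks_per_group:
        raise ValueError("example assumes at least one full block group")
    # mke2fs derives the inode budget and the root reservation from the
    # *requested* block count, before any tail group is dropped.
    inodes_wanted = (requested * block_size) // bytes_per_inode
    reserved = requested * reserved_percent // 100
    first_data_block = 1 if block_size == 1024 else 0

    blocks = requested
    while True:
        groups = ceil_div(blocks - first_data_block, blocks_per_group)
        # inodes per group, rounded up so the inode table fills whole blocks
        inode_table_blocks = ceil_div(ceil_div(inodes_wanted, groups) * inode_size, block_size)
        inodes_per_group = inode_table_blocks * block_size // inode_size
        gdt_blocks = ceil_div(groups * GROUP_DESC_SIZE, block_size)
        # per-group metadata: superblock copy, group descriptor table,
        # block bitmap, inode bitmap, inode table
        overhead = 1 + gdt_blocks + 2 + inode_table_blocks
        tail = (blocks - first_data_block) % blocks_per_group
        # Assumption: e2fsprogs drops a partial last group that is smaller
        # than its own metadata plus a 50-block margin, then recomputes.
        if tail and tail < overhead + 50:
            blocks -= tail
            continue
        break

    return {
        "requested_blocks": requested,
        "blocks": blocks,
        "unused": requested - blocks,
        "groups": groups,
        "inodes_per_group": inodes_per_group,
        "inode_table_blocks": inode_table_blocks,
        "inodes": groups * inodes_per_group,
        "reserved": reserved,
        "backup_superblocks": backup_superblocks(groups, blocks_per_group, first_data_block),
    }


def describe(layout: dict) -> str:
    """Format the geometry in the style of the mke2fs summary."""
    lines = [
        f"{layout['inodes']} inodes, {layout['blocks']} blocks",
        f"{layout['reserved']} blocks reserved for the super user",
        f"{layout['groups']} block groups",
        f"{layout['inodes_per_group']} inodes per group",
        "Superblock backups stored on blocks:",
        ", ".join(str(b) for b in layout["backup_superblocks"]),
    ]
    if layout["unused"]:
        lines.insert(0, f"warning: {layout['unused']} blocks unused.")
    return "\n".join(lines)


if __name__ == "__main__":
    # the container from the mail: dd ... bs=1M count=4482
    print(describe(ext2_layout(4482 * 1024 * 1024)))
```

Run stand-alone it prints the same figures as the mke2fs run in the mail (1146880 blocks, 35 groups, 16416 inodes per group, 574560 inodes, 57369 reserved, the seven backup superblock locations). Sizing the container to a whole number of groups, e.g. 4096 MiB, leaves no unused tail.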

