Encrypting Files, Directories and partitions/LVMs

Note that (beginning from Etch) Debian GNU/Linux can encrypt your entire disk, including swap (everything except /boot, which the boot loader must still be able to read in the clear); this provides some interesting options when you are storing sensitive data.

Setting up Encrypted Disks using a 2.6 kernel:

The following uses LUKS (Linux Unified Key Setup) on top of the kernel's device-mapper crypt target (dm-crypt), which is available with any 2.6 kernel; 2.6.12 or newer is a better choice, since more ciphers and IV modes are available to it.

  • Run fdisk and create the partitions; the following is for a USB-attached SATA disk (which appears as /dev/sdb). The same steps work perfectly well on logical volumes (LVM); ensure that the lvm service is running (or restart it). In fact, I rarely use hard partitions nowadays and all my disks use LVMs only.
  • Prepare the partition first. Enter a complicated string as the passphrase when prompted. This step is needed only once per disk/partition, and it makes any data already on the partition unrecoverable (luksFormat writes a new header and key slots over the start of the device):
    cryptsetup luksFormat -c aes-cbc-essiv:sha256 /dev/sdb1
    cryptsetup luksOpen /dev/sdb1 delta
    where delta is an arbitrary name for the decrypted mapping; luksOpen asks for the passphrase (and rejects a wrong one, since LUKS can check it against the header) and then exposes the mapping as /dev/mapper/delta:
    
    root@ariesduo:~# ls -l /dev/mapper/
    total 0
    crw-rw---- 1 root root  10, 63 2006-09-06 09:31 control
    brw-rw---- 1 root disk 253,  0 2006-09-06 09:43 delta
    
    mkfs.ext3 /dev/mapper/delta
    
    cryptsetup luksClose delta
    

    Whenever the disk needs to be used (the mapping name does not have to be the one used when the partition was prepared):

    cryptsetup luksOpen /dev/sdb1 cryptbkupdev
    mount /dev/mapper/cryptbkupdev /backups
    

    and use it... After completing your work:

    umount /backups
    cryptsetup luksClose cryptbkupdev
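
    The prepare-once / open-mount-umount-close cycle above, wrapped into one script as an added example (this is not the notes' own script; the script name, the crypt_<device> mapping names and the CLI verbs are assumptions). It refuses to luksFormat a device that already carries a LUKS header or is mounted, and adds an audit step that reads the active mapping's dmsetup table line to confirm the kernel really uses the requested cipher and an ESSIV (non-predictable) IV mode rather than plain CBC sector IVs.

```sh
#!/bin/sh
# luksvol.sh - hypothetical wrapper for the LUKS workflow in these notes
# (an added example, not the notes' own script). Assumes a cryptsetup with
# LUKS support, dmsetup, and root for anything that touches a real device.
set -eu

CIPHER="aes-cbc-essiv:sha256"   # the cipher spec the notes format with

# Derive a device-mapper name from a device path, e.g. /dev/sdb1 -> crypt_sdb1,
# so open and close always agree on the name.
mapper_name() {
    printf 'crypt_%s\n' "$(basename "$1")"
}

# One-time preparation: luksFormat, open, mkfs.ext3, close. Refuses to touch a
# device that already carries a LUKS header or is currently mounted, because
# luksFormat overwrites the header and key slots and the old data is gone.
luks_init() {
    dev="$1"; name=$(mapper_name "$dev")
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "refusing: $dev already has a LUKS header (use open instead)" >&2
        return 1
    fi
    if grep -q "^$dev " /proc/mounts; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    cryptsetup luksFormat -c "$CIPHER" "$dev"
    cryptsetup luksOpen "$dev" "$name"
    mkfs.ext3 "/dev/mapper/$name"
    cryptsetup luksClose "$name"
}

# Everyday use: open the container (LUKS rejects a wrong passphrase here) and mount it.
luks_open_mount() {
    dev="$1"; mnt="$2"; name=$(mapper_name "$dev")
    cryptsetup luksOpen "$dev" "$name"
    mount "/dev/mapper/$name" "$mnt"
}

luks_umount_close() {
    dev="$1"; mnt="$2"; name=$(mapper_name "$dev")
    umount "$mnt"
    cryptsetup luksClose "$name"
}

# Pull the cipher spec out of one 'dmsetup table' line for a crypt target.
# Field layout: <start> <len> crypt <cipher> <key> <iv_offset> <dev> <offset>
# (without --showkeys the key column is printed as zeros).
table_cipher() {
    printf '%s\n' "$1" | awk '$3 == "crypt" { print $4 }'
}

# True unless the mapping uses CBC with plain sector-number IVs, the
# watermarking-prone mode the notes avoid by choosing ESSIV.
iv_mode_ok() {
    case "$(table_cipher "$1")" in
        "")                         return 1 ;;   # not a crypt target
        *-cbc-plain|*-cbc-plain64)  return 1 ;;
        *)                          return 0 ;;
    esac
}

# Audit an active mapping: confirm the kernel is really using the cipher and
# IV mode that were requested, not some other version's default.
audit_mapping() {
    name="$1"; line=$(dmsetup table "$name")
    if iv_mode_ok "$line"; then
        echo "$name: $(table_cipher "$line")"
    else
        echo "$name: weak or unknown IV mode: $line" >&2
        return 1
    fi
}

# Command line: luksvol.sh init|open|close|audit <device> [mountpoint]
if [ $# -gt 0 ]; then
    case "$1" in
        init)  luks_init "$2" ;;
        open)  luks_open_mount "$2" "$3" ;;
        close) luks_umount_close "$2" "$3" ;;
        audit) audit_mapping "$(mapper_name "$2")" ;;
        *) echo "usage: $0 init|open|close|audit <device> [mountpoint]" >&2; exit 2 ;;
    esac
fi
```

    Usage, as root: luksvol.sh init /dev/sdb1 once, then luksvol.sh open /dev/sdb1 /backups and luksvol.sh close /dev/sdb1 /backups around each use; luksvol.sh audit /dev/sdb1 while it is open prints the cipher spec the kernel is actually using. The isLuks guard is what keeps a mistyped "init" from silently wiping a container that already holds data.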
    

    cryptsetup for older systems, such as CentOS 4.x or RHEL4

    Note that, due to the absence of LUKS, the commands and usage are quite different: there is no on-disk header, so a volume is opened with "create" rather than "luksOpen", the passphrase is hashed straight into the key, and nothing records which cipher, hash and key size were used, so the same options (or the same cryptsetup defaults) must be given every time. First create the encrypted volume; the server is rebooted further below to show what happens to the mapping:

    [root@dualathlon32 ~]# cryptsetup create usbbbkupdrv /dev/sda2
    Enter passphrase:
    [root@dualathlon32 ~]# ls /dev/mapper/
    control  usbbbkupdrv
    

    Create an EXT3 filesystem and mount:

    [root@dualathlon32 ~]# mkfs.ext3 /dev/mapper/usbbbkupdrv
    
    [root@dualathlon32 ~]# mount /dev/mapper/usbbbkupdrv /mnt
    

    Upon reboot the device will disappear. One needs to issue the "create" command again to "open" the device, unlike LUKS where we can issue luksOpen and luksClose (the plain-mode mapping can be torn down with "cryptsetup remove usbbbkupdrv"). A correct passphrase "opens" the device and it is mountable immediately. A wrong passphrase does not return any error, because there is no header to check it against, but the EXT3 FS mount will fail; do not run mkfs on a mapping that fails to mount, since that would overwrite the real data with a filesystem keyed to the wrong passphrase. Let us reboot.

    Connection to 10.1.1.198 closed.
    anand@laptop-aries5672:~$ ssh root@10.1.1.198
    

    The system is back up; log in via ssh:

    root@10.1.1.198's password:
    Last login: Fri Jun 29 07:54:59 2007 from 10.1.1.33
    

    Note that by default the device is not available:

    [root@dualathlon32 ~]# dmsetup ls
    No devices found
    [root@dualathlon32 ~]# ls /dev/mapper/
    control
    

    The "create" command "opens" an existing encrypted device if the right passphrase is provided:

    [root@dualathlon32 ~]# cryptsetup create usbbbkupdrv /dev/sda2
    Enter passphrase:
    [root@dualathlon32 ~]# ls /dev/mapper/
    control  usbbbkupdrv
    [root@dualathlon32 ~]# mount /dev/mapper/usbbbkupdrv /mnt
    

    Now the mount succeeds!

    [root@dualathlon32 ~]# df -h|grep mnt
                          4.6G   42M  4.4G   1% /mnt
    [root@dualathlon32 ~]#
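
    The plain-mode pitfall above (a wrong passphrase gives no error, only a mapping full of garbage) handled in a script, as an added example that is not part of the original notes. Instead of finding out at mount time, it reads the ext2/3 superblock magic directly from the mapped device right after "cryptsetup create" and removes the mapping again if the magic is absent. The script name, the explicit cipher/hash/key-size values and the CLI verbs are this example's assumptions; a volume created with an older cryptsetup's defaults has to be opened with exactly those defaults.

```sh
#!/bin/sh
# plainvol.sh - hypothetical helper for the pre-LUKS 'cryptsetup create'
# workflow in these notes (an added example, not the notes' own script).
# A plain dm-crypt mapping has no header, so cryptsetup cannot tell a wrong
# passphrase from a right one; it just maps garbage. This script checks the
# mapped device for an ext2/3 superblock before mounting and removes the
# mapping again if the check fails. Assumes cryptsetup, dd, od and root.
set -eu

# Plain mode records nothing on disk, so cipher, hash and key size must be
# given identically on every 'create'. These values are this example's
# assumption; a volume created with an older cryptsetup's defaults must be
# opened with those defaults instead.
CIPHER="aes-cbc-essiv:sha256"
HASH="sha256"
KEYBITS=256

# True if the ext2/3/4 magic 0xEF53 (little-endian bytes 53 ef) is at byte
# offset 1080 of the device or file: superblock at 1024, s_magic at +56.
ext_magic_ok() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# Open the mapping, then prove the passphrase was right by looking for the
# filesystem. On failure, remove the mapping; never run mkfs on it, since that
# would overwrite the real data with a filesystem keyed to the wrong passphrase.
open_plain() {
    name="$1"; dev="$2"
    cryptsetup create -c "$CIPHER" -h "$HASH" -s "$KEYBITS" "$name" "$dev"
    if ! ext_magic_ok "/dev/mapper/$name"; then
        echo "$name: no ext superblock; wrong passphrase or wrong options?" >&2
        cryptsetup remove "$name"
        return 1
    fi
}

# First-time setup only: this destroys whatever is on the device.
init_plain() {
    name="$1"; dev="$2"
    cryptsetup create -c "$CIPHER" -h "$HASH" -s "$KEYBITS" "$name" "$dev"
    mkfs.ext3 "/dev/mapper/$name"
    cryptsetup remove "$name"
}

mount_plain() {
    name="$1"; dev="$2"; mnt="$3"
    open_plain "$name" "$dev"
    mount "/dev/mapper/$name" "$mnt"
}

umount_plain() {
    name="$1"; mnt="$2"
    umount "$mnt"
    cryptsetup remove "$name"
}

# Command line: plainvol.sh init <name> <device>
#               plainvol.sh mount <name> <device> <mountpoint>
#               plainvol.sh umount <name> <mountpoint>
if [ $# -gt 0 ]; then
    case "$1" in
        init)   init_plain "$2" "$3" ;;
        mount)  mount_plain "$2" "$3" "$4" ;;
        umount) umount_plain "$2" "$3" ;;
        *) echo "usage: $0 init|mount|umount ..." >&2; exit 2 ;;
    esac
fi
```

    With the volume from the session above this would be plainvol.sh mount usbbbkupdrv /dev/sda2 /mnt (after a one-time plainvol.sh init usbbbkupdrv /dev/sda2) and plainvol.sh umount usbbbkupdrv /mnt. The superblock check is deliberately read-only and runs before mount, so a typo in the passphrase leaves no mapping behind that a later mkfs could be pointed at by mistake.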
    

    Using GPG:

    Importing GPG keys from a URL (fetch the ASCII-armoured key and pipe it into gpg):

    lynx -source http://server/dir/person_key.asc | gpg --import -

    Since the key arrived over plain HTTP, compare its fingerprint (gpg --fingerprint) with one obtained out of band before signing or trusting it.

    Using EncFS and FUSE

    Load the FUSE module:

    modprobe fuse

    The first time, the same encfs command creates the encrypted directory, its key and configuration (encfs prompts for the setup mode and a passphrase):

    encfs ~/confidential/encrypted ~/confidential/unencrypted

    Mount the unencrypted view on subsequent uses:

    encfs ~/confidential/encrypted ~/confidential/unencrypted

    After your work is finished, unmount:

    fusermount -u ~/confidential/unencrypted