Docs/SysAdmin/Security/EncryptedFilesystems

From Mandriva Community Wiki

Contents 1 Types of encrypted filesystems 2 Setting up encrypted filesystems 2.1 Cryptoloop 2.2 LUKS 2.2.1 Creating an encrypted volume 2.2.2 Mounting the filesystem manually 2.2.3 Mounting the filesystem at boot 2.2.4 Mounting the filesystem at login 2.2.5 Removable Devices 2.2.6 Encrypted SWAP 2.2.7 Creating an encrypted file acting as a partition (using loopback) 3 References

[edit] Types of encrypted filesystems

(This needs to be expanded, for now I am just linking to other documents which describe this sufficiently)

[edit] Setting up encrypted filesystems

[edit] Cryptoloop

Cryptoloop is supported by diskdrake, from the options for the filesystem, check the 'encrypted' checkbox, and you will be prompted for the details required to setup cryptoloop.

[edit] LUKS

initscripts supports mounting of LUKS encrypted filesystems at boot, however you will have to create the encrypted volumes manually.

This section covers the (easy) task of just encrypting the /home partition. Encrypting the root partition is more complex.

Note that this was done with an LVM volume set aside for /home, if you are not using LVM, replace all occurrences of /dev/mapper/VGsys-home or /dev/VGsys/home with the partition you are using (e.g. /dev/hda6).

[edit] Creating an encrypted volume

Firstly, ensure you aren't accessing the block device you are going to create the encrypted filesystem on, otherwise you will receive funny error messages.

Install the necessary software

urpmi cryptsetup-luks

Create the encrypted volume (in this case an LV)

cryptsetup -h sha256 -c twofish-cbc-essiv:sha256 -s 256 luksFormat /dev/mapper/VGsys-home

or, to use the defaulst (aes-cbc-essiv:sha256):

cryptsetup luksFormat /dev/mapper/VGsys-home

Test that you can open the encrypted volume

cryptsetup luksOpen /dev/mapper/VGsys-home cryptohome

This should have created a new block device as /dev/mapper/cryptohome, which is the unencrypted version of /dev/mapper/VGsys-home

Create the filesystem

mkfs.ext3 /dev/mapper/VGsys-home

Close the volume

cryptsetup luksClose /dev/mapper/VGsys-home

[edit] Mounting the filesystem manually

Assuming the volume was closed, open it again:

cryptsetup luksOpen /dev/mapper/VGsys-home cryptohome

Mount the unencrypted version:

mount /dev/mapper/cryptohome /home

[edit] Mounting the filesystem at boot

To ensure the filesystem is mounted at boot, you now need to make two changes:

Edit /etc/fstab, and change the entry for /home, in my case it was from:

/dev/mapper/VGsys-home /home ext3 noatime 0 0

to

/dev/mapper/cryptohome /home ext3 noatime 0 0

Now, initscripts needs to know how to run the 'cryptsetup luksOpen' command, it does this by reading /etc/crypttab, add an entry like this:

cryptohome /dev/mapper/VGsys-home

[edit] Mounting the filesystem at login

It should be possible to mount the filesystem at login using pam_mount (in contrib), just install using:

urpmi pam_mount

[edit] Removable Devices

HAL apparently has support for LUKS encrypted devices. However, on Mandriva 2007.1 under GNOME, while inserting a flash disk with a LUKS-encrypted filesystem prompts for the passphrase, entering the correct passphrase does not result in it being mounted. Under KDE, no dialog appears at all. However, it can be mounted quite easily with pmount:

[bgmilne@comanche ~]$ pmount /dev/sda1
Enter LUKS passphrase:
[bgmilne@comanche ~]$ mount|grep sda1
/dev/mapper/_dev_sda1 on /media/sda1 type vfat  (rw,noexec,nosuid,nodev,quiet,shortname=mixed,uid=500,gid=500,umask=077,iocharset=utf8)

[edit] Encrypted SWAP

While it is possible to have the SWAP partition encrypted with a random key on every boot ... what happens to resuming from suspend-to-disk ? Since encrypted partitions are usually more useful on laptops ... and so is suspending ... it seems it may not really be practical. But, in the end, if someone has stolen your laptop, the chances of them recovering data off your /home are *much* better than them being able to reconstruct documents from your swap partition (IMHO).

[edit] Creating an encrypted file acting as a partition (using loopback)

Most documentation is about creating a luks partition but most people can't afford creating new partitions and would like to use a single file holding all encrypted data instead.

Basically, you need to associate this file with a loopback device (/dev/loopX), then create a LUKS device associated to the loopback and finally, create whatever filesystem you like on the LUKS device.

You can create such an encrypted file, mounted as a partition by using the following script.

You need to specify three arguments:

• Filename of the encrypted file to be created
• Size of this file (in the end, approximately the size of filesystem : you won't be able to go beyond)
• Mountpoint of your new encrypted filesystem : the script will mount your partition in this folder

Media:Create_luks_encrypted_file.sh

[edit] References

Linux Unified Key Setup - dmcrypt

Linux/Fedora: Encrypt /home and swap over RAID with dm-crypt

LUKS Encrypted Root

FileSystem Encryption without ROOT

How to Setup a Secure, Encrypted, Anonymized Hosting Service