HOW TO - Use luks encrypted filesystems with Mandriva 2008.0 (or newer).

  1. Introduction
  2. Preparation
  3. Creating an encrypted filesystem
  4. Mounting an encrypted filesystem at boot time.
  5. Mounting an encrypted filesystem at user login. (using scripts)
    1. Create the script to mount the encrypted filesystem.
    2. Modify ~/.bash_profile to mount the encrypted filesystem, at login.
    3. Create the script to unmount and close the encrypted filesystem.
    4. Modify ~/.bash_logout to close the encrypted filesystem, at logout.
  6. Changelog.

1. Introduction

Previously, lo-setup was the preferred method of mounting encrypted file systems. As per
http://wiki.mandriva.com/en/Releases/Mandriva/2008.0/Notes#Support_for_loopback-based_encrypted_filesystems
this is being deprecated, in favour of luks encryption, due to a known plaintext weakness.

Using luks encryption has the side affect, of allowing mounted encrypted filesystems, to be automatically remounted (without re-entering the encryption passphrase), on resuming from a suspend to disk, Some people consider this to be good. I do not. I consider it a potential security risk, hence the following warning.

WARNING. Keep in mind, that after resuming from a suspend to disk, THE FILESYSTEM WILL BE ACCESSIBLE, WITHOUT RE-ENTERING THE PASSPHRASE, and the encryption key (not the passphrase) will be on disk, in the swap.

While your regular login password will still be required, this may not be what you want. If this is not what you want, use shutdown, instead of suspend to disk, or unmount and close the encrypted filesystem, before suspending to disk.
For example, if your spouse has access to your computer, and an account with su, or sudo access, they can use ALT+F2, to get a console login, and then use su or sudo, to access your encrypted file system.
As the actual encryption key (not the passphrase), will now be on disk, in the swap. (If the swap were encrypted, the resume from disk wouldn't work), anyone with read access to the swap could grab a copy of the encryption key, until after that part of the swap has been overwritten.

2. Preparation

Run "urpmi cryptsetup luks-tools" as root, to install the packages.
Add these modules to /etc/modprobe.preload ...

aes
dm-mod
dm-crypt

Reboot, or run "modprobe -v aes", "modprobe -v dm-mod", and modprobe -v dm-crypt".

If you do not add them to modprobe.preload, /etc/rc.d/rc.sysinit will ask for the passphrase twice, failing the first time, and also printing a message that the /dev/mapper/filesystemname could not be found, for mounting.

When using a loop device, losetup was used to assign a device such as /dev/loop0, to be used to create the unencrypted device, which then contained a normal filesystem. The device /dev/loop0 would be used in fsck, and to represent the device, in a mount command.

When using luks, a user chosen name will be used with cryptsetup to create a device such as /dev/mapper/userchosenname, which will also be used for fsck, and the mount command.

3. Creating an encrypted filesystem

Create a partition, to store the encrypted filesystem. The partition type field does not seem to matter. To avoid possible problems with other operating systems, I suggest using type 83 - Linux Native.

Save the following to a file. Modify the BaseDevice, MapperName, and MountPoint. The BaseDevice will be the location you've chosen to store the encrypted filesystem. The MapperName will be any name you want, that doesn't already exist under /dev/mapper. As usual, the MountPoint will be the directory used to access the data on the encrypted filesystem, when mounted.

If you want the partition mounted a boot time, see the next section before running this script.

As root run "bash whateveryoucalledit" You'll be asked for the passphrase three times. Twice for the luksFormat, and once for the luksOpen.

#!/bin/bash

# WIPES DATA in an existing partition. Changes it to a luks encrypted partition,

BaseDevice=/dev/sda13
MapperName=luksdata
MountPoint=/home/dave/data
fsType=xfs
Label="-L 91-data"
/sbin/cryptsetup --cipher aes-xts-benbi --key-size 512 luksFormat $BaseDevice
/sbin/cryptsetup luksOpen $BaseDevice $MapperName
/sbin/mkfs.$fsType $Label /dev/mapper/$MapperName
/sbin/cryptsetup luksClose $MapperName

4. Mounting an encrypted filesystem at boot time.

Note, that this should only be used where only one person will be using the system, as anyone who doesn't know the passphrase, will have difficulty during boot.

Append the following two lines to the script used to create the encrypted filesystem.

echo "$MapperName $BaseDevice" >> /etc/crypttab
echo "/dev/mapper/$MapperName $MountPoint $fsType defaults 1 2" >> /etc/fstab

Note that it is the addition of the entry to /etc/crypttab, that will cause /etc/rc.d/rc.sysinit to setup the dev/mapper file, which will be used to access the decrypted filesystem.

That's it. Now, everytime you restart the system, you'lll be prompted for the passphrase, for mounting the encrypted filesystem.

5. Mounting an encrypted filesystem at user login. (using scripts)

5.1. Create the script to mount the encrypted filesystem.

Save the following to a file in ~/bin. Modify the BaseDevice, MapperName, and MountPoint. Let's assume it's called /home/dave/myluksmount.

#!/bin/bash
# Script called by ~/.bash_profile, to mount the users data filesystem.
# Note: no entries present in /etc/fstab
# The following entries in /etc/sudoers allows access without root password
# dave ALL = (root) NOPASSWD: /sbin/cryptsetup
# dave ALL = (root) NOPASSWD: /sbin/fsck
# dave ALL = (root) NOPASSWD: /bin/mount
# dave ALL = (root) NOPASSWD: /bin/umount

BaseDevice=/dev/sda13
MapperName=luksdata
MountPoint=/home/dave/data

if  [[ $(grep "/dev/mapper/$MapperName" /proc/mounts) ]]; then
    echo "/dev/mapper/$MapperName already mounted"
    exit
fi

PinEntryPgm=pinentry-qt4
[ -z "$DISPLAY" ] && PinEntryPgm=pinentry-curses

# Set up and send commands to pinentry to get the password, and then
# send the password to cryptsetup to open the encrypted device,
# which then contains the real filesystem.
PinEntryDesc="About to open $MapperName on $BaseDevice"
PinEntryPrompt="Please enter passphrase "
luksOpencmd="sudo /sbin/cryptsetup luksOpen $BaseDevice $MapperName"
PinEntryTTY=`tty`
phrase=`echo "SETDESC $PinEntryDesc
SETPROMPT $PinEntryPrompt
GETPIN" | $PinEntryPgm --lc-ctype="UTF-8" --ttyname="$PinEntryTTY" | sed '/^D/s/^D \(.*\)$/\1/g;/^OK/d' `
echo "$phrase" |$luksOpencmd

sudo /sbin/fsck -a /dev/mapper/$MapperName
rc=$?

if [ $rc -gt 3 ]; then
    echo "Failed to check filesystem. Switch to another console, and run\n"
    echo "fsck on /dev/mapper/$MapperName with appropriate options. (beware, you can lose data)\n"
    read answer
    KEYS=`gprintf "yY"`
fi

sudo /bin/mount -v -t xfs -o defaults,user,exec,dev,suid,atime,logbufs=8,logbsize=256k /dev/mapper/$MapperName $MountPoint

5.3. Modify ~/.bash_profile to mount the encrypted filesystem, at login.

Add the following line to ~/.bash_profile

/home/dave/bin/myluksmount

Be sure to use the correct mountpoint, and path/filename. Place it before any attempt to access, files on the encrypted filesystem. For example, if you have the directory ~/.keychain symlinked to a directory, on the encrypted filesystem, place the above line, before the check, for the existence, of the .keychain directory.

5.4. Create the script to unmount and close the encrypted filesystem.

Save the following to a file in ~/bin. Modify the MapperName, and MountPoint, and use "chmod u+x", to make the file executable. Let's assume it's called /home/dave/myluksclose.

#!/bin/bash

MapperName=luksdata
MountPoint=/home/dave/data

umount $MountPoint
/sbin/cryptsetup luksClose $MapperName

5.5. Modify ~/.bash_logout to close the encrypted filesystem, at logout.

Add the following line to ~/.bash_profile

sudo /home/dave/bin/mylukclose

Be sure to use the correct path/filename. Place it after anything that needs to access, files on the encrypted filesystem (if any).

6. Changelog

Valid XHTML 1.0 Strict