Previously, losetup was the preferred method of mounting encrypted file
systems. As per
http://wiki.mandriva.com/en/Releases/Mandriva/2008.0/Notes#Support_for_loopback-based_encrypted_filesystems
this is being deprecated in favour of LUKS encryption, due to a known-plaintext
weakness in the loopback scheme.
Using LUKS encryption has the side effect of allowing a mounted encrypted filesystem to remain accessible (without re-entering the encryption passphrase) after resuming from a suspend to disk, because the memory image restored from swap still contains the open mapping and its key. Some people consider this to be good. I do not. I consider it a potential security risk, hence the following warning.
WARNING. Keep in mind that after resuming from a suspend to disk, THE FILESYSTEM WILL BE ACCESSIBLE WITHOUT RE-ENTERING THE PASSPHRASE, and the encryption key (not the passphrase) will be on disk, in the swap.
Your regular login password will still be required, but this may not be
what you want. If it is not, use shutdown instead of suspend to disk, or
unmount and close the encrypted filesystem before suspending to disk.
For example, if your spouse has access to your computer and an account with
su or sudo access, they can switch to a text console (Ctrl+Alt+F2), log in
there, and use su or sudo to access your encrypted filesystem.
As the actual encryption key (not the passphrase) will now be on disk, in
the swap, anyone with read access to the swap can grab a copy of it, until
that part of the swap has been overwritten. (If the swap were encrypted, the
resume from disk would not work.) Note that this is the LUKS master key: a
copy of it opens the volume without any passphrase, and changing the
passphrase later (adding a new key slot and removing the old one) does not
change it; only re-creating the LUKS header with luksFormat, which destroys
the data, does.
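One way to follow the advice above (close the volume before suspending to disk) without having to remember it is a pm-utils sleep hook. The script below is an added example, not from the original page: it assumes suspend to disk goes through pm-utils (hooks in /etc/pm/sleep.d are called with the argument hibernate, suspend, thaw or resume) and uses the mapper name luksdata and mount point /home/dave/data from this page. The command paths are variables only so that the functions can be exercised without root; the installed hook uses the real binaries.

```shell
#!/bin/bash
# Added example, not from the original page: a pm-utils sleep hook that
# unmounts and closes the LUKS volume before the system hibernates, so the
# dm-crypt master key is not in the memory image written to swap.
# Assumptions: suspend to disk goes through pm-utils (hooks in /etc/pm/sleep.d
# receive hibernate, suspend, thaw or resume); mapper name and mount point are
# the ones used on this page. Install as /etc/pm/sleep.d/10-luksdata, mode 0755.
MapperName=${MapperName:-luksdata}
MountPoint=${MountPoint:-/home/dave/data}
# Command paths are variables only so the functions can be exercised without
# root; the hook itself runs the real binaries.
CRYPTSETUP=${CRYPTSETUP:-/sbin/cryptsetup}
UMOUNT=${UMOUNT:-/bin/umount}

# Returns 0 when the mapping is closed (or was never open), 1 when it could
# not be closed, e.g. because a process still has files open below the mount
# point (umount fails, and luksClose would fail on a busy device anyway).
close_volume() {
    "$CRYPTSETUP" status "$MapperName" >/dev/null 2>&1 || return 0
    if grep -qs "^/dev/mapper/$MapperName " /proc/mounts; then
        "$UMOUNT" "$MountPoint" || return 1
    fi
    "$CRYPTSETUP" luksClose "$MapperName" || return 1
}

# Hook entry point. Only the hibernate phase matters here: suspend to RAM
# never writes the key to disk, and after thaw the user reopens the volume
# by hand (for instance with the myluksmount script from this page).
pm_hook() {
    case "$1" in
        hibernate)
            if close_volume; then
                echo "$MapperName closed before hibernate"
            else
                echo "$MapperName could not be closed; its key would be written to swap" >&2
                return 1
            fi
            ;;
        suspend|resume|thaw) ;;
    esac
}

pm_hook "$1"
```

pm-utils writes the hook's output to /var/log/pm-suspend.log. Whether a hook that returns non-zero aborts the hibernation depends on the pm-utils version, so check that log rather than assuming the volume was closed.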
Run "urpmi cryptsetup luks-tools" as root, to install the packages.
Add these modules to /etc/modprobe.preload ...
aes
dm-mod
dm-crypt
Reboot, or run "modprobe -v aes", "modprobe -v dm-mod", and "modprobe -v dm-crypt".
If you do not add them to modprobe.preload, /etc/rc.d/rc.sysinit will ask for the passphrase twice, failing the first time, and also print a message that /dev/mapper/filesystemname could not be found for mounting.
When using a loop device, losetup was used to assign a device such as /dev/loop0, to be used to create the unencrypted device, which then contained a normal filesystem. The device /dev/loop0 would be used in fsck, and to represent the device in a mount command.
When using LUKS, a user-chosen name is passed to cryptsetup to create a device such as /dev/mapper/userchosenname, which is likewise used for fsck and the mount command.
Create a partition to store the encrypted filesystem. The partition type field does not seem to matter. To avoid possible problems with other operating systems, I suggest using type 83 - Linux Native.
Save the following to a file. Modify the BaseDevice, MapperName, and MountPoint. The BaseDevice is the partition you've chosen to store the encrypted filesystem. The MapperName is any name you want that doesn't already exist under /dev/mapper. As usual, the MountPoint is the directory used to access the data on the encrypted filesystem when mounted.
If you want the partition mounted at boot time, see the next section before running this script.
As root run "bash whateveryoucalledit". You'll be asked for the passphrase
three times: twice for the luksFormat, and once for the luksOpen (luksFormat
also asks you to confirm with an uppercase YES before it wipes the partition).
#!/bin/bash
# WIPES DATA in an existing partition. Changes it to a luks encrypted partition.
# Stop at the first failure, so a refused or failed luksFormat is not followed
# by luksOpen and mkfs on the wrong device.
set -e
BaseDevice=/dev/sda13
MapperName=luksdata
MountPoint=/home/dave/data
fsType=xfs
Label="-L 91-data"     # left unquoted below on purpose, so it expands to two arguments
/sbin/cryptsetup --cipher aes-xts-benbi --key-size 512 luksFormat $BaseDevice
/sbin/cryptsetup luksOpen $BaseDevice $MapperName
/sbin/mkfs.$fsType $Label /dev/mapper/$MapperName
/sbin/cryptsetup luksClose $MapperName
Note that this should only be used where one person will be using the
system: the passphrase is asked for on the console during boot, so anyone who
does not know it will have difficulty booting the system.
Append the following two lines to the script used to create the encrypted
filesystem.
echo "$MapperName $BaseDevice" >> /etc/crypttab
echo "/dev/mapper/$MapperName $MountPoint $fsType defaults 1 2" >> /etc/fstab
Note that it is the entry in /etc/crypttab that causes /etc/rc.d/rc.sysinit
to set up the /dev/mapper device, which is then used to access the decrypted
filesystem; the /etc/fstab entry must refer to that /dev/mapper device, not to
the underlying partition.
That's it. Now, every time you restart the system, you'll be prompted for the
passphrase for mounting the encrypted filesystem.
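Since a boot-time mount depends on the crypttab and fstab entries agreeing, here is an added check, not from the original page, that reads both files and reports the two usual mistakes: an fstab entry for /dev/mapper/<name> with no crypttab line for <name> (rc.sysinit then reports that the mapper device could not be found), and a partition that crypttab maps but fstab also tries to mount directly. The file paths are parameters so the check can be run against copies; the files in the usage below are the real ones, and any fstab or crypttab content used to try it out is constructed.

```shell
#!/bin/bash
# Added example, not from the original page: check that /etc/crypttab and
# /etc/fstab agree before rebooting. Both file paths are parameters so the
# check can run against copies of the files.

# Returns 0 when the files are consistent, 1 after printing each problem.
check_crypt_fstab() {
    local crypttab=$1 fstab=$2 rc=0 dev mnt fstype opts dump pass name device rest

    # fstab fields: device mount-point fstype options dump pass
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|\#*) continue ;; esac
        case "$dev" in /dev/mapper/*) ;; *) continue ;; esac
        name=${dev#/dev/mapper/}
        # crypttab fields: name device [keyfile] [options]; the first field
        # must match the mapper name that fstab refers to.
        if ! awk -v n="$name" '$1 !~ /^#/ && $1 == n { found = 1 } END { exit !found }' "$crypttab"; then
            echo "fstab mounts $dev on $mnt, but crypttab has no entry named $name" >&2
            rc=1
        fi
    done < "$fstab"

    # The reverse mistake: the raw partition that crypttab maps must not be
    # listed in fstab itself, only its /dev/mapper device.
    while read -r name device rest; do
        case "$name" in ''|\#*) continue ;; esac
        if awk -v d="$device" '$1 == d { found = 1 } END { exit !found }' "$fstab"; then
            echo "crypttab maps $device as $name, but fstab mounts $device directly; use /dev/mapper/$name" >&2
            rc=1
        fi
    done < "$crypttab"
    return "$rc"
}

# Usage: bash check_crypt_fstab.sh /etc/crypttab /etc/fstab
if [ $# -eq 2 ]; then
    check_crypt_fstab "$1" "$2"
fi
```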
Save the following to a file in ~/bin, and use "chmod u+x" to make it executable. Modify the BaseDevice, MapperName, and MountPoint. Let's assume it's called /home/dave/bin/myluksmount.
#!/bin/bash
# Script called by ~/.bash_profile, to mount the user's data filesystem.
# Note: no entries present in /etc/fstab or /etc/crypttab for this device.
# The following entries in /etc/sudoers allow access without the root password:
# dave ALL = (root) NOPASSWD: /sbin/cryptsetup
# dave ALL = (root) NOPASSWD: /sbin/fsck
# dave ALL = (root) NOPASSWD: /bin/mount
# dave ALL = (root) NOPASSWD: /bin/umount
# Beware: NOPASSWD on cryptsetup, mount and umount with no argument restriction
# amounts to root access for dave (any device, any mount options). sudoers can
# pin the arguments instead, for example:
# dave ALL = (root) NOPASSWD: /sbin/cryptsetup luksOpen /dev/sda13 luksdata
BaseDevice=/dev/sda13
MapperName=luksdata
MountPoint=/home/dave/data
fsType=xfs
if grep -qs "^/dev/mapper/$MapperName " /proc/mounts; then
    echo "/dev/mapper/$MapperName already mounted"
    exit 0
fi
# Graphical pinentry under X, curses pinentry on a text console.
PinEntryPgm=pinentry-qt4
[ -z "$DISPLAY" ] && PinEntryPgm=pinentry-curses
# Set up and send commands to pinentry to get the passphrase, and then
# send the passphrase to cryptsetup to open the encrypted device,
# which then contains the real filesystem.
PinEntryDesc="About to open $MapperName on $BaseDevice"
PinEntryPrompt="Please enter passphrase "
luksOpencmd="sudo /sbin/cryptsetup luksOpen $BaseDevice $MapperName"
PinEntryTTY=$(tty)
# pinentry replies "OK", then "D <passphrase>" and "OK", or "ERR ..." if the
# dialog is cancelled. Keep only the D line. Note that pinentry percent-escapes
# '%' (as %25), CR and LF in the D line, which this sed does not decode.
phrase=$(echo "SETDESC $PinEntryDesc
SETPROMPT $PinEntryPrompt
GETPIN" | $PinEntryPgm --lc-ctype="UTF-8" --ttyname="$PinEntryTTY" | sed '/^D/s/^D \(.*\)$/\1/g;/^OK/d')
case "$phrase" in
    ''|ERR*)
        echo "No passphrase entered (pinentry cancelled or failed); $MapperName not opened" >&2
        exit 1 ;;
esac
if ! echo "$phrase" | $luksOpencmd; then
    echo "cryptsetup luksOpen failed for $BaseDevice" >&2
    exit 1
fi
unset phrase
sudo /sbin/fsck -a /dev/mapper/$MapperName
rc=$?
# fsck exit status: 0 clean, 1 errors corrected, 2 reboot needed; 4 and above
# means errors were left uncorrected or fsck could not run. (fsck.xfs is a
# no-op that returns 0; for XFS run xfs_repair by hand if needed.)
if [ $rc -gt 3 ]; then
    printf 'Failed to check filesystem (fsck exit status %d). Switch to another console and run\n' "$rc"
    printf 'fsck on /dev/mapper/%s with appropriate options (beware, you can lose data).\n' "$MapperName"
    printf 'Mount it anyway? [y/N] '
    read -r answer
    case "$answer" in
        [yY]) ;;
        *) sudo /sbin/cryptsetup luksClose $MapperName; exit 1 ;;
    esac
fi
sudo /bin/mount -v -t $fsType -o defaults,user,exec,dev,suid,atime,logbufs=8,logbsize=256k /dev/mapper/$MapperName $MountPoint
Add the following line to ~/.bash_profile
/home/dave/bin/myluksmount
Be sure to use the correct mountpoint and path/filename. Place it before any attempt to access files on the encrypted filesystem. For example, if you have the directory ~/.keychain symlinked to a directory on the encrypted filesystem, place the above line before the check for the existence of the .keychain directory.
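The sed stage in myluksmount keeps only pinentry's D line, which leaves two gaps: when the dialog is cancelled pinentry answers with "ERR ..." and no D line, and pinentry percent-escapes at least '%', CR and LF inside the D line, so a passphrase containing '%' reaches cryptsetup altered. The function below is an added example, not from the original page, that reads the same pinentry output from stdin and handles both; the sample replies in the usage note are constructed from what pinentry prints for GETPIN.

```shell
#!/bin/bash
# Added example, not from the original page: parse the Assuan reply that
# pinentry writes for GETPIN. Reads the reply on stdin, prints the decoded
# passphrase and returns 0, or prints nothing on stdout and returns 1 when the
# user cancelled (ERR line), no D line was returned, or the passphrase cannot
# be passed to cryptsetup through a pipe.
parse_pinentry_reply() {
    local line pin= have=0
    while IFS= read -r line; do
        case "$line" in
            D\ *) pin=${line#D }; have=1 ;;
            ERR*) echo "pinentry: ${line#ERR }" >&2; return 1 ;;
            *) ;;   # "OK ..." greeting and acknowledgements, "S ..." status lines
        esac
    done
    [ "$have" -eq 1 ] || { echo "pinentry: no passphrase returned" >&2; return 1; }
    # cryptsetup reads a passphrase from a pipe only up to the first newline,
    # so a passphrase containing CR or LF (escaped as %0D / %0A) cannot be
    # passed this way; refuse rather than feed cryptsetup a truncated one.
    case "$pin" in
        *%0[Aa]*|*%0[Dd]*)
            echo "pinentry: passphrase contains a line break; not supported here" >&2
            return 1 ;;
    esac
    # Only '%' itself remains to be decoded (%25). A literal "%25" typed by the
    # user arrives as %2525 and decodes back to %25 in the single pass.
    printf '%s\n' "$pin" | sed 's/%25/%/g'
}
```

In myluksmount, replace the sed stage with this function and stop when it fails: phrase=$(printf 'SETDESC %s\nSETPROMPT %s\nGETPIN\n' "$PinEntryDesc" "$PinEntryPrompt" | $PinEntryPgm --lc-ctype="UTF-8" --ttyname="$PinEntryTTY" | parse_pinentry_reply) || exit 1. A successful reply looks like "OK Pleased to meet you", "D s3cret%25pass", "OK" (one line each) and decodes to s3cret%pass; a cancelled dialog looks like "OK Pleased to meet you", "ERR 83886179 Operation cancelled <Pinentry>".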
Save the following to a file in ~/bin. Modify the MapperName and MountPoint, and use "chmod u+x" to make the file executable. Let's assume it's called /home/dave/bin/myluksclose. It uses the sudoers entries from myluksmount for umount and cryptsetup, so it is run as the user rather than via sudo (allowing sudo on a script in your own home directory would let anyone who can write that file run commands as root).
#!/bin/bash
# Called from ~/.bash_logout to unmount and close the user's data filesystem (sudoers entries as in myluksmount).
MapperName=luksdata
MountPoint=/home/dave/data
if grep -qs "^/dev/mapper/$MapperName " /proc/mounts; then
    # umount fails while any process (e.g. another login session) still has files open there;
    sudo /bin/umount $MountPoint || exit 1   # leave the mapping alone in that case
fi
sudo /sbin/cryptsetup luksClose $MapperName
Add the following line to ~/.bash_logout
/home/dave/bin/myluksclose
Be sure to use the correct path/filename. Place it after anything that needs to access files on the encrypted filesystem (if any). Note that bash runs ~/.bash_logout only when a login shell exits, so an X session that was not started from a login shell will not run it, and the volume stays open if another session still has files open on the mount point.