Protecting Files Using Encrypted Containers
Prerequisites:
Kernel version 2.6.4-rc2 or higher (dm-crypt first appeared in the 2.6.4 series).
KDE version 3.3 or higher must be installed (optional).

System Configuration
Enable the device-mapper module. This lets you create new logical block devices from portions of existing devices; the new devices are "mapped" onto the underlying ones and, for our purposes, behave like normal drive partitions.
Enable dm-crypt ("Crypt Target Support" in the kernel configuration menu). dm-crypt is the kernel module that encrypts and decrypts a mapped device using the crypto API available in the 2.6 kernels.
To keep the encrypted container in a file instead of using an entire drive or partition, loopback device support also has to be enabled. The loopback device module lets an ordinary file be used as if it were a real block device.
Compile in, or build as a module, the cipher you want to use. The AES algorithm is used here, but the crypto API offers others.
The kernel configuration options needed are:
Device Drivers -> Multi-Device Support (RAID and LVM) -> Device Mapper Support
Device Drivers -> Multi-Device Support (RAID and LVM) -> Crypt Target Support
Device Drivers -> Block Devices -> Loopback Device Support
Cryptographic Options -> (the cipher you chose; AES here)
If you build them as modules, the modules are dm-mod, dm-crypt and aes (aes-i586 is the optimized variant on x86 kernels that offer it). Load them with:
modprobe dm-mod
modprobe dm-crypt
modprobe aes
Enable the required options, compile the kernel and install it. Reboot into the new kernel (or make sure the needed modules are loaded).
Now install these two sets of utilities:
device-mapper utilities: if they are already installed, /dev/mapper and /dev/mapper/control will already exist.
cryptsetup utility: if the package is already installed, /bin/cryptsetup will exist.

Creating the Encrypted Container
Create the container file for your data and mount it.
Select a partition with enough free space for the container and make the container large enough for all the files you want in it, including new files: it is not possible to increase the size of the container once it has been created. Here it is stored on /crypt.
Use dd to create the container file; bs is the block size (1MB) and count is the size in blocks (1GB = 1024 x 1MB blocks):
dd if=/dev/random of=/crypt/data.crypt bs=1M count=1024
The source for dd is random data, so unused space in the container is indistinguishable from encrypted data and nobody can tell how much of the container is in use. Be aware that /dev/random blocks whenever the kernel's entropy pool runs dry, so filling a 1GB file from it can take an extremely long time; /dev/urandom never blocks and is the practical choice for this step (the filler only has to be unpredictable, it is not key material).
Create a loopback device using the container file:
losetup /dev/loop0 /crypt/data.crypt
If you use more than one container, each one needs its own /dev/loopX device, where X is a unique number.
Generate a random key and store it in a file named /home/crypt.key. For AES with a 256-bit key the file must contain exactly 32 bytes; the key is raw random bytes, not a text password. Anyone who can read the key file can decrypt the container, so create it readable by root only and keep a copy somewhere other than the machine the container lives on:
head -c 32 /dev/random > /home/crypt.key
chmod 600 /home/crypt.key
Create the encrypted device on top of the loop device, using AES with the key from the file:
cryptsetup -c aes -d /home/crypt.key create data.crypt /dev/loop0
This is a plain dm-crypt mapping: nothing is written to the container to record the cipher or key, so the same -c option, key size and key file must be given identically every time the device is opened. If any of them differ, the device still opens but its contents read back as random garbage, and running mkfs at that point destroys the data.
To mount and use the device, first create a filesystem on it. mke2fs -j creates an ext3 filesystem (ext2 plus a journal); other filesystems can be used:
mke2fs -j /dev/mapper/data.crypt
Once created, mount it like a normal drive partition:
mkdir /mnt/encrypted
mount /dev/mapper/data.crypt /mnt/encrypted
Your encrypted device should act the same way that a normal drive partition does.
* You must remember to unmount the device, remove the mapping and destroy the loopback setup when you are finished with it! As long as the mapping exists, /dev/mapper/data.crypt exposes the plaintext to anyone with root access.
umount /mnt/encrypted
cryptsetup remove data.crypt
losetup -d /dev/loop0
To recap, here is how to remount the device later (note the same -c and -d options as when it was created):
losetup /dev/loop0 /crypt/data.crypt
cryptsetup -c aes -d /home/crypt.key create data.crypt /dev/loop0
mount /dev/mapper/data.crypt /mnt/encrypted
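The following script is an added example and is not part of the original post. It wraps the whole create/open/mount/close procedure above into a few shell functions and adds the checks a practitioner wants around it: the key file must be exactly 32 bytes and readable only by its owner before it is ever handed to cryptsetup, the same cipher and key size are passed on every open (plain dm-crypt has no header to remember them), and teardown runs every step even when an earlier one fails. It assumes the post's own names (/crypt/data.crypt, /home/crypt.key, the mapping name data.crypt and /mnt/encrypted), that cryptsetup accepts -s for the key size, and it uses /dev/urandom for both the filler and the key so that nothing blocks. DRY_RUN, LOOPDEV and SIZE_MB are variables of this script, not of any tool; with DRY_RUN set the commands that need root are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the original post): dm-crypt container wrapper.
# Every command that needs root goes through run(), so DRY_RUN=1 shows what
# would be executed without touching any device.

CONTAINER=${CONTAINER:-/crypt/data.crypt}
KEYFILE=${KEYFILE:-/home/crypt.key}
MAPNAME=${MAPNAME:-data.crypt}
MOUNTPOINT=${MOUNTPOINT:-/mnt/encrypted}
LOOPDEV=${LOOPDEV:-/dev/loop0}   # use a different device per container
CIPHER=aes     # plain dm-crypt stores no header: these two values must never
KEYBITS=256    # change once the container has been formatted

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Create a 32-byte (256-bit) key file that only its owner can read.
gen_key() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing key file $1" >&2
        return 1
    fi
    ( umask 077 && head -c 32 /dev/urandom > "$1" )
}

# Verify the key file before handing it to cryptsetup: it must exist, be
# exactly 32 bytes (a short file is silently zero-padded by cryptsetup, a long
# one silently truncated) and must not be readable by group or others.
check_key() {
    [ -f "$1" ] || { echo "key file $1 missing" >&2; return 1; }
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq 32 ] || { echo "key file $1 is $size bytes, expected 32" >&2; return 1; }
    mode=$(ls -l "$1" | cut -c 5-10)
    [ "$mode" = "------" ] || { echo "key file $1 is readable by group or others" >&2; return 1; }
}

# Map the container: loop device first, then dm-crypt on top of it. A wrong
# key or option does not produce an error here; it produces an unreadable
# filesystem, which is why the options are fixed constants above.
open_container() {
    check_key "$KEYFILE" || return 1
    run losetup "$LOOPDEV" "$CONTAINER" || return 1
    if ! run cryptsetup -c "$CIPHER" -s "$KEYBITS" -d "$KEYFILE" create "$MAPNAME" "$LOOPDEV"; then
        run losetup -d "$LOOPDEV"   # do not leave a half-open setup behind
        return 1
    fi
}

# Create a new container: random-filled file, mapping, then a filesystem.
create_container() {
    if [ -e "$CONTAINER" ]; then
        echo "$CONTAINER already exists" >&2
        return 1
    fi
    run dd if=/dev/urandom of="$CONTAINER" bs=1M count="${SIZE_MB:-1024}" || return 1
    open_container || return 1
    run mke2fs -j "/dev/mapper/$MAPNAME"
}

mount_container() {
    run mkdir -p "$MOUNTPOINT" && run mount "/dev/mapper/$MAPNAME" "$MOUNTPOINT"
}

# Tear down in reverse order; every step is attempted even if an earlier one
# fails, so no stale mapping (exposing plaintext) or loop device stays around.
close_container() {
    rc=0
    run umount "$MOUNTPOINT" || rc=1
    run cryptsetup remove "$MAPNAME" || rc=1
    run losetup -d "$LOOPDEV" || rc=1
    return $rc
}

# Usage: sh crypt-container.sh create|open|mount|close  (DRY_RUN=1 to preview)
case "${1:-}" in
    create) create_container ;;
    open)   open_container ;;
    mount)  mount_container ;;
    close)  close_container ;;
    "")     ;;   # no arguments: only define the functions
    *)      echo "usage: $0 create|open|mount|close" >&2; exit 2 ;;
esac
```

Run it as root: gen_key is called once (for example gen_key /home/crypt.key), then create once, and open/mount/close on every later use. The key-size check matters more than it looks: cryptsetup reads only as many bytes from the key file as the key size needs, so a key file that is accidentally longer than 32 bytes is silently cut, and one that is shorter still "works" but with far less key material than intended.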