Thursday, March 30, 2006

How to Protect Files Using Encryption in Linux

Protecting Files Using Encrypted Containers

Prerequisites:

Kernel version 2.6.4-rc2 or higher.

KDE version 3.3 or higher (optional).

root access for initial setup.

System Configuration

Enable the device-mapper module - this lets you create new logical block devices from portions of existing devices. The block devices then are "mapped" to devices that for our use are treated like normal drive partitions.

Enable dm-crypt – (Crypt Target Support in the kernel configuration menu). dm-crypt is the kernel module used to handle the encryption/decryption using the crypto API available in the 2.6 version kernels.

To use an encrypted container for our files instead of an entire drive or partition, loopback device support also needs to be enabled in the kernel. The loopback device kernel module allows us to use ordinary files as if they were real block devices.

Compile in, or build as a module, the cipher you want to use. The AES algorithm is used here, but others are available.

Modules needed if compiling:
Device Drivers -> Multi-Device Support (RAID and LVM) -> Device Mapper Support
Device Drivers -> Multi-Device Support (RAID and LVM) -> Crypt Target Support
Device Drivers -> Block Devices -> Loopback Device Support
Cryptographic Options ->

Enable the required modules, compile the kernel and install it.
If you built dm-mod, dm-crypt and aes-i586 as modules, load them:
modprobe dm-mod
modprobe dm-crypt
modprobe aes

Now install these two sets of utilities:
device-mapper utilities – if already installed then /dev/mapper and /dev/mapper/control will already exist.

cryptsetup utility - if the package is already installed /bin/cryptsetup will exist

Creating the Encrypted Container
Reboot with the new kernel (or make sure needed modules are loaded)

Create the container for your files and mount it.
Select a partition with enough space to create the container and make the container large enough for all the files you want in it (including new files!!) – it isn’t possible to increase the container size once created.

Use dd to create the container file
dd if=/dev/random of=/crypt/data.crypt bs=1M count=1024

bs is the block size (1MB) and count is the number of blocks (1024 x 1MB = 1GB).

The source for the dd command is /dev/random, so the unused part of the container is indistinguishable from encrypted data and it is impossible to determine how much of the container is in use. The container file is stored in /crypt.

Create a loopback device using the container file.
If multiple containers are used you have to use a different /dev/loopX device (where X is a unique number)

losetup /dev/loop0 /crypt/data.crypt

Create the encrypted device.
I used /dev/random to generate a 32-character random string as the password and stored it in a file named /home/crypt.key.

head -c 32 /dev/random > /home/crypt.key   # take exactly 32 random bytes as the key
cryptsetup -c aes -d /home/crypt.key create data.crypt /dev/loop0

Before the device can be mounted and used it needs a filesystem. The commands below create a journaled ext2 (ext3) filesystem; others can be used.
Once created, mount it like a normal drive partition.

mke2fs -j /dev/mapper/data.crypt
mkdir /mnt/encrypted
mount /dev/mapper/data.crypt /mnt/encrypted

Your encrypted device should act the same way that a normal drive partition does.

* You must remember to unmount the device and destroy the loopback setup when finished with the device!

umount /mnt/encrypted
cryptsetup remove data.crypt
losetup -d /dev/loop0

To recap – here’s how to remount the device:

losetup /dev/loop0 /crypt/data.crypt
cryptsetup -c aes -d /home/crypt.key create data.crypt /dev/loop0
mount /dev/mapper/data.crypt /mnt/encrypted
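As an added example (not part of the original post), here is a small sh wrapper around the open and close sequences above. It assumes the same paths as the post (/crypt/data.crypt, /home/crypt.key, /dev/loop0, the data.crypt mapping and /mnt/encrypted) and adds two things worth having: a check that the key file is exactly 32 bytes and readable only by its owner, and rollback so a failed step does not leave a loop device or a decrypted mapping behind. The DRY_RUN switch and the variable names are this example's own.

```shell
#!/bin/sh
# Wrapper for the dm-crypt container setup described in the post.
# Defaults follow the post; override them through the environment.
CONTAINER=${CONTAINER:-/crypt/data.crypt}
KEYFILE=${KEYFILE:-/home/crypt.key}
LOOPDEV=${LOOPDEV:-/dev/loop0}
MAPNAME=${MAPNAME:-data.crypt}
MOUNTPT=${MOUNTPT:-/mnt/encrypted}
DRY_RUN=${DRY_RUN:-0}   # 1 = print the privileged commands instead of running them

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# The key protects every file in the container, so refuse a key file that is
# not exactly 32 bytes or that anyone other than its owner can read.
check_keyfile() {
  f=$1
  [ -f "$f" ] || { echo "key file $f missing" >&2; return 1; }
  size=$(wc -c < "$f")
  [ "$size" -eq 32 ] || { echo "key file $f is $size bytes, expected 32" >&2; return 1; }
  perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case $perms in
    600|400) return 0 ;;
    *) echo "key file $f has mode $perms, expected 600" >&2; return 1 ;;
  esac
}

# Same order as the post: loop device, mapping, mount. Each step undoes the
# earlier ones on failure so nothing decrypted is left lying around.
crypt_open() {
  check_keyfile "$KEYFILE" || return 1
  run losetup "$LOOPDEV" "$CONTAINER" || return 1
  if ! run cryptsetup -c aes -d "$KEYFILE" create "$MAPNAME" "$LOOPDEV"; then
    run losetup -d "$LOOPDEV"; return 1
  fi
  if ! run mount "/dev/mapper/$MAPNAME" "$MOUNTPT"; then
    run cryptsetup remove "$MAPNAME"; run losetup -d "$LOOPDEV"; return 1
  fi
}

# Tear down in reverse order; keep going past failures so as much as possible
# is released, but report that something stayed open.
crypt_close() {
  rc=0
  run umount "$MOUNTPT" || rc=1
  run cryptsetup remove "$MAPNAME" || rc=1
  run losetup -d "$LOOPDEV" || rc=1
  return $rc
}

case ${1:-} in
  open)  crypt_open ;;
  close) crypt_close ;;
esac
```

Run it as root with `open` or `close`; `DRY_RUN=1 sh crypt.sh open` shows the exact commands without touching any device.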
