Message

Crypto Filesystems

Details
Category: How-To's

Crypto'ed filesystems are an easy means to secure data, especially with all the extra processor power available in PCs today. I have used the following method for enabling crypto on a few of my filesystems, and this method is usable on both windows and Linux.

 

 

The following method uses LUKS which in a nutshell uses passwords/files to unlock the master key to unlock the filesystem. There is a wealth of info out there on this topic so we will focus on the actual process. I suggest if you are converting storage disks over that double check your backup as this is a DESTRUCTIVE process, and I'm not responsible. So read on and get to cryptoing..

#write random to disk for security
#there are dozens of ways to write random data, the following is the easiest to get a good balance of proc/io

cryptsetup create random_sdx /dev/sdb -d /dev/urandom
dd if=/dev/zero of=/dev/mapper/random_sdx bs=1M

#REBOOT and use cfdisk/fdisk  make new partiton, type does not matter.
#Then we move on to setting up the LUKS disk


cryptsetup --verbose --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sdb1 /mnt/usbstick1/storage-key

cryptsetup --key-file=/mnt/usbstick1/storage-key luksOpen /dev/sdb1 cryptostorage

cryptsetup --key-file=/boot/storage-key luksAddKey /dev/sdb1   <-- add a backup PSK if you like, but not necissary

#cryptsetup luksClose/luksOpen cryptostorage  <-- would be a good idea to test

mkfs.ext3 /dev/mapper/cryptostorage

#little step to remove reserverd root space I always use on non / disks
tune2fs  -m 0  /dev/mapper/cryptostorage

#edit sysconfigs

#fstab:
/dev/mapper/cryptostorage /storage ext3 defaults 0 1

#crypttab:

cryptostorage /dev/sdb1 /mnt/usbstick1/storage-key

The following is an example keyscript that will mount the USB stick, I would suggest this run at the start of your sysinit script.
#keyscript

#!/bin/sh
modprobe usb-storage 1>&2
sleep 5
mkdir /mnt/usb 1>&2
mount -t vfat -o ro,umask=077 /dev/sdc1 /mnt/usb 1>&2
#cat /mnt/usb/key
#umount /mnt/usb 1>&2

modify rc.sysinit to run script as follows
#after this line                                if $CS isLuks $csrc 2>/dev/null; then
/root/scripts/keyscript.sh
That is it in a nutshell, you do need to make sure you have all appropriate modules compiled/loaded. There are a few good sites that will get more in detail as to what is needed. For windows use I may format a disk with ntfs and create a small 100M unencrypted partition and put a copy of OTFE on it so I can mount my disks anywhere.



 

 




Joomla templates by a4joomla