PhilippeTeuwen: /* Cryptsetup & LUKS */

2007-04-12T20:05:44Z

Cryptsetup & LUKS

← Older revision		Revision as of 20:05, 12 April 2007
Line 5:		Line 5:
	* cf /usr/share/doc/cryptsetup/CryptoSwap.HowTo		* cf /usr/share/doc/cryptsetup/CryptoSwap.HowTo
	* The diff is that I had to destroy the content of the swap partition before /etc/init.d/cryptdisks otherwise cryptsetup refuses to work.		* The diff is that I had to destroy the content of the swap partition before /etc/init.d/cryptdisks otherwise cryptsetup refuses to work.
			=== To encrypt disks ===
			Creation
			* cryptsetup luksFormat /dev/hdaX
			* cryptsetup luksOpen /dev/hdaX hdaX
			* mkfs.ext3 /dev/mapper/hdaX
			* cryptsetup luksClose hdaX
			Usage
			* cryptsetup luksOpen /dev/hdaX hdaX && mount -t ext3 /dev/mapper/hdaX /mnt/
			* umount /mnt && cryptsetup luksClose hdaX

	==Loopcrypt==		==Loopcrypt==

PhilippeTeuwen at 21:53, 18 November 2006

2006-11-18T21:53:16Z

New page

==Cryptsetup & LUKS==

=== To encrypt the swap===
* apt-get install cryptsetup
* cf /usr/share/doc/cryptsetup/CryptoSwap.HowTo
* The diff is that I had to destroy the content of the swap partition before /etc/init.d/cryptdisks otherwise cryptsetup refuses to work.

==Loopcrypt==

Should work with the Knoppix

As root:

Make a mount point for the encrypted filesystem as follows:
mkdir /mnt/crypt
Edit '/etc/fstab', adding an entry for your mount point as follows:
/dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop 0 0
Create your encrypted file as follows:
dd if=/dev/urandom of=/etc/cryptfile bs=1M count=10
This creates a 10M encryption "container" in /etc called cryptfile.
<br>You can adjust size, location, and name to your preferences.

Next, run losetup as follows:
losetup -e aes /dev/loop0 /etc/cryptfile
You only have one chance to enter the 20 character password, be careful.
''Note: optional test''
If you want to double-check your password, use the command:
losetup -d /dev/loop0
to deactivate your loop device. Next you will run losetup again to test your password, as follows:
losetup -e aes /dev/loop0 /etc/cryptfile
''end optional test''

Make your ext2 filesystem as follows:
mkfs -t ext2 /dev/loop0
Now you can mount the encrypted filesystem with:
mount -t ext2 /dev/loop0 /mnt/crypt
When you're done, you can unmount and protect your filesystem as follows:
umount /dev/loop0
losetup -d /dev/loop0

The above works fine for the root user, but I wanted something where "joe user" could mount, unmount, and read / write to the encrypted container.
<br>After a little trial and effort, here is what I have come up with...

This example shows how to create an ext2 file system on encrypted file.
<br>This example creates a 5 MB file (/mnt/msdos/scratch/cryptfile) for storage and a directory (/mnt/crypt) as a mount point.

A couple of notes: This example is intentionally simple to help you understand basic loop encryption, but is also vulnerable to optimized dictionary attacks.
<br>Also, the "losetup -e" command asks for a 20 character encryption password, make up one and don't forget it.

Execute the following commands (as root), modifying paths and filenames for your purposes:
dd if=/dev/zero of=/mnt/msdos/scratch/cryptfile bs=4k count=1280
losetup -e AES128 -T /dev/loop1 /mnt/msdos/scratch/cryptfile
mkfs -t ext2 /dev/loop1
losetup -d /dev/loop1
mkdir /mnt/crypt
cd /mnt/crypt
chown knoppix.knoppix *
chown knoppix.knoppix .
chown knoppix.knoppix ..
cd ..
chown knoppix.knoppix crypt
Next, add this to your /etc/fstab file (all one line):
/mnt/msdos/scratch/cryptfile /mnt/crypt ext2 noauto,users,exec,loop=/dev/loop1,encryption=AES128 0 0
Exit the root account, to your joe user account (knoppix in this example).

Now regular users should be able to mount the file system as follows (after answering the password prompt correctly).
mount /mnt/crypt
The can then unmount it like this:
umount /mnt/crypt
==Attempt to recover old loopcrypts==
* http://www.saout.de/misc/dm-crypt/
* http://clemens.endorphin.org/Cryptoloop_Migration_Guide
* http://glarson.org/files/loopaes
apt-get install hashalot

LoopCrypt - Revision history

PhilippeTeuwen: /* Cryptsetup & LUKS */

PhilippeTeuwen at 21:53, 18 November 2006