Difference between revisions of "LoopCrypt"

From YobiWiki
 
 
Line 5: Line 5:
 
* cf /usr/share/doc/cryptsetup/CryptoSwap.HowTo
 
* cf /usr/share/doc/cryptsetup/CryptoSwap.HowTo
 
* The diff is that I had to destroy the content of the swap partition before /etc/init.d/cryptdisks otherwise cryptsetup refuses to work.
 
* The diff is that I had to destroy the content of the swap partition before /etc/init.d/cryptdisks otherwise cryptsetup refuses to work.
  +
=== To encrypt disks ===
  +
Creation
  +
* cryptsetup luksFormat /dev/hdaX
  +
* cryptsetup luksOpen /dev/hdaX hdaX
  +
* mkfs.ext3 /dev/mapper/hdaX
  +
* cryptsetup luksClose hdaX
  +
Usage
  +
* cryptsetup luksOpen /dev/hdaX hdaX && mount -t ext3 /dev/mapper/hdaX /mnt/
  +
* umount /mnt && cryptsetup luksClose hdaX
   
 
==Loopcrypt==
 
==Loopcrypt==
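Review bot: in the added "Creation" list, `cryptsetup luksFormat /dev/hdaX` and `mkfs.ext3 /dev/mapper/hdaX` appear with no statement that the X in hdaX is a placeholder or that these two steps reformat the partition; a sentence ahead of the list saying so would help. "Creation" and "Usage" are also plain lines under `=== To encrypt disks ===`, so marking them as `====` subheadings would keep the section structure consistent.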

Latest revision as of 21:05, 12 April 2007

Cryptsetup & LUKS

To encrypt the swap

  • apt-get install cryptsetup
  • cf /usr/share/doc/cryptsetup/CryptoSwap.HowTo
  • The difference is that I had to destroy the content of the swap partition before running /etc/init.d/cryptdisks, otherwise cryptsetup refuses to work.

To encrypt disks

Creation

  • cryptsetup luksFormat /dev/hdaX
  • cryptsetup luksOpen /dev/hdaX hdaX
  • mkfs.ext3 /dev/mapper/hdaX
  • cryptsetup luksClose hdaX

Usage

  • cryptsetup luksOpen /dev/hdaX hdaX && mount -t ext3 /dev/mapper/hdaX /mnt/
  • umount /mnt && cryptsetup luksClose hdaX

Loopcrypt

Should work with Knoppix.

As root:

Make a mount point for the encrypted filesystem as follows:

mkdir /mnt/crypt

Edit '/etc/fstab', adding an entry for your mount point as follows:

/dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop 0 0

Create your encrypted file as follows:

dd if=/dev/urandom of=/etc/cryptfile bs=1M count=10

This creates a 10M encryption "container" in /etc called cryptfile.
You can adjust size, location, and name to your preferences.

Next, run losetup as follows:

losetup -e aes /dev/loop0 /etc/cryptfile

You only have one chance to enter the 20-character password, so be careful.

Note: optional test. If you want to double-check your password, use the command:

losetup -d /dev/loop0

to deactivate your loop device. Next you will run losetup again to test your password, as follows:

losetup -e aes /dev/loop0 /etc/cryptfile

End of optional test.

Make your ext2 filesystem as follows:

mkfs -t ext2 /dev/loop0

Now you can mount the encrypted filesystem with:

mount -t ext2 /dev/loop0 /mnt/crypt

When you're done, you can unmount and protect your filesystem as follows:

umount /dev/loop0
losetup -d /dev/loop0

The above works fine for the root user, but I wanted something where "joe user" could mount, unmount, and read / write to the encrypted container.
After a little trial and effort, here is what I have come up with...

This example shows how to create an ext2 file system on an encrypted file.
This example creates a 5 MB file (/mnt/msdos/scratch/cryptfile) for storage and a directory (/mnt/crypt) as a mount point.

A couple of notes: this example is intentionally simple to help you understand basic loop encryption, but it is also vulnerable to optimized dictionary attacks.
Also, the "losetup -e" command asks for a 20-character encryption password; make one up and don't forget it.

Execute the following commands (as root), modifying paths and filenames for your purposes:

dd if=/dev/zero of=/mnt/msdos/scratch/cryptfile bs=4k count=1280
losetup -e AES128 -T /dev/loop1 /mnt/msdos/scratch/cryptfile
mkfs -t ext2 /dev/loop1
losetup -d /dev/loop1
mkdir /mnt/crypt
cd /mnt/crypt
chown knoppix.knoppix *
chown knoppix.knoppix .
chown knoppix.knoppix ..
cd ..
chown knoppix.knoppix crypt

Next, add this to your /etc/fstab file (all one line):

/mnt/msdos/scratch/cryptfile /mnt/crypt ext2 noauto,users,exec,loop=/dev/loop1,encryption=AES128 0 0

Exit the root account and return to your joe user account (knoppix in this example).

Now regular users should be able to mount the file system as follows (after answering the password prompt correctly):

mount /mnt/crypt

They can then unmount it like this:

umount /mnt/crypt
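The two /etc/fstab entries above differ in what a user-mounted container is allowed to do. The following is an added example, not part of the original page: a small shell check that works out the effective exec/suid/dev flags of an fstab option string the way mount(8) documents it (options are read left to right; user and users imply noexec,nosuid,nodev, and owner and group imply nosuid,nodev, unless a later option overrides them). The function names effective_flags and fstab_flags are hypothetical.

```sh
#!/bin/sh
# Added example: effective exec/suid/dev flags of an fstab option string.
# Function names are hypothetical; the rules follow mount(8).

effective_flags() {
    # $1: fourth fstab field (comma-separated mount options)
    exec_f=exec
    suid_f=suid
    dev_f=dev
    old_ifs=$IFS
    IFS=,
    for opt in $1; do
        case $opt in
            user|users)  exec_f=noexec; suid_f=nosuid; dev_f=nodev ;;
            owner|group) suid_f=nosuid; dev_f=nodev ;;
            exec|noexec) exec_f=$opt ;;
            suid|nosuid) suid_f=$opt ;;
            dev|nodev)   dev_f=$opt ;;
        esac
    done
    IFS=$old_ifs
    printf '%s,%s,%s\n' "$exec_f" "$suid_f" "$dev_f"
}

fstab_flags() {
    # $1: one complete fstab line; prints "<mount point>: <flags>"
    set -f              # no glob expansion while splitting fields
    set -- $1
    set +f
    printf '%s: %s\n' "$2" "$(effective_flags "$4")"
}

# The two fstab entries from this page
fstab_flags '/dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop 0 0'
fstab_flags '/mnt/msdos/scratch/cryptfile /mnt/crypt ext2 noauto,users,exec,loop=/dev/loop1,encryption=AES128 0 0'
```

The first entry leaves the container mounted noexec,nosuid,nodev; in the second, the exec that follows users re-enables execution of binaries stored in the container, while nosuid and nodev stay in force.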

Attempt to recover old loopcrypts

apt-get install hashalot