I have made a file containing an encrypted loopback filesystem. I mount it, and can arrange my passwords and stuff in a logical manner inside of it.

Cryptsetup with LUKS

dm-crypt is the new kernel subsystem for encryption. luks is special header data which encodes the encryption parameters, and also allows there to be multiple passphrases and other advanced features. cryptsetup is the user interface to dm-crypt, and also has been extended to be a frontend to the luks extensions. cryptmount is another frontend to allow non-root users to mount filesystems.

Creating a device

dd if=/dev/urandom of=rkd/comp/encrypted.ext2.new bs=1M count=20   # 20 MiB image, pre-filled with random data
losetup /dev/loop1 rkd/comp/encrypted.ext2.new   # use some free /dev/loopN device, check with `losetup -a`
cryptsetup luksFormat /dev/loop1                 # writes the LUKS header and asks for a passphrase; destroys whatever is on the device
cryptsetup luksOpen /dev/loop1 rkd-encrypted-new # creates /dev/mapper/rkd-encrypted-new

mkfs.ext2 /dev/mapper/rkd-encrypted-new
mount /dev/mapper/rkd-encrypted-new mnt/encrypted/
# Do whatever setup you would like.  Make sure the permissions on the filesystem root are sufficiently strict.

umount mnt/encrypted/
cryptsetup remove rkd-encrypted-new   # same as luksClose
losetup -d /dev/loop1
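An added check, not from the original notes: the LUKS header that luksFormat writes can be read straight from the image file, without root and without opening it, which also tells a LUKS image apart from a headerless cryptoloop image like the ones in the Cryptoloop section below. The field offsets follow the LUKS1 on-disk layout; the image path in the comments is the one used above.

```shell
#!/bin/sh
# Added example, not from the original notes: read the LUKS header that
# luksFormat wrote to an image (e.g. rkd/comp/encrypted.ext2) without root
# and without opening it. A cryptoloop image has no header, so a failing
# is_luks also tells you which recovery recipe applies. LUKS1 offsets.

# Hex string of $3 bytes at offset $2 of file $1 (no spaces).
hexat() {
    od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# Big-endian unsigned integer of $3 bytes at offset $2 of file $1, in decimal.
beint() {
    h=$(hexat "$1" "$2" "$3")
    [ -n "$h" ] || return 1            # file shorter than the requested field
    printf '%d\n' "0x$h"
}

# NUL-padded ASCII field of $3 bytes at offset $2 of file $1.
strat() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# True if $1 starts with the LUKS magic "LUKS\xba\xbe".
is_luks() {
    [ "$(hexat "$1" 0 6)" = "4c554b53babe" ]
}

# Print the header version (1 or 2); fail if $1 is not a LUKS image.
luks_version() {
    is_luks "$1" || return 1
    beint "$1" 6 2
}

# LUKS1 only: cipher-name cipher-mode hash-spec key-bytes payload-offset (512-byte sectors)
luks1_params() {
    [ "$(luks_version "$1")" = 1 ] || return 1
    printf '%s %s %s %s %s\n' "$(strat "$1" 8 32)" "$(strat "$1" 40 32)" \
        "$(strat "$1" 72 32)" "$(beint "$1" 108 4)" "$(beint "$1" 104 4)"
}

# Usage: sh luks-hdr.sh IMAGE...
for f in "$@"; do
    if v=$(luks_version "$f"); then
        printf '%s: LUKS version %s %s\n' "$f" "$v" "$(luks1_params "$f")"
    else
        printf '%s: no LUKS header (plain cryptoloop image or not encrypted)\n' "$f"
    fi
done
```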

Resizing

# unmounting maybe not required but do it anyway
cryptmount -u $fs_name
# grow the image to 100 MiB (sparse); seek must exceed the current size, otherwise dd truncates the file
dd if=/dev/null of=$filesystem_image.ext2 seek=100 bs=1M
# mount again.  ext2/3/4 allows online resizing, but this could
# be done later.  If you don't do this, you have to luksOpen
# the filesystem yourself for the resize command, then un-open it.
cryptmount $fs_name
# ext2/3/4: resize2fs grows the filesystem to fill the device
sudo resize2fs /dev/mapper/$fs_name
df -h $fs_path
# done!

Mounting as root

losetup /dev/loop0 rkd/comp/encrypted.ext2.new # use some free /dev/loopN device, check with `losetup -a`
cryptsetup luksOpen /dev/loop0 rkd-encrypted
mount /dev/mapper/rkd-encrypted mnt/encrypted/

Tear-down:

umount mnt/encrypted/
cryptsetup remove rkd-encrypted
losetup -d /dev/loop0

Mounting it without root

The dm-crypt subsystem doesn't have good support for users being able to mount things, but the add-on program cryptmount can help us here. First, edit /etc/cryptmount/cmtab and add

rkd-encrypted {
    keyformat=luks
    dev=/home/richard/rkd/comp/encrypted.ext2
    dir=/home/richard/mnt/encrypted/
}

Now, a user can mount by using

cryptmount -m rkd-encrypted

and unmount using

cryptmount -u rkd-encrypted

Cryptoloop

cryptoloop is removed from the kernel starting with Debian squeeze. You should use cryptsetup instead.

In order to access old data, use this:

losetup /dev/loop0 rkd/comp/encrypted.ext2   # use a /dev/loopN that is free, check with `losetup -a`
cryptsetup create rkd-encrypted /dev/loop0 --readonly -c aes
mount /dev/mapper/rkd-encrypted mnt/tmp/

To tear down the setup:

umount mnt/tmp/
cryptsetup remove rkd-encrypted
losetup -d /dev/loop0

To make it

XXX undocumented and not explained

modprobe cryptoloop   # if not already done
losetup -f  # which device is available
dd if=/dev/zero of=enc_file bs=1M count=100   # pick the size you want; without count= dd fills the whole disk
losetup -e aes /dev/loopX enc_file  # type password here
dd if=/dev/urandom of=/dev/loopX    # fill the encrypted device with random data, see below for why
mke2fs -m 0 /dev/loopX  # -m 0 so that non-root users can use the 5% usually reserved for root
losetup -d /dev/loopX

then mount it as described under "To mount it" below.

Filling the device with junk from /dev/urandom is intended to prevent attackers from deducing things about the structure of the filesystem. (All they have to do is look at where enc_file is nonzero then use some elementary facts about the ext2 filesystem to deduce, with some uncertainty, how much data you have written to the disk since it was created.) Another workaround for this is to create enc_file directly from /dev/urandom instead of /dev/zero.

You might have to mess with user permissions some.

To mount it

modprobe cryptoloop   # if not already done
sudo mount -o loop,encryption=aes enc_file encrypted/

To automate it

You can automate the mount process by adding it to fstab. It'll ask for a password when it gets mounted. With this example, the user can run "mount mnt/encrypted/" and do it without root access (but still needing the password).

add cryptoloop to /etc/modules

add this to fstab:

/path/to/enc_file /path/to/encrypted auto loop,encryption=aes,user    0   0

You might want to change the permissions of the root directory of the filesystem (do it after you mount it).

Errors

Forgot password: hahaha

ioctl: LOOP_SET_STATUS: Invalid argument: modprobe cryptoloop

DebianNotes/EncryptedLoopback (last edited 2016-06-28 08:34:22 by dhcp-85-133)