doc:appunti:linux:sa:cryptfs

Differences

doc:appunti:linux:sa:cryptfs [2011/02/21 09:55] – [Enc-fs] niccolodoc:appunti:linux:sa:cryptfs [2019/07/12 11:11] – [Reverse enc-fs] niccolo
Line 15: Line 15:
 ==== Cryptoloop ==== ==== Cryptoloop ====
  
-Kernel option''**CONFIG_BLK_DEV_CRYPTOLOOP**''+:!: **WARNING**: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device.
- +
-WARNING: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device.+
  
 Cryptoloops is also vulnerable to known plaintext attacks and watermark attacks. Cryptoloops is also vulnerable to known plaintext attacks and watermark attacks.
  
- +Kernel option: ''**CONFIG_BLK_DEV_CRYPTOLOOP**''.
- +
  
 ==== Dm-crypt ==== ==== Dm-crypt ====
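Review bot: the unchanged context line "Cryptoloops is also vulnerable to known plaintext attacks and watermark attacks" should read "Cryptoloop is also vulnerable ...", and the warning's "use the Device Mapper crypto module instead" would be more useful as a link to the ==== Dm-crypt ==== section that immediately follows, since that is the replacement the reader is being sent to. Moving the kernel option below the warning is the right order: the deprecation notice is what the reader needs first.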
Line 60: Line 56:
 modprobe dm-crypt modprobe dm-crypt
 modprobe twofish modprobe twofish
-cryptsetup isLuks /dev/md4+cryptsetup isLuks /dev/md4; echo $?
 cryptsetup --cipher twofish-cbc-essiv:sha256 --key-size 256 luksFormat /dev/md4 cryptsetup --cipher twofish-cbc-essiv:sha256 --key-size 256 luksFormat /dev/md4
 cryptsetup luksDump /dev/md4 cryptsetup luksDump /dev/md4
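Review bot: the added "; echo $?" after "cryptsetup isLuks /dev/md4" prints an exit status without saying what it means; a short comment such as "0 = already a LUKS device, non-zero = not LUKS" would tell the reader what to expect, and it matters here because the very next line, luksFormat, overwrites the header of /dev/md4 and should only be run when isLuks reports a non-LUKS device.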
Line 87: Line 83:
 max keysize  : 32 max keysize  : 32
 </code> </code>
 +
 +[[wp>Twofish]] was developed by indipendent cryptographers, leaded by [[wp>Bruce Schneier]]. [[wp>Advanced_Encryption_Standard|AES]] is instead approved by the U.S. [[wp>National Security Agency]] (NSA). 
  
 The ecnryption key will be 256 bits long (how it is generated?). The key will be hashed with a passphrase typed by the user and stored in a LUKS keyslot contained in ''/dev/md4''. The ecnryption key will be 256 bits long (how it is generated?). The key will be hashed with a passphrase typed by the user and stored in a LUKS keyslot contained in ''/dev/md4''.
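Review bot: the added Twofish sentence has two spelling problems, "indipendent" should be "independent" and "leaded by" should be "led by"; the following sentence about AES also leaves unsaid whether NSA approval is meant as a point for or against it, which the reader needs to apply the comparison. In the unchanged context line, "ecnryption" should be "encryption", the open question "(how it is generated?)" is still unanswered after this revision, and "the key will be hashed with a passphrase ... and stored in a LUKS keyslot" is imprecise: a keyslot holds the master key encrypted under a key derived from the passphrase, not a hash of the two.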
Line 93: Line 91:
  
 <code> <code>
-cryptsetup luksOpen /dev/md4 mycryptdev+cryptsetup luksOpen /dev/md4 dm0
 ls -l /dev/mapper/ ls -l /dev/mapper/
-mkfs.ext3 -m0 /dev/mapper/mycryptdev +mkfs.ext3 -m0 /dev/mapper/dm0 
-mount /dev/mapper/mycryptdev /mnt+mount /dev/mapper/dm0 /mnt
 </code> </code>
  
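Review bot: renaming the mapping from mycryptdev to dm0 invites confusion with the kernel's own /dev/dm-0 node, which the "ls -l /dev/mapper/" line right after luksOpen will show alongside the new name; a descriptive mapping name (the previous mycryptdev, or the purpose of the volume) avoids that, and whatever name is chosen has to be carried through the crypttab and cryptdisks_start examples later in the page, as this revision does.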
Line 102: Line 100:
  
 <code> <code>
-cryptsetup status mycryptdev +cryptsetup status dm0 
-cryptsetup remove mycryptdev +cryptsetup remove dm0 
-cryptsetup luksClose mycryptdev; # Same as above!+cryptsetup luksClose dm0; # Same as above!
 </code> </code>
  
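Review bot: the block goes from "cryptsetup status dm0" straight to "cryptsetup remove dm0", but the previous hunk mounted the mapping on /mnt, so an "umount /mnt" step is missing before remove or luksClose (the mapping cannot be torn down while the filesystem on it is mounted). The comment "Same as above!" on luksClose is fine; it may help to say that luksClose is the LUKS-aware name for the same operation.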
Line 110: Line 108:
  
 <file> <file>
-mycryptdev  /dev/md4  none  luks,tries=1,timeout=10+dm0  /dev/md4  none  luks,tries=1,timeout=10
 </file> </file>
  
 The passphrase will be asked only once with a 10 seconds timeout. The passphrase will be asked only once with a 10 seconds timeout.
  
-If you want to start automatically the crypto device without prompting for the passphrase you have to:+**WARNING**! See bug [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495509|495509]]. The **''timeout''** paramter does not work, use instead **''noauto''** and start the crypt disk manually with **''/etc/init.d/cryptdisks force-start''**. Beware to set ''noauto'' also into the fstab options for that device. 
 + 
 +If you want to start automatically the crypto device at boot without prompting for the passphrase you have to:
  
   - Generate a random key with the required size (32 bytes * 8 = 256 bits)   - Generate a random key with the required size (32 bytes * 8 = 256 bits)
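Review bot: the new WARNING says the timeout parameter does not work, but the unchanged line just above it, "The passphrase will be asked only once with a 10 seconds timeout", still presents the timeout as working, and the crypttab example keeps "timeout=10"; either mark that sentence and option as old behaviour or drop them so the two statements do not contradict each other. Spelling in the added line: "paramter" should be "parameter" and "Beware to set" should be "Be sure to set". The same bug 495509 is also documented in the new "Manual start of encrypted disk" section at the end of the page, so a link there instead of a second explanation would keep one place to maintain.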
Line 145: Line 145:
 ===== User space ===== ===== User space =====
  
-==== Enc-fs ====+==== enc-fs ====
  
-Per creare una directory criptata in ''**$HOME/encfs/crypt/''**:+Per creare una directory criptata in **''$HOME/encfs/crypt/''**:
  
 <code> <code>
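Review bot: the heading is lowercased to "enc-fs", but the command used in the block below is "encfs" and the project calls itself EncFS; one spelling throughout (the command name is the safest) keeps the section findable. This is also where the page switches from English to Italian, which a reader of the English sections above will not expect; a one-line note, or translating the section, would help.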
Line 158: Line 158:
 La directory **''$HOME/encfs/.crypt/''** contiene i dati veri e propri, criptati. La directory **''$HOME/encfs/crypt/''** è invece una vista in chiaro dei dati. La directory **''$HOME/encfs/.crypt/''** contiene i dati veri e propri, criptati. La directory **''$HOME/encfs/crypt/''** è invece una vista in chiaro dei dati.
  
-Per smontare la directory (e quindi lasciare solo la versione cifrata dei dati):+Per smontare la directory in chiaro (e quindi lasciare solo la versione cifrata dei dati):
  
 <code> <code>
Line 165: Line 165:
  
 Per montare nuovamente la directory si usa lo stesso comando **''encfs''** utilizzato per inizializzare la directory. Per montare nuovamente la directory si usa lo stesso comando **''encfs''** utilizzato per inizializzare la directory.
 +
 +È possibile **modificare la password**; si tratta in realtà della **password che protegge la chiave di cifratura** vera e propria, pertanto non sarà necessario cifrare nuovamente tutto il contenuto. Si usa il comando:
 +
 +<code>
 +encfsctl passwd ~/encfs/.crypt
 +</code>
 +==== Reverse enc-fs ====
 +
 +È possibile usare ''encfs'' per ottenere una "vista" cifrata di una normale directory (ad esempio per effettuare un backup tramite rsync su host remoto e mantenere la riservatezza dei dati). Per automatizzare il processo la password deve essere memorizzata in un file, questo il comando per montare la vista cifrata della directory:
 +
 +<code>
 +cat secret.txt | encfs --standard --reverse --stdinpass /home /home-crypt
 +</code>
 +
 +L'opzione **%%--standard%%** serve a disabilitare la richiesta dei parametri quando si esegue il montaggio encfs per la prima volta. In tale circostanza infatti vengono chiesti via //stdin// alcuni parametri che "consumerebbero" una parte della password fornita appunto via //stdin//. I parametri di encfs vengono salvati nella directory radice in un file di nome **.encfs6.xml**.
 +
 +Per smontare la directory cifrata si utilizza:
 +
 +<code>
 +fusermount -u /home-crypt
 +</code>
 ===== Which encryption algorythm? ===== ===== Which encryption algorythm? =====
  
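Review bot: the reverse-mode example "cat secret.txt | encfs --standard --reverse --stdinpass /home /home-crypt" puts the passphrase in a plain file without saying who may read it; the text should state that secret.txt must be readable only by the user running the mount (and the redirect "encfs ... < secret.txt" does the same job without cat). The paragraph correctly notes that the parameters are saved in .encfs6.xml in the root directory, but in reverse mode that root is the plaintext source (/home), so the file is not part of the encrypted view: the backup described here cannot be decrypted later unless .encfs6.xml is saved separately, and that caveat belongs next to the rsync use case. Formatting: "==== Reverse enc-fs ====" follows "</code>" with no blank line, and the passwd block has the same issue, unlike the rest of the page; in the unchanged heading "algorythm" should be "algorithm".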
Line 263: Line 284:
 </code> </code>
  
 +===== Manual start of encrypted disk =====
 +
 +If an encrypted disk **requires a password to be typed interactively**, it is obviously not possible to start it automatically at boot time. In old Debian releases there was the **timeout** parameter to be added into **/etc/crypttab**. Using that parameter, the starting of a LUKS volume is skipped at boot time and can be executed later using **/etc/init.d/cryptdisks start**.
 +
 +Starting with **Debian 5 Lenny** the //timeout// parameter was not longer available (see [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495509|bug #495509]]). The **noauto** parameter is instead required in **/etc/crypttab** and eventually in **/etc/fstab**.
 +
 +Starting with **Debian 6 Squeeze** the **noauto** parameter is still required. Once the system is running you can execute the command **/etc/init.d/cryptdisks force-start** to start the encrypted disk, asking for the password.
 +
 +Starting with **Debian 9 Stretch** the **noauto** parameter is used as usual, but //sysvinit// init system was superceeded by **systemd**, so the script ''/etc/init.d/cryptdisks'' is no longer used. To start the encrypted disk interactively you should use the script **cryptdisks_start** instead, e.g.:
 +
 +<code>
 +cryptdisks_start dm0
 +</code>
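Review bot: in the Lenny paragraph, "eventually in /etc/fstab" reads as the Italian "eventualmente" and should be "and, if the device is listed there, in /etc/fstab", since the point is that noauto is needed in both files for the device; "was not longer available" should be "was no longer available" and "superceeded" should be "superseded". The section is the fuller treatment of bug 495509 that the crypttab WARNING earlier in this revision also describes; cross-linking the two (or keeping only this one) avoids maintaining the same advice twice. The closing example "cryptdisks_start dm0" depends on the mapping name chosen in the luksOpen example, which a reader landing here directly will not know; naming the crypttab entry it refers to would make the section self-contained.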
doc/appunti/linux/sa/cryptfs.txt · Last modified: 2020/01/29 10:48 by niccolo