doc:appunti:linux:sa:cryptfs
Differences
doc:appunti:linux:sa:cryptfs [2011/02/21 09:57] – [Enc-fs] niccolo | doc:appunti:linux:sa:cryptfs [2019/07/12 11:11] – [Reverse enc-fs] niccolo | ||
Line 15: | Line 15: | ||
==== Cryptoloop ==== | ==== Cryptoloop ==== | ||
- | Kernel option: '' | + | :!: **WARNING**: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device. |
- | + | ||
- | WARNING: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device. | + | |
Cryptoloops is also vulnerable to known plaintext attacks and watermark attacks. | Cryptoloops is also vulnerable to known plaintext attacks and watermark attacks. | ||
- | + | Kernel option: '' | |
- | + | ||
==== Dm-crypt ==== | ==== Dm-crypt ==== | ||
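Review bot: the context line `Cryptoloops is also vulnerable to known plaintext attacks and watermark attacks.` has a stray plural and should read `Cryptoloop is also vulnerable ...`. It would also help to say why dm-crypt is the recommended replacement: the watermark attack exploits cryptoloop's predictable per-sector IVs, and the `twofish-cbc-essiv:` cipher spec used in the dm-crypt section of this page is precisely the IV mode that removes that weakness.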
Line 60: | Line 56: | ||
modprobe dm-crypt | modprobe dm-crypt | ||
modprobe twofish | modprobe twofish | ||
- | cryptsetup isLuks /dev/md4 | + | cryptsetup isLuks /dev/md4; echo $? |
cryptsetup --cipher twofish-cbc-essiv: | cryptsetup --cipher twofish-cbc-essiv: | ||
cryptsetup luksDump /dev/md4 | cryptsetup luksDump /dev/md4 | ||
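Review bot: appending `; echo $?` to `cryptsetup isLuks /dev/md4` is necessary because isLuks prints nothing and reports only through its exit status (0 when a LUKS header is present), but the text should say what to do with that result: the `cryptsetup --cipher twofish-cbc-essiv:...` format step that follows overwrites any existing header, so it must only be run once isLuks has shown that the device is not already a LUKS volume.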
Line 87: | Line 83: | ||
max keysize | max keysize | ||
</ | </ | ||
+ | |||
+ | [[wp> | ||
The ecnryption key will be 256 bits long (how it is generated? | The ecnryption key will be 256 bits long (how it is generated? | ||
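Review bot: `ecnryption` is misspelled in the context line, and the open parenthetical `(how it is generated?` has a definite answer worth stating: for LUKS the 256-bit master key is generated by cryptsetup from the kernel random number generator at luksFormat time, and the passphrase only unlocks that key rather than being the key itself.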
Line 93: | Line 91: | ||
< | < | ||
- | cryptsetup luksOpen / | + | cryptsetup luksOpen / |
ls -l / | ls -l / | ||
- | mkfs.ext3 -m0 / | + | mkfs.ext3 -m0 / |
- | mount / | + | mount / |
</ | </ | ||
Line 102: | Line 100: | ||
< | < | ||
- | cryptsetup status | + | cryptsetup status |
- | cryptsetup remove | + | cryptsetup remove |
- | cryptsetup luksClose | + | cryptsetup luksClose |
</ | </ | ||
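Review bot: `cryptsetup remove` and `cryptsetup luksClose` perform the same action (both tear down the device-mapper mapping), so listing them one after the other reads as two required steps; keep one, preferably `luksClose` for a LUKS volume, and note that the file system must be unmounted first, otherwise the close fails because the device is still in use.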
Line 110: | Line 108: | ||
< | < | ||
- | mycryptdev | + | dm0 / |
</ | </ | ||
The passphrase will be asked only once with a 10 seconds timeout. | The passphrase will be asked only once with a 10 seconds timeout. | ||
- | If you want to start automatically the crypto device without prompting for the passphrase you have to: | + | **WARNING**! See bug [[http:// |
+ | |||
+ | If you want to start automatically the crypto device | ||
- Generate a random key with the required size (32 bytes * 8 = 256 bits) | - Generate a random key with the required size (32 bytes * 8 = 256 bits) | ||
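Review bot: the unattended-start procedure introduced at `If you want to start automatically the crypto device` should state where the random 32-byte key is stored and how it is protected: the key file must be readable only by root (mode 0600) and must not live on the volume it unlocks. If it sits on an unencrypted root file system, whoever obtains the disk also obtains the key, so this setup only buys unattended boot and not protection against offline theft of the drive unless root itself is encrypted; that trade-off deserves a sentence next to the `**WARNING**` already added for the passphrase prompt.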
Line 145: | Line 145: | ||
===== User space ===== | ===== User space ===== | ||
- | ==== Enc-fs ==== | + | ==== enc-fs ==== |
Per creare una directory criptata in **'' | Per creare una directory criptata in **'' | ||
Line 166: | Line 166: | ||
Per montare nuovamente la directory si usa lo stesso comando **'' | Per montare nuovamente la directory si usa lo stesso comando **'' | ||
+ | È possibile **modificare la password**; si tratta in realtà della **password che protegge la chiave di cifratura** vera e propria, pertanto non sarà necessario cifrare nuovamente tutto il contenuto. Si usa il comando: | ||
+ | |||
+ | < | ||
+ | encfsctl passwd ~/ | ||
+ | </ | ||
+ | ==== Reverse enc-fs ==== | ||
+ | |||
+ | È possibile usare '' | ||
+ | |||
+ | < | ||
+ | cat secret.txt | encfs --standard --reverse --stdinpass /home /home-crypt | ||
+ | </ | ||
+ | |||
+ | L' | ||
+ | |||
+ | Per smontare la directory cifrata si utilizza: | ||
+ | |||
+ | < | ||
+ | fusermount -u /home-crypt | ||
+ | </ | ||
===== Which encryption algorythm? ===== | ===== Which encryption algorythm? ===== | ||
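Review bot: the `--stdinpass` form in `cat secret.txt | encfs --standard --reverse --stdinpass /home /home-crypt` is the right choice because it keeps the passphrase off the command line, but the text should add that `secret.txt` needs the same protection as a key file (root-only, mode 0600) and that the encfs configuration file written for the volume must be backed up together with the ciphertext view in `/home-crypt`, since a backup taken from that view cannot be decrypted without it.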
Line 264: | Line 284: | ||
</ | </ | ||
+ | ===== Manual start of encrypted disk ===== | ||
+ | |||
+ | If an encrypted disk **requires a password to be typed interactively**, | ||
+ | |||
+ | Starting with **Debian 5 Lenny** the //timeout// parameter was not longer available (see [[https:// | ||
+ | |||
+ | Starting with **Debian 6 Squeeze** the **noauto** parameter is still required. Once the system is running you can execute the command **/ | ||
+ | |||
+ | Starting with **Debian 9 Stretch** the **noauto** parameter is used as usual, but // | ||
+ | |||
+ | < | ||
+ | cryptdisks_start dm0 | ||
+ | </ |
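Review bot: the `noauto` instruction for /etc/crypttab should be paired with the matching /etc/fstab entry: that entry also needs `noauto` (or the mount must be done by hand after `cryptdisks_start dm0`), otherwise the boot sequence still tries to mount a device that has not yet been set up and stalls waiting for it.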
doc/appunti/linux/sa/cryptfs.txt · Last modified: 2020/01/29 10:48 by niccolo