doc:appunti:linux:sa:cryptfs

doc:appunti:linux:sa:cryptfs [2012/05/18 22:48] – [Cryptoloop] niccolo
doc:appunti:linux:sa:cryptfs [2019/07/12 11:11] – [Reverse enc-fs] niccolo
Line 56: Line 56:
 modprobe dm-crypt modprobe dm-crypt
 modprobe twofish modprobe twofish
-cryptsetup isLuks /dev/md4+cryptsetup isLuks /dev/md4; echo $?
 cryptsetup --cipher twofish-cbc-essiv:sha256 --key-size 256 luksFormat /dev/md4 cryptsetup --cipher twofish-cbc-essiv:sha256 --key-size 256 luksFormat /dev/md4
 cryptsetup luksDump /dev/md4 cryptsetup luksDump /dev/md4
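Review bot: the `; echo $?` appended to `cryptsetup isLuks /dev/md4` is what makes this check usable, because `isLuks` prints nothing by default and answers only through its exit status; a short comment saying that 0 means "LUKS header found" and non-zero means "not LUKS" would save the reader a trip to the man page. Since the very next line, `luksFormat /dev/md4`, overwrites whatever is on the device, it is also worth stating that this check is the point at which to stop if the answer is not the expected one.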
Line 83: Line 83:
 max keysize  : 32 max keysize  : 32
 </code> </code>
 +
 +[[wp>Twofish]] was developed by indipendent cryptographers, leaded by [[wp>Bruce Schneier]]. [[wp>Advanced_Encryption_Standard|AES]] is instead approved by the U.S. [[wp>National Security Agency]] (NSA). 
  
 The ecnryption key will be 256 bits long (how it is generated?). The key will be hashed with a passphrase typed by the user and stored in a LUKS keyslot contained in ''/dev/md4''. The ecnryption key will be 256 bits long (how it is generated?). The key will be hashed with a passphrase typed by the user and stored in a LUKS keyslot contained in ''/dev/md4''.
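Review bot: spelling in the added sentence: "indipendent" should be "independent" and "leaded by" should be "led by"; "ecnryption" in the unchanged line below is "encryption". The contrast drawn between Twofish and AES is also imprecise: both went through the same open NIST competition (Twofish was one of the five finalists), and AES is published by NIST as FIPS 197; what the NSA did was approve AES for protecting classified information. The open question "(how it is generated?)" can be answered in the same paragraph: `luksFormat` draws the master key from the kernel random number generator, and the passphrase does not hash the key but is stretched with a key derivation function (PBKDF2 in LUKS1) whose output encrypts the master key stored in the key slot; that is why a key slot can be changed without re-encrypting the device.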
Line 89: Line 91:
  
 <code> <code>
-cryptsetup luksOpen /dev/md4 mycryptdev+cryptsetup luksOpen /dev/md4 dm0
 ls -l /dev/mapper/ ls -l /dev/mapper/
-mkfs.ext3 -m0 /dev/mapper/mycryptdev +mkfs.ext3 -m0 /dev/mapper/dm0 
-mount /dev/mapper/mycryptdev /mnt+mount /dev/mapper/dm0 /mnt
 </code> </code>
  
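Review bot: the rename from `mycryptdev` to `dm0` is applied consistently to all three lines, but `dm0` is easy to confuse with the kernel's own `/dev/dm-0`, `/dev/dm-1` names, which `ls -l /dev/mapper/` shows right next to it as the symlink targets on a udev system; a descriptive mapping name is easier to tell apart in `lsblk` and `dmsetup` output and in a later incident review. If the shorter name is kept, one sentence saying that the crypttab entry further down must use the same name would help.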
Line 98: Line 100:
  
 <code> <code>
-cryptsetup status mycryptdev +cryptsetup status dm0 
-cryptsetup remove mycryptdev +cryptsetup remove dm0 
-cryptsetup luksClose mycryptdev; # Same as above!+cryptsetup luksClose dm0; # Same as above!
 </code> </code>
  
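Review bot: `cryptsetup remove dm0` and `cryptsetup luksClose dm0` are presented as equivalent, and they are (both tear down the mapping; `remove` is the older plain dm-crypt verb); what the block omits is that both fail with a "device busy" error while `/mnt` is still mounted, so an `umount /mnt` belongs before them, and `cryptsetup status dm0` after the close is the quick way to confirm the mapping, and with it the key in kernel memory, is really gone.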
Line 106: Line 108:
  
 <file> <file>
-mycryptdev  /dev/md4  none  luks,tries=1,timeout=10+dm0  /dev/md4  none  luks,tries=1,timeout=10
 </file> </file>
  
 The passphrase will be asked only once with a 10 seconds timeout. The passphrase will be asked only once with a 10 seconds timeout.
  
-If you want to start automatically the crypto device without prompting for the passphrase you have to:+**WARNING**! See bug [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495509|495509]]. The **''timeout''** paramter does not work, use instead **''noauto''** and start the crypt disk manually with **''/etc/init.d/cryptdisks force-start''**. Beware to set ''noauto'' also into the fstab options for that device. 
 + 
 +If you want to start automatically the crypto device at boot without prompting for the passphrase you have to:
  
   - Generate a random key with the required size (32 bytes * 8 = 256 bits)   - Generate a random key with the required size (32 bytes * 8 = 256 bits)
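Review bot: "paramter" should be "parameter". After this change the unchanged sentence "The passphrase will be asked only once with a 10 seconds timeout" directly contradicts the new WARNING that `timeout` does not work, and the crypttab example still shows `tries=1,timeout=10` rather than `noauto`; the sentence and the example line should be updated together so the reader does not copy the non-working options. The `noauto` advice for fstab is right, otherwise the boot will stall on a device that was never mapped.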
Line 162: Line 166:
 Per montare nuovamente la directory si usa lo stesso comando **''encfs''** utilizzato per inizializzare la directory. Per montare nuovamente la directory si usa lo stesso comando **''encfs''** utilizzato per inizializzare la directory.
  
 +È possibile **modificare la password**; si tratta in realtà della **password che protegge la chiave di cifratura** vera e propria, pertanto non sarà necessario cifrare nuovamente tutto il contenuto. Si usa il comando:
 +
 +<code>
 +encfsctl passwd ~/encfs/.crypt
 +</code>
 ==== Reverse enc-fs ==== ==== Reverse enc-fs ====
  
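Review bot: the added paragraph is in Italian while the surrounding sections of the page are in English; at least the command's one-line description would be better in English for consistency. The statement that only the password protecting the real encryption key changes, so nothing has to be re-encrypted, is correct, and it deserves its flip side: a copy of the old `.encfs6.xml` made before `encfsctl passwd` still unwraps the same volume key with the old password, so old backups of that file keep the old password alive.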
Line 167: Line 176:
  
 <code> <code>
-cat secret.txt | encfs --reverse --stdinpass /home /home-crypt+cat secret.txt | encfs --standard --reverse --stdinpass /home /home-crypt
 </code> </code>
 +
 +L'opzione **%%--standard%%** serve a disabilitare la richiesta dei parametri quando si esegue il montaggio encfs per la prima volta. In tale circostanza infatti vengono chiesti via //stdin// alcuni parametri che "consumerebbero" una parte della password fornita appunto via //stdin//. I parametri di encfs vengono salvati nella directory radice in un file di nome **.encfs6.xml**.
  
 Per smontare la directory cifrata si utilizza: Per smontare la directory cifrata si utilizza:
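Review bot: the explanation of `--standard` is the useful part of this hunk, since without it the first-run questions would silently eat part of the password read from stdin; the example would be cleaner as `encfs --standard --reverse --stdinpass /home /home-crypt < secret.txt`, dropping the `cat` pipe, and the paragraph should say that `secret.txt` must be readable only by its owner, because it holds the password in clear. The note about where `.encfs6.xml` is written matters here too: that file is what a backup of `/home-crypt` needs alongside the ciphertext to be restorable.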
Line 273: Line 284:
 </code> </code>
  
 +===== Manual start of encrypted disk =====
 +
 +If an encrypted disk **requires a password to be typed interactively**, it is obviously not possible to start it automatically at boot time. In old Debian releases there was the **timeout** parameter to be added into **/etc/crypttab**. Using that parameter, the starting of a LUKS volume is skipped at boot time and can be executed later using **/etc/init.d/cryptdisks start**.
 +
 +Starting with **Debian 5 Lenny** the //timeout// parameter was not longer available (see [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495509|bug #495509]]). The **noauto** parameter is instead required in **/etc/crypttab** and eventually in **/etc/fstab**.
 +
 +Starting with **Debian 6 Squeeze** the **noauto** parameter is still required. Once the system is running you can execute the command **/etc/init.d/cryptdisks force-start** to start the encrypted disk, asking for the password.
 +
 +Starting with **Debian 9 Stretch** the **noauto** parameter is used as usual, but //sysvinit// init system was superceeded by **systemd**, so the script ''/etc/init.d/cryptdisks'' is no longer used. To start the encrypted disk interactively you should use the script **cryptdisks_start** instead, e.g.:
 +
 +<code>
 +cryptdisks_start dm0
 +</code>
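Review bot: spelling and grammar in the new section: "superceeded" should be "superseded", "was not longer available" should be "was no longer available", and "eventually in /etc/fstab" reads like the Italian "eventualmente"; the intended sense is "and, where the device is also listed there, in /etc/fstab". The section otherwise ties the earlier hunks together well: `cryptdisks_start dm0` uses the same mapping name as the new crypttab line, and the Debian-by-Debian history of `timeout`, `noauto`, `cryptdisks force-start` and `cryptdisks_start` gives the reader one place to look when a disk does not come up at boot.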
doc/appunti/linux/sa/cryptfs.txt · Last modified: 2020/01/29 10:48 by niccolo