doc:appunti:linux:sa:cryptfs

Differences

This shows you the differences between two versions of the page.

Old: doc:appunti:linux:sa:cryptfs [2011/02/21 09:57] – [Enc-fs] niccolo
New: doc:appunti:linux:sa:cryptfs [2020/01/29 10:48] (current) – [enc-fs] niccolo
Line 15: Line 15:
 ==== Cryptoloop ==== ==== Cryptoloop ====
  
-Kernel option''**CONFIG_BLK_DEV_CRYPTOLOOP**''+:!: **WARNING**: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device.
- +
-WARNING: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device.+
  
 Cryptoloops is also vulnerable to known plaintext attacks and watermark attacks. Cryptoloops is also vulnerable to known plaintext attacks and watermark attacks.
  
- +Kernel option: ''**CONFIG_BLK_DEV_CRYPTOLOOP**''.
- +
  
 ==== Dm-crypt ==== ==== Dm-crypt ====
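Review bot: the reworded warning tells readers to "use the Device Mapper crypto module instead" but does not point at the section that documents it, even though the Dm-crypt section is the very next heading; add a link (e.g. "see [[#dm-crypt]]") so the recommended replacement is one click away. The unchanged sentence still calls the driver "Cryptoloops" while the heading says "Cryptoloop"; make the name consistent. It is also worth stating next to the warning that the ESSIV IV mode used later on the page (`twofish-cbc-essiv:sha256`) is exactly the dm-crypt feature that closes the watermark attack this paragraph mentions.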
Line 60: Line 56:
 modprobe dm-crypt modprobe dm-crypt
 modprobe twofish modprobe twofish
-cryptsetup isLuks /dev/md4+cryptsetup isLuks /dev/md4; echo $?
 cryptsetup --cipher twofish-cbc-essiv:sha256 --key-size 256 luksFormat /dev/md4 cryptsetup --cipher twofish-cbc-essiv:sha256 --key-size 256 luksFormat /dev/md4
 cryptsetup luksDump /dev/md4 cryptsetup luksDump /dev/md4
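Review bot: `cryptsetup isLuks /dev/md4; echo $?` now prints an exit status, but the sequence never says how to read it, and the very next line runs `luksFormat`, which overwrites the LUKS header and makes the existing keyslots, and therefore the data, unrecoverable. State that exit status 0 means the device already carries a LUKS header and that `luksFormat` must then be skipped unless re-initialisation is really intended; mention that `luksFormat` asks for an uppercase `YES` confirmation for that reason.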
Line 87: Line 83:
 max keysize  : 32 max keysize  : 32
 </code> </code>
 +
 +[[wp>Twofish]] was developed by indipendent cryptographers, leaded by [[wp>Bruce Schneier]]. [[wp>Advanced_Encryption_Standard|AES]] is instead approved by the U.S. [[wp>National Security Agency]] (NSA). 
  
 The ecnryption key will be 256 bits long (how it is generated?). The key will be hashed with a passphrase typed by the user and stored in a LUKS keyslot contained in ''/dev/md4''. The ecnryption key will be 256 bits long (how it is generated?). The key will be hashed with a passphrase typed by the user and stored in a LUKS keyslot contained in ''/dev/md4''.
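Review bot: the added sentence has two spelling errors, "indipendent" should be "independent" and "leaded by" should be "led by", and it contrasts Twofish with AES without saying which of the two the page recommends; either draw the conclusion here or link to the "Which encryption algorithm?" section further down. The unchanged line still carries the open question "(how it is generated?)": the LUKS master key is generated by `cryptsetup luksFormat` from the kernel random number generator (the `--use-urandom` / `--use-random` options choose the source), and "hashed with a passphrase" is imprecise, since the master key is encrypted with a key derived from the passphrase and that ciphertext is what the keyslot holds. Also "ecnryption" should be "encryption".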
Line 93: Line 91:
  
 <code> <code>
-cryptsetup luksOpen /dev/md4 mycryptdev+cryptsetup luksOpen /dev/md4 dm0
 ls -l /dev/mapper/ ls -l /dev/mapper/
-mkfs.ext3 -m0 /dev/mapper/mycryptdev +mkfs.ext3 -m0 /dev/mapper/dm0 
-mount /dev/mapper/mycryptdev /mnt+mount /dev/mapper/dm0 /mnt
 </code> </code>
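Review bot: the new mapping name in `cryptsetup luksOpen /dev/md4 dm0` is easy to confuse with the kernel's own device-mapper nodes (`/dev/dm-0`, `/dev/dm-1`, ...), which are precisely the symlink targets a reader will see in the `ls -l /dev/mapper/` output on the next line; a descriptive name such as the previous `mycryptdev` or the volume's purpose avoids that ambiguity. Whatever name is chosen must match the first column of the `/etc/crypttab` entry later in the page.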
  
Line 102: Line 100:
  
 <code> <code>
-cryptsetup status mycryptdev +cryptsetup status dm0 
-cryptsetup remove mycryptdev +cryptsetup remove dm0 
-cryptsetup luksClose mycryptdev; # Same as above!+cryptsetup luksClose dm0; # Same as above!
 </code> </code>
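Review bot: `cryptsetup luksClose dm0; # Same as above!` has a stray `;` before the comment; drop it. The block also omits the step that must precede either `remove` or `luksClose`: the previous block mounted the mapping on `/mnt`, and closing a mapping that is still mounted fails with a "device busy" error, so add `umount /mnt` before the close commands.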
  
Line 110: Line 108:
  
 <file> <file>
-mycryptdev  /dev/md4  none  luks,tries=1,timeout=10+dm0  /dev/md4  none  luks,tries=1,timeout=10
 </file> </file>
  
 The passphrase will be asked only once with a 10 seconds timeout. The passphrase will be asked only once with a 10 seconds timeout.
  
-If you want to start automatically the crypto device without prompting for the passphrase you have to:+**WARNING**! See bug [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495509|495509]]. The **''timeout''** paramter does not work, use instead **''noauto''** and start the crypt disk manually with **''/etc/init.d/cryptdisks force-start''**. Beware to set ''noauto'' also into the fstab options for that device. 
 + 
 +If you want to start automatically the crypto device at boot without prompting for the passphrase you have to:
  
   - Generate a random key with the required size (32 bytes * 8 = 256 bits)   - Generate a random key with the required size (32 bytes * 8 = 256 bits)
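Review bot: the new WARNING says the `timeout` parameter does not work, but the unchanged sentence just above it ("The passphrase will be asked only once with a 10 seconds timeout.") still describes the `tries=1,timeout=10` example as if it did; amend that sentence or the example so the two agree. Spelling in the added text: "paramter" should be "parameter" and "Beware to set" should be "Remember to set". The key-file procedure that starts at step 1 should also say where the generated key is stored and that the file must be readable by root only, since a world-readable key file defeats the encryption it unlocks.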
Line 145: Line 145:
 ===== User space ===== ===== User space =====
  
-==== Enc-fs ====+==== enc-fs ====
  
 Per creare una directory criptata in **''$HOME/encfs/crypt/''**: Per creare una directory criptata in **''$HOME/encfs/crypt/''**:
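Review bot: the heading was lowercased to "enc-fs", but the tool and the command used in this section are spelled `encfs` (see `**''encfs''**` on the line below and the `encfsctl` command later on); name the heading, and the later "Reverse enc-fs" heading, after the binary as "encfs" so section titles and commands match. This section is also the only one written in Italian on an otherwise English page; consider translating it for consistency.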
Line 164: Line 164:
 </code> </code>
  
-Per montare nuovamente la directory si usa lo stesso comando **''encfs''** utilizzato per inizializzare la directory.+Per **montare nuovamente** il filesystem cifrato (la directorysi usa lo stesso comando **''encfs''** utilizzato per inizializzarlo; viene ovviamente chiesta la password di cifratura. Per il montaggio è indispensabile conservare il file **.encfs6.xml** che è stato creato nella directory radice.
  
 +È possibile **eliminare file e/o directory** nel filesystem cifrato: ogni oggetto compare con un **nome cifrato**. Non è possibile invece spostare una directory: per **decodificare correttamente** il contenuto è **necessario mantenere il percorso originale completo**.
 +
 +È possibile **modificare la password**; si tratta in realtà della **password che protegge la chiave di cifratura** vera e propria, pertanto non sarà necessario cifrare nuovamente tutto il contenuto. Si usa il comando:
 +
 +<code>
 +encfsctl passwd ~/encfs/.crypt
 +</code>
 +==== Reverse enc-fs ====
 +
 +È possibile usare ''encfs'' per ottenere una "vista" cifrata di una normale directory (ad esempio per effettuare un backup tramite rsync su host remoto e mantenere la riservatezza dei dati). Per automatizzare il processo la password deve essere memorizzata in un file, questo il comando per montare la vista cifrata della directory:
 +
 +<code>
 +cat secret.txt | encfs --standard --reverse --stdinpass /home /home-crypt
 +</code>
 +
 +L'opzione **%%--standard%%** serve a disabilitare la richiesta dei parametri quando si esegue il montaggio encfs per la prima volta. In tale circostanza infatti vengono chiesti via //stdin// alcuni parametri che "consumerebbero" una parte della password fornita appunto via //stdin//. I parametri di encfs vengono salvati nella directory radice in un file di nome **.encfs6.xml**.
 +
 +Per smontare la directory cifrata si utilizza:
 +
 +<code>
 +fusermount -u /home-crypt
 +</code>
 ===== Which encryption algorythm? ===== ===== Which encryption algorythm? =====
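Review bot: `encfsctl passwd ~/encfs/.crypt` points at a directory named `.crypt`, while the section was introduced with `$HOME/encfs/crypt/` (no leading dot); one of the two paths is wrong and the command will fail on the path that does not exist, so make them agree. In the reverse-mode command `cat secret.txt | encfs --standard --reverse --stdinpass /home /home-crypt` the password lives in a plain file; the text should state that `secret.txt` must be owned by the user and mode 0600, since anyone able to read it can decrypt the remote backup. Formatting: "(la directorysi usa" is missing its closing parenthesis and a space ("(la directory) si usa"), and the new `==== Reverse enc-fs ====` heading follows `</code>` with no blank line, unlike every other heading on the page.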
  
Line 264: Line 286:
 </code> </code>
  
 +===== Manual start of encrypted disk =====
 +
 +If an encrypted disk **requires a password to be typed interactively**, it is obviously not possible to start it automatically at boot time. In old Debian releases there was the **timeout** parameter to be added into **/etc/crypttab**. Using that parameter, the starting of a LUKS volume is skipped at boot time and can be executed later using **/etc/init.d/cryptdisks start**.
 +
 +Starting with **Debian 5 Lenny** the //timeout// parameter was not longer available (see [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495509|bug #495509]]). The **noauto** parameter is instead required in **/etc/crypttab** and eventually in **/etc/fstab**.
 +
 +Starting with **Debian 6 Squeeze** the **noauto** parameter is still required. Once the system is running you can execute the command **/etc/init.d/cryptdisks force-start** to start the encrypted disk, asking for the password.
 +
 +Starting with **Debian 9 Stretch** the **noauto** parameter is used as usual, but //sysvinit// init system was superceeded by **systemd**, so the script ''/etc/init.d/cryptdisks'' is no longer used. To start the encrypted disk interactively you should use the script **cryptdisks_start** instead, e.g.:
 +
 +<code>
 +cryptdisks_start dm0
 +</code>
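Review bot: "and eventually in /etc/fstab" reads as a mistranslation of the Italian "eventualmente"; the intended meaning is "and, if the volume is listed there, in /etc/fstab", which is also what the crypttab WARNING earlier on the page says (noauto in both files). Spelling: "superceeded" should be "superseded" and "was not longer available" should be "was no longer available". The `cryptdisks_start dm0` example should say that the argument is the mapping name from the first column of /etc/crypttab, matching the `dm0  /dev/md4  none  luks,...` entry above, so readers who renamed the mapping know what to pass.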
doc/appunti/linux/sa/cryptfs.1298278665.txt.gz · Last modified: 2011/02/21 09:57 by niccolo