doc:appunti:linux:sa:cryptfs

Differences

This shows you the differences between two versions of the page.

doc:appunti:linux:sa:cryptfs [2012/05/18 22:48] – [Cryptoloop] niccolo
doc:appunti:linux:sa:cryptfs [2020/01/29 10:48] (current) – [enc-fs] niccolo
Line 56: Line 56:
 modprobe dm-crypt modprobe dm-crypt
 modprobe twofish modprobe twofish
-cryptsetup isLuks /dev/md4+cryptsetup isLuks /dev/md4; echo $?
 cryptsetup --cipher twofish-cbc-essiv:sha256 --key-size 256 luksFormat /dev/md4 cryptsetup --cipher twofish-cbc-essiv:sha256 --key-size 256 luksFormat /dev/md4
 cryptsetup luksDump /dev/md4 cryptsetup luksDump /dev/md4
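Review bot: the added `; echo $?` on the isLuks line is only useful if the text explains how to read it: `cryptsetup isLuks` prints nothing by default and reports through its exit status, 0 when /dev/md4 already carries a LUKS header and non-zero otherwise. Consider adding that sentence next to the command, and stating that the `luksFormat` on the following line overwrites any existing header, so the check is meant as a guard before formatting rather than a step to run through regardless of the result.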
Line 83: Line 83:
 max keysize  : 32 max keysize  : 32
 </code> </code>
 +
 +[[wp>Twofish]] was developed by indipendent cryptographers, leaded by [[wp>Bruce Schneier]]. [[wp>Advanced_Encryption_Standard|AES]] is instead approved by the U.S. [[wp>National Security Agency]] (NSA). 
  
 The ecnryption key will be 256 bits long (how it is generated?). The key will be hashed with a passphrase typed by the user and stored in a LUKS keyslot contained in ''/dev/md4''. The ecnryption key will be 256 bits long (how it is generated?). The key will be hashed with a passphrase typed by the user and stored in a LUKS keyslot contained in ''/dev/md4''.
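Review bot: the unchanged sentence on key generation is inaccurate and the added paragraph has typos. The volume key is not "hashed with" the passphrase: cryptsetup generates it randomly at luksFormat time from the kernel random pool (`--use-random` / `--use-urandom` select the source), derives a key from the passphrase with PBKDF2, and stores the volume key encrypted under that derived key in the keyslot, which is why a passphrase can later be changed or added without re-encrypting the device. That answers the "(how it is generated?)" left in the text. In the added line, "indipendent cryptographers, leaded by" should read "independent cryptographers, led by", and "ecnryption" appears twice in the line below. AES was selected by NIST (FIPS 197); the NSA approval refers to its later clearance for classified information, so "approved by the NSA" should say which kind of approval is meant.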
Line 89: Line 91:
  
 <code> <code>
-cryptsetup luksOpen /dev/md4 mycryptdev+cryptsetup luksOpen /dev/md4 dm0
 ls -l /dev/mapper/ ls -l /dev/mapper/
-mkfs.ext3 -m0 /dev/mapper/mycryptdev +mkfs.ext3 -m0 /dev/mapper/dm0 
-mount /dev/mapper/mycryptdev /mnt+mount /dev/mapper/dm0 /mnt
 </code> </code>
  
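Review bot: renaming the mapping from `mycryptdev` to `dm0` invites confusion with the kernel's own device-mapper node `/dev/dm-0`, which is numbered by creation order and need not be this volume; the `ls -l /dev/mapper/` line will show both the named entry and the `dm-N` node it points to. A descriptive mapping name (purpose or mount point) is the safer convention, and whatever name is chosen has to be used consistently in the `/etc/crypttab` and `/etc/fstab` entries later on the page.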
Line 98: Line 100:
  
 <code> <code>
-cryptsetup status mycryptdev +cryptsetup status dm0 
-cryptsetup remove mycryptdev +cryptsetup remove dm0 
-cryptsetup luksClose mycryptdev; # Same as above!+cryptsetup luksClose dm0; # Same as above!
 </code> </code>
  
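Review bot: `cryptsetup remove` and `luksClose` are indeed equivalent for an open mapping, but the comment should say that the filesystem must be unmounted first; both commands fail with a busy device while `/mnt` is mounted. `remove` is the legacy plain-mode spelling; `luksClose` (or plain `close` in newer cryptsetup) is the form worth documenting. The `;` before the `#` comment is unnecessary on a shell line.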
Line 106: Line 108:
  
 <file> <file>
-mycryptdev  /dev/md4  none  luks,tries=1,timeout=10+dm0  /dev/md4  none  luks,tries=1,timeout=10
 </file> </file>
  
 The passphrase will be asked only once with a 10 seconds timeout. The passphrase will be asked only once with a 10 seconds timeout.
  
-If you want to start automatically the crypto device without prompting for the passphrase you have to:+**WARNING**! See bug [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495509|495509]]. The **''timeout''** paramter does not work, use instead **''noauto''** and start the crypt disk manually with **''/etc/init.d/cryptdisks force-start''**. Beware to set ''noauto'' also into the fstab options for that device. 
 + 
 +If you want to start automatically the crypto device at boot without prompting for the passphrase you have to:
  
   - Generate a random key with the required size (32 bytes * 8 = 256 bits)   - Generate a random key with the required size (32 bytes * 8 = 256 bits)
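Review bot: the added warning contradicts the unchanged sentence right above it. "The passphrase will be asked only once with a 10 seconds timeout" still describes `timeout=10`, the next paragraph says the parameter does not work, and the crypttab example itself still carries `timeout=10`. Either drop `timeout=10` from the example and rewrite that sentence around `noauto`, or label the example as the old, broken form. Also "paramter" should be "parameter", and "Beware to set" reads better as "Remember to set".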
Line 160: Line 164:
 </code> </code>
  
-Per montare nuovamente la directory si usa lo stesso comando **''encfs''** utilizzato per inizializzare la directory.+Per **montare nuovamente** il filesystem cifrato (la directorysi usa lo stesso comando **''encfs''** utilizzato per inizializzarlo; viene ovviamente chiesta la password di cifratura. Per il montaggio è indispensabile conservare il file **.encfs6.xml** che è stato creato nella directory radice.
  
 +È possibile **eliminare file e/o directory** nel filesystem cifrato: ogni oggetto compare con un **nome cifrato**. Non è possibile invece spostare una directory: per **decodificare correttamente** il contenuto è **necessario mantenere il percorso originale completo**.
 +
 +È possibile **modificare la password**; si tratta in realtà della **password che protegge la chiave di cifratura** vera e propria, pertanto non sarà necessario cifrare nuovamente tutto il contenuto. Si usa il comando:
 +
 +<code>
 +encfsctl passwd ~/encfs/.crypt
 +</code>
 ==== Reverse enc-fs ==== ==== Reverse enc-fs ====
  
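Review bot: the added paragraph on moving directories should give the reason: with the default (standard) encfs configuration, filename encryption uses chained IVs, so an encrypted name depends on the full path of its parent directories, and that setting is recorded in `.encfs6.xml`. It would also help to state that `.encfs6.xml` contains the encrypted volume key, so losing it makes the data unrecoverable even with the correct password, and that `encfsctl passwd` rewrites only that file. A blank line is missing between the closing `</code>` and the `==== Reverse enc-fs ====` heading.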
Line 167: Line 178:
  
 <code> <code>
-cat secret.txt | encfs --reverse --stdinpass /home /home-crypt+cat secret.txt | encfs --standard --reverse --stdinpass /home /home-crypt
 </code> </code>
 +
 +L'opzione **%%--standard%%** serve a disabilitare la richiesta dei parametri quando si esegue il montaggio encfs per la prima volta. In tale circostanza infatti vengono chiesti via //stdin// alcuni parametri che "consumerebbero" una parte della password fornita appunto via //stdin//. I parametri di encfs vengono salvati nella directory radice in un file di nome **.encfs6.xml**.
  
 Per smontare la directory cifrata si utilizza: Per smontare la directory cifrata si utilizza:
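Review bot: the explanation of `--standard` is correct (without it, first-time setup reads its configuration answers from stdin and would consume part of the piped password), but the example should say that `secret.txt` holds the password in clear and must be readable only by the user running encfs (mode 0600). The `cat secret.txt |` form at least keeps the password out of the process list, which passing it as an argument would not. It is also worth stating that `--reverse` builds an encrypted view of existing cleartext for backup purposes; it does not protect the original `/home` itself.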
Line 273: Line 286:
 </code> </code>
  
 +===== Manual start of encrypted disk =====
 +
 +If an encrypted disk **requires a password to be typed interactively**, it is obviously not possible to start it automatically at boot time. In old Debian releases there was the **timeout** parameter to be added into **/etc/crypttab**. Using that parameter, the starting of a LUKS volume is skipped at boot time and can be executed later using **/etc/init.d/cryptdisks start**.
 +
 +Starting with **Debian 5 Lenny** the //timeout// parameter was not longer available (see [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495509|bug #495509]]). The **noauto** parameter is instead required in **/etc/crypttab** and eventually in **/etc/fstab**.
 +
 +Starting with **Debian 6 Squeeze** the **noauto** parameter is still required. Once the system is running you can execute the command **/etc/init.d/cryptdisks force-start** to start the encrypted disk, asking for the password.
 +
 +Starting with **Debian 9 Stretch** the **noauto** parameter is used as usual, but //sysvinit// init system was superceeded by **systemd**, so the script ''/etc/init.d/cryptdisks'' is no longer used. To start the encrypted disk interactively you should use the script **cryptdisks_start** instead, e.g.:
 +
 +<code>
 +cryptdisks_start dm0
 +</code>
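Review bot: several wording errors in the new section: "was not longer available" should be "was no longer available", "superceeded" should be "superseded", and "eventually in /etc/fstab" is the Italian "eventualmente" (it means "if applicable, also in /etc/fstab", not "later"). On the technical side, it would help to mention that on systemd-based releases the native equivalent of `cryptdisks_start dm0` is `systemctl start systemd-cryptsetup@dm0.service`, the unit that `systemd-cryptsetup-generator` creates from the `noauto` crypttab entry without pulling it into `cryptsetup.target`; both prompt for the passphrase interactively.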
doc/appunti/linux/sa/cryptfs.1337374120.txt.gz · Last modified: 2012/05/18 22:48 by niccolo