Introduction
Imagine someone boots your laptop with a bootable CD and just copies all your data.
The attacker can then read whatever is in your home folder (the most critical data for most users).
So what I wanted was:
- NO extra partitions (most people have all HDD space partitioned; backing up an encrypted image file is easy)
- NO compiling (I want to be able to quickly set up a system for rescue)
After reading around, cryptsetup seemed the best solution for this.
Everything is in the Debian package manager and setup is really easy, so let's go!
Setup
First install cryptsetup:
apt-get install cryptsetup
In this example we use AES encryption.
You can list the ciphers your kernel currently supports:
cat /proc/crypto
If you don't see AES, then (in Debian) you have to load the module (in other distributions you may have to recompile your kernel):
modprobe aes
Now let's create the image file that will hold the filesystem.
This creates the image file (/home/username.crypto.img, later opened as "cryptedhome") with a block size of 1024 bytes and 20000000 blocks (20GB), filled from /dev/urandom so unused space is indistinguishable from encrypted data:
dd if=/dev/urandom of=/home/username.crypto.img bs=1024 count=20000000
Now we need to attach the image to a loopback device. This makes Linux treat your image file as if it were a block device (/dev/sda, /dev/hda, ...):
losetup /dev/loop0 /home/username.crypto.img
The following sets up LUKS encryption on this loopback device, so everything written to it is encrypted:
- -c defines the encryption algorithm (cipher mode) to use.
- -s defines the key size in bits.
- --verify-passphrase makes the program ask for your passphrase twice before accepting it.
- luksFormat tells cryptsetup what to do (other actions are: luksAddKey, luksDelKey, luksOpen, luksClose).
cryptsetup -c aes-cbc-essiv:sha256 -s 256 --verify-passphrase luksFormat /dev/loop0
The next step is opening the encrypted device, which creates the device-mapper node /dev/mapper/cryptedhome through which the decrypted data is accessible.
After that we create a filesystem on it and close the mapping again (luksClose takes only the mapping name, not the loop device):
cryptsetup luksOpen /dev/loop0 cryptedhome
mkfs.ext3 /dev/mapper/cryptedhome
cryptsetup luksClose cryptedhome
Usage
Every time you want to use the encrypted image, you need to do the following (the loop device does not survive a reboot, so attach the image first):
losetup /dev/loop0 /home/username.crypto.img
cryptsetup luksOpen /dev/loop0 cryptedhome
mount /dev/mapper/cryptedhome /home/username/
After use, unmount it, close the mapping with luksClose and detach the loop device:
umount /home/username/
cryptsetup luksClose cryptedhome
losetup -d /dev/loop0
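The open and close sequences from the Usage section wrapped in a small helper script (example code added here, not from the original post). It assumes the image lives at /home/<user>.crypto.img as above, uses a per-user mapping name cryptedhome-<user> of its own choosing, picks a free loop device with losetup -f instead of hard-coding loop0, and prints the commands instead of running them when DRY_RUN=1.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the post's manual
# open (losetup, luksOpen, mount) and close (umount, luksClose, losetup -d)
# steps for one user. Assumptions: the image is /home/<user>.crypto.img as in
# the post; the mapping name cryptedhome-<user> is this script's own choice;
# cryptsetup and util-linux losetup are installed. DRY_RUN=1 prints commands.
set -eu

image_for()  { printf '/home/%s.crypto.img' "$1"; }
mapper_for() { printf 'cryptedhome-%s' "$1"; }

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Attach the image to a free loop device, unlock it, mount it on the home dir.
open_home() {
  user=$1; img=$(image_for "$user"); name=$(mapper_for "$user")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    loop=/dev/loopN                      # placeholder in dry-run mode
  else
    [ -f "$img" ] || { echo "missing image: $img" >&2; return 1; }
    # Refuse to open twice; a stale mapping means the last close did not finish.
    [ ! -e "/dev/mapper/$name" ] || { echo "$name already open" >&2; return 1; }
    loop=$(losetup -f)                   # first free loop device, not a fixed loop0
  fi
  run losetup "$loop" "$img"
  run cryptsetup luksOpen "$loop" "$name"
  run mount "/dev/mapper/$name" "/home/$user"
}

# Reverse the steps in the opposite order; luksClose takes only the mapping name.
close_home() {
  user=$1; img=$(image_for "$user"); name=$(mapper_for "$user")
  run umount "/home/$user"
  run cryptsetup luksClose "$name"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    loop=/dev/loopN
  else
    loop=$(losetup -j "$img" | head -n 1 | cut -d: -f1)  # loop backing this image
  fi
  # Detach so the image file is no longer reachable through a loop device.
  [ -z "$loop" ] || run losetup -d "$loop"
}

case "${1:-}" in
  open)  open_home "$2" ;;
  close) close_home "$2" ;;
esac
```

Run as root: `sh home-crypt.sh open username` before use and `sh home-crypt.sh close username` afterwards.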
Adding/Removing Keys
Adding key:
cryptsetup luksAddKey --verify-passphrase /dev/loop0
Removing a key (luksDelKey expects the number of the key slot to wipe; newer cryptsetup versions replaced it with luksRemoveKey and luksKillSlot):
cryptsetup luksDelKey --verify-passphrase /dev/loop0 <key-slot-number>
Getting it all automatically done
What we are going to do is, for every user that has a .img file, mount this encrypted filesystem on their home directory at login.
Install pam_mount. This library makes it possible to mount and unmount devices while authenticating.
apt-get install libpam-mount