By Carla Schroder
We see the headlines all the time: "Company X Loses 30,000,000 Customer Social Security Numbers and Other Intimately Personal and Financial Data! Haha, Boy Are Our Faces Red!" And it always turns out to be some "contractor" (notice how it's never an employee) who had the entire wad on a laptop with (seemingly) a terabyte hard drive, which was then lost or stolen, but nobody is quite sure where or when. Or it's a giant box of backup tapes that was being transported by a vendor, who apparently cannot afford a vehicle with locking doors. To me it sounds pretty darned lame, even surreal; why in the heck do contractors get all that sensitive data in the first place, and why do they need the world's databases on their laptops? Why are giant boxes of sensitive backup tapes being carted around by some minimum-wage kid in a beatermobile? How come they never quite know what data is missing, and if it was encrypted or protected in any way?
So many questions, so few answers. Today let us focus on the issue of protecting sensitive data on hard drives with encrypted file systems. This is for your mobile users and anyone who needs extra data security on workstations and servers. We're going to use cryptsetup-luks because it is easy and it is strong. We will create an encrypted partition that requires a passphrase only at mount time. Then you can use it just like any other partition.
Debian, Ubuntu, and Fedora all come ready to run cryptsetup-luks. You won't need to hack kernels or anything; just install it. On Debian and the Buntu family:
# aptitude install cryptsetup
On Fedora:
# yum install cryptsetup-luks
Preparing Your System
Unfortunately cryptsetup cannot encrypt your existing data; you must create an encrypted partition, then move your data to it. The easy way to manage your partitions is with GParted. GParted (the Gnome Partition editor) is available on all the major Linux distributions, and is a nice graphical front-end to fdisk, mkfs, and other filesystem utilities. With GParted you can resize, move, delete and create partitions, and format them with your favorite filesystem. It supports all the partition types and filesystems supported by your kernel, so you can even use it on Windows partitions on your dual-boot boxes. You can use the GParted live CD on new empty hard drives.
We're just going to encrypt data partitions. There are ways to encrypt other filesystem partitions that hold potentially sensitive data, such as /var and /etc, but it is complex and tricky because these cannot be encrypted at boot. So I am going to chicken out and merely point to a page that tells how to do this in Resources, because in my own testing I have not gotten it working reliably. Yet.
It doesn't matter if you format your partition with a filesystem at this point because everything will be overwritten, and the filesystem formatted after encryption.
Your encrypted partition will be protected by a password. If you lose your password, you are so out of luck: your data will not be recoverable.
Encrypting the Partition
Once you have a nice new empty partition, you'll encrypt it with the cryptsetup command. Be very sure you are encrypting the correct partition:
# cryptsetup --verbose --verify-passphrase -c aes-cbc-plain luksFormat /dev/sda2
WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
This creates the encrypted partition. Now you need to create and name a mountable logical partition. In this example, it is named sda2, which could be test or fred or mysecretpartition, or anything you want:
# cryptsetup luksOpen /dev/sda2 sda2
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
This should show as a block device in /dev/mapper:
$ ls -l /dev/mapper
total 0
crw-rw---- 1 root root 10, 63 2007-06-09 18:38 control
brw-rw---- 1 root disk 254, 0 2007-06-09 19:46 sda2
Now put a filesystem on the logical partition:
# mkfs.ext3 /dev/mapper/sda2
Now you need to make a mount point so you can mount and use this nice new encrypted partition. Remember, you must use the device name from /dev/mapper/. I'll put it in my home directory. Watch for operations that require rootly powers:
$ mkdir /home/carla/crypted
# mount /dev/mapper/sda2 /home/carla/crypted
Confirm that it mounted, and write a test file:
# df -H
[...]
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/sda2 7.9G 152M 7.3G 3% /home/carla/crypted
# cd /home/carla/crypted
# nano test
# ls
lost+found test
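The luksFormat command above selects aes-cbc-plain, a mode in which each sector's IV is simply its sector number; later cryptsetup releases default to ESSIV or XTS modes instead. As an added example (not part of the original article), this script reads `cryptsetup luksDump` text and reports the cipher in use; the sample header is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether a LUKS1 volume uses a weak cipher mode.
# Real use (as root): cryptsetup luksDump /dev/sda2 | luks_cipher_verdict

# Constructed sample of the LUKS1 header fields printed by luksDump for a
# volume formatted with "-c aes-cbc-plain" (digest and key-slot lines omitted).
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-plain
Hash spec:      sha1
EOF
}

# classify_cipher NAME MODE -> one-line verdict (hypothetical helper)
classify_cipher() {
    case "$2" in
        ecb*)
            echo "WEAK $1-$2: equal plaintext blocks give equal ciphertext" ;;
        cbc-plain*)
            echo "WEAK $1-$2: IV is the bare sector number, so it is predictable" ;;
        cbc-essiv:*|xts-plain64)
            echo "OK $1-$2" ;;
        *)
            echo "REVIEW $1-$2: mode not covered by this check" ;;
    esac
}

# Reads luksDump text on stdin and classifies the cipher it names.
luks_cipher_verdict() {
    name=""
    mode=""
    while IFS=: read -r key value; do
        # Strip the padding luksDump puts after the colon.
        value=$(printf '%s' "$value" | tr -d ' \t')
        case "$key" in
            "Cipher name") name=$value ;;
            "Cipher mode") mode=$value ;;
        esac
    done
    if [ -z "$name" ] || [ -z "$mode" ]; then
        # Input without LUKS1 cipher fields (for example a different header layout).
        echo "UNKNOWN: no LUKS1 cipher fields in input"
    else
        classify_cipher "$name" "$mode"
    fi
}

sample_dump | luks_cipher_verdict
```

A WEAK verdict on an existing volume means reformatting with a different `-c` value and restoring the data, since the cipher is fixed at luksFormat time.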
Making it Available to Users
So far so good! But there is one big problem: only root can access this partition. We need our ordinary user to be able to use it. This virtual partition can be managed in /etc/fstab, just like any other partition. So add a line to /etc/fstab to allow an unprivileged user to mount and unmount the partition:
/dev/mapper/sda2 /home/carla/crypted ext3 user,atime,noauto,rw,dev,exec,suid 0 0
Now Carla can mount it herself:
$ mount ~/crypted
But Carla still cannot write to it. For this we need rootly powers one more time, to put the correct ownership and permissions on the mounted block device:
# chown carla:carla /home/carla/crypted/
# chmod 0700 /home/carla/crypted/
Ok then, that's a lot of Carlas! But now Carla has her own encrypted directory to read and write to just like any other directory in her home directory, and no one else can touch it.
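The fstab line above lists dev, exec and suid after user. mount(8) documents that user implies noexec, nosuid and nodev unless later options override them, so on this entry setuid binaries and device nodes on the volume are honoured. As an added example (not from the original article), this script resolves an option list in order and flags user-mountable entries that end up with suid or dev; the second and third fstab lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: work out which of exec/suid/dev are in force for an fstab
# option list. Options are applied left to right, so order matters.

# Constructed sample; the first entry is the line from the article.
sample_fstab() {
cat <<'EOF'
# <device> <mount point> <type> <options> <dump> <pass>
/dev/mapper/sda2 /home/carla/crypted ext3 user,atime,noauto,rw,dev,exec,suid 0 0
/dev/mapper/demo /home/carla/demo ext3 user,atime,noauto,rw 0 0
/dev/sda1 / ext3 defaults 0 1
EOF
}

# effective_flags "opt1,opt2,..." -> e.g. "noexec nosuid nodev"
effective_flags() {
    ex=exec su=suid dv=dev            # mount defaults when nothing is specified
    old_ifs=$IFS
    IFS=,
    for opt in $1; do
        case "$opt" in
            user|users)  ex=noexec su=nosuid dv=nodev ;;  # implied by user(s)
            owner|group) su=nosuid dv=nodev ;;            # implied by owner/group
            defaults)    ex=exec su=suid dv=dev ;;
            exec|noexec) ex=$opt ;;
            suid|nosuid) su=$opt ;;
            dev|nodev)   dv=$opt ;;
        esac
    done
    IFS=$old_ifs
    echo "$ex $su $dv"
}

# Reads fstab text on stdin; reports only entries an ordinary user may mount.
audit_fstab() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case ",$opts," in
            *,user,*|*,users,*|*,owner,*|*,group,*) ;;
            *) continue ;;
        esac
        flags=$(effective_flags "$opts")
        case " $flags " in
            *" suid "*|*" dev "*) echo "RISKY $mnt ($flags)" ;;
            *)                    echo "ok $mnt ($flags)" ;;
        esac
    done
}

sample_fstab | audit_fstab
```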
You may unmount and shut off the encrypted partition manually like this:
$ umount crypted
# cryptsetup luksClose sda2
You'll need your LUKS password only when you open the encrypted device. Remember, if you lose this password you are toast. You may delete the partition and start over, but your data are unrecoverable. Once the encrypted device is open and mounted, you may use it like any other partition.
You need root powers to run cryptsetup. This is probably not ideal for your users. There are a number of different ways to handle this. One is to use sudo; *buntu users are already set up with an all-powerful sudo. Another option is to configure it to start up at boot, and close at shutdown. Or you might want to create some nice desktop icons so your users can start it up and shut it down easily on demand.
We'll learn how to do these things next week, plus we'll learn how to encrypt USB keys, and how to set up a failsafe for a lost passphrase.
Wednesday, April 30, 2008
Create Encrypted Volumes With Cryptmount and Linux
By Carla Schroder
Cryptmount is a friendly front-end to a batch of Linux utilities used to create encrypted volumes, such as device mapper, dm-crypt, and the kernel's loopback device. It requires root privileges to create encrypted files or partitions, and then once it's set up users can mount and unmount their own encrypted volumes on demand. Its major features are:
Users can change their own passwords
Encrypted filesystems can be initialized at boot-up or on demand
Encrypted access keys are OpenSSL-compatible
Supports storing access keys on removable media
Encrypt entire partitions, or create several encrypted filesystems on a single partition
Plain text human-readable configuration files
So it has several advantages over the excellent Cryptsetup (see Resources). Users can mount and unmount their own encrypted volumes without a bunch of /etc/fstab and sudo hacks, you have more flexibility because you're not restricted to encrypting entire block devices, and making encrypted filesystems available on demand leaves the unneeded ones in a safer state. From the user's perspective it treats raw disk partitions, any individual file, loopback devices, and LVM volumes all in the same way because Cryptmount operates on an encrypted device-mapper layer (which you can see in /dev/mapper after it's created).
Cryptmount is slowly making its way into various distribution repositories. Debian Testing and Unstable currently have cryptmount 2.1. Ubuntu Feisty and Gutsy contain the moldy old 2.0 version in the Universe repository. The current stable release on Sourceforge is 2.2. You can get .debs, RPMs, and source tarballs on Sourceforge. You want at least 2.1 to get the cryptmount-setup command, plus a number of useful fixes and updates.
Encrypted Filesystem Inside a File
You don't have to encrypt an entire partition, but can create an encrypted filesystem inside an ordinary file. Use the cryptmount-setup script to do this. This example has the uninteresting bits removed:
# cryptmount-setup
Please enter a target name for your filesystem
[opaque]: mystuff
Which user should own the filesystem (leave blank for root)
[]: carla
Please specify where "mystuff" should be mounted
[/home/carla/crypt]:
Enter the filesystem size (in MB)
[64]: 1028
Enter a filename for your encrypted container
[/home/carla/crypto.fs]: /home/carla/mystuff.fs
Enter a location for the keyfile
[/etc/cryptmount/mystuff.key]:
enter password for target "mystuff":
Your new encrypted filesystem is now ready for use.
To access, try:
cryptmount mystuff
cd /home/carla/crypt
After you have finished using the filesystem, try:
cd
cryptmount --unmount mystuff
Do not choose a wimpy password, and do not forget your password, because if you lose it it's not recoverable. You can wipe out the encrypted filesystem and start over, but you cannot recover your data. You should also make backup copies of your access keys and keep them in a safe place, because losing the key also loses your data.
The defaults are in square brackets. You may invent whatever names you like, and the script will create directories for you. When you specify a filename, be sure to use the whole path. When it's finished you will have a new crypt (or whatever you named it) directory and three new files, which in this example are named container, crypto.fs, and mystuff.fs. Don't try to read these files because they are just containers.
Go ahead and mount your new encrypted filesystem; cryptmount-setup tells you exactly the command you need:
$ cryptmount mystuff
enter password for target "mystuff":
e2fsck 1.40.8 (13-Mar-2008)
/dev/mapper/mystuff: clean, 11/32768 files, 9805/131072 blocks
Now there is a new /dev/mapper/mystuff block device. Only the user you specified during setup (and root) can mount and unmount the encrypted filesystem. Play around with it: copy files in and out of it, look at it in your favorite file manager. It looks just like any other directory. Unmount it just like the setup script told you:
$ cd
$ cryptmount --unmount mystuff
A silent exit means success. If you have anything accessing your encrypted directory, such as a command prompt, file manager, or open file, you'll get the "umount: /home/carla/crypt: device is busy" error. Running the cd command first puts you back in the top level of your home directory. Sometimes the famd daemon will get in the way and you'll have to kill it. Don't use the standard umount command or it will get messed up, and you won't be able to re-mount it.
If you make a mistake and get a 'specification for target "foo" contains non-absolute pathname' error, or any other error message, edit /etc/cryptmount/cmtab to correct it. Or delete the entry and start over.
If you create more than one encrypted filesystem, cryptmount -l displays a list. Users can change their passwords with cryptmount -c [targetname].
Using a Different Linux Filesystem
cryptmount-setup defaults to using Ext3. If you want to use something else, such as ReiserFS, JFS, or XFS, first find out if your kernel supports it:
$ cat /proc/filesystems
nodev sysfs
nodev rootfs
[...]
ext3
jfs
reiserfs
xfs
nodev filesystems are pseudo filesystems that don't directly access a physical storage device. This example shows that all four major Linux filesystems are supported.
Encrypting an Entire Partition
If you would rather encrypt an entire partition it's better to create it manually. In this example we'll use a partition on a second hard drive, and mount it in the user's home directory. First create an entry in /etc/cryptmount/cmtab like this:
manual {
dev=/dev/hdb5
dir=/home/terry/manual
fstype=reiserfs
fsoptions=defaults
cipher=aes
keyfile=/etc/cryptmount/manual.key
keyformat=builtin
}
This tells Cryptmount your target name is "manual", you want /dev/hdb5 to be your encrypted partition, and to mount it in /home/terry/manual. You should also specify the filesystem type and options, and the cipher that will be used to encrypt your filesystem. Which ciphers you can choose depends on what your system supports. Run this command to find out:
$ ls -l /lib/modules/$(uname -r)/kernel/crypto/
ablkcipher.ko
aes.ko
anubis.ko
arc4.ko
[...]
The correct kernel module will be automatically loaded when you mount the encrypted filesystem. man cmtab describes all the options and tells you which ones are required.
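The "contains non-absolute pathname" error mentioned earlier comes from a relative path in a cmtab entry like the one above. As an added example (not part of cryptmount or the original article), this script checks the dev, dir and keyfile settings of each target before you run cryptmount; it assumes one setting per line as in the entry shown, the "foo" target is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag relative paths in a cmtab-style file read from stdin.
# Assumes the layout used in the article: "target {", one key=value per line, "}".

# Constructed sample: the article's "manual" target plus a broken "foo" target.
sample_cmtab() {
cat <<'EOF'
manual {
    dev=/dev/hdb5
    dir=/home/terry/manual
    fstype=reiserfs
    fsoptions=defaults
    cipher=aes
    keyfile=/etc/cryptmount/manual.key
    keyformat=builtin
}
foo {
    dev=/home/carla/foo.fs
    dir=crypt
    fstype=ext3
    keyfile=/etc/cryptmount/foo.key
}
EOF
}

check_cmtab() {
    target=""
    bad=0
    # read strips leading and trailing blanks, so indentation does not matter.
    while read -r line; do
        case "$line" in
            ''|'#'*) ;;                          # blank line or comment
            *'{'*)   target=${line%%[ {]*} ;;    # "manual {" -> "manual"
            '}'*)    target="" ;;
            *=*)
                key=${line%%=*}
                val=${line#*=}
                case "$key" in
                    dev|dir|keyfile)
                        case "$val" in
                            /*) ;;               # absolute path, fine
                            *)  echo "$target: $key=$val is not an absolute pathname"
                                bad=$((bad + 1)) ;;
                        esac ;;
                esac ;;
        esac
    done
    echo "$bad problem(s)"
}

sample_cmtab | check_cmtab
```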
Next, generate your encryption key, specifying the size in bytes. This might involve a bit of math, since it's more common to use bits. This example creates a 32-byte/256-bit key. The key size depends on your chosen cipher, which you're going to have to research your own self:
# cryptmount --generate-key 32 manual
generating random key, please be patient
enter new password for target "manual":
confirm password:
Then run this command, using your own target name of course:
# cryptmount --prepare manual
enter password for target "manual":
Now create the filesystem:
# mkreiserfs /dev/mapper/manual
Now run:
# cryptmount --release manual
Then create the mountpoint as the user it's going to belong to for fewer permissions-fixing hassles:
# su terry
$ mkdir /home/terry/manual
Next, mount it as the user with cryptmount manual. You'll probably have to tweak file permissions to allow a non-root user to read and write to the new encrypted partition, so while it is mounted fix the permissions and ownership:
# chown terry:terry /home/terry/manual
# chmod 0700 /home/terry/manual
You're welcome to tweak the permissions however you like; this makes Terry the owner and group owner, and only Terry can access this directory. Now Terry should be able to mount and unmount the encrypted filesystem, read and write to it, create and delete directories, and change her own password.
To mount encrypted filesystems automatically at boot, enter them in /etc/default/cryptmount. Refer to the well-written man cryptmount and man cmtab for additional options. Your installation or source tarball should contain additional examples and help, such as a sample /etc/cmtab that shows how to painlessly encrypt your swap file, and how to store your access key on a USB stick instead of on your computer. It is possible to create password-less keys, so then your USB stick operates just like an ordinary door key.