golloza Guru
Joined: 14 Mar 2004 Posts: 427
|
Posted: Sat Sep 25, 2004 10:46 am Post subject: |
|
|
nero wrote: | I'd like to see a script for this that would monitor IO on that file and then automatically unmount it and destroy the loop device. I have a terrible history of forgetting to do things like this.
/me leaves to figure out how to monitor the file IO...
--sean |
This script checks if any process is using the mountpoint and unmounts the fs and removes the mapper if no one is using it:
Code: |
#!/bin/sh
# If no process is using the mountpoint, unmount the fs, then remove the mapper.
fuser -m /mnt/secure > /dev/null || (umount /mnt/secure/ && cryptsetup remove secure) |
Of course you have to change the mountpoint and the name of the mapper to match your setup.
You can have cron execute it every 10 minutes or so. |
|
GentooBox Veteran
Joined: 22 Jun 2003 Posts: 1168 Location: Denmark
|
Posted: Sat Sep 25, 2004 11:10 am Post subject: |
|
|
golloza wrote: | nero wrote: | I'd like to see a script for this that would monitor IO on that file and then automatically unmount it and destroy the loop device. I have a terrible history of forgetting to do things like this.
/me leaves to figure out how to monitor the file IO...
--sean |
This script checks if any process is using the mountpoint and unmounts the fs and removes the mapper if no one is using it:
Code: |
#!/bin/sh
# If no process is using the mountpoint, unmount the fs, then remove the mapper.
fuser -m /mnt/secure > /dev/null || (umount /mnt/secure/ && cryptsetup remove secure) |
Of course you have to change the mountpoint and the name of the mapper to match your setup.
You can have cron execute it every 10 minutes or so. |
That's nice, but I have a 500 Gb RAID0 reiserfs partition encrypted with SHA256 and it takes 1 minute to mount.
Does anyone know if reiser4 mounts faster than reiserfs 3.6? _________________ Encrypt, lock up everything and duct tape the rest |
|
golloza Guru
Joined: 14 Mar 2004 Posts: 427
|
Posted: Sat Sep 25, 2004 11:49 am Post subject: |
|
|
I've also noticed that mounting the encrypted device takes longer than a normal partition (about 1-2 secs, 5GB reiserv3, aes 256 bit).
Updated version of the unmounter:
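Code: |
#!/bin/sh
# Unmount the encrypted fs and remove its mapper once nothing is using it.
mappername="secure"
mpoint="/mnt/secure"
if grep -q " $mpoint " /etc/mtab; then
    # Mounted: tear down only when no process is using the mountpoint.
    fuser -m "$mpoint" > /dev/null || (umount "$mpoint" && cryptsetup remove "$mappername")
else
    echo "$mpoint is not mounted!"
    # A mapper left behind without a mount is removed as well.
    if [ -e "/dev/mapper/$mappername" ]; then
        echo "Removing the mapper $mappername"
        cryptsetup remove "$mappername"
    fi
fi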
|
|
|
ultraViolet Apprentice
Joined: 03 Apr 2004 Posts: 280 Location: Lyon, France
|
Posted: Sun Sep 26, 2004 10:54 am Post subject: |
|
|
Thanks for this tutorial!
I would like to translate it into French for the French Gentoo forums, if you agree of course.
I am migrating from cryptoloop and I have followed your how to, but I don't use losetup, because I can't see the difference using it or not.
Code: |
cryptsetup -c twofish -s 128 -y create test /dev/vg/test
mount /dev/mapper/test /mnt/crypto
|
is working fine for me. I found many web sites indicating that dm-crypt was superior to cryptoloop because it doesn't use loopback devices... But if you use a /dev/loop0, what is the advantage of using dm-crypt? |
|
alwin n00b
Joined: 04 Apr 2004 Posts: 10 Location: Germany
|
Posted: Mon Sep 27, 2004 10:42 am Post subject: |
|
|
snip
Last edited by alwin on Tue Feb 28, 2006 8:07 pm; edited 1 time in total |
|
ultraViolet Apprentice
Joined: 03 Apr 2004 Posts: 280 Location: Lyon, France
|
Posted: Mon Sep 27, 2004 1:43 pm Post subject: |
|
|
I think I have understood the problem:
It seems that losetup is necessary only if you want to create an encrypted filesystem in a file.
Quote: |
http://www.saout.de/misc/dm-crypt/
[...]
cryptsetup:
Because the way using dmsetup directly is too complicated for most people I'm currently writing a native cryptsetup program to behave like one of the patched losetup's out there.
[...]
What if I want to encrypt a filesystem and keep it in a file?
You can use dm-crypt on top of a normal loop device, call losetup and cryptsetup.
I'm going to add loop support to cryptsetup so it can do this for you.
[...]
|
Last edited by ultraViolet on Tue Sep 28, 2004 2:41 pm; edited 1 time in total |
|
ultraViolet Apprentice
Joined: 03 Apr 2004 Posts: 280 Location: Lyon, France
|
Posted: Tue Sep 28, 2004 10:35 am Post subject: |
|
|
I have a really stupid question: if I want the encrypted HD to be automounted, I know that I can write a sh script to do so. But how can I launch it automatically when I start my computer? |
|
alwin n00b
Joined: 04 Apr 2004 Posts: 10 Location: Germany
|
Posted: Tue Sep 28, 2004 1:27 pm Post subject: |
|
|
snip
Last edited by alwin on Tue Feb 28, 2006 8:07 pm; edited 3 times in total |
|
golloza Guru
Joined: 14 Mar 2004 Posts: 427
|
Posted: Tue Sep 28, 2004 3:07 pm Post subject: |
|
|
Write a script and add it to /etc/conf.d/local.start.
Btw: baselayout 1.11.0 has support for dm-crypt (and WLAN), but it's still hard-masked. |
|
absinthe Retired Dev
Joined: 06 Oct 2002 Posts: 111 Location: San Francisco, CA, USA
|
Posted: Tue Dec 07, 2004 4:28 pm Post subject: |
|
|
I made a patch for baselayout-1.11.7 to support the mounting and unmounting of dm-crypt loops via conf.d/cryptfs. Works for me, but some testing and feedback on it by others would be appreciated.
Please refer to:
https://bugs.gentoo.org/show_bug.cgi?id=73598 _________________ Gentoo Developer |
|
JazzSax006 n00b
Joined: 03 Jun 2003 Posts: 38
|
Posted: Wed Dec 08, 2004 2:32 am Post subject: |
|
|
Is it only worth switching to dm-crypt if you're using block disk encryption on a physical partition, or is it still worth the upgrade even if you're mounting files as virtual encrypted disks? |
|
absinthe Retired Dev
Joined: 06 Oct 2002 Posts: 111 Location: San Francisco, CA, USA
|
Posted: Wed Dec 08, 2004 3:08 am Post subject: |
|
|
Yes, mainly because cryptoloop support is being dropped in 2.6 it seems (it appears to be broken in 2.6.8 and 2.6.9)... also in situations where a system can't be sliced up to create block device maps, loops make a nice alternative. There are some upsides to using loopback filesystems, namely it's a nice way to back up filesystem snapshots, and move them around as you need to.
I don't think the mount behavior is limited versus block devices in any way... the only drawback I can see is a performance penalty.
dm-crypt loops are not supported in the current baselayout. My patch attempts to address that (see link in previous post.) _________________ Gentoo Developer |
|
JazzSax006 n00b
Joined: 03 Jun 2003 Posts: 38
|
Posted: Wed Dec 08, 2004 3:11 am Post subject: |
|
|
Thanks for the info! I guess I'll be converting to dm-crypt this weekend. I just hope it is as stable as cryptoloop has been for me. |
|
Helper_Monkey Tux's lil' helper
Joined: 22 Feb 2003 Posts: 141
|
Posted: Mon Jan 03, 2005 4:52 am Post subject: |
|
|
does anyone know how to use this in conjunction with pam-mount so that you can encrypt your home directory and have it automount when you login and unmount when you log out?
I have seen some docs on how to do this, but for the life of me I can't get everything to work correctly together. _________________ It is a poverty to decide that a child must die so that you may live as you wish. -Mother Teresa |
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Sun Jan 09, 2005 7:41 pm Post subject: |
|
|
Helper_Monkey wrote: | does anyone know how to use this in conjunction with pam-mount so that you can encrypt your home directory and have it automount when you login and unmount when you log out? |
Maybe this HOWTO could help you.
Helper_Monkey wrote: | I have seen some docs on how to do this, but for the life of me I can't get everything to work correctly together. |
I just hope you're not talking about my doc. If you've got problems with it I'd be glad to help out. |
|
CodAv Apprentice
Joined: 09 May 2004 Posts: 166 Location: Wuppertal, Germany
|
Posted: Tue Dec 13, 2005 11:57 am Post subject: |
|
|
I would like to add that it is more secure to shred the /home/secret once with random data, since a file containing just zeroes is potentially insecure in cryptographic terms. Create the file with these commands:
Code: |
dd if=/dev/zero of=/home/secret bs=1M count=100
shred -n 1 /home/secret |
_________________ Debian is available in three different versions: rusty, stale and broken. |
|
nyk Guru
Joined: 28 Aug 2004 Posts: 527 Location: Bern (Switzerland)
|
Posted: Tue Jan 10, 2006 11:16 pm Post subject: |
|
|
I use the command "/usr/bin/cryptsetup create secret /dev/loop0" to activate my passphrase protected, encrypted storage device stored in a file.
I've got the command from this howto.
It worked for a year, but now I get: "Command failed: Invalid argument".
What do I have to change?
Something with cryptsetup seems to have changed, but I don't even find a manpage... |
|
tagwar Tux's lil' helper
Joined: 11 Aug 2004 Posts: 147 Location: Karlsruhe
|
Posted: Sat Jan 14, 2006 11:16 am Post subject: |
|
|
Does anyone have an idea if it is possible to use dm-crypt together with squashfs? I would like to copy some stuff from my main machine to my laptop; the two things I need are encryption and packing, since it's around 10GB of data... wouldn't want to fill up the small laptop harddisk with that... |
|
crubb n00b
Joined: 29 Jan 2006 Posts: 3
|
Posted: Sun Jan 29, 2006 10:39 am Post subject: |
|
|
nyk wrote: | I use the command "/usr/bin/cryptsetup create secret /dev/loop0" to activate my passphrase protected, encrypted storage device stored in a file.
I've got the command from this howto.
It worked for a year, but now I get: "Command failed: Invalid argument".
What do I have to change?
Something with cryptsetup seems to have changed, but I don't even find a manpage... |
At the moment, cryptsetup needs to be linked against libdevmapper.so.1.01, therefore you need to:
Code: | # echo '>=sys-fs/device-mapper-1.02.02' >> /etc/portage/package.mask && emerge device-mapper cryptsetup |
Or install the latest cryptsetup snapshot, see: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=344313
I filed a bug on bugzilla as well: https://bugs.gentoo.org/show_bug.cgi?id=120802
mfg,
crubb |
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1771 Location: PB, Germany
|
Posted: Thu Feb 16, 2006 2:48 pm Post subject: |
|
|
To open my encrypted firewire drive I do:
Code: |
cryptsetup create _dev_sda1 /dev/sda1 |
..as you do also with the loop file. But I am wondering, it just asks once for a passphrase. If the passphrase is correct, I can access my data; if not, my data is lost and a new mapper-device is created with the new passphrase?? What about typos? _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
crubb n00b
Joined: 29 Jan 2006 Posts: 3
|
Posted: Fri Feb 24, 2006 7:08 pm Post subject: |
|
|
When you mistype your passphrase your data isn't lost, it's just not accessible.
The filesystem on the crypted device cannot be mounted, therefore no writing operations should occur on this device and your data is still intact.
You'll just need to remove the mapper device and recreate it with the correct passphrase. |
|
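Added example, not part of the thread: a way to catch a mistyped passphrase before mounting. A plain `cryptsetup create` mapping has nothing to check the passphrase against, so this sketch looks for a filesystem superblock magic on the new mapper and removes the mapper when none is found. It assumes the volume holds ext2/3/4 or reiserfs 3.x; the function names `read_hex`, `has_fs_signature` and `open_verified` are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes the encrypted volume holds ext2/3/4 or reiserfs 3.x.

# Print $3 bytes at byte offset $2 of file or device $1 as lowercase hex.
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeed if $1 shows a known superblock magic, i.e. it decrypted sensibly.
has_fs_signature() {
    # ext2/3/4: 0xEF53 stored little-endian at byte offset 1080
    [ "$(read_hex "$1" 1080 2)" = "53ef" ] && return 0
    # reiserfs 3.x: magic string starting "ReIsEr" at offset 65536 + 52
    [ "$(read_hex "$1" 65588 6)" = "526549734572" ] && return 0
    return 1
}

# Create mapper $1 on device $2 (prompts for the passphrase) and keep it
# only if the decrypted data looks like a filesystem.
open_verified() {
    cryptsetup create "$1" "$2" || return 1
    if has_fs_signature "/dev/mapper/$1"; then
        return 0
    fi
    echo "No filesystem found on /dev/mapper/$1 (wrong passphrase?)" >&2
    cryptsetup remove "$1"
    return 2
}

# Usage: sh open-verified.sh secure /dev/loop0 && mount /dev/mapper/secure /mnt/secure
if [ "$#" -eq 2 ]; then
    open_verified "$1" "$2"
fi
```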