HOWTO: Encrypt a filesystem in a loopback file via dm_crypt

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.
46 posts
golloza
Guru
Posts: 427
Joined: Sun Mar 14, 2004 6:57 pm

Post by golloza » Sat Sep 25, 2004 10:46 am

nero wrote:I'd like to see a script for this that would monitor IO on that file and then automatically unmount it and destroy the loop device. I have a terrible history of forgetting to do things like this.

/me leaves to figure out how to monitor the file IO...

--sean
This script checks if any process is using the mountpoint and unmounts the fs and removes the mapper if no one is using it:

#!/bin/sh
# fuser -m exits 0 while some process is using the filesystem; only when
# nobody is, unmount it and then tear down the mapper.
fuser -m /mnt/secure > /dev/null || (umount /mnt/secure && cryptsetup remove secure)
Of course you have to change the mountpoint and the name of the mapper to match your setup.

You can have cron execute it every 10 minutes or so.

GentooBox
Veteran
Posts: 1168
Joined: Sun Jun 22, 2003 10:52 am
Location: Denmark

Post by GentooBox » Sat Sep 25, 2004 11:10 am

golloza wrote:This script checks if any process is using the mountpoint and unmounts the fs and removes the mapper if no one is using it: [...]
That's nice, but I have a 500 GB RAID0 reiserfs partition encrypted with SHA256 and it takes 1 minute to mount. :D

does anyone know if reiser4 mounts faster than reiserfs 3.6 ?
Encrypt, lock up everything and duct tape the rest

golloza
Guru
Posts: 427
Joined: Sun Mar 14, 2004 6:57 pm

Post by golloza » Sat Sep 25, 2004 11:49 am

I've also noticed that mounting the encrypted device takes longer than a normal partition (about 1-2 secs, 5GB reiserfs v3, aes 256 bit).

Updated version of the unmounter:

#!/bin/sh

mappername="secure"
mpoint="/mnt/secure"

# Match the mountpoint as a whole field so that /mnt/secure does not also
# match /mnt/secure2
if grep -q " $mpoint " /etc/mtab; then
        # fuser -m exits 0 while some process still uses the filesystem
        fuser -m "$mpoint" > /dev/null || (umount "$mpoint" && cryptsetup remove "$mappername")
else
        echo "$mpoint is not mounted!"
        if [ -e "/dev/mapper/$mappername" ]; then
                echo "Removing the mapper $mappername"
                cryptsetup remove "$mappername"
        fi
fi
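As an added example (not part of the thread and not golloza's code), here is the same idle-unmount idea carried one step further for the loopback-file case this HOWTO is about: `cryptsetup remove` drops the mapping but leaves the loop device attached to the file, so the script also reads the backing device from the `device:` line of `cryptsetup status` and detaches it when it is a `/dev/loop*`. The mountpoint is compared as a whole field of /proc/mounts rather than with a substring grep. The mapper name `secure`, the mountpoint `/mnt/secure` and the `SECURE_TEARDOWN` switch are assumptions; mountpoints containing spaces appear octal-escaped in /proc/mounts and are not handled here.

```shell
#!/bin/sh
# Added example, not code from the thread: idle-unmount for a dm-crypt mapping
# that sits on a loop device. Mapper name, mountpoint and the SECURE_TEARDOWN
# switch are assumptions; the "device:" line is what `cryptsetup status` prints.
set -u

MAPPER="${MAPPER:-secure}"
MPOINT="${MPOINT:-/mnt/secure}"

# mounted_at MPOINT MOUNTS_FILE: succeed if MPOINT is exactly the second field
# of some line in MOUNTS_FILE (the /proc/mounts layout: dev mountpoint fstype ...).
mounted_at() {
    while read -r _dev _mp _rest; do
        if [ "$_mp" = "$1" ]; then
            return 0
        fi
    done < "$2"
    return 1
}

# parse_backing_device: read `cryptsetup status NAME` output on stdin and print
# the device behind the mapping (prints nothing if there is no "device:" line).
parse_backing_device() {
    while read -r key val _rest; do
        if [ "$key" = "device:" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done
    return 0
}

# teardown_if_idle MPOINT MAPPER [MOUNTS_FILE]: unmount if nothing uses the
# filesystem, then remove the mapper and detach its loop device. Needs root.
teardown_if_idle() {
    mp="$1"; mapper="$2"; mounts="${3:-/proc/mounts}"
    if mounted_at "$mp" "$mounts"; then
        # fuser -m exits 0 while some process still has a file open there
        if fuser -m "$mp" > /dev/null 2>&1; then
            echo "$mp is busy, leaving it mounted"
            return 1
        fi
        umount "$mp" || return 1
    fi
    if [ -e "/dev/mapper/$mapper" ]; then
        dev=$(cryptsetup status "$mapper" | parse_backing_device)
        cryptsetup remove "$mapper" || return 1
        case "$dev" in
            /dev/loop*) losetup -d "$dev" ;;   # only detach what backed the mapper
        esac
    fi
    return 0
}

# Run from cron every few minutes, e.g.:
#   */10 * * * * SECURE_TEARDOWN=1 /usr/local/sbin/secure-teardown.sh
if [ -n "${SECURE_TEARDOWN:-}" ]; then
    teardown_if_idle "$MPOINT" "$MAPPER"
fi
```

The `mounts` argument exists so the mountpoint check can be exercised against a file you construct; in production it defaults to /proc/mounts, which reflects the kernel's view rather than the /etc/mtab copy.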

ultraViolet
Apprentice
Posts: 280
Joined: Sat Apr 03, 2004 11:10 am
Location: Lyon, France

Post by ultraViolet » Sun Sep 26, 2004 10:54 am

Thanks for this tutorial !
I would like to translate it into French for the French Gentoo forums, if you agree of course.

I am migrating from cryptoloop and I have followed your how to, but I don't use losetup, because I can't see the difference using it or not.

cryptsetup -c twofish -s 128 -y create test /dev/vg/test
mount /dev/mapper/test /mnt/crypto
is working fine for me. I found many web sites indicating that dm-crypt was superior to cryptoloop because it doesn't use loopback devices... But if you use a /dev/loop0, what is the advantage of using dm-crypt?

alwin
n00b
Posts: 10
Joined: Sun Apr 04, 2004 8:26 am
Location: Germany

Post by alwin » Mon Sep 27, 2004 10:42 am

snip
Last edited by alwin on Tue Feb 28, 2006 8:07 pm, edited 1 time in total.

ultraViolet
Apprentice
Posts: 280
Joined: Sat Apr 03, 2004 11:10 am
Location: Lyon, France

Post by ultraViolet » Mon Sep 27, 2004 1:43 pm

I think I have understood the problem:
It seems that losetup is necessary only if you want to create an encrypted filesystem in a file.
http://www.saout.de/misc/dm-crypt/
[...]
cryptsetup:
Because the way using dmsetup directly is too complicated for most people I'm currently writing a native cryptsetup program to behave like one of the patched losetup's out there.
[...]
What if I want to encrypt a filesystem and keep it in a file?
You can use dm-crypt on top of a normal loop device, call losetup and cryptsetup.
I'm going to add loop support to cryptsetup so it can do this for you.
[...]
Last edited by ultraViolet on Tue Sep 28, 2004 2:41 pm, edited 1 time in total.

ultraViolet
Apprentice
Posts: 280
Joined: Sat Apr 03, 2004 11:10 am
Location: Lyon, France

Post by ultraViolet » Tue Sep 28, 2004 10:35 am

I have a really stupid question: if I want the encrypted HD to be automounted, I know that I can write a sh script for doing so. But how can I launch it automatically when I start my computer?

alwin
n00b
Posts: 10
Joined: Sun Apr 04, 2004 8:26 am
Location: Germany

Post by alwin » Tue Sep 28, 2004 1:27 pm

snip
Last edited by alwin on Tue Feb 28, 2006 8:07 pm, edited 3 times in total.

golloza
Guru
Posts: 427
Joined: Sun Mar 14, 2004 6:57 pm

Post by golloza » Tue Sep 28, 2004 3:07 pm

Write a script and add it to /etc/conf.d/local.start.

Btw: baselayout 1.11.0 has support for dm-crypt (and WLAN :)), but it's still hard-masked.

absinthe
Retired Dev
Posts: 111
Joined: Sun Oct 06, 2002 6:16 am
Location: San Francisco, CA, USA

Post by absinthe » Tue Dec 07, 2004 4:28 pm

I made a patch for baselayout-1.11.7 to support the mounting and unmounting of dm-crypt loops via conf.d/cryptfs. Works for me, but some testing and feedback on it by others would be appreciated.

Please refer to:
http://bugs.gentoo.org/show_bug.cgi?id=73598
Gentoo Developer

JazzSax006
n00b
Posts: 38
Joined: Tue Jun 03, 2003 8:25 pm

Post by JazzSax006 » Wed Dec 08, 2004 2:32 am

Is it only worth switching to dm-crypt if you're using block disk encryption on a physical partition, or is it still worth the upgrade even if you're mounting files as virtual encrypted disks?

absinthe
Retired Dev
Posts: 111
Joined: Sun Oct 06, 2002 6:16 am
Location: San Francisco, CA, USA

Post by absinthe » Wed Dec 08, 2004 3:08 am

Yes, mainly because cryptoloop support is being dropped in 2.6 it seems (it appears to be broken in 2.6.8 and 2.6.9)... also in situations where a system can't be sliced up to create block device maps, loops make a nice alternative. There are some upsides to using loopback filesystems, namely it's a nice way to back up filesystem snapshots, and move them around as you need to.

I don't think the mount behavior is limited versus block devices in any way... the only drawback I can see is a performance penalty.

dm-crypt loops are not supported in the current baselayout. My patch attempts to address that (see link in previous post.)
Gentoo Developer

JazzSax006
n00b
Posts: 38
Joined: Tue Jun 03, 2003 8:25 pm

Post by JazzSax006 » Wed Dec 08, 2004 3:11 am

Thanks for the info! I guess I'll be converting to dm-crypt this weekend. I just hope it is as stable as cryptoloop has been for me.

Helper_Monkey
Tux's lil' helper
Posts: 141
Joined: Sat Feb 22, 2003 3:54 pm

Post by Helper_Monkey » Mon Jan 03, 2005 4:52 am

does anyone know how to use this in conjunction with pam-mount so that you can encrypt your home directory and have it automount when you login and unmount when you log out?

I have seen some docs on how to do this, but for the life of me I can't get everything to work correctly together.
It is a poverty to decide that a child must die so that you may live as you wish. -Mother Teresa

tuxophil
Tux's lil' helper
Posts: 80
Joined: Sun Jun 29, 2003 9:50 pm
Location: Diddeleng, Lëtzebuerg

Post by tuxophil » Sun Jan 09, 2005 7:41 pm

Helper_Monkey wrote:does anyone know how to use this in conjunction with pam-mount so that you can encrypt your home directory and have it automount when you login and unmount when you log out?
Maybe this HOWTO could help you.
Helper_Monkey wrote:I have seen some docs on how to do this, but for the life of me I can't get everything to work correctly together.
I just hope you're not talking about my doc :wink:. If you've got problems with it I'd be glad to help out.

CodAv
Apprentice
Posts: 171
Joined: Sun May 09, 2004 2:52 pm
Location: Essen, Germany

Post by CodAv » Tue Dec 13, 2005 11:57 am

I would like to add that it is more secure to shred the /home/secret once with random data, since a file containing just zeroes is potentially insecure in cryptographic terms. Create the file with these commands:

# allocate the container, then overwrite it once with random data
dd if=/dev/zero of=/home/secret bs=1M count=100
shred -n 1 /home/secret
Debian is available in three different versions: rusty, stale and broken.

nyk
Guru
Posts: 527
Joined: Sat Aug 28, 2004 2:19 am
Location: Bern (Switzerland)

Post by nyk » Tue Jan 10, 2006 11:16 pm

I use the command "/usr/bin/cryptsetup create secret /dev/loop0" to activate my passphrase protected, encrypted storage device stored in a file.
I've got the command from this howto.
It worked for a year, but now I get: "Command failed: Invalid argument".
What do I have to change?
Something with cryptsetup seems to have changed, but I don't even find a manpage...

tagwar
Tux's lil' helper
Posts: 147
Joined: Wed Aug 11, 2004 3:20 pm
Location: Karlsruhe

Post by tagwar » Sat Jan 14, 2006 11:16 am

does anyone have an idea if it is possible to use dm-crypt together with squashfs? I would like to copy some stuff from my main machine to my laptop, the two things i need are encryption and packing, since it's around 10GB of data... wouldn't want to fill up the small laptop harddisk with that...

crubb
n00b
Posts: 3
Joined: Sun Jan 29, 2006 10:27 am

Post by crubb » Sun Jan 29, 2006 10:39 am

nyk wrote:I use the command "/usr/bin/cryptsetup create secret /dev/loop0" to activate my passphrase protected, encrypted storage device stored in a file.
I've got the command from this howto.
It worked for a year, but now I get: "Command failed: Invalid argument".
What do I have to change?
Something with cryptsetup seems to have changed, but I don't even find a manpage...
At the moment, cryptsetup needs to be linked against libdevmapper.so.1.01, therefore you need to:

# echo '>=sys-fs/device-mapper-1.02.02' >> /etc/portage/package.mask && emerge device-mapper cryptsetup
Or install the latest cryptsetup snapshot, see: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=344313

I filed a bug on bugzilla as well: http://bugs.gentoo.org/show_bug.cgi?id=120802

mfg,
crubb

Massimo B.
Veteran
Posts: 1940
Joined: Wed Feb 09, 2005 3:05 pm
Location: PB, Germany

Post by Massimo B. » Thu Feb 16, 2006 2:48 pm

To open my encrypted firewire drive I do:

cryptsetup create _dev_sda1 /dev/sda1
..as you do also with the loop file. But I am wondering, it just asks once for a passphrase. If the passphrase is correct, I can access my data, if not, my data is lost and a new mapper-device is created with the new passphrase?? What about typos? :)
HP ZBook Power G9 i7-12700H,64GB DDR5|HP ProDesk 600 G5 i7-9700,128GB DDR4

crubb
n00b
Posts: 3
Joined: Sun Jan 29, 2006 10:27 am

Post by crubb » Fri Feb 24, 2006 7:08 pm

When you mistype your passphrase your data isn't lost, it's just not accessible.
The filesystem on the crypted device cannot be mounted, therefore no writing operations should occur on this device and your data is still intact.

You'll just need to remove the mapper device and recreate it with the correct passphrase.
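The three points made in this thread about plain (header-less) dm-crypt on a loop file, the losetup-then-cryptsetup sequence quoted from saout.de, CodAv's advice to fill the container with random data instead of zeros, and crubb's note that a mistyped passphrase just yields an unreadable mapping, fit together in one script. The following is an added example written for this page, not code from the HOWTO or from the cryptsetup project. It assumes the names used in the thread (`/home/secret`, mapper `secure`, `/mnt/secure`, aes with a 256-bit key) plus ext3 as the filesystem, and the `SECURE_ACTION`, `DRY_RUN` and `DRY_RUN_FSTYPE` switches are hooks of this script only. Because plain mode has no header, `cryptsetup create` cannot tell a wrong passphrase from a right one; the script therefore checks with `blkid` that the opened mapping actually carries a filesystem before mounting it, and tears the mapping down otherwise, so a typo never leads to writing to, or formatting, garbage. `cryptsetup create`/`remove` is the legacy plain-mode syntax this thread uses; current releases spell it `cryptsetup open --type plain` and `cryptsetup close`.

```shell
#!/bin/sh
# Added example, not code from the thread or from cryptsetup. Names, sizes and
# the SECURE_ACTION / DRY_RUN / DRY_RUN_FSTYPE switches are assumptions.
set -u

LOOPDEV=""

# run CMD...: in dry-run mode print the command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# attach_and_map FILE MAPPER: loop-attach FILE and build the plain dm-crypt
# mapping on top of the loop device. Sets LOOPDEV. Needs root for real use.
attach_and_map() {
    if [ -n "${DRY_RUN:-}" ]; then
        LOOPDEV=/dev/loopN                  # placeholder for the dry run
    else
        LOOPDEV=$(losetup -f) || return 1   # first free loop device
    fi
    run losetup "$LOOPDEV" "$1" || return 1
    # -y asks for the passphrase twice; plain mode has no header, so this
    # prompt is the only typo check you get while creating a new container
    run cryptsetup -c aes -s 256 -y create "$2" "$LOOPDEV"
}

# mapping_has_filesystem DEV: succeed if blkid sees a filesystem on DEV.
# Opened with the wrong passphrase, a plain mapping decrypts to noise and
# blkid reports no TYPE at all.
mapping_has_filesystem() {
    if [ -n "${DRY_RUN:-}" ]; then
        [ -n "${DRY_RUN_FSTYPE:-}" ]        # test hook standing in for blkid
    else
        [ -n "$(blkid -o value -s TYPE "$1" 2>/dev/null)" ]
    fi
}

# create_container FILE SIZE_MB MAPPER MPOINT: new container, random-filled,
# mapped, formatted and mounted.
create_container() {
    run touch "$1" || return 1
    run chmod 600 "$1" || return 1          # owner-only before any data lands
    # random fill rather than zeros: on a zero-filled file every block that
    # was ever written stands out as ciphertext against a blank background
    run dd if=/dev/urandom of="$1" bs=1M count="$2" || return 1
    attach_and_map "$1" "$3" || return 1
    run mkfs.ext3 "/dev/mapper/$3" || return 1
    run mount "/dev/mapper/$3" "$4"
}

# open_container FILE MAPPER MPOINT: map an existing container and mount it
# only if the mapping really carries a filesystem; otherwise undo the
# mapping again so nothing is written to, or formatted on, garbage.
open_container() {
    attach_and_map "$1" "$2" || return 1
    if ! mapping_has_filesystem "/dev/mapper/$2"; then
        echo "no filesystem on /dev/mapper/$2: mistyped passphrase?" >&2
        run cryptsetup remove "$2"
        run losetup -d "$LOOPDEV"
        return 1
    fi
    run mount "/dev/mapper/$2" "$3"
}

# Usage as root:
#   SECURE_ACTION=create sh secure-container.sh /home/secret 100 secure /mnt/secure
#   SECURE_ACTION=open   sh secure-container.sh /home/secret secure /mnt/secure
case "${SECURE_ACTION:-}" in
    create) create_container "$@" ;;
    open)   open_container "$@" ;;
esac
```

Setting `DRY_RUN=1` makes every step print the command it would run, which is a convenient way to review the losetup/cryptsetup/mkfs order before doing it for real on a file you care about; `mkfs` only ever runs in `create`, never in `open`.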