SDB:Using the Crypto File System
Version: 7.2
At the moment it is not possible to set up a Crypto File System using YaST2 after installation. Therefore it has to be configured manually.
Request:
How do I create a filesystem which uses encryption?
Procedure:
First of all load the kernel module which does the encryption:
modprobe loop_fish2
At the moment we provide only Twofish, since all other algorithms are either weak, have known attacks, or have problems with regard to patents.
Now there are two possibilities:
- encrypt a whole partition, and
- encrypt a filesystem on a file
Encrypt a whole partition
We have to set up the loop device, create the filesystem and mount it at the desired mountpoint (in this example we use the already existing partition /dev/hda3).
ATTENTION: all data on partition /dev/hda3 will be lost!
losetup -e twofish /dev/loop0 /dev/hda3
You are asked for the encryption password. Please remember this password: if it is lost, all data you have stored in the filesystem are lost with it.
mkreiserfs /dev/loop0
mount -t reiserfs /dev/loop0 /encrypt_part
The partition just created uses a reiser filesystem; its data are encrypted with the twofish algorithm and the password you supplied. The filesystem is reached via /encrypt_part (please make sure this directory exists beforehand!).
Use a file as encrypted filesystem
The main difference is that we are using a simple file residing on a regular filesystem to hold our encrypted data.
We have to create that file with the desired size and do the steps as in the above example:
dd if=/dev/urandom of=/tmp/cryptfile bs=1024 count=20000
losetup -e twofish /dev/loop1 /tmp/cryptfile
mke2fs /dev/loop1
mount -t ext2 /dev/loop1 /encrypt_file
You will be asked for the encryption password after the losetup command.
The file /tmp/cryptfile holds the data, a 20 MB ext2 filesystem is used and you can reach the data via the directory /encrypt_file.
Automatic mounting during bootup
If the filesystems should be mounted automatically during bootup, create a file named /etc/cryptotab and include the following lines:
/dev/loop0 /dev/hda3 /encrypt_part reiserfs twofish defaults
/dev/loop1 /tmp/cryptfile /encrypt_file ext2 twofish defaults
The layout of this file is much like that of /etc/fstab. The first column holds the loop device, the second the name of the partition or file holding the encrypted data, the third the mountpoint, followed by the filesystem type. The fifth column contains the name of the encryption algorithm and the sixth column holds the mount options as described in the fstab man page.
Please keep in mind that each time you mount an encrypted filesystem you are asked for the password. The system is not able to start up until you enter the password for the encrypted filesystem.
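Because a malformed entry stops the system at boot until someone answers (or fails to answer) the password prompt, it pays to check /etc/cryptotab before rebooting. The following is an added example, not part of this SDB article or of SuSE's boot scripts: it checks each line against the six-column layout described above and prints the losetup and mount commands the line implies. The sample entries are constructed.

```shell
#!/bin/sh
# Added example: validate cryptotab-style entries before a reboot.
# Field layout (from the article): loop device, partition or file,
# mountpoint, filesystem type, algorithm, mount options.

# Check one line; print the boot-time commands it implies, or
# report the problem on stderr and return non-zero.
check_cryptotab_line() {
    line=$1
    set -f                    # no glob expansion while splitting
    set -- $line
    set +f
    if [ $# -ne 6 ]; then
        echo "error: expected 6 fields, got $#: $line" >&2
        return 1
    fi
    loopdev=$1 backing=$2 mountpt=$3 fstype=$4 algo=$5 opts=$6
    case $loopdev in
        /dev/loop[0-9]*) ;;
        *) echo "error: $loopdev is not a loop device" >&2; return 1 ;;
    esac
    case $mountpt in
        /*) ;;
        *) echo "error: mountpoint $mountpt must be absolute" >&2; return 1 ;;
    esac
    # loop_fish2 only provides Twofish, so anything else cannot mount.
    if [ "$algo" != "twofish" ]; then
        echo "error: unsupported algorithm $algo (only twofish)" >&2
        return 1
    fi
    echo "losetup -e $algo $loopdev $backing"
    echo "mount -t $fstype -o $opts $loopdev $mountpt"
}

# Run every non-blank, non-comment line of a file through the check;
# the return value is the number of bad lines (0 means all good).
check_cryptotab_file() {
    bad=0
    while read -r entry; do
        case $entry in ''|'#'*) continue ;; esac
        check_cryptotab_line "$entry" || bad=$((bad + 1))
    done < "$1"
    return $bad
}
```

Run it as `check_cryptotab_file /etc/cryptotab` and fix any line it rejects; nothing is mounted or changed by the check itself.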
Unmounting an encrypted filesystem
Unmounting an encrypted filesystem is performed in two steps.
First unmount the filesystem:
umount /encrypt_part
and then release the used loop device:
losetup -d /dev/loop0
Password limitations
Up to now there is no way to change the encryption password of an already created encrypted filesystem. The only option you have is to create a new encrypted filesystem with a new password and copy all files from the old to the new filesystem. Afterwards you may delete the old filesystem.
It is always a good idea to use long passwords (longer than 8 characters) and, even better, randomly generated passwords, since this minimizes the chance of the encryption being cracked.
Other sources of information
http://encryptionhowto.sourceforge.net
Disclaimer
Since encrypting data with the above method is still marked as experimental, there is no warranty for the safety of your data. Please create a backup of all your data before you experiment with the encryption, and always keep a backup of your data during regular work with the encrypted filesystem.
Please keep in mind that setting up an encrypted file system is not covered by our free installation support.
Try it at your own risk!