SDB:Using the Crypto File System



Version: 7.2

At the moment, there is no possibility to set up a Crypto File System using YaST2 after the installation process. Therefore one has to configure it manually.

Request:

How do I create a filesystem which uses encryption?

Procedure:

First of all load the kernel module which does the encryption:

modprobe loop_fish2

At the moment we provide only Twofish, since all other algorithms are either weak, have known attacks, or raise patent problems.

Now there are two possibilities:

  1. encrypt a whole partition, and
  2. encrypt a filesystem on a file

Encrypt a whole partition

We have to set up the loop device, create the filesystem and mount it at the desired mountpoint (assume the partition /dev/hda3 has already been created).
ATTENTION: all data on partition /dev/hda3 will be lost!

losetup -e twofish /dev/loop0 /dev/hda3

You are asked for the encryption password. Please remember this password: if it is lost, all data you have stored in the filesystem is lost with it.

mkreiserfs /dev/loop0
mount -t reiserfs /dev/loop0 /encrypt_part

The partition just created uses a reiser filesystem; the data is encrypted with the Twofish algorithm under the password you supplied. The filesystem is reachable at /encrypt_part (please be sure this directory exists before mounting!).

Use a file as encrypted filesystem

The main difference is that we are using a simple file residing on a regular filesystem to hold our encrypted data.
We have to create that file with the desired size and do the steps as in the above example:

dd if=/dev/urandom of=/tmp/cryptfile bs=1024 count=20000
losetup -e twofish /dev/loop1 /tmp/cryptfile
mke2fs /dev/loop1
mount -t ext2 /dev/loop1 /encrypt_file

You will be asked for the encryption password after the losetup command.

The file /tmp/cryptfile holds the data, a roughly 20 MB ext2 filesystem is used (bs=1024 with count=20000 gives 20000 KB), and you may reach the data via the directory /encrypt_file. Filling the file from /dev/urandom rather than creating it empty means that unused blocks cannot be told apart from encrypted data.

Automatic mounting during bootup

If the filesystems should be mounted automatically during bootup, create a file named /etc/cryptotab and include the following lines:

/dev/loop0  /dev/hda3       /encrypt_part  reiserfs  twofish  defaults
/dev/loop1  /tmp/cryptfile  /encrypt_file  ext2      twofish  defaults

The layout of this file is much like the format of the file /etc/fstab. The first column names the loop device, the second the partition or the file holding the encrypted data, the third the mountpoint, and the fourth the filesystem type. The fifth column contains the name of the encryption algorithm and the sixth column holds the mount options as described in the fstab man-page.

Please keep in mind that each time an encrypted filesystem is mounted you are asked for its password. The system cannot finish booting unattended: startup blocks until you enter the password for each encrypted filesystem listed in /etc/cryptotab.

Unmounting an encrypted filesystem

Unmounting an encrypted filesystem is performed in two steps.
First unmount the filesystem:

umount /encrypt_part

and then release the used loop device:

losetup -d /dev/loop0
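The following script is an added example and not SuSE's own boot script. It shows how the six-column /etc/cryptotab format above maps onto the losetup and mount commands from this article, and how the two-step unmount (filesystem first, then the loop device) is applied in reverse order at shutdown. The function takes the cryptotab path as an argument, so it can be tried on a constructed file instead of the real /etc/cryptotab, and it only prints the commands unless DRY_RUN=0 is set and the script is run as root.

```shell
#!/bin/sh
# Added example: interpret /etc/cryptotab-style lines (loopdev, backing
# file or partition, mountpoint, fstype, cipher, mount options) and emit the
# losetup/mount sequence from the article, plus the reverse teardown.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.

DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command and execute it unless DRY_RUN=1
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# cryptotab_mount FILE: attach every loop device and mount it, in file order.
# Returns 1 if a line does not have all six columns.
cryptotab_mount() {
    while read -r loopdev backing mountpoint fstype cipher opts; do
        # skip blank lines and comments
        case "$loopdev" in ''|'#'*) continue ;; esac
        if [ -z "$opts" ]; then
            printf 'cryptotab: malformed line (need 6 columns): %s\n' "$loopdev" >&2
            return 1
        fi
        # losetup prompts for the encryption password on the terminal
        run losetup -e "$cipher" "$loopdev" "$backing"
        run mount -t "$fstype" -o "$opts" "$loopdev" "$mountpoint"
    done < "$1"
}

# cryptotab_umount FILE: unmount each filesystem and then release its loop
# device, walking the file in reverse so later mounts come down first.
cryptotab_umount() {
    # sed reverses the line order (portable replacement for tac)
    sed -n '1!G;h;$p' "$1" | while read -r loopdev backing mountpoint fstype cipher opts; do
        case "$loopdev" in ''|'#'*) continue ;; esac
        run umount "$mountpoint"
        run losetup -d "$loopdev"
    done
}

# Constructed sample cryptotab, using the two entries from this article.
demo_cryptotab() {
    printf '%s\n' \
        '/dev/loop0  /dev/hda3       /encrypt_part  reiserfs  twofish  defaults' \
        '/dev/loop1  /tmp/cryptfile  /encrypt_file  ext2      twofish  defaults'
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp) && demo_cryptotab > "$tmp"
    echo "# boot:"; cryptotab_mount "$tmp"
    echo "# shutdown:"; cryptotab_umount "$tmp"
    rm -f "$tmp"
fi
```

Run `sh cryptotab.sh demo` to see the command sequence for the two sample entries; with DRY_RUN=0 and root privileges the same functions attach, mount, unmount and detach for real. Note that the password prompt comes from losetup itself, which is why an unattended boot is impossible with this setup.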

Password limitations

Up to now there is no possibility to change the password for encryption on an already created encrypted filesystem. The only possibility you have is to create a new encrypted filesystem with a new password and to copy all files from the old to the new filesystem. Afterwards you may delete the old filesystem.

Since the password is the only key material and cannot be changed afterwards, it is always a good idea to use long passwords (longer than 8 characters) and, even better, randomly generated ones; this minimizes the chance that the encryption can be cracked by guessing the password.

Other sources of information

http://encryptionhowto.sourceforge.net

Disclaimer

Since encrypting data with the above method is still marked as experimental, there is no warranty for the safety of your data. Please create a backup of all your data before you experiment with the encryption, and always keep a backup of your data during regular work with the encrypted filesystem.

Please keep in mind, that the setup of an encrypted file system is not subject of our free installation support.

Try it at your own risk!