Mounting encrypted volumes
Posted by Steve on Wed 19 Jan 2005 at 11:14
If you're worried about storing confidential material on your home machine or a laptop, you might be interested in using encryption. Applications such as GNU Privacy Guard are good for protecting single files, but they are awkward when you want to keep a whole directory secure. This is where mounting volumes through an encryption module can be useful.
Using the loop-aes kernel module you can mount a file via the loopback interface and have everything written to that file stored encrypted, so it stays private even if the file itself is copied off the disk.
Of course there is a downside. Encrypting a volume adds overhead, and it can make recovery of data difficult in the case of a crash or filesystem corruption, since nothing on the volume is readable without the passphrase.
But the gain of mounting things securely is worthwhile.
The loop-aes module is available in Debian's unstable and sarge archives, and building it requires the kernel headers matching your running kernel (the full kernel source is not needed).
For the moment it is suggested that you use a 2.6.x kernel.
To determine your running kernel's version you should run:
uname -r
Assuming it returns "2.6.8-1-386" you would then run:
apt-get install kernel-headers-2.6.8-1-386
This will leave you with the header files in the directory /usr/src.
Now we can install the source for the kernel module itself, and module-assistant, the tool used to build it:
apt-get install module-assistant loop-aes-source
(This will almost certainly install additional packages on your system).
Building and installing the module is simple:
module-assistant prepare
module-assistant build loop-aes
apt-get install loop-aes-utils
module-assistant install loop-aes
Once this is done we can create a small 5 MB filesystem on an encrypted volume:
dd if=/dev/zero of=volume bs=4k count=1280
losetup -e AES128 /dev/loop1 volume
mkfs -t ext2 /dev/loop1
losetup -d /dev/loop1
mkdir /mnt/secure
mount volume -o loop=/dev/loop1,encryption=AES128 /mnt/secure/ -t ext2
You will be prompted for the passphrase when you run the "losetup" command that sets up the encrypted loop device, and again when you mount it. The same passphrase must be given both times; with a different one the mount fails, because the filesystem on the volume cannot be decrypted. Passphrases must be 20 characters or more.
To generate a passphrase I'd run something like:
root@host:~# head /dev/urandom | md5sum | awk '{print $1}'
01f7c41e5936eff710e13581b3f8a1fe
This passphrase can then be printed out and kept somewhere secure, or archived somewhere safe. The 32 hex characters carry 128 bits of entropy, matching the AES128 key size, and anyone who obtains the printout can decrypt the volume.
In addition to mounting a file as a filesystem like this, you can find instructions for mounting partitions, swap, and even your root filesystem securely by reading /usr/share/doc/loop-aes-2.6.8-1-386/README.gz
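The volume-creation steps above, gathered into a script as an added example (this is not code from the article or from loop-aes-utils). It wraps the dd/losetup/mkfs/mount sequence in a function, computes the dd block count from a size in MiB instead of hard-coding count=1280, and checks loop-aes's 20-character passphrase rule up front. The function names, the od-based passphrase generator (an alternative to the article's md5sum pipeline, giving the same 128 bits) and the "create" argument convention are assumptions of this example; the device and mount-point names are the article's.

```shell
#!/bin/sh
# Added example (not from the original article): the loop-aes volume
# procedure wrapped in functions, with the sizing arithmetic and the
# loop-aes 20-character passphrase rule checked before any loop device is
# touched. Function names and the "create" argument are this example's own.
set -eu

# dd block count for a volume of SIZE_MIB MiB written in BS_KIB KiB blocks.
# The article's "bs=4k count=1280" is volume_count 5 4.
volume_count() {
    size_mib=$1
    bs_kib=$2
    echo $(( size_mib * 1024 / bs_kib ))
}

# loop-aes's losetup refuses passphrases shorter than 20 characters;
# checking the rule here makes a script fail before prompting, not during.
passphrase_ok() {
    [ "${#1}" -ge 20 ]
}

# 16 random bytes as 32 hex characters: 128 bits of entropy, the most the
# article's md5sum pipeline can yield, obtained without the hashing step.
gen_passphrase() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Create, format and mount an AES128 loop-aes volume. Needs root, the
# loop-aes module loaded and loop-aes-utils installed. losetup prompts for
# the passphrase once here and mount prompts again; the two must match or
# the mount fails because the filesystem cannot be decrypted.
create_volume() {
    file=$1
    size_mib=$2
    dev=$3
    mnt=$4
    dd if=/dev/zero of="$file" bs=4k count="$(volume_count "$size_mib" 4)"
    losetup -e AES128 "$dev" "$file"
    mkfs -t ext2 "$dev"
    losetup -d "$dev"
    mkdir -p "$mnt"
    mount "$file" -o loop="$dev",encryption=AES128 "$mnt" -t ext2
}

# Only touch loop devices when asked explicitly, e.g.
#   sh volume.sh create /root/volume 5 /dev/loop1 /mnt/secure
# Run with no arguments it just shows the sizing and a generated passphrase.
if [ "${1:-}" = "create" ]; then
    shift
    create_volume "$@"
else
    echo "5 MiB at 4 KiB blocks needs count=$(volume_count 5 4)"
    echo "example passphrase: $(gen_passphrase)"
fi
```

Run without arguments the script is harmless and only prints the computed block count and a fresh passphrase; the create branch performs the real (root-only) sequence from the article and will still prompt twice for the passphrase.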
Useful article - not used module-assistant before.
You only need the kernel-headers (as shown in the examples) - not the kernel source as stated in the intro.
For some strange reason, after module-assistant install loop-aes I had the following:
ioctl: LOOP_SET_STATUS: Invalid argument, requested cipher or key length (128 bits) not supported by kernel
# rmmod loop
# modprobe loop
fixed this.
And - the following line in fstab worked well for me:
/path/to/volume /mnt/secure/ ext2 loop=/dev/loop1,encryption=AES128,user,noauto,rw 0 0
:-)
You can cause the modules to be loaded automatically at boot time if you add their names to /etc/modules.
Steve
-- Steve.org.uk
module-assistant rocks!
I've used it for mounting remote filesystems using SSH, installing the NVidia drivers, and for a few kernel packages.
I find it much more understandable than the alternatives.
Steve
-- Steve.org.uk
@Chris: Thanks a lot for the fix. I was having the same "cipher or key length (128 bits) not supported by kernel" problem.
Thanks once again.
Thanks for setting up this site... I have passed it around to many of my Debian friends and we have all found some good reads.
I have used encryption before using the crypto loop module, which has worked well. The one issue I have with using encrypted loop devices is the wasted space of using a file for this. Example: I have a 5 GB file for my encrypted loop device. Only 50% is being used... so it's wasting some space on my otherwise unencrypted drive.
Any good ideas on a way to make the encrypted file grow and shrink with the data that's inside?
Thanks,
Al
I've not seen anything that's as general purpose as using the loopback support.
I guess it depends on what you're looking at storing? If it's simple files you might be better off using some software that saves things in an encrypted fashion - or using GNUPG, for example.
It might be possible to use LVM via loopback, but it's something I've not thought of; could be worth investigating maybe?
I tend to create a small initial partition of say 1 GB, then if it gets close to being full just create a new one of a larger size and copy all the contents over - so I don't commit myself to using lots of space in advance...
Steve
-- Steve.org.uk
/usr/share/doc/cryptsetup/CryptoRoot.HowTo
Very useful, makes it easy to understand and do.
I'm still trying to work out what it was I did wrong with my kernel upgrade, ended up starting again.
Also, make sure /home is on a separate partition; that way you'll avoid potential heartache :)
But when I do:
module-assistant fakesource
I get at the end:
make[2]: *** No rule to make target `/usr/src/kernel-source-2.4.27-2-386/include/linux/autoconf.h', needed by `/usr/src/kernel-source-2.4.27-2-386/include/linux/modules/signal.ver'. Stop.
make[2]: Leaving directory `/usr/src/kernel-source-2.4.27-2-386/kernel'
make[1]: *** [_sfdep_kernel] Error 2
make[1]: Leaving directory `/usr/src/kernel-source-2.4.27-2-386'
make: *** [dep-files] Error 2
And my subsequent attempt to build the module with these faked sources fails.
It doesn't work using just the headers either. Any help out there? Am I missing something?
The text at the beginning of the page is instructions for building the loop-aes module using module-assistant, which is what I was trying to do but was having, er, difficulties. In desperation I tried first configuring my downloaded kernel sources for my architecture with m-a fakesource, but that was not working, obviously.
However I have now got around my problems.
In case anyone's interested, I did this by building from the .deb loop-aes-source and loop-aes-ciphers-source packages (from sid) using method 4 in the README.debian described in those packages (this uses debian full kernel tree, image etc). Loop-aes is now up and working well.
I have successfully installed the loop-aes module using module-assistant. However, it seems I don't have the appropriate loop devices (/dev/loop[0-7]). All I have is /dev/loop/0. Is this a problem, and/or how do I create the other loop devices? Should I just reinstall loop-aes-utils?
Thanks, Tom
This should help if you're using a static /dev setup:
skx2:/# cd /dev
skx2:/dev# ./MAKEDEV loop
If you're using a dynamic /dev I'd guess they would be created on demand..
I'm actually in the process of writing an article on encrypted filesystems for Linux at the moment (for OSTG) - comparing EncFS and Loop-aes, and also including a comment on TrueCrypt (and possibly dm-crypt as well). If you'd like to see a draft when it's ready, let me know.
Tom
Great!
Sure I'd be happy to read what you've written, and if it were possible carry it here too ;)
Does anyone know a way to do LVM + Loop-AES + XFS? Thanks in advance.