Using the loopback filesystem interface, you can create encrypted filesystems very easily. These filesystems are great for storing sensitive documents be it SSH or GnuPG keys, financial documents, etc.
To begin, you'll need to load the aes and cryptoloop modules in the kernel if they are not already available. This can be done by executing:
# modprobe cryptoloop
# modprobe aes
Most modern Linux distributions provide these modules from the get-go, so you shouldn't have to recompile the kernel. Once this is done, create the filesystem container, associate it to a loopback device interface, and format it:
# dd if=/dev/urandom of=enc.img bs=1M count=50
# losetup -e aes /dev/loop0 enc.img
Password:
# mkfs -t ext2 /dev/loop0
# mount /dev/loop0
# mount -o loop,encryption=aes enc.img /media/disk
Very -2 Important is that this will work for once, but when you will reboot what you need to do.
you need to just give this command again.
# mount -o loop,encryption=aes enc.img /media/disk
but the problem is this command will fail. So make a file /etc/rc.modules (if it is already not there) and copy this contents in this file.
modprobe aes
modprobe loop
modprobe cryptoloop
(this will load modules during boot time so will not get the module error). Else you have to run modprobe command after every reboot.
(Waise yahan tak ka hi kaam ka hai baki sab waise hi hai )
The first step creates an empty image file called enc.img with a size of 50 MB; you can increase this by changing the count value. Next, use losetup to associate the enc.img file to the /dev/loop0 device and tell it that the device is to be encrypted with AES encryption. This command uses 128-bit AES encryption; look at the losetup manpage to see what other encryption types you can use. You will have to provide a password that will be used from that point forward to access the image.
Next, the filesystem is formatted with the ext2 filesystem. Finally, it is mounted to /media/disk. The options passed to mount tell it to use the loopback interface and the encryption type needed. When you call mount, you will have to provide the password you used to encrypt the image.
Putting this kind of image in /etc/fstab will not work unless you want to be prompted for your password on each boot. Instead, this should be accessed as needed. For instance, you could store the file as ~/.enc.img so it's hidden from normal view, with mode 0600 permissions. Wrapper scripts could be written to mount and umount the image easily:
#!/bin/sh
# mount ~/.enc.img
mkdir -p /media/secure && mount -o loop,encryption=aes ~/.enc.img /media/secure
And to unmount the volume when you're finished with it:
#!/bin/sh
# umount /media/secure
umount /media/secure && rmdir /media/secure
These two commands could be saved as ~/bin/ms and ~/bin/ums respectively. Alternatively, you could add the following to ~/.bashrc and uses aliases instead:
alias ms="mkdir -p /media/secure && mount -o loop,encryption=aes ~/.enc.img /media/secure"
alias ums="umount /media/secure && rmdir /media/secure"
Using encrypted filesystems for on Linux is extremely easy and sensible, especially for laptops or when dealing with very sensitive files.
No comments:
Post a Comment