To use an encrypted filesystem, you first need to actually create it. I came across an article showing me how to do it using cryptsetup. Check it out at http://luks.endorphin.org. Note that this is the upcoming standard for filesystem encryption under Linux.
LUKS was designed according to TKS1, a template design developed in [TKS1] for secure key setup. LUKS closely resembles the structure recommended in the TKS1 paper, but also adds metadata for cipher setup management, and LUKS also supports multiple keys/passphrases.
Why LUKS?
- compatibility via standardization,
- secure against low entropy attacks,
- support for multiple keys,
- effective passphrase revocation,
- free
To create the encrypted filesystem, I assume the /dev/sda1 device (a USB drive). Replace all instances of sda1 with the device you require:
modprobe aes
modprobe dm-crypt
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda1
WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
cryptsetup luksOpen /dev/sda1 cryptfs
Enter LUKS passphrase:
key slot 0 unlocked.
mke2fs -j -m 0 /dev/mapper/cryptfs
[...Formatting informations removed...]
tune2fs -c 0 -i 0 /dev/mapper/cryptfs
mkdir /cryptfs
mount /dev/mapper/cryptfs /cryptfs
This will set up your encrypted partition and mount it under /cryptfs.
Unmount the partition and lock the encrypted filesystem cleanly for security:
umount /cryptfs
cryptsetup luksClose cryptfs
And you're done. If you now want to add some more passwords, use cryptsetup to do so:
cryptsetup luksAddKey /dev/sda1
Enter any LUKS passphrase:
key slot 0 unlocked.
Enter new passphrase for key slot:
This added a new passphrase. Remove it using a similar command.
cryptsetup luksDelKey /dev/sda1 1
where 1 is the slot the key was stored in. Make sure you don't erase your master key; it would be bad if you couldn't access the encrypted FS anymore.
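One way to guard against that mistake, as an added example that is not the author's mount_crypted.sh: check the key slots before deleting one, and refuse when the slot is unused or is the only enabled one. It assumes the LUKS1 luksDump layout ("Key Slot N: ENABLED"); the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the author's mount_crypted.sh): refuse to delete a LUKS
# key slot unless another enabled slot remains afterwards.
# Assumes the LUKS1 `cryptsetup luksDump` layout: "Key Slot N: ENABLED|DISABLED".

# safe_to_delete SLOT   (reads luksDump text on stdin)
# returns 0 = safe, 1 = only enabled slot, 2 = bad slot number, 3 = slot not in use
safe_to_delete() {
    case $1 in
        [0-7]) ;;
        *) echo "slot must be a number from 0 to 7" >&2; return 2 ;;
    esac
    awk -v want="$1" '
        /^Key Slot [0-7]: ENABLED/ {
            enabled++
            slot = $3; sub(/:$/, "", slot)      # "1:" -> "1"
            if (slot == want) found = 1
        }
        END {
            if (!found)      { print "slot " want " is not in use"; exit 3 }
            if (enabled < 2) { print "refusing: slot " want " is the only enabled key slot"; exit 1 }
        }' >&2
}

# guarded_delkey DEVICE SLOT: check the live header first, then delete the slot.
# luksDelKey is the command used on this page; newer cryptsetup names it luksKillSlot.
guarded_delkey() {
    dump=$(cryptsetup luksDump "$1") || return 4
    printf '%s\n' "$dump" | safe_to_delete "$2" && cryptsetup luksDelKey "$1" "$2"
}

# Constructed sample of luksDump output, for trying the check without a device.
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda1
Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
MK bits:        256
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
EOF
}
```

Try it offline with `sample_dump | safe_to_delete 1`; against a real device, `guarded_delkey /dev/sda1 1` has to run as root.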
As I'm too lazy to remember all that, I usually write wrapper scripts that I use at home for mounting these devices. Check it out in the download section.
Usage: mount_crypted.sh
This Program manipulates crypted partitions
mount Mount a crypted partition
umount Unmount a crypted partition
addkey Add a new access key to the encrypted
delkey remove a key from the encrypted - don't use 0
Filesystem/Partition. 8 Max.
new_partition Create a new encrypted partition
* Warning - this will destroy all data on it
device Device to work on. e.g. /dev/sda1
enc_module Encryption module. Usually aes, or padlock if you have
a padlock accellerator chip as found on recent VIA Nemiah CPU's
Examples:
mount_crypted.sh new_partition /dev/sda1 aes
mount_crypted.sh mount /dev/sda1 aes
mount_crypted.sh addkey /dev/sda1
mount_crypted.sh delkey /dev/sda1 aes 2
mount_crypted.sh umount /dev/sda1
In case someone screws up their partition and needs a static version, check out this static version of cryptsetup.