Encrypted Loopback Filesystem

on 03.08.2004 19:43:45 by Lei Yang

Hello,

I am trying to play around with the loopback device and want to set up an
encrypted loopback filesystem. I did the following things:

1. losetup -e serpent /dev/loop0 /etc/crypt
/etc/crypt: Is a directory

So I tried: losetup -e serpent /dev/loop0 /etc/cryptfile and this time
cryptfile is a plain txt file.

Enter passwd...

2. mkfs -t ext2 /dev/loop0
3. mount -t ext2 /dev/loop0 /mnt/crypt

After this, how do I verify that anything happened that has enabled
encryption? I can't understand where the encrypted filesystem lies in
here :( Plus, when we say 'encrypted', which file on earth is encrypted?
Is it that the files and data in /mnt/crypt are an encrypted form of
/etc/cryptfile? Really confused.

TIA!

Lei


-
To unsubscribe from this list: send the line "unsubscribe linux-config" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: Encrypted Loopback Filesystem

on 04.08.2004 02:58:33 by Glynn Clements

Lei Yang wrote:

> I am trying to play around with the loopback device and want to set up an
> encrypted loopback filesystem. I did the following things:
>
> 1. losetup -e serpent /dev/loop0 /etc/crypt
> /etc/crypt: Is a directory
>
> So I tried: losetup -e serpent /dev/loop0 /etc/cryptfile and this time
> cryptfile is a plain txt file.

It should be a filesystem image; or, at least, it needs to be large
enough to have a filesystem image subsequently created on it, e.g.

dd if=/dev/zero of=/etc/cryptfile bs=1M count=20

for a 20Mb "device".

> Enter passwd...
>
> 2. mkfs -t ext2 /dev/loop0
> 3. mount -t ext2 /dev/loop0 /mnt/crypt
>
> After this, how do I verify that anything happened that has enabled
> encryption? I can't understand where the encrypted filesystem lies in
> here :( Plus, when we say 'encrypted', which file on earth is encrypted?
> Is it that the files and data in /mnt/crypt are an encrypted form of
> /etc/cryptfile? Really confused.

After the above sequence, /etc/cryptfile will be an encrypted ext2
filesystem. Any files which are created beneath /mnt/crypt will
actually be stored in /etc/cryptfile.

If you examine /etc/cryptfile directly with e.g. less, the contents
should be unintelligible (because they are encrypted). Once you
run:

umount /mnt/crypt
losetup -d /dev/loop0

the only way to recover those files will be to re-do steps 1 and 3
above, which will require the encryption key.

Similarly, if someone steals the machine then, assuming that they had
to unplug it, they won't be able to recover the data without the
encryption key.

OTOH, while the encrypted filesystem is mounted, the files which are
on it remain accessible. So the encryption doesn't provide any
protection against someone accessing the individual files while the
encrypted filesystem is mounted.

--
Glynn Clements
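
One way to script the "examine /etc/cryptfile directly" check described in the reply above, as an added example that is not part of the original thread. It relies on the ext2 on-disk layout (superblock at byte 1024, magic 0xEF53 stored little-endian 56 bytes into it); the function names and the sample-file helper are constructed for this example.

```shell
#!/bin/sh
# Added example: classify a loop backing file by what is visible at the
# place where a plaintext ext2 superblock would sit.
# ext2 magic 0xEF53 is stored as bytes 53 ef at offset 1080 (1024 + 56).

# Print the two bytes at offset 1080 as lowercase hex, e.g. "53ef".
magic_at_1080() {
    dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeed if the 1 KiB superblock area (bytes 1024..2047) is all zero bytes,
# which is the state of the dd-created file before mkfs has run.
superblock_is_zero() {
    [ -z "$(dd if="$1" bs=1024 skip=1 count=1 2>/dev/null \
            | od -An -v -tx1 | tr -d ' \n0')" ]
}

# Print one of: plaintext-ext2 | empty | opaque
#   plaintext-ext2  filesystem was written without going through encryption
#   empty           nothing written yet; says nothing about encryption
#   opaque          no recognisable superblock; consistent with encryption
classify_backing_file() {
    if [ "$(magic_at_1080 "$1")" = "53ef" ]; then
        echo "plaintext-ext2"
    elif superblock_is_zero "$1"; then
        echo "empty"
    else
        echo "opaque"
    fi
}

# Constructed sample: 4 KiB of zeros with only the ext2 magic filled in
# (octal \123 \357 = bytes 0x53 0xEF), standing in for an unencrypted image.
make_plain_sample() {
    dd if=/dev/zero of="$1" bs=1024 count=4 2>/dev/null
    printf '\123\357' | dd of="$1" bs=1 seek=1080 conv=notrunc 2>/dev/null
}

# Usage: sh check.sh /etc/cryptfile
if [ $# -gt 0 ]; then
    classify_backing_file "$1"
fi
```

Run against the backing file after the mkfs step, "opaque" is what an encrypted image should report. It shows only that no plaintext superblock is visible, not that the cipher or key handling is sound.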

Re: Encrypted Loopback Filesystem

on 04.08.2004 19:32:44 by Lei Yang

Thank you Glynn, everything is pretty clear now :-)

So if I want something to be safe, I put it in /mnt/crypt. While the
filesystem is mounted, I can access all the data and files in /mnt/crypt
without problem. If the machine is unplugged or stolen, /mnt/crypt no
longer works, right?



Re: Encrypted Loopback Filesystem

on 09.08.2004 08:42:37 by Thiago Rondon

Right. As far as I can see, you need to load modules (how to read the data?) to
do that. The way you read the data now is the module in the memory of
your machine. If it is stolen, the "how to read this data" goes away.

-Thiago Rondon

On Wed, 04 Aug 2004 10:32:44 -0700, Lei Yang wrote:
> Thank you Glynn, everything is pretty clear now :-)
>
> So if I want something to be safe, I put it in /mnt/crypt. While the
> filesystem is mounted, I can access all the data and files in /mnt/crypt
> without problem. If the machine is unplugged or stolen, /mnt/crypt no
> longer works, right?

Re: Encrypted Loopback Filesystem

on 09.08.2004 10:19:03 by markus reichelt

Lei Yang wrote:
> I am trying to play around with the loopback device and want to set up an
> encrypted loopback filesystem. I did the following things:

One should not use mainline cryptoloop because it is vulnerable to
dictionary & watermark attacks. Use loop-AES in multi-key mode with
encrypted swap instead.

--
Bastard Administrator in $hell
