Using the Crypto File System
Support knowledgebase (jsj_crypto_filesystem_mini_howto)
Applies to
SuSE Linux: Versions since 7.2
At the moment YaST2 cannot set up a Crypto File System after the
installation process, so it has to be configured manually.
Request:
How do I create a filesystem which uses encryption?
Procedure:
First of all load the kernel module which does the encryption:
modprobe loop_fish2
At the moment we provide only Twofish, since all other algorithms are
either weak, have known attacks, or raise patent problems.
Now there are two possibilities:
- encrypt a whole partition, and
- encrypt a filesystem on a file
Encrypt a whole partition
We have to set up the loop device, create the filesystem and mount it
at the desired mountpoint (we assume the partition /dev/hda3 has
already been created).
ATTENTION: all data on partition /dev/hda3 will be lost!
losetup -e twofish /dev/loop0 /dev/hda3
You are asked for the password used for encryption. Remember this
password: if it is lost, so is all the data you have stored in the
filesystem.
mkreiserfs /dev/loop0
mount -t reiserfs /dev/loop0 /encrypt_part
The partition just created uses a reiser filesystem; the data are
encrypted with the password you supplied using the Twofish algorithm.
The filesystem is reachable under /encrypt_part (make sure this
directory exists beforehand!).
Use a file as encrypted filesystem
The main difference is that a plain file residing on a regular
filesystem holds the encrypted data.
We have to create that file with the desired size and then perform the
same steps as in the example above. Filling the file from /dev/urandom
rather than with zeros means the unused part of the container cannot be
told apart from encrypted data:
dd if=/dev/urandom of=/tmp/cryptfile bs=1024 count=20000
losetup -e twofish /dev/loop1 /tmp/cryptfile
mke2fs /dev/loop1
mount -t ext2 /dev/loop1 /encrypt_file
You will be asked for the encryption password after the
losetup command.
The file /tmp/cryptfile holds the data as a 20 MB ext2 filesystem,
which you reach via the directory /encrypt_file. /tmp is used here only
for illustration; for permanent use, place the container file on a
filesystem that is not cleaned out.
Automatic mounting during bootup
If the filesystems should be mounted automatically during bootup,
create a file named /etc/cryptotab and include the following
lines:
/dev/loop0 /dev/hda3 /encrypt_part reiserfs twofish defaults
/dev/loop1 /tmp/cryptfile /encrypt_file ext2 twofish defaults
The layout of this file is much like that of /etc/fstab. The first
column names the loop device, the second the partition or the file
holding the encrypted data, the third the mountpoint, the fourth the
filesystem type, the fifth the encryption algorithm and the sixth the
mount options as described in the fstab man page.
Keep in mind that each time an encrypted filesystem is mounted you are
asked for its password, so the system cannot finish starting up until
you have entered the password for every encrypted filesystem listed in
/etc/cryptotab.
Unmounting an encrypted filesystem
Unmounting an encrypted filesystem takes two steps.
First unmount the filesystem:
umount /encrypt_part
and then release the used loop device:
losetup -d /dev/loop0
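As an added example (this is not code from the SuSE article), the following shell helper checks entries in the /etc/cryptotab format described above and then performs the set-up sequence from the partition and file examples (losetup, then mount) or the tear-down sequence from this section (umount first, then losetup -d) for each entry. It relies only on the tools the article already uses; the function names and the DRY_RUN switch are the helper's own.

```shell
#!/bin/sh
# Added example, not part of the SuSE article: a small helper around the
# six-column /etc/cryptotab format.  Set DRY_RUN=1 to print the commands
# instead of executing them.

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Validate one cryptotab line (six fields, like fstab):
#   <loop device> <partition or file> <mountpoint> <fstype> <algorithm> <mount options>
# Silent with status 0 if usable; prints a reason and returns 1 otherwise.
check_cryptotab_line() {
    # Word-split the entry into its fields (intentionally unquoted).
    set -- $1
    if [ $# -ne 6 ]; then
        echo "expected 6 fields, got $#"
        return 1
    fi
    case "$1" in
        /dev/loop[0-9]*) ;;
        *) echo "not a loop device: $1"; return 1 ;;
    esac
    case "$3" in
        /*) ;;
        *) echo "mountpoint must be absolute: $3"; return 1 ;;
    esac
    case "$4" in
        ext2|reiserfs) ;;
        *) echo "unsupported fstype: $4"; return 1 ;;
    esac
    # loop_fish2 implements only Twofish; anything else fails at losetup time.
    if [ "$5" != twofish ]; then
        echo "unsupported algorithm: $5"
        return 1
    fi
    return 0
}

# Set up the loop device and mount one entry.  losetup prompts for the
# password on the terminal, exactly as in the manual procedure.
mount_entry() {
    check_cryptotab_line "$1" || return 1
    set -- $1
    run losetup -e "$5" "$1" "$2" || return 1
    run mount -t "$4" -o "$6" "$1" "$3"
}

# Tear down one entry in the required order: the filesystem must be
# unmounted before the loop device is released.
umount_entry() {
    check_cryptotab_line "$1" || return 1
    set -- $1
    run umount "$3" || return 1
    run losetup -d "$1"
}

# Apply mount_entry or umount_entry to every non-comment line of a
# cryptotab file; returns 1 if any entry failed.
process_cryptotab() {
    file=$1
    action=$2
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;
        esac
        "${action}_entry" "$line" || status=1
    done < "$file"
    return $status
}
```

Source the file into a root shell and run, for example, process_cryptotab /etc/cryptotab mount. Do a DRY_RUN=1 pass first to see the exact losetup and mount commands before they touch a real loop device; the validator refuses entries with the wrong field count or an algorithm other than twofish, which is where hand-edited cryptotab lines most often go wrong.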
Password limitations
Up to now there is no way to change the encryption password of an
already created encrypted filesystem. The only option is to create a
new encrypted filesystem with a new password, copy all files from the
old filesystem to the new one and delete the old filesystem
afterwards. Note that deleting the old container does not erase its
contents; if you are changing the password because it may have been
disclosed, overwrite the old partition or file (for example with dd
from /dev/urandom) before reusing the space.
Since the password cannot be changed later, choose it carefully from
the start. It is always a good idea to use long passwords (longer than
8 characters) and, even better, randomly generated ones, since this
minimises the chance of the encryption being broken by guessing the
password.
Other sources of information
http://encryptionhowto.sourceforge.net
Disclaimer
Since encryption of data with the above method is still marked as
experimental, there is no warranty for the safety of your data.
Please back up all your data before you experiment with encryption,
and always keep a backup of your data during regular work with the
encrypted filesystem.
Please keep in mind that setting up an encrypted filesystem is not
covered by our free installation support.
Try it at your own risk!
Keywords: ENCRYPTION, CRYPTO, FILESYSTEM, KRYPTO, KRYPTOFILESYSTEM
Categories:
Frequently asked Questions
SDB-jsj_crypto_filesystem_mini_howto, Copyright SuSE Linux AG, Nürnberg, Germany
- Version: 18. Jun 2001
SuSE Linux AG - Last generated: 01. Aug 2001 by jsj (sdb_gen 1.40.0)