Difference between revisions of "Crypt Filesystems"
From Blue-IT.org Wiki
Latest revision as of 11:43, 3 February 2016
Generate secure passwords
head -c 30 /dev/urandom | uuencode -m -
-c 30 means that the resulting password will be 30 characters long.
luks and lvm2
See the article LVM, which describes using lvm2 and cryptsetup together.
luks, dm-crypt, lvm2 and TRIM
See also the article LVM, which describes using lvm2 and cryptsetup together.
Secure encfs in the cloud
[GER] This German HowTo shows how to secure EncFS in the cloud:
- https://wiki.ubuntuusers.de/Baustelle/EncFS_in_der_Cloud/
Android, KeePassDroid and Dropbox or BoxCryptor
http://d24m.de/2012/02/21/cryptonite-encfs-unter-android-nutzen/#comment-4336
There is a very simple way to use KeePassX via Dropbox / Cryptonite or BoxCryptor without having to download the file manually:
- Open Cryptonite or BoxCryptor and mount the encrypted Dropbox folder (BoxCryptor, a tool that is not free for commercial use, is somewhat more convenient here, I find)
- Now comes the trick: tap the KeePass database file (BoxCryptor) or long-press it in Cryptonite, choose "Open" in the selection dialog and use KeePassDroid as the program.
This way the file no longer has to be downloaded locally. Unfortunately, the file is then present in cleartext in the cache directory and apparently is not deleted after exiting either!!!
This means that after closing BoxCryptor you have to clear the (BoxCryptor) cache manually, or "unlink" Dropbox and BoxCryptor. This is done in the Preferences menu. The same applies to Cryptonite.
In addition, I would always use a key file, which you store either locally or, if you are really paranoid, locally in an encrypted directory ;)
So: don't forget to unlink Dropbox!!!
Gnome Encfs Manager
This is a really handy tool for using a truly secure file system based on encfs within the cloud.
- http://www.libertyzero.com/GEncfsM/
- http://www.webupd8.org/2013/05/gnome-encfs-manager-cryptkeeper.html
- [GER] https://wiki.ubuntuusers.de/encfs#Gnome-Encfs-Manager
There is not much to say, BUT there is a small security hole when using encfs: the key used to encrypt the data is stored within the config XML file, usually ".encfs6.xml", which is stored WITHIN the data directory. Not very secure.
To get real two-factor authentication you should store the key in a secure place, e.g. on a USB stick or a safe place on your local hard drive, and move the .encfs6.xml file to that location. So that encfs still works, move the XML file to the safe location and symlink to it from within the data directory:
# FIRST unmount the Secured Folder
cd /path/to/Dropbox/.SecuredFolder/
# exclude the .SecuredFolder/.encfs6.xml from syncing -
# if you don't do this, the link will result in a cleartext file on other computers!
dropbox exclude add .encfs6.xml
mv .encfs6.xml /a/local/safe/place/SecuredFolder.xml   # contains the key
ln -s /a/local/safe/place/SecuredFolder.xml /path/to/Dropbox/.SecuredFolder/.encfs6.xml
I personally store all my keys on a local encfs volume on my (secured) hard drive. To be sure not to mix up my encfs.xml files, I name them after the folder they belong to:
Dropbox/.SecuredFolder/.encfs6.xml -> safe/place/SecuredFolder.xml
That's it. If you are totally paranoid, you can keep your private keys on a USB drive or an SD card that you put into your notebook or desktop PC. Either way: secure them and NEVER EVER store private key files unprotected or world-readable on your hard drive.
And: be sure to back up all these key files!!!
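The relocation above as a checked shell script, an added example that is not from the wiki: .encfs6.xml holds the volume key (wrapped with your passphrase), so keeping it out of the synced tree is what turns the passphrase into a second factor. It assumes a plain .encfs6.xml in an unmounted data directory and a safe directory outside the synced tree; the dropbox CLI step from the wiki runs only when the command exists.

```shell
#!/bin/sh
# Added example (not from the wiki): move an EncFS config file out of the
# synced data directory, leave a symlink behind, and verify the result.
# Assumes the data directory holds a plain .encfs6.xml and the volume is
# NOT mounted; the Dropbox CLI step is skipped when "dropbox" is absent.

# relocate_encfs_config DATA_DIR SAFE_DIR NAME
#   DATA_DIR/.encfs6.xml  ->  SAFE_DIR/NAME.xml  (+ symlink back, mode 600)
relocate_encfs_config() {
    data_dir=$(cd "$1" && pwd) || return 1
    safe_dir=$(cd "$2" && pwd) || return 1
    cfg="$data_dir/.encfs6.xml"
    dest="$safe_dir/$3.xml"
    [ -f "$cfg" ] && [ ! -L "$cfg" ] || { echo "no plain $cfg" >&2; return 1; }
    # a "safe place" inside the synced tree would still be uploaded in clear
    case "$safe_dir" in
        "$data_dir"|"$data_dir"/*) echo "safe dir is inside data dir" >&2; return 1 ;;
    esac
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 1; }
    # stop syncing the name first, as the wiki does, so the link never
    # turns into a cleartext copy on another machine
    if command -v dropbox >/dev/null 2>&1; then
        (cd "$data_dir" && dropbox exclude add .encfs6.xml)
    fi
    mv "$cfg" "$dest" && chmod 600 "$dest" && ln -s "$dest" "$cfg"
}

# check_encfs_config DATA_DIR: 0 if the key file lives outside DATA_DIR,
# is reachable (USB stick plugged in?) and is readable by the owner only.
check_encfs_config() {
    data_dir=$(cd "$1" && pwd) || return 1
    cfg="$data_dir/.encfs6.xml"
    [ -L "$cfg" ] || { echo "$cfg is not a symlink" >&2; return 1; }
    target=$(readlink "$cfg")
    case "$target" in
        "$data_dir"/*) echo "key still inside the data dir" >&2; return 1 ;;
        /*) ;;
        *) echo "symlink target must be absolute: $target" >&2; return 1 ;;
    esac
    [ -f "$target" ] || { echo "key file missing: $target" >&2; return 1; }
    # columns 5-10 of ls -l are the group/other permission bits
    [ "$(ls -ld "$target" | cut -c5-10)" = "------" ] ||
        { echo "key file is readable by others: $target" >&2; return 1; }
}
```

Run check_encfs_config from a login script to catch a key file that has silently become world-readable or is sitting on an unplugged USB stick.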
Cryptkeeper in Gnome
This is outdated, use gnome-encfs-manager instead! --Apos (talk) 20:40, 14 September 2015 (CEST)
A more comfortable way of using encrypted filesystems is a tool for GNOME: cryptkeeper
sudo apt-get install cryptkeeper
installs everything that is needed. Usage is pretty straightforward.
Editing the file
vim /etc/gdm/PostSession/Default
and adding the lines
for dir in "$(cat /etc/mtab | grep encfs | awk '{print $2}' | sed -e 's/\040/ /g')"
do
    # quote the mount point so a name containing spaces is still one argument
    echo "${dir}" | awk '{system("umount \"" $0 "\"")}'
done
ensures that all encfs filesystems are unmounted after logout.
Comment: The script seems a little complicated, but the fact is that there are big problems with file and folder names containing whitespace in bash and with UTF-8 support in awk!!! So if you find an easier way to achieve this: write me an email ;)
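A whitespace-safe replacement for the PostSession loop above, as an added example that is not from the wiki: it decodes the octal escapes /proc/mounts uses for spaces and unmounts in reverse mount order. It assumes an mtab-style input file (default /proc/mounts) and fusermount, which the wiki does not mention.

```shell
#!/bin/sh
# Added example (not from the wiki): unmount every EncFS volume at logout,
# coping with mount points that contain spaces. /proc/mounts and /etc/mtab
# write a space as the octal escape \040 (tab \011, backslash \134);
# printf '%b' turns those escapes back into the real characters.

# encfs_mountpoints [MTAB]: print the decoded mount point of every EncFS
# mount in the given mtab-style file (default /proc/mounts), one per line.
encfs_mountpoints() {
    while read -r src mnt fstype rest; do
        # FUSE reports the type as fuse.encfs; the source column is "encfs"
        case "$src:$fstype" in
            encfs:*|*:fuse.encfs) printf '%b\n' "$mnt" ;;
        esac
    done < "${1:-/proc/mounts}"
}

# umount_all_encfs [MTAB] [UMOUNT_CMD]: unmount them in reverse mount order
# so a volume mounted inside another is released first. Returns the number
# of failures. UMOUNT_CMD defaults to "fusermount -u" (no root needed).
umount_all_encfs() {
    mtab=${1:-/proc/mounts}
    umount_cmd=${2:-fusermount -u}
    list=$(encfs_mountpoints "$mtab" | sed -n '1!G;h;$p')   # reverse lines
    [ -n "$list" ] || return 0
    IFS='
'
    set -f                         # no globbing while splitting on newlines
    set -- $list                   # one positional parameter per mount point
    set +f
    unset IFS                      # back to default field splitting
    failed=0
    for mnt in "$@"; do
        $umount_cmd "$mnt" || failed=$((failed + 1))
    done
    return "$failed"
}
```

Call umount_all_encfs with no arguments from /etc/gdm/PostSession/Default; a non-zero exit tells you a volume was still busy.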
Cryptoloop AES
Prepare a file or partition according to Encrypted DVD and Laufwerke verschlüsselen mit Loop-AES (German, http://www.pl-berichte.de/t_system/loop-aes.html) for encryption with Loop-AES.
Prerequisites
- Load module cryptoloop:
modprobe cryptoloop
- Make sure AES is compiled into your kernel.
- Make sure loop-aes is installed.
- Prepare a password (>20 chars for 128 bit) and write it down in a secure place.
Encrypted partition
losetup -e AES128 /dev/loop0 /dev/hdaX
mkfs -t ext2 /dev/loop0
losetup -d /dev/loop0
mkdir /mnt/secure
With losetup the encrypted partition /dev/hdaX is attached to the loop device. You are asked for a password. With 128 bits it must be longer than 20 characters.
In fstab put something like
/dev/hdaX /mnt/secure ext2 noauto,user,rw,loop=/dev/loop0,encryption=AES128 0 0
The option noauto gives you the chance to mount it in a terminal. This partition will be accessible and mountable by the user with
mount /dev/hdaX
You have to unmount it with
umount /dev/hdaX && losetup -d /dev/loop0
With aespipe you can encrypt an existing partition
aespipe -e AES128 -T < /dev/hda7 > /dev/hda7
Encrypted File
dd if=/dev/zero of=/home/user/secure bs=1024 count=5120
losetup -e AES128 /dev/loop0 /home/user/secure
mkfs -t ext2 /dev/loop0
losetup -d /dev/loop0
mkdir /mnt/secure
This gives you a file with a size of 5 MB (5120 x 1024 bytes). You will be prompted for a password as before.
Mounting, unmounting and /etc/fstab entries are as mentioned before.