Difference between revisions of "Crypt Filesystems"

From Blue-IT.org Wiki

 

Latest revision as of 11:43, 3 February 2016

Generate secure passwords

head -c 30 /dev/urandom | uuencode -m -

-c 30 means that the resulting password will be 30 characters long.

luks and lvm2

See the article LVM, which describes using lvm2 and cryptsetup together.

luks, dm-crypt, lvm2 and TRIM

See also the article LVM, which describes using lvm2 and cryptsetup together.

Secure encfs in the cloud

[GER] This German HowTo shows how to secure EncFS in the cloud:

  • https://wiki.ubuntuusers.de/Baustelle/EncFS_in_der_Cloud/

Android, KeePassDroid and Dropbox or BoxCryptor

http://d24m.de/2012/02/21/cryptonite-encfs-unter-android-nutzen/#comment-4336

There is a very simple way to use KeePassX via DropBox / Cryptonite or BoxCryptor without having to download the file manually:

  1. Open Cryptonite or BoxCryptor and mount the encrypted Dropbox folder (BoxCryptor, the tool that is not free for commercial use, is somewhat more convenient here, I think)
  2. Now for the trick: tap the KeePass database file (BoxCryptor) or long-press it in Cryptonite, choose "Open" in the selection dialog and use KeePassDroid as the program.

This way you no longer have to download the file locally. Unfortunately, the file is then present in cleartext in the cache directory and apparently is not deleted even after exiting!!!

That means you have to empty the (BoxCryptor) cache manually after exiting BoxCryptor, or "unlink" DropBox and BoxCryptor. This is done in the Preferences menu. The same applies to Cryptonite.

In addition, I would always use a key file, which you store either locally, or, if you are really paranoid, locally in an encrypted directory ;)

So: don't forget to unlink from DropBox!!!

Gnome Encfs Manager

This is a really handy tool for using a really secure file system based on encfs within the cloud.

  • http://www.libertyzero.com/GEncfsM/
  • http://www.webupd8.org/2013/05/gnome-encfs-manager-cryptkeeper.html
  • [GER] https://wiki.ubuntuusers.de/encfs#Gnome-Encfs-Manager

There is nothing much to say, BUT there is a little security hole in using encfs: the key used to encrypt the data is stored in the config XML file, usually ".encfs6.xml", which is kept WITHIN the data directory. Not very secure.

To get real two-factor authentication you should store the key in a secure place, e.g. on a USB stick or a safe place on your local hard drive, and move the .encfs6.xml file to that location. So that encfs still works, copy the XML file to the safe location and symlink to it from within the data directory:

# FIRST unmount the Secured Folder
cd /path/to/Dropbox/.SecuredFolder/

# exclude .SecuredFolder/.encfs6.xml from syncing -
# if you don't do this, the link will result in a cleartext file on other computers!
dropbox exclude add .encfs6.xml

mv .encfs6.xml /safe/place/SecuredFolder.xml   # contains the key
ln -s /safe/place/SecuredFolder.xml /path/to/Dropbox/.SecuredFolder/.encfs6.xml

I personally store all my keys on a local encfs volume on my (secured) hard drive. To be sure not to mix up my encfs.xml files, I rename them in the same manner as the folder they belong to:

Dropbox/.SecuredFolder/.encfs6.xml -> safe/place/SecuredFolder.xml

That's it. If you are totally paranoid, you can save your private keys on a USB drive or an SD card that you put into your notebook or desktop PC. Either way: secure them and NEVER EVER store private key files unprotected or world-readable on your hard drive.

And: be sure to do a backup of all these key files!!!
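As an added example (my own script, not from the wiki or from Gnome Encfs Manager), the relocation above as a function that follows the page's naming scheme and then verifies the result; it assumes Linux (GNU stat), an unmounted volume, and uses constructed paths under a temporary directory:

```shell
#!/bin/sh
# Added example (not from the wiki): move an EncFS volume's .encfs6.xml out of the
# synced folder using the page's naming scheme
# (Dropbox/.SecuredFolder/.encfs6.xml -> <safe dir>/SecuredFolder.xml).
# Assumes Linux (GNU stat) and that the volume is not mounted.

# relocate_encfs_config VOLUME SAFE_DIR
relocate_encfs_config() {
    volume=$1 safe=$2
    name=$(basename "$volume"); name=${name#.}        # .SecuredFolder -> SecuredFolder
    target="$safe/$name.xml"
    # refuse to touch a mounted volume: encfs must be unmounted first
    # (/proc/self/mounts shows a space inside a mount point as \040)
    if grep -q " $volume fuse.encfs " /proc/self/mounts 2>/dev/null; then
        echo "refusing: $volume is still mounted" >&2; return 1
    fi
    if [ ! -f "$volume/.encfs6.xml" ] || [ -L "$volume/.encfs6.xml" ]; then
        echo "no regular .encfs6.xml in $volume (already relocated?)" >&2; return 1
    fi
    mkdir -p "$safe" && chmod 700 "$safe" || return 1
    mv "$volume/.encfs6.xml" "$target" || return 1
    chmod 600 "$target"                                # never group- or world-readable
    ln -s "$target" "$volume/.encfs6.xml"
}

# check_encfs_config VOLUME: succeed only if VOLUME/.encfs6.xml is a symlink whose
# target exists outside VOLUME and has mode 600
check_encfs_config() {
    link="$1/.encfs6.xml"
    [ -L "$link" ] || { echo "$link is not a symlink" >&2; return 1; }
    target=$(readlink "$link")
    [ -f "$target" ] || { echo "key file $target is missing" >&2; return 1; }
    case "$target" in
        "$1"/*) echo "$target still lives inside the synced folder" >&2; return 1 ;;
    esac
    mode=$(stat -c '%a' "$target")
    [ "$mode" = 600 ] || { echo "$target has mode $mode, expected 600" >&2; return 1; }
}

# usage on a constructed layout: a dummy file stands in for the real config
demo_relocate() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Dropbox/.SecuredFolder"
    echo '<?xml version="1.0"?><boost_serialization/>' > "$tmp/Dropbox/.SecuredFolder/.encfs6.xml"
    relocate_encfs_config "$tmp/Dropbox/.SecuredFolder" "$tmp/safe" &&
        check_encfs_config "$tmp/Dropbox/.SecuredFolder" &&
        [ -f "$tmp/safe/SecuredFolder.xml" ]
}

demo_relocate
```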

Cryptkeeper in Gnome

This is outdated, use gnome-encfs-manager instead! --Apos (talk) 20:40, 14 September 2015 (CEST)

A more comfortable way of using encrypted filesystems is a tool for gnome: cryptkeeper

sudo apt-get install cryptkeeper

installs everything that is needed. Using it is pretty straightforward.

Editing the file

vim /etc/gdm/PostSession/Default

and adding the lines

# /etc/mtab escapes spaces in mount points as \040; printf '%b' decodes them,
# and quoting "${dir}" keeps a path with spaces as a single umount argument
grep encfs /etc/mtab | awk '{print $2}' | while IFS= read -r dir
do
	umount "$(printf '%b' "${dir}")"
done

assures that all encfs filesystems are unmounted after logout.

Comment: The script seems a little bit complicated, but the fact is that there are big problems concerning file names and folder names with white space in bash and UTF-8 support in awk!!! So if you find an easier way to achieve this: write me an email ;)
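As an added example that is not part of the original page, a whitespace-safe way to list and unmount EncFS mounts, handling the \040 escape the comment above refers to; it assumes /etc/mtab is in /proc/self/mounts format with fuse.encfs as the filesystem type and runs against a constructed mtab sample:

```shell
#!/bin/sh
# Added example (not from the wiki page): a whitespace-safe replacement for the
# PostSession loop. /etc/mtab (on current systems a link to /proc/self/mounts)
# writes a space inside a mount point as the octal escape \040; printf '%b'
# decodes it back into a real space.

# encfs_mountpoints MTAB_FILE: print one decoded mount point per line for every
# entry whose filesystem type is fuse.encfs (the type EncFS mounts report)
encfs_mountpoints() {
    awk '$3 == "fuse.encfs" { print $2 }' "$1" | while IFS= read -r raw; do
        printf '%b\n' "$raw"
    done
}

# count_encfs_mounts MTAB_FILE: number of EncFS entries, usable as a post-logout check
count_encfs_mounts() {
    encfs_mountpoints "$1" | wc -l | tr -d ' '
}

# umount_all_encfs: unmount every EncFS volume currently listed in /etc/mtab;
# fusermount -u is what encfs itself uses, plain umount is the root fallback
umount_all_encfs() {
    encfs_mountpoints /etc/mtab | while IFS= read -r dir; do
        fusermount -u "$dir" 2>/dev/null || umount "$dir"
    done
}

# constructed mtab sample (not a real system file): one mount point has a space
SAMPLE_MTAB=$(mktemp)
cat > "$SAMPLE_MTAB" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
encfs /home/user/Private\040Docs fuse.encfs rw,nosuid,nodev,user=user 0 0
encfs /home/user/Dropbox/Secured fuse.encfs rw,nosuid,nodev,user=user 0 0
tmpfs /run tmpfs rw,nosuid,noexec 0 0
EOF

# usage: print the decoded EncFS mount points found in the constructed sample
encfs_mountpoints "$SAMPLE_MTAB"
```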

Cryptoloop AES

Prepare a file or partition for encryption with Loop-AES according to Encrypted DVD and Laufwerke verschlüsseln mit Loop-AES (http://www.pl-berichte.de/t_system/loop-aes.html).

Prerequisites

  • Load module cryptoloop:
      modprobe cryptoloop
  • Assure you have AES compiled in your kernel.
  • Assure you have installed loop-aes.
  • Prepare a password (>20 chars for 128 bit) and write it down in a secure place.


Encrypted partition

losetup -e AES128 /dev/loop0 /dev/hdaX
mkfs -t ext2 /dev/loop0
losetup -d /dev/loop0
mkdir /mnt/secure

With losetup the partition /dev/hdaX is attached as the encrypted loop device /dev/loop0. You are asked for a password; with 128 bits it must be longer than 20 characters.

In fstab put something like

/dev/hdaX /mnt/secure ext2 noauto,user,rw,loop=/dev/loop0,encryption=AES128 0 0

The option noauto gives you the chance to mount it from a terminal. This partition will be accessible and mountable by the user with

mount /dev/hdaX

You have to unmount it with

umount /dev/hdaX && losetup -d /dev/loop0

With aespipe you can encrypt an existing partition in place (make a backup first: an interrupted run leaves the partition only partly encrypted)

aespipe -e AES128 -T < /dev/hda7 > /dev/hda7

Encrypted File

dd if=/dev/zero of=/home/user/secure bs=1024 count=5120
losetup -e AES128 /dev/loop0 /home/user/secure
mkfs -t ext2 /dev/loop0
losetup -d /dev/loop0
mkdir /mnt/secure

This gives you a file with a size of 5 MB (5120 x 1024 bytes). You will be prompted for a password like before.

Mounting, unmounting and /etc/fstab entries are as mentioned before.