Encrypted File System

From Koset


One of the very best ways to protect your information and privacy is to encrypt it. Guess what? Since this is Linux, there's nothing to buy. Under most distros, everything you need is already included.

Apple makes it easy

Apple OS X has a feature called FileVault which encrypts a user's entire account.

To turn it on, open System Preferences / Security / FileVault and click "Turn on FileVault".

That's it! Now if anyone steals your laptop or desktop Mac, they won't be able to get to your data.

If you're using the Time Machine facility in OS X (and I recommend that you do), note these caveats:

  1. It can only back up your files when you log off
  2. You can only restore your whole account, not single files at a time
  3. FileVault requires that you log off to recover space used by deleted (modified) files

So, just make sure you log off at least once a week. Rebooting has the same effect.

Windows

Windows has no native facility for encryption. I suggest PGP Whole Disk Encryption.

No muss for Linux

Knoppix has a built-in way to encrypt a file as your user space. No programming required.

Swap

/etc/fstab:
/dev/hda4 swap swap encrypted 0 0

Home brew

If you don't opt to use Knoppix, here's how to build your own. I distilled the instructions from this freshmeat article.

Load the kernel modules. Note, you can put these commands in /etc/rc.local (or modify /etc/modules.conf appropriately).

modprobe loop
modprobe cryptoloop
modprobe aes

Create the file. Note that the size is in 512-byte blocks, so this will make a 50MB file. Leave off the count and it will use the whole partition. If you're making a huge file system, you might drop to single user mode (init 2) and kill all unnecessary processes. This will help ensure that you have as few fragments as possible.

dd if=/dev/urandom of=disk-aes count=102400

Make the loop device using AES encryption, which is just about the best you can have.

losetup -e aes /dev/loop1 ./disk-aes

Make the file system. Hey, it acts just like a real disk!

mkfs -t ext2 /dev/loop1
tune2fs -j /dev/loop1

Mount it. You'll need to be root.

mkdir /fs
mount -o loop,encryption=aes,acl ./disk-aes /fs
ls /fs

And you're done. You can now read/write files on the /fs directory. You might even want to make it your user home directory.

PS. If you're building a kernel, you need these parameters.

CONFIG_BLK_DEV_LOOP
CONFIG_BLK_DEV_CRYPTOLOOP
CONFIG_CRYPTO_AES_586
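
The check below is an added example, not part of the original page: it reads a kernel config file and reports whether each of the three options above is built in, built as a module, or missing. The function names and the sample config are constructed for illustration; the config file path you pass in (for example /boot/config-$(uname -r)) is an assumption about your distro.

```sh
#!/bin/sh
# Added example: report the state of the kernel options the page lists.
REQUIRED_OPTS="CONFIG_BLK_DEV_LOOP CONFIG_BLK_DEV_CRYPTOLOOP CONFIG_CRYPTO_AES_586"

# opt_state FILE OPTION -> prints builtin | module | missing
opt_state() {
    # Anchor on "OPTION=" so CONFIG_BLK_DEV_LOOP does not match
    # longer names such as CONFIG_BLK_DEV_LOOP_MIN_COUNT.
    if grep -q "^$2=y\$" "$1"; then
        echo builtin
    elif grep -q "^$2=m\$" "$1"; then
        echo module
    else
        echo missing    # absent, or "# OPTION is not set"
    fi
}

# check_cryptoloop_config FILE -> one line per option; returns 1 if any is missing
check_cryptoloop_config() {
    rc=0
    for opt in $REQUIRED_OPTS; do
        state=$(opt_state "$1" "$opt")
        echo "$opt $state"
        if [ "$state" = missing ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample config (not taken from a real kernel build).
sample_config() {
    cat <<'EOF'
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
CONFIG_BLK_DEV_CRYPTOLOOP=m
# CONFIG_CRYPTO_AES_586 is not set
EOF
}

# When run with a config file argument, check that file.
if [ "$#" -gt 0 ]; then
    check_cryptoloop_config "$1"
fi
```

An option reported as "module" still needs the matching modprobe command from the steps above; one reported as "builtin" does not.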

Big disk?

With this script you won't have to calculate the size of a big disk. It keeps dumping until the disk is full. Also, you can stop the process with rm -f ~/go

# ~/go is the run flag; the loop ends when dd fails (disk full) or ~/go is removed by hand
date > ~/go
while [ -f ~/go ]; do dd if=/dev/urandom count=100000000 >> /a/disk-aes || rm -f ~/go; done
date > ~/done

This script writes in chunks in order to leave a little free space at the end instead of overflowing to the max.
