SDB:Using the Crypto File System

From openSUSE

Version: 10.1

At the moment, there is no possibility to set up a Crypto File System using YaST2 after the installation process. Therefore one has to configure it manually.

Request:

How do I create a filesystem which uses encryption?

Procedure:

If the commands below get error messages, it may be that you need to load the kernel module which does the encryption:

modprobe cryptoloop

Suse 10.1 provides twofish256 encryption. On some versions prior to 10.1, Suse provided only plain Twofish, since all other algorithms were either weak, there were known attacks or there were problems with regards to patents.

There are two possibilities:

• initialize an encrypted disk partition and mount it
• initialize a file as if it were an encrypted disk partition and mount it

Encrypt a whole partition

Check the Encryption checkbox when you create the partition in YaST2 and enter the password when asked.

Or: create the filesystem by hand as in the next section.

Mount an encrypted partition

In this section, we assume we already created partition /dev/hda3.

We have to set up the "loop device".

losetup -e twofish256 /dev/loop0 /dev/hda3

The losetup program asks you for the password for encryption. Remember this password, since if it is lost, so will be all your data you have stored in it.

If you didn't already initialize the file system volume in YaST2 because you wanted to initialize it by hand, then do the following. The partition you will create uses a Reiser filesystem, and the data are encrypted using the twofish256 algorithm with the password you supplied above. ATTENTION: all data on the partition will be lost!

mkreiserfs /dev/loop0

Now the last bit. Mount the encrypted partition onto "/encrypt_part".

mkdir -p /encrypted-part
mount -t reiserfs /dev/loop0 /encrypt_part

Use a file as encrypted filesystem

The main difference is that we are using a simple file residing on a regular filesystem to hold our encrypted data.
We have to create that file with the desired size and do the steps as in the above example:

dd if=/dev/urandom of=/tmp/cryptfile bs=1024 count=20000
losetup -e twofish256 /dev/loop1 /tmp/cryptfile
mke2fs /dev/loop1
mount -t ext2 /dev/loop1 /encrypt_file

Editor's note: Is ext2 still a reasonable choice in 2006 with 10.1?

You will be asked for the encryption password after the losetup command.

The file /tmp/cryptfile holds the data, an 20MB-ext2 filesystem is used and you may reach the data via directory /encrypt_file.

Automatic mounting during bootup

If the filesystems should be mounted automatically during bootup, create a file named /etc/cryptotab and include the following lines:

/dev/loop0  /dev/hda3       /encrypt_part  reiserfs  twofish256  defaults
/dev/loop1  /tmp/cryptfile  /encrypt_file  ext2      twofish256  defaults

The layout of this file is much like the format of the file /etc/fstab. In the first column there is the loop device written, in the second the name of the partition or the file holding the encrypted date, the third column contains the mountpoint followed by the used file systems type. The fifth column contains the name of the encryption algorithm an the seventh column holds mount parameters as stated in the man-page of fstab.

Please keep in mind, that each time you mount an encrypted filesystem you are asked for the password. The systems is not able to start up unless you enter the password for the encrypted file system.

Unmounting an encrypted filesystem

Unmounting an encrypted filesystem is performed in two steps.
First unmount the flesystem:

umount /encrypt_part

and then release the used loop device:

losetup -d /dev/loop0

Password limitations

Up to now there is no possibility to change the password for encryption on an already created encrypted filesystem. The only possibility you have is to create a new encrypted filesystem with a new password and to copy all files from the old to the new filesystem. Afterwards you may delete the old filesystem.

It is always a good idea to use long passwords (longer than 8 characters) and, even better, randomly created passwords, since the possibility of cracking the encryption is minimized thus.

Other sources of information

http://encryptionhowto.sourceforge.net

Disclaimer

Since encrypting of data with the above method is still marked as experimental, there is no warranty for the safeness of your data. Please create a backup of all your data before you try to experiment with the encryption and always keep a backup of your data during regular work with the encrypted filesystem.

Please keep in mind, that the setup of an encrypted file system is not subject of our free installation support.

Try it on your own risk!