Aug 17 2004, 07:27 AM, Post #1

Posted by: Its GNU/Linuxhelp.net (Group: Admin; Posts: 1,255; Joined: 21-September 02; From: St John's, Newfoundland, Canada; Member No.: 3)
Note right off the start that this Tip and Trick was featured in this week's DistroWatch Weekly located on DistroWatch.com, which is an excellent resource for information regarding Linux distributions.

QUOTE

Encrypted Partition

You need a spare partition if you want to encrypt it because all the data will be destroyed. If you aren't already intimately familiar with your partition table, there are a few tools which will let you peek at it. One is "sfdisk" - you must be root to run it, and it's a dangerous tool if you start monkeying around with all its capabilities, so just stick to the "-l" option. Read the sfdisk man page if you want to know more, otherwise, as root do the following:

```
sfdisk -l

Disk /dev/hda: 4865 cylinders, 255 heads, 63 sectors/track

   Device Boot  Start     End   #cyls   #blocks   Id  System
/dev/hda1   *      0+  13562-  13563-   6835626   a6  OpenBSD
/dev/hda2      13562+  42632-  29070   14651280   a5  FreeBSD
/dev/hda3      42632+  43604     973-    489982+  82  Linux swap
/dev/hda4      43605   77544   33940   17105760    5  Extended
/dev/hda5      43605+  55223-  11619-   5855661   83  Linux
/dev/hda6      55223+  61040-   5818-   2931831   83  Linux
/dev/hda7      61041   77544   16504-   8317984+  83  Linux
```

As you can see from the above, /dev/hda1 and /dev/hda2 are occupied by OpenBSD and FreeBSD respectively, so let's forget those. I had originally hoped to use /dev/hda3, but I see that it's occupied as my swap partition, so that's out too. My /dev/hda4 is an "extended partition" - never mess with that. The only possible candidates are /dev/hda5, /dev/hda6 and /dev/hda7. But wait, I might be using those too - better check with the "df -h" command:

```
df -h

Filesystem      Size  Used Avail Use% Mounted on
/dev/hda7       7.9G  3.1G  4.4G  42% /
/dev/root.old    17M  7.9M  8.3M  49% /initrd
/dev/hda6       2.8G  546M  2.1G  21% /home
```

Good thing I checked - /dev/hda7 is my root partition, and /dev/hda6 is /home. So the only spare partition I've got is /dev/hda5. Actually, I've got an old Linux distro installed there, but it's not important so I'm going to nuke it. We will use the losetup command, which is used to set up and control loop devices.

So, without further ado:

```
losetup -e AES128 -T /dev/loop0 /dev/hda5
```

This command will link /dev/hda5 to the first virtual peripheral /dev/loop0. You will be asked to enter a password - 20 characters or more is recommended. Once you've done that, create an ext2 filesystem on /dev/loop0:

```
mkfs -t ext2 /dev/loop0
```

Now we must detach the partition from the specified loop device:

```
losetup -d /dev/loop0
```

Now, create a new directory which will be used to mount this partition:

```
mkdir /sleaze
```

The last step is to edit the file /etc/fstab. Before you do this, make a backup copy (a wise move whenever you edit an important system configuration file):

```
cp /etc/fstab /etc/fstab.original
```

OK, go ahead and add this line to /etc/fstab:

```
/dev/hda5 /sleaze ext2 defaults,noauto,loop=/dev/loop0,encryption=AES128 0 0
```

Now you may mount /dev/hda5 to /sleaze whenever you like (you'll need to be root to do that, or else set up sudo). Anytime you attempt to mount it, you'll be asked for the password (not the root password, but that big long 20-character password which you'd better not forget). Whenever the partition is not mounted, the data will be inaccessible, and thus safe from prying eyes. Finally, note that my encrypted partition could have been placed on a removable device such as a USB card or keyring (/dev/sda1) or even on a floppy (/dev/fd0), but not a CDR.

QUOTE

Encrypted BIGFILE

As already mentioned, loop-AES can be used to create an encrypted BIGFILE rather than an encrypted partition. The main advantage is that you won't need a spare partition on your hard drive. From what I've read, you should be able to back up the BIGFILE to a CDR, but I have not had much luck with this. For the purpose of this experiment, I'll create a 100MB BIGFILE. Before I begin, let's see how much empty space I have available on my mounted partitions. This is best done with the "df -h" command:

```
df -h

/dev/hda7       7.9G  2.5G  5.0G  34% /
/dev/root.old    17M  7.9M  8.3M  49% /initrd
/dev/hda6       2.8G  546M  2.1G  21% /home
```

I've got more space in my "/" partition than anyplace else, so I could put my BIGFILE in /root, or create a new user in /home and put it in there. Since it will require root privileges to access anyway, I'll put it in /root, but there is no reason why I must. I need to perform the following steps to create my BIGFILE and set it up as a loop device:

```
dd if=/dev/zero of=/root/BIGFILE bs=4k count=2560
losetup -e AES128 -T /dev/loop1 /root/BIGFILE
mkfs -t ext2 /dev/loop1
losetup -d /dev/loop1
mkdir /secret
```

You can do all of the above without any explanation, but most of you would probably like to know what's going on. The math in the first line: "bs" means "block size" and "count" means "how many blocks". Always use a block size of 4k, but you can vary the count according to the size you want the encrypted file to be: "4k x 256 = 1024k" which is 1MB, but I want 10MB so I multiply 256 times 10 to get 2560. Also note above that I used "/dev/loop1", not /dev/loop0 - the only reason for this is that I've already populated /dev/loop0 with the encrypted partition I created earlier. Yes, you can indeed have both an encrypted partition and an encrypted BIGFILE at the same time. In fact, you can have up to eight encrypted partitions and/or BIGFILEs (/dev/loop0 to /dev/loop7).

Finally, I add a line to /etc/fstab so that I can mount /root/BIGFILE onto its mount point /secret:

```
/root/BIGFILE /secret ext2 defaults,noauto,loop=/dev/loop1,encryption=AES128 0 0
```

It only remains for me to mount the encrypted BIGFILE:

```
mount /secret
```

Ideally, it would be nice if I could back up the encrypted data to a CDR (while still keeping it encrypted). Articles I've read indicate that BIGFILE could be burned to a CDR, but my own experiments with this failed. I'd be interested if others have been more successful. However, backing up to my removable USB hard drive worked just fine.

--------------------
Corey Quilliam
(former) Linuxhelp.ca Administrator, cquilliam-AT-gmail-dot-com
Ubuntu Linux 64bit 9.04 / Core i7 920 @ 3.6GHz / 6GB DDR3 1600 Corsair / 2x640GB WD Caviar Black / Corsair 650W PSU / eVGA X58 SLI Micro / Antec P180 Mini / ThermalRight Ultra Extreme 120
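The BIGFILE procedure quoted above, turned into a dry-run planner with the checks a careful admin runs before touching /etc/fstab. This is an added example, not code from the post or from DistroWatch; it assumes the loop-AES losetup syntax the tip uses (`-e AES128 -T`), reuses the tip's 4k block sizing and its eight-device limit, and only prints the commands it would run. The sample fstab it checks against is constructed inline.

```shell
#!/bin/sh
# Added example (not the post's code): plan an encrypted BIGFILE the way
# the tip does, but refuse a loop device that is out of range or already
# claimed in fstab. Dry run only: prints the steps, touches no disk.

# dd block count for SIZE_MB megabytes at the tip's 4k block size:
# 4k x 256 = 1 MB, so count = 256 * MB (the tip's 2560 is 10 MB).
bigfile_count() {
    echo $(( $1 * 256 ))
}

# The fstab line in the exact form the tip adds: FILE on MNT via LOOPDEV.
bigfile_fstab_line() {
    printf '%s %s ext2 defaults,noauto,loop=%s,encryption=AES128 0 0\n' "$1" "$2" "$3"
}

# loop-AES offers /dev/loop0 .. /dev/loop7; anything else is rejected.
valid_loopdev() {
    case "$1" in /dev/loop[0-7]) return 0 ;; *) return 1 ;; esac
}

# Is LOOPDEV already assigned in the fstab text read from stdin? The tip's
# encrypted partition owns /dev/loop0, so the BIGFILE must not reuse it.
loopdev_in_fstab() {
    grep -q "loop=$1[,[:space:]]"
}

# plan_bigfile FILE MNT LOOPDEV SIZE_MB FSTAB -> prints the steps, or fails early.
plan_bigfile() {
    valid_loopdev "$3" || { echo "bad loop device: $3" >&2; return 1; }
    loopdev_in_fstab "$3" < "$5" && { echo "$3 already used in $5" >&2; return 2; }
    cat <<EOF
cp $5 $5.original
dd if=/dev/zero of=$1 bs=4k count=$(bigfile_count "$4")
losetup -e AES128 -T $3 $1
mkfs -t ext2 $3
losetup -d $3
mkdir $2
# append to $5:
$(bigfile_fstab_line "$1" "$2" "$3")
EOF
}

# Demo on a constructed fstab that already holds the tip's /dev/loop0 partition.
demo_fstab=$(mktemp)
printf '/dev/hda5 /sleaze ext2 defaults,noauto,loop=/dev/loop0,encryption=AES128 0 0\n' > "$demo_fstab"
plan_bigfile /root/BIGFILE /secret /dev/loop1 10 "$demo_fstab"
rm -f "$demo_fstab"
```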