real time encrypted directories in Mandriva 2009.1

Data encryption is not some obscure thing that only secret agents and computer experts need to know about; it should be a fundamental precaution against theft of the storage medium, or even the entire computer, on which you keep your personal data.

The choices in Linux are many, ranging from dedicated encrypted partitions to encrypted directories and, finally, single files.

I won’t go too deep into the technical alternatives you have (ranging from special file systems to “simple” command-line encrypting/decrypting tools); instead I will focus on LUKS (“Linux Unified Key Storage”) [1], [2], which is the current state of the art in Linux these days.

So what I want to do is create a new encrypted /encrypted directory that can either be mounted manually or, optionally, automagically during boot:

As root, …

  • create a huge file, as big as you want your directory ever to become:

    dd if=/dev/urandom of=/secure bs=1M count=4096

    That gives you a 4GB file named /secure. Beware that the creation of the file will take a couple of minutes (fast SATA disks come in handy here 🙂).
  • set up an ordinary loop device pointing to the new file:

    losetup /dev/loop0 /secure
  • load the required kernel modules:

    modprobe dm-mod
    modprobe dm-crypt
  • create an encrypted filesystem on the device:

    cryptsetup luksFormat /dev/loop0

    The passphrase you enter here is crucial for you to continue, so use a reasonably “safe” one and be sure not to forget it 🙂
  • test if everything is fine:

    cryptsetup luksOpen /dev/loop0 secure

    If the command succeeds, you should have a newly created block device named /dev/mapper/secure.
  • format the new device:

    mkfs.ext3 /dev/mapper/secure
  • mount the new device:

    mount /dev/mapper/secure /encrypted
  • closing the encrypted directory
    When you are finished working with your encrypted data, you need to unmount the directory and close the crypto channel for it, in the reverse order of the steps above:

    umount /encrypted
    cryptsetup luksClose /dev/mapper/secure
    losetup -d /dev/loop0
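The whole procedure above, wrapped into one script so the steps always run in the right order and the close step undoes the open step exactly in reverse. This is an added example, not code from the original post. It assumes things the post does not state: the image path, mount point, mapper name, loop device and size are environment variables with the post’s values as defaults, DRY_RUN=1 only prints the commands instead of executing them (handy to review the plan before running it as root), the mount point is created with mkdir -p if it does not exist, and the image file is chmod’ed to 600 so other local users cannot even read the ciphertext.

```shell
#!/bin/sh
# Added example (not code from the original post): the LUKS-on-a-loop-file
# procedure as one script with three actions: setup, open, close.
#
# Assumptions not taken from the post: paths, size and the mapper name are
# overridable environment variables, and DRY_RUN=1 only prints the commands
# that would be executed.
set -eu

IMAGE="${IMAGE:-/secure}"              # the big file holding the LUKS container
MOUNTPOINT="${MOUNTPOINT:-/encrypted}" # where the decrypted filesystem appears
MAPPER_NAME="${MAPPER_NAME:-secure}"   # yields /dev/mapper/secure
SIZE_MB="${SIZE_MB:-4096}"             # 4096 x 1M = 4GB, as in the post
LOOPDEV="${LOOPDEV:-/dev/loop0}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time preparation: image file, LUKS header, ext3 filesystem inside,
# then lock everything again so "open" can be used the same way every time.
setup_container() {
    run dd if=/dev/urandom of="$IMAGE" bs=1M count="$SIZE_MB"
    run chmod 600 "$IMAGE"                   # assumption: keep the image private
    run modprobe dm-mod
    run modprobe dm-crypt
    run losetup "$LOOPDEV" "$IMAGE"
    run cryptsetup luksFormat "$LOOPDEV"     # asks for the passphrase
    run cryptsetup luksOpen "$LOOPDEV" "$MAPPER_NAME"
    run mkfs.ext3 "/dev/mapper/$MAPPER_NAME"
    run cryptsetup luksClose "$MAPPER_NAME"
    run losetup -d "$LOOPDEV"
}

# Daily use: attach the loop device, unlock, mount.
open_container() {
    run modprobe dm-mod
    run modprobe dm-crypt
    run losetup "$LOOPDEV" "$IMAGE"
    run cryptsetup luksOpen "$LOOPDEV" "$MAPPER_NAME"
    run mkdir -p "$MOUNTPOINT"               # assumption: the post expects it to exist
    run mount "/dev/mapper/$MAPPER_NAME" "$MOUNTPOINT"
}

# Exact reverse of open_container: unmount, lock, detach (the order matters).
close_container() {
    run umount "$MOUNTPOINT"
    run cryptsetup luksClose "$MAPPER_NAME"
    run losetup -d "$LOOPDEV"
}

case "${1:-}" in
    setup) setup_container ;;
    open)  open_container ;;
    close) close_container ;;
    *)     echo "usage: $0 {setup|open|close}   (DRY_RUN=1 prints the commands only)" >&2 ;;
esac
```

Run it as root with `./luksdir.sh setup` once, then `./luksdir.sh open` and `./luksdir.sh close` around each session; `DRY_RUN=1 ./luksdir.sh open` shows the six commands that would be executed. cryptsetup accepts the bare mapper name in luksClose as well as the /dev/mapper path the post uses.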

Now that wasn’t too difficult. Optionally, you might also want to have the directory mounted automagically at boot time, but that will have to wait a bit 🙂

Caveat:

  • performance
    Unsurprisingly, encryption comes at a price: both read and write access to your encrypted directory are of course slower (you can expect about half the performance of an unencrypted directory). But the performance hit is heavily influenced by the CPU & OS architecture you have (64-bit noticeably beats 32-bit).
  • disk/file corruption
    If your hard disk fails or, for whatever reason, your image file becomes corrupt (bad RAM modules, buggy I/O controllers, …), the chances that you end up with complete data loss increase if the problem hits the “sensitive” parts of your image file (above all the LUKS header at its start, which holds the key material), and the same goes for a separate encrypted partition. So encrypting your data increases the need to back up your data!

[1] http://luks.endorphin.org/ (seems to be dead right now)
[2] http://www.saout.de/tikiwiki/tiki-index.php?page=LUKS
