doc:appunti:linux:sa:cryptfs
Old revision: doc:appunti:linux:sa:cryptfs [2012/05/18 22:48] – [Cryptoloop] niccolo
New revision: doc:appunti:linux:sa:cryptfs [2020/01/29 10:48] (current) – [enc-fs] niccolo
Line 15: | Line 15: | ||
==== Cryptoloop ==== | ==== Cryptoloop ==== | ||
- | :!: WARNING: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device. | + | :!: **WARNING**: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device. |
Cryptoloops is also vulnerable to known plaintext attacks and watermark attacks. | Cryptoloops is also vulnerable to known plaintext attacks and watermark attacks. | ||
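Review bot: the typo "Cryptoloops" in the unchanged second line survives this edit, which only bolds WARNING; while touching the warning, fix it to "Cryptoloop" so the name matches the heading and the first sentence.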
Line 56: | Line 56: | ||
modprobe dm-crypt | modprobe dm-crypt | ||
modprobe twofish | modprobe twofish | ||
- | cryptsetup isLuks /dev/md4 | + | cryptsetup isLuks /dev/md4; echo $? |
cryptsetup --cipher twofish-cbc-essiv: | cryptsetup --cipher twofish-cbc-essiv: | ||
cryptsetup luksDump /dev/md4 | cryptsetup luksDump /dev/md4 | ||
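Review bot: `cryptsetup isLuks /dev/md4; echo $?` reports the result only as a bare exit code that the reader has to interpret; `cryptsetup isLuks /dev/md4 && echo "LUKS header found" || echo "no LUKS header"` says the same thing without a magic number. Keeping this check before the `cryptsetup --cipher twofish-cbc-essiv:` line matters if that line formats the device, since a format discards whatever header is already there.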
Line 83: | Line 83: | ||
max keysize | max keysize | ||
</ | </ | ||
+ | |||
+ | [[wp> | ||
The ecnryption key will be 256 bits long (how it is generated? | The ecnryption key will be 256 bits long (how it is generated? | ||
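Review bot: "ecnryption" is misspelled on both sides of the hunk, and the question "how it is generated?" is still left open after this edit, which only adds the wiki link; since the page already runs `cryptsetup luksDump /dev/md4`, the answer belongs next to that output, which shows the key size and the key-slot parameters.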
Line 89: | Line 91: | ||
< | < | ||
- | cryptsetup luksOpen / | + | cryptsetup luksOpen / |
ls -l / | ls -l / | ||
- | mkfs.ext3 -m0 / | + | mkfs.ext3 -m0 / |
- | mount / | + | mount / |
</ | </ | ||
Line 98: | Line 100: | ||
< | < | ||
- | cryptsetup status | + | cryptsetup status |
- | cryptsetup remove | + | cryptsetup remove |
- | cryptsetup luksClose | + | cryptsetup luksClose |
</ | </ | ||
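Review bot: the three commands `cryptsetup status`, `cryptsetup remove` and `cryptsetup luksClose` are listed without saying when each applies; a word that `status` only inspects the mapping while `remove` and `luksClose` both tear it down (the `luks` form being the conventional name for LUKS volumes) would keep a reader from running two close commands in a row.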
Line 106: | Line 108: | ||
< | < | ||
- | mycryptdev | + | dm0 / |
</ | </ | ||
The passphrase will be asked only once with a 10 seconds timeout. | The passphrase will be asked only once with a 10 seconds timeout. | ||
- | If you want to start automatically the crypto device without prompting for the passphrase you have to: | + | **WARNING**! See bug [[http:// |
+ | |||
+ | If you want to start automatically the crypto device | ||
- Generate a random key with the required size (32 bytes * 8 = 256 bits) | - Generate a random key with the required size (32 bytes * 8 = 256 bits) | ||
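Review bot: the step "Generate a random key with the required size (32 bytes * 8 = 256 bits)" does not say how the key file is protected; because a key file on disk replaces the passphrase entirely, the list should add that the file must be owned by root with mode 0400 and must not live on the volume it unlocks.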
Line 160: | Line 164: | ||
</ | </ | ||
- | Per montare nuovamente la directory si usa lo stesso comando **'' | + | Per **montare nuovamente** il filesystem cifrato (la directory) si usa lo stesso comando **'' |
+ | È possibile **eliminare file e/o directory** nel filesystem cifrato: ogni oggetto compare con un **nome cifrato**. Non è possibile invece spostare una directory: per **decodificare correttamente** il contenuto è **necessario mantenere il percorso originale completo**. | ||
+ | |||
+ | È possibile **modificare la password**; si tratta in realtà della **password che protegge la chiave di cifratura** vera e propria, pertanto non sarà necessario cifrare nuovamente tutto il contenuto. Si usa il comando: | ||
+ | |||
+ | < | ||
+ | encfsctl passwd ~/ | ||
+ | </ | ||
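Review bot: the new paragraph on `encfsctl passwd` correctly says that only the password protecting the volume key changes, so no re-encryption is needed; add the caveat that follows from it: the volume key itself is not rotated, so changing the password does not help if the key (rather than the password) may have been exposed, in which case the data has to be copied into a freshly created EncFS volume.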
==== Reverse enc-fs ==== | ==== Reverse enc-fs ==== | ||
Line 167: | Line 178: | ||
< | < | ||
- | cat secret.txt | encfs --reverse --stdinpass /home /home-crypt | + | cat secret.txt | encfs --standard |
</ | </ | ||
+ | |||
+ | L' | ||
Per smontare la directory cifrata si utilizza: | Per smontare la directory cifrata si utilizza: | ||
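Review bot: `--standard` is added to the `encfs --reverse --stdinpass` command line without explanation; a sentence saying that it selects the standard configuration preset instead of asking the interactive configuration questions would help. Since `secret.txt` is piped in as the passphrase, the example should also say that this file must be readable only by its owner.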
Line 273: | Line 286: | ||
</ | </ | ||
+ | ===== Manual start of encrypted disk ===== | ||
+ | |||
+ | If an encrypted disk **requires a password to be typed interactively**, | ||
+ | |||
+ | Starting with **Debian 5 Lenny** the //timeout// parameter was not longer available (see [[https:// | ||
+ | |||
+ | Starting with **Debian 6 Squeeze** the **noauto** parameter is still required. Once the system is running you can execute the command **/ | ||
+ | |||
+ | Starting with **Debian 9 Stretch** the **noauto** parameter is used as usual, but // | ||
+ | |||
+ | < | ||
+ | cryptdisks_start dm0 | ||
+ | </ |
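Review bot: "was not longer available" should read "was no longer available"; otherwise the new section is consistent with the crypttab hunk above, since `cryptdisks_start dm0` uses the same `dm0` mapping name. One sentence on verifying the manual start, e.g. with `cryptsetup status dm0` as already shown earlier on the page, would close the procedure.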
doc/appunti/linux/sa/cryptfs.1337374105.txt.gz · Last modified: 2012/05/18 22:48 by niccolo