2011-08-17

Encrypted volumes under Linux

Today's fortune:

Your love life will be... interesting.

... and on that note, I plan to write a little bit about how to keep secrets.

Hah!

Linux encrypted volumes

One of the few things I miss from my time on a Mac is how easy it was to create small encrypted .DMG files: virtual hard drives that take a password to open.

This last week, inspired by some security consultation work I was doing for Opin Kerfi, I decided to figure out how to do the same thing under Linux, so I could be sure that I was taking good care of our customers' data.

So to sum up, here is what I did:

$ dd if=/dev/urandom of=Volume.img bs=1M count=50  # 50MB
50+0 records in
50+0 records out
52428800 bytes (52 MB) copied, 31.2424 s, 1.7 MB/s

$ sudo losetup -e aes /dev/loop0 Volume.img
[sudo] password for bre: <my sudo pass-phrase>
Password: <pass-phrase for the volume goes here>

$ sudo mkfs.ext3 /dev/loop0 
[...]

$ sudo losetup -d /dev/loop0
$ mkdir Volume
$ sudo mount -o loop,encryption=aes -t ext3 Volume.img Volume
Password: <passphrase for the volume goes here>    

$ sudo chown -R bre:bre Volume/.  # Grant myself access (the new filesystem is owned by root)
$ chmod -R go-rwx Volume/.   # Keep other local users out
$ df Volume/
Filesystem   1K-blocks   Used Available Use% Mounted on
/dev/loop0       49574   4923     42091  11% /path/to/Volume

So that works: I now have a file named Volume.img that contains an encrypted ext3 filesystem, which I have attached to the folder named /path/to/Volume. While it is mounted I can work with the contents just like any other files, but when unmounted the data should be as secure as my (looong) pass-phrase.

I unmount the volume with sudo umount Volume and the final trick is to add it to /etc/fstab so I don't have to remember such a horrible mount command:

$ tail -1 /etc/fstab
/path/to/Volume.img /path/to/Volume ext3 noauto,encryption=aes 0 0

$ sudo mount /path/to/Volume  # Easy!

I haven't bothered teaching the Gnome GUI about these volumes, but I suspect it wouldn't be too hard. That would be the only missing step towards making this just as user-friendly as it was on the Mac - but I don't really care, I prefer the command line.

The end result is that the data is as secure as my computer when it is mounted (Unix file permissions keep everyone except me and root out), and when I unmount it, the data should be completely unreadable to anyone who doesn't know the password I chose. As a rule, I keep the volumes unmounted when I am not working on them.

So in particular, if my laptop gets stolen, I do not need to worry that I just lost all my important clients' data. If my home backups get stolen or the backup machine hacked, the data is safe too. And yes, I deleted all the old unencrypted backups...
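
The same kind of file-backed volume built on dm-crypt/LUKS through cryptsetup rather than losetup -e aes, as an added example that is not part of the original post; the kernel's help text for the cryptoloop driver used above warns that it is not safe for journaled filesystems such as ext3 and points to the device-mapper crypto module instead. The mapping name vol and all function names are assumptions made for this example, and the two check functions are there to find images and fstab entries still set up the older way.

```shell
#!/bin/sh
# Added example: file-backed encrypted volume using dm-crypt/LUKS (cryptsetup).
# Assumed names (not from the post): mapping name "vol", the functions below.

LUKS_MAGIC_HEX=4c554b53babe   # "LUKS" 0xBA 0xBE, the first 6 bytes of a LUKS header

# Return 0 if FILE starts with the LUKS magic. A volume made with
# "losetup -e aes" has no header at all, so it fails this check.
is_luks_image() {
    [ -f "$1" ] || return 2
    magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "$LUKS_MAGIC_HEX" ]
}

# Print the image path of every fstab entry that still uses the
# legacy "encryption=" loop option, skipping comment lines.
legacy_loop_entries() {
    awk '$1 !~ /^#/ && $4 ~ /(^|,)encryption=/ { print $1 }' "$1"
}

# Create, format and mount a LUKS volume (needs root and cryptsetup).
# Usage: create_luks_volume IMAGE SIZE_MB MOUNTPOINT
create_luks_volume() {
    img=$1; size_mb=$2; mnt=$3
    [ -e "$img" ] && { echo "refusing to overwrite $img" >&2; return 1; }
    dd if=/dev/urandom of="$img" bs=1M count="$size_mb" || return 1
    sudo cryptsetup luksFormat "$img" || return 1      # asks for the pass-phrase
    sudo cryptsetup open "$img" vol || return 1        # appears as /dev/mapper/vol
    sudo mkfs.ext4 -q /dev/mapper/vol || return 1
    mkdir -p "$mnt" && sudo mount /dev/mapper/vol "$mnt" || return 1
    # Same permissions as in the post: owner only, other local users kept out.
    sudo chown "$(id -u):$(id -g)" "$mnt" && chmod go-rwx "$mnt"
}

# Unmount and remove the mapping so the volume key is dropped from the kernel.
close_luks_volume() {
    sudo umount "$1" && sudo cryptsetup close vol
}
```

Call create_luks_volume Volume.img 50 Volume to repeat the steps above with LUKS, and close_luks_volume Volume when done working on the files.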

Footnote: encrypted .DMG volumes on Linux?

Related to this, I also happen to have some old encrypted .DMG files lying around from my Mac days. Now, for some, I seem to have forgotten the passphrase and the data will probably remain secure forever...

Others, I was able to access using dmg2img and vfdecrypt.

apt-get install is my friend.

Tags: tech

