2011-08-17
Encrypted volumes under Linux
Today's fortune:
Your love life will be... interesting.
... and on that note, I plan to write a little bit about how to keep secrets.
Hah!
Linux encrypted volumes
One of the few things I miss from my time on a Mac is how easy it was to create small encrypted .DMG files: virtual hard drives which take a password to open up.
This last week, inspired by some security consultation work I was doing for Opin Kerfi, I decided to figure out how to do the same thing under Linux, so I could be sure that I was taking good care of our customers' data.
So to sum up, here is what I did:
$ dd if=/dev/urandom of=Volume.img bs=1M count=50 # 50MB
50+0 records in
50+0 records out
52428800 bytes (52 MB) copied, 31.2424 s, 1.7 MB/s
$ sudo losetup -e aes /dev/loop0 Volume.img
[sudo] password for bre: <my sudo pass-phrase>
Password: <pass-phrase for the volume goes here>
$ sudo mkfs.ext3 /dev/loop0
[...]
$ sudo losetup -d /dev/loop0
$ mkdir Volume
$ sudo mount -o loop,encryption=aes -t ext3 Volume.img Volume
Password: <passphrase for the volume goes here>
$ sudo chown -R bre:bre Volume/. # Grant myself access (the new filesystem's root directory is owned by root)
$ chmod -R go-rwx Volume/. # Keep other local users out
$ df Volume/
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/loop0 49574 4923 42091 11% /path/to/Volume
So that works: I now have a file named Volume.img that contains an encrypted ext3 filesystem, which I have attached to the folder named /path/to/Volume. While it is mounted I can work with the contents just like any other files, but when unmounted the data should be as secure as my (looong) pass-phrase.
I unmount the volume with sudo umount Volume and the final trick is to add it to /etc/fstab so I don't have to remember such a horrible mount command:
$ tail -1 /etc/fstab
/path/to/Volume.img /path/to/Volume ext3 noauto,encryption=aes 0 0
$ sudo mount /path/to/Volume # Easy!
I haven't bothered teaching the Gnome GUI about these volumes, but I suspect it wouldn't be too hard. That would be the only missing step towards making this just as user-friendly as it was on the Mac - but I don't really care, I prefer the command line.
The end result is that the data is as secure as my computer when it is mounted (Unix file permissions keep everyone except me and root out), and when I unmount it, the data should be completely unreadable to anyone who doesn't know the password I chose. As a rule, I keep the volumes unmounted when I am not working on them.
So in particular, if my laptop gets stolen, I do not need to worry that I just lost all my important clients' data. If my home backups get stolen or the backup machine hacked, the data is safe too. And yes, I deleted all the old unencrypted backups...
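The rule of keeping these volumes unmounted when idle can be checked mechanically. The script below is an added example, not part of the original post: it lists every fstab entry that carries an encryption= option and reports whether it is mounted right now or is missing noauto. The function name and the status labels are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): report the state of every
# fstab entry that carries an encryption= option, like the one shown above.
# Assumption: /proc/mounts-style input lists mount points in field 2.

# audit_encrypted_volumes [FSTAB] [MOUNTS]
# Prints "STATUS<TAB>mountpoint<TAB>detail" per entry; returns 1 if any
# volume is mounted right now or lacks noauto, 0 otherwise.
audit_encrypted_volumes() {
    fstab=${1:-/etc/fstab}
    mounts=${2:-/proc/mounts}
    awk -v mounts="$mounts" '
        BEGIN {
            bad = 0
            # Remember every mount point that is active right now.
            while ((getline line < mounts) > 0) {
                split(line, f, " ")
                mounted[f[2]] = 1
            }
        }
        /^[ \t]*#/ || NF < 4 { next }        # comments, blank or short lines
        $4 !~ /(^|,)encryption=/ { next }    # not an encrypted loop entry
        {
            n = split($4, opts, ",")
            noauto = 0
            for (i = 1; i <= n; i++) if (opts[i] == "noauto") noauto = 1
            if ($2 in mounted) {
                print "MOUNTED\t" $2 "\tplaintext readable by owner and root"
                bad = 1
            } else if (!noauto) {
                print "AUTO\t" $2 "\tno noauto option, mounted by mount -a"
                bad = 1
            } else {
                print "OK\t" $2 "\tunmounted, noauto set"
            }
        }
        END { exit bad }
    ' "$fstab"
}

# Constructed sample input; the fstab line is the one from the post.
demo=$(mktemp -d)
echo '/path/to/Volume.img /path/to/Volume ext3 noauto,encryption=aes 0 0' > "$demo/fstab"
echo '/dev/loop0 /path/to/Volume ext3 rw 0 0' > "$demo/mounts"
audit_encrypted_volumes "$demo/fstab" "$demo/mounts" || echo "volumes need attention"
rm -rf "$demo"
```

Called with no arguments, the function reads /etc/fstab and /proc/mounts, so it can run from a logout or suspend hook.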
Footnote: encrypted .DMG volumes on Linux?
Related to this, I also happen to have some old encrypted .DMG files lying around from my Mac days. Now, for some, I seem to have forgotten the passphrase and the data will probably remain secure forever...
Others, I was able to access using dmg2img and vfdecrypt. apt-get install is my friend.