Create Encrypted Volumes With Cryptmount and Linux

Protect your data from prying eyes with a suite of tools designed to make encrypted volumes easy to set up — even on removable media.

By Carla Schroder | Posted Apr 21, 2008
Page of   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Carla SchroderCryptmount is a friendly front-end to a batch of Linux utilities used to create encrypted volumes, such as device mapper, dm-crypt, and the kernel's loopback device. It requires root privileges to create encrypted files or partitions, and then once it's set up users can mount and unmount their own encrypted volumes on demand. Its major features are:

  • Users can change their own passwords
  • Encrypted filesystems can be initialized at boot-up or on demand
  • Encrypted access keys are OpenSSL-compatible
  • Supports storing access keys on removable media
  • Encrypt entire partitions, or create several encrypted filesystems on a single partition
  • Plain text human-readable configuration files

So it has several advantages over the excellent Cryptsetup (see Resources). Users can mount and unmount their own encrypted volumes without a bunch of /etc/fstab and sudo hacks, you have more flexibility because you're not restricted to encrypting entire block devices, and making encrypted filesystems available on demand leaves the unneeded ones in a safer state. From the user's perspective it treats raw disk partitions, any individual file, loopback devices, and LVM volumes all in the same way because Cryptmount operates on an encrypted device-mapper layer (which you can see in /dev/mapper after it's created).

Cryptmount is slowly making its way into various distribution repositories. Debian Testing and Unstable currently have cryptmount 2.1. Ubuntu Feisty and Gutsy contain the moldy old 2.0 version in the Universe repository. The current stable release on Sourceforge is 2.2. You can get .debs, RPMs, and source tarballs on Sourceforge. You want at least 2.1 to get the cryptmount-setup command, plus a number of useful fixes and updates.

Encrypted Filesystem Inside a File

You don't have to encrypt an entire partition, but can create an encrypted filesystem inside an ordinary file. Use the cryptmount-setup script to do this. This example has the uninteresting bits removed:

# cryptmount-setup
   Please enter a target name for your filesystem
   [opaque]: mystuff

   Which user should own the filesystem (leave blank for root)
   []: carla

   Please specify where "mystuff" should be mounted
  [/home/carla/crypt]:

  Enter the filesystem size (in MB)
   [64]: 1028

   Enter a filename for your encrypted container
   [/home/carla/crypto.fs]: /home/carla/mystuff.fs

   Enter a location for the keyfile
   [/etc/cryptmount/mystuff.key]:

  enter password for target "mystuff":

Your new encrypted filesystem is now ready for use.
To access, try:
   cryptmount mystuff
   cd /home/carla/crypt
After you have finished using the filesystem, try:
   cd
   cryptmount --unmount mystuff

Do not choose a wimpy password, and do not forget your password, because if you lose it it's not recoverable. You can wipe out the encrypted filesystem and start over, but you cannot recover your data. You should also make backup copies of your access keys and keep them in a safe place, because losing the key also loses your data.

The defaults are in square brackets. You may invent whatever names you like, and the script will create directories for you. When you specify a filename, be sure to use the whole path. When it's finished you will have a new crypt (or whatever you named it) directory and three new files, which in this example are named container, crypto.fs, and mystuff.fs. Don't try to read these files because they are just containers.

Go ahead and mount your new encrypted filesystem- cryptmount-setup tells you exactly the command you need:

$ cryptmount mystuff
enter password for target "mystuff":
e2fsck 1.40.8 (13-Mar-2008)
/dev/mapper/mystuff: clean, 11/32768 files, 9805/131072 blocks

Now there is a new /dev/mapper/mystuff block device. Only the user you specified during setup (and root) can mount and unmount the encrypted filesystem. Play around with it— copy files in and out of it, look at it in your favorite file manager—it looks just like any other directory. Unmount it just like the setup script told you:

$ cd
$ cryptmount --unmount mystuff

A silent exit means success. If you have anything accessing your encrypted directory, such as a command prompt, file manager, or open file, you'll get the "umount: /home/carla/crypt: device is busy" error. Running the cd command first puts you back in the top level of your home directory. Sometimes the famd daemon will get in the way and you'll have to kill it. Don't use the standard umount command or it will get messed up, and you won't be able to re-mount it.

If you make a mistake and get a "specification for target "foo" contains non-absolute pathname" error, or any other error message, enter /etc/cryptmount/cmtab to correct it. Or delete the entry and start over.

If you create more than one encrypted filesystem cryptsetup -l displays a list. Users can change their passwords with cryptsetup -c [targetname].

Using a Different Linux Filesystem

cryptmount-setup defaults to using Ext3. If you want to use something else, such as ReiserFS, JFS, or XFS, first find out if your kernel supports it:

$ cat /proc/filesystems
nodev sysfs
nodev rootfs
[...]
     ext3
     jfs
     reiserfs
     xfs

nodev filesystems are pseudo filesystems that don't directly access a physical storage device. This example shows that all four major Linux filesystems are supported.

Encrypting an Entire Partition

If you would rather encrypt an entire partition it's better to create it manually. In this example we'll use a partition on a second hard drive, and mount it in the user's home directory. First create an entry in /etc/cryptmount/cmtab like this:

    manual {
        dev=/dev/hdb5
        dir=/home/terry/manual
        fstype=reiserfs
        fsoptions=defaults
        cipher=aes
        keyfile=/etc/cryptmount/manual.key
        keyformat=builtin
    }

This tells Cryptmount your target name is "manual", you want /dev/hdb5 to be your encrypted partition, and to mount it in /home/terry/manual. You also should specify the filesystem type and options, and which cipher you prefer (which will be used to encrypt your filesystem) depends on what your system supports. Run this command to find out:

$ ls -l /lib/modules/$(uname -r)/kernel/crypto/
ablkcipher.ko
aes.ko
anubis.ko
arc4.ko
[...]

The correct kernel module will be automatically loaded when you mount the encrypted filesystem. man cmtab describes all the options and tells you which ones are required.

Next, generate your encryption key, specifying the size in bytes. This might involve a bit of math, since it's more common to use bits. This example creates a 32-byte/256-bit key. The key size depends on your chosen cipher, which you're going to have to research your own self:

# cryptmount --generate-key 32 manual
generating random key, please be patient
enter new password for target "manual":
confirm password:

Then run this command, using your own target name of course:

# cryptmount --prepare manual
enter password for target "manual":

Now create the filesystem:

# mkreiserfs /dev/mapper/manual

Now run:

# cryptmount --release manual

Then create the mountpoint as the user it's going to belong to for fewer permissions-fixing hassles:

# su terry
$ mkdir /home/terry/manual

Next, mount it as the user with cryptmount manual. You'll probably have to tweak file permissions to allow a non-root user to read and write to the new encrypted partition, so while it is mounted fix the permissions and ownership:

# chown terry:terry /home/terry/manual
# chmod 0700 /home/terry/manual

You're welcome to tweak the permissions however you like; this makes Terry the owner and group owner, and only Terry can access this directory. Now Terry should be able to mount and unmount the encrypted filesystem, read and write to it, create and delete directories, and change her own password.

To mount encrypted filesystems automatically at boot, enter them in /etc/default/cryptmount. Refer to the well-written man cryptmount and man cmtab for additional options. Your installation or source tarball should contain additional examples and help, such as a sample /etc/cmtab that shows how to painlessly encrypt your swap file, and how to store your access key on a USB stick instead of on your computer. It is possible to create password-less keys, so then your USB stick operates just like an ordinary door key.

Resources

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter