Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
useful:encryption [2009/01/10 21:59] chemistuseful:encryption [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-====== encryption ====== 
-===== harddisks usbkeys ===== 
-==== dm-crypt & luks ==== 
-<code bash> 
-#crypt device, you can either use blowfish twofish or any other as you like  
-#but you need to load the proper kernel module, here I used aes-i586  
-#and on my laptop blowfish 
-cryptsetup -y -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/"device_name" 
- 
-#open device 
-cryptsetup luksOpen /dev/"device_name" "crypt_name" 
- 
-#make filesystem 
-mkfs.ext4 /dev/mapper/"crypt_name" 
- 
-#mount and fill with random data (fast way) 
-mount /dev/mapper/"crypt_name" /mnt/ 
-randfs /mnt/random.file 
- 
-#fill with random data and check partition 
-#(secure way, to be executed before mkfs or lvm setup) 
-badblocks -c 10240 -s -w -t random -v /dev/"device_name" 
- 
-#umount and close crypt 
-umount /mnt/ 
-cryptsetup luksClose "crypt_name"</code> 
- 
-=== /etc/crypttab === 
-on boot: the first device asks for password, the second looks for the keyfile at /mnt/keys/ 
-<code bash> 
-# <target name> <source device> <key file> <options> 
-"crypt_name" /dev/"device_name" none luks,cipher=aes-cbc-essiv:sha256 
-"crypt_name" /dev/"device_name" /mnt/keys/"crypt_name".key luks,cipher=aes-cbc-essiv:sha256 
-</code> 
-=== links === 
-[[useful:encryption:randfs]] 
- 
-==== loop-aes with 100MB file ==== 
-<code bash> 
-#load needed module 
-modprobe cryptoloop 
- 
-#create file crypt.aes 100MB 
-dd if=/dev/urandom of=./crypt.aes bs=2k count=50000 
- 
-#setup loop, you will be prompted for passphrase 
-losetup -e aes /dev/loop0 ./crypt.aes 
- 
-#make FS 
-mkfs.ext3 /dev/loop0 
- 
-#release loop 
-losetup -d /dev/loop0 
- 
-#make node 
-mkdir /mnt/keys</code> 
-=== /etc/fstab === 
- 
-<code bash> 
-/crypt.aes /mnt/keys       ext3    noauto,encryption=aes         0 
-</code> 
-to make it available on boot you need to load the module with an entry in /etc/modules 
- 
-==== the keys ==== 
-<code bash> 
-head -c 256 /dev/random > /mnt/crypt.key 
-cryptsetup luksAddkey /dev/"device_name" /mnt/crypt.key 
-</code> 
-==== settings ==== 
- 
-===  /etc/default/cryptdisks === 
-<code bash> 
-# Run cryptdisks at startup ? 
-CRYPTDISKS_ENABLE=Yes 
- 
-# Mountpoints to mount, before starting cryptsetup. This is useful for 
-# keyfiles on removable media. Seperate mountpoints by space. 
-CRYPTDISKS_MOUNT="/mnt/keys" 
- 
-# Default check script, see /lib/cryptsetup/checks/ 
-# Takes effect, if the 'check' option is set in crypttab without a value 
-CRYPTDISKS_CHECK=vol_id 
- 
-# Default precheck script, see  
-# Takes effect, if the 'precheck' option is set in crypttab without a value 
-CRYPTDISKS_PRECHECK= 
- 
-# Default timeout in seconds for password prompt 
-# Takes effect, if the 'timeout' option is set in crypttab without a value 
-CRYPTDISKS_TIMEOUT=180 
-</code> 
  
Last modified: le 2009/01/10 21:59

Page Tools