Tuesday, October 9, 2012

Encrypted File Systems

Linux lets you encrypt non-root and swap file systems, allowing access only to users who hold the passphrase (or key file) for the volume. You can apply encryption to both fixed and removable file systems, such as USB devices. It is recommended that you use the LUKS (Linux Unified Key Setup) tools, which record the cipher settings and key slots in a header on the device itself. You can use either the gnome-luks-format tool or cryptsetup directly to set up your encrypted file system.

If available for your distribution, the easiest way to set up an encrypted file system is the gnome-luks-format tool. It lets you specify the device, the encryption cipher and passphrase, and the file system type and name. Be sure the file system is not mounted; formatting destroys its current contents. Once formatted, restart your system. You can then access the encrypted partition or removable drive.

For a USB drive or disk, double-click the drive icon in the file system window. This opens a window in which you are prompted for a password, with the option to forget it, remember it for the session, or always remember it. A message tells you the device is encrypted. Once you enter your password, you can mount and access the device (double-click it again). The volume name appears with an icon on your desktop. The desktop automounter (HAL, or udisks on distributions that have replaced it) handles all mounting and access for removable media. Use the same procedure for fixed partitions.

Instead of restarting your system after the initialization and format, you can use luks-setup or cryptsetup with the luksOpen option to open the encrypted file system. If you want to manage fixed drives manually, place entries for them in the /etc/crypttab and /etc/fstab files.
Cryptsetup usage

Instead of using gnome-luks-format, you can use the cryptsetup command directly to set up your encrypted file system manually. First run cryptsetup with the luksFormat option to initialize the device as an encrypted volume; you are prompted for a passphrase (or you can pass a key file as an extra argument). luksFormat overwrites the start of the device, so make sure it is not mounted and holds nothing you need. Add an entry for the volume to the /etc/crypttab file. Then either reboot or run cryptsetup with the luksOpen option to open the volume; you are prompted for the passphrase (or use --key-file to supply it), and a clear-text device appears under /dev/mapper. Create the file system on that mapped device, not on the raw partition, specifying its type and label, and place an entry for it in the /etc/fstab file.
If you did not use LUKS (plain dm-crypt), there is no header recording the encryption method, so you must specify the cipher yourself every time the volume is opened: with the --cipher option when you run cryptsetup, and with the cipher= option in the /etc/crypttab entry. For an ESSIV cipher, use aes-cbc-essiv:sha256. For a plain cipher, use aes-cbc-plain. Prefer ESSIV: aes-cbc-plain derives each sector's IV directly from the sector number, which exposes the volume to watermarking attacks, the weakness ESSIV was introduced to close.
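The manual cryptsetup procedure above, and the plain-dm-crypt variant with an explicit cipher, as one added shell script. This is example code written for this page, not part of the original post or of cryptsetup. The device /dev/sdb1, the mapping name cryptdata, the mount point /mnt/data and the ext4 file system are hypothetical choices; the cryptsetup, mkfs and mount steps need root and wipe the device, so the script only runs them when invoked with --run.

```sh
#!/bin/sh
# Added example (not from the original post): manual LUKS setup with cryptsetup,
# plus the /etc/crypttab and /etc/fstab entries that bring the volume up at boot.
# Hypothetical values: device /dev/sdb1, mapping "cryptdata", mount point /mnt/data.
set -eu

# Format one /etc/crypttab entry: <name> <device> <keyfile|none> <options>.
# "none" makes the boot scripts prompt for the passphrase; a key file path opens
# the volume without interaction (keep it root-owned, mode 0400).
crypttab_line() {
    name=$1; device=$2; keyfile=${3:-none}; opts=${4:-luks}
    printf '%s %s %s %s\n' "$name" "$device" "$keyfile" "$opts"
}

# Format the matching /etc/fstab entry. The file system lives on the
# device-mapper node /dev/mapper/<name>, never on the raw partition.
fstab_line() {
    name=$1; mountpoint=$2; fstype=${3:-ext4}; opts=${4:-defaults}
    printf '/dev/mapper/%s %s %s %s 0 2\n' "$name" "$mountpoint" "$fstype" "$opts"
}

# Create the LUKS container, open it, put a file system on the mapping and
# record both entries. Must run as root on an unmounted device.
# Optional 4th argument: a key file used instead of an interactive passphrase.
luks_setup() {
    device=$1; name=$2; mountpoint=$3; keyfile=${4:-}
    crypttab=${CRYPTTAB:-/etc/crypttab}; fstab=${FSTAB:-/etc/fstab}

    # Refuse to wipe a mounted file system.
    if grep -q "^$device " /proc/mounts; then
        echo "$device is mounted; unmount it first" >&2
        return 1
    fi

    if [ -n "$keyfile" ]; then
        # 1. Initialise the LUKS header with a key file ...
        cryptsetup luksFormat "$device" "$keyfile"
        # 2. ... and open it non-interactively, creating /dev/mapper/<name>.
        cryptsetup luksOpen --key-file "$keyfile" "$device" "$name"
        entry_key=$keyfile
    else
        # 1. Initialise the LUKS header; prompts for and confirms a passphrase.
        cryptsetup luksFormat "$device"
        # 2. Open the container; prompts for the passphrase again.
        cryptsetup luksOpen "$device" "$name"
        entry_key=none
    fi

    # 3. Put the file system on the clear-text mapping, not on $device.
    mkfs.ext4 -L "$name" "/dev/mapper/$name"

    # 4. Persist: crypttab opens the container at boot, fstab mounts the mapping.
    crypttab_line "$name" "$device" "$entry_key" luks >> "$crypttab"
    fstab_line "$name" "$mountpoint" ext4 defaults >> "$fstab"
    mkdir -p "$mountpoint"
    mount "/dev/mapper/$name" "$mountpoint"

    # 5. Inspect the header: cipher, key size and the key slot just filled.
    cryptsetup luksDump "$device"
}

# Plain dm-crypt has no header, so the cipher must be given on every open,
# both here (--cipher) and in the crypttab options field (cipher=...).
# ESSIV derives each sector IV from a hash of the key; aes-cbc-plain uses the
# bare sector number and is vulnerable to watermarking, so ESSIV is the default.
plain_open() {
    device=$1; name=$2; cipher=${3:-aes-cbc-essiv:sha256}
    cryptsetup --cipher "$cipher" create "$name" "$device"
}

# Only touch real devices when explicitly asked.
if [ "${1-}" = "--run" ]; then
    luks_setup /dev/sdb1 cryptdata /mnt/data
fi
```

To practice without a spare partition, create a file, attach it with losetup, and pass the loop device as the first argument of luks_setup; point CRYPTTAB and FSTAB at scratch files so the real configuration is untouched. For an encrypted swap partition you would typically use plain mode with a random key, which in crypttab looks like `cryptswap /dev/sdb2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256`.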