Create & mount 'encrypted filesystem' on a partition or file

cryptmount -m <name>
In order to create a new encrypted filing system managed by cryptmount, you can use the supplied 'cryptmount-setup' program, which can be used by the superuser to interactively configure a basic setup. Alternatively, suppose that we wish to setup a new encrypted filing system, that will have a target-name of "opaque". If we have a free disk partition available, say /dev/hdb63, then we can use this directly to store the encrypted filing system. Alternatively, if we want to store the encrypted filing system within an ordinary file, we need to create space using a recipe such as: dd if=/dev/zero of=/home/opaque.fs bs=1M count=512 . cryptmount --generate-key 32 opaque . cryptmount --prepare opaque . mke2fs /dev/mapper/opaque . cryptmount --release opaque . mkdir /home/crypt . cryptmount -m opaque . cryptmount -u opaque For detail see sample output
Sample Output
In order to create a new encrypted filing system managed by cryptmount,
       you can use the supplied 'cryptmount-setup' program, which can be  used
       by the superuser to interactively configure a basic setup.

       Alternatively,  suppose  that  we  wish to setup a new encrypted filing
       system, that will have a target-name of "opaque".  If we  have  a  free
       disk partition available, say /dev/hdb63, then we can use this directly
       to store the encrypted filing system.  Alternatively,  if  we  want  to
       store  the  encrypted filing system within an ordinary file, we need to
       create space using a recipe such as:

$dd if=/dev/zero of=/home/opaque.fs bs=1M count=512

       and then replace all occurences of '/dev/hdb63' in the  following  with
       '/home/opaque.fs'.   (/dev/urandom  can  be used in place of /dev/zero,
       debatably for extra security, but is rather slower.)

       First,  we  need  to  add  an  entry  in  /etc/cryptmount/cmtab,  which
       describes  the  encryption  that will be used to protect the filesystem
       itself and the access key, as follows:

           opaque {
               dev=/dev/hdb63 dir=/home/crypt
               fstype=ext2 mountoptions=defaults cipher=twofish
               keyfile=/etc/cryptmount/opaque.key
               keyformat=builtin
           }

       Here, we will be using the "twofish" algorithm to  encrypt  the  filing
       system  itself, with the built-in key-manager being used to protect the
       decryption key (to be stored in /etc/cryptmount/opaque.key).

       In  order  to  generate  a  secret  decryption  key   (in   /etc/crypt&#8208;
       mount/opaque.key)  that  will  be  used  to  encrypt  the filing system
itself, we can execute, as root:

$cryptmount --generate-key 32 opaque

       This will generate a 32-byte (256-bit) key, which is known to  be  sup&#8208;
       ported  by the Twofish cipher algorithm, and store it in encrypted form
       after asking the system administrator for a password.

       If we now execute, as root:

$cryptmount --prepare opaque

       we will then be asked for the password that we  used  when  setting  up
       /etc/cryptmount/opaque.key,  which  will  enable  cryptmount to setup a
       device-mapper target (/dev/mapper/opaque).  (If you  receive  an  error
       message  of the form device-mapper ioctl cmd 9 failed: Invalid argument
       , this may mean that you have chosen a key-size that isn't supported by
       your chosen cipher algorithm.  You can get some information about suit&#8208;
       able key-sizes by checking the output  from  "more  /proc/crypto",  and
       looking at the "min keysize" and "max keysize" fields.)

       We  can  now  use  standard tools to create the actual filing system on
       /dev/mapper/opaque:

$mke2fs /dev/mapper/opaque

       (It may be advisable, after the filesystem is first mounted,  to  check
       that  the  permissions of the top-level directory created by mke2fs are
       appropriate for your needs.)

       After executing

$cryptmount --release opaque
$mkdir /home/crypt

       the encrypted filing system is ready for use.  Ordinary users can mount
       it by typing

$cryptmount -m opaque

       or

           cryptmount opaque

       and unmount it using

$cryptmount -u opaque

-2
By: totti
2012-01-17 18:02:47

What Others Think

Useful tool no doubt, but is there a need to post the entire EXAMPLE USAGE section from the man page?
zlemini · 352 weeks and 1 day ago
Sorry
totti · 352 weeks ago

What do you think?

Any thoughts on this command? Does it work on your machine? Can you do the same thing with only 14 characters?

You must be signed in to comment.

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands



Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: