dd if=/dev/zero of=/home/opaque.fs bs=1M count=512
.
cryptmount --generate-key 32 opaque
.
cryptmount --prepare opaque
.
mke2fs /dev/mapper/opaque
.
cryptmount --release opaque
.
mkdir /home/crypt
.
cryptmount -m opaque
.
cryptmount -u opaque
For detail see sample output
In order to create a new encrypted filing system managed by cryptmount, you can use the supplied 'cryptmount-setup' program, which can be used by the superuser to interactively configure a basic setup. Alternatively, suppose that we wish to setup a new encrypted filing system, that will have a target-name of "opaque". If we have a free disk partition available, say /dev/hdb63, then we can use this directly to store the encrypted filing system. Alternatively, if we want to store the encrypted filing system within an ordinary file, we need to create space using a recipe such as: $dd if=/dev/zero of=/home/opaque.fs bs=1M count=512 and then replace all occurences of '/dev/hdb63' in the following with '/home/opaque.fs'. (/dev/urandom can be used in place of /dev/zero, debatably for extra security, but is rather slower.) First, we need to add an entry in /etc/cryptmount/cmtab, which describes the encryption that will be used to protect the filesystem itself and the access key, as follows: opaque { dev=/dev/hdb63 dir=/home/crypt fstype=ext2 mountoptions=defaults cipher=twofish keyfile=/etc/cryptmount/opaque.key keyformat=builtin } Here, we will be using the "twofish" algorithm to encrypt the filing system itself, with the built-in key-manager being used to protect the decryption key (to be stored in /etc/cryptmount/opaque.key). In order to generate a secret decryption key (in /etc/crypt‐ mount/opaque.key) that will be used to encrypt the filing system itself, we can execute, as root: $cryptmount --generate-key 32 opaque This will generate a 32-byte (256-bit) key, which is known to be sup‐ ported by the Twofish cipher algorithm, and store it in encrypted form after asking the system administrator for a password. If we now execute, as root: $cryptmount --prepare opaque we will then be asked for the password that we used when setting up /etc/cryptmount/opaque.key, which will enable cryptmount to setup a device-mapper target (/dev/mapper/opaque). (If you receive an error message of the form device-mapper ioctl cmd 9 failed: Invalid argument , this may mean that you have chosen a key-size that isn't supported by your chosen cipher algorithm. You can get some information about suit‐ able key-sizes by checking the output from "more /proc/crypto", and looking at the "min keysize" and "max keysize" fields.) We can now use standard tools to create the actual filing system on /dev/mapper/opaque: $mke2fs /dev/mapper/opaque (It may be advisable, after the filesystem is first mounted, to check that the permissions of the top-level directory created by mke2fs are appropriate for your needs.) After executing $cryptmount --release opaque $mkdir /home/crypt the encrypted filing system is ready for use. Ordinary users can mount it by typing $cryptmount -m opaque or cryptmount opaque and unmount it using $cryptmount -u opaque
Any thoughts on this command? Does it work on your machine? Can you do the same thing with only 14 characters?
You must be signed in to comment.
commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.
Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.
» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10
Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):
Subscribe to the feed for: