Create & mount 'encrypted filesystem' on a partition or file

cryptmount -m <name>
In order to create a new encrypted filing system managed by cryptmount, you can use the supplied 'cryptmount-setup' program, which can be used by the superuser to interactively configure a basic setup. Alternatively, suppose that we wish to setup a new encrypted filing system, that will have a target-name of "opaque". If we have a free disk partition available, say /dev/hdb63, then we can use this directly to store the encrypted filing system. Alternatively, if we want to store the encrypted filing system within an ordinary file, we need to create space using a recipe such as:

    dd if=/dev/zero of=/home/opaque.fs bs=1M count=512
    cryptmount --generate-key 32 opaque
    cryptmount --prepare opaque
    mke2fs /dev/mapper/opaque
    cryptmount --release opaque
    mkdir /home/crypt
    cryptmount -m opaque
    cryptmount -u opaque

For detail see sample output
Sample Output
In order to create a new encrypted filing system managed by cryptmount,
       you can use the supplied 'cryptmount-setup' program, which can be  used
       by the superuser to interactively configure a basic setup.

       Alternatively,  suppose  that  we  wish to setup a new encrypted filing
       system, that will have a target-name of "opaque".  If we  have  a  free
       disk partition available, say /dev/hdb63, then we can use this directly
       to store the encrypted filing system.  Alternatively,  if  we  want  to
       store  the  encrypted filing system within an ordinary file, we need to
       create space using a recipe such as:

$ dd if=/dev/zero of=/home/opaque.fs bs=1M count=512

       and then replace all occurrences of '/dev/hdb63' in the  following  with
       '/home/opaque.fs'.   (/dev/urandom  can  be used in place of /dev/zero,
       debatably for extra security, but is rather slower.)

       First,  we  need  to  add  an  entry  in  /etc/cryptmount/cmtab,  which
       describes  the  encryption  that will be used to protect the filesystem
       itself and the access key, as follows:

           opaque {
               dev=/dev/hdb63 dir=/home/crypt
               fstype=ext2 mountoptions=defaults cipher=twofish
               keyfile=/etc/cryptmount/opaque.key
               keyformat=builtin
           }

       Here, we will be using the "twofish" algorithm to  encrypt  the  filing
       system  itself, with the built-in key-manager being used to protect the
       decryption key (to be stored in /etc/cryptmount/opaque.key).

       In  order  to  generate  a  secret  decryption  key   (in
       /etc/cryptmount/opaque.key)  that  will  be  used  to  encrypt  the filing system
       itself, we can execute, as root:

$ cryptmount --generate-key 32 opaque

       This will generate a 32-byte (256-bit) key, which is known to  be
       supported  by the Twofish cipher algorithm, and store it in encrypted form
       after asking the system administrator for a password.

       If we now execute, as root:

$ cryptmount --prepare opaque

       we will then be asked for the password that we  used  when  setting  up
       /etc/cryptmount/opaque.key,  which  will  enable  cryptmount to setup a
       device-mapper target (/dev/mapper/opaque).  (If you  receive  an  error
       message  of the form device-mapper ioctl cmd 9 failed: Invalid argument
       , this may mean that you have chosen a key-size that isn't supported by
       your chosen cipher algorithm.  You can get some information about
       suitable key-sizes by checking the output  from  "more  /proc/crypto",  and
       looking at the "min keysize" and "max keysize" fields.)

       We  can  now  use  standard tools to create the actual filing system on
       /dev/mapper/opaque:

$ mke2fs /dev/mapper/opaque

       (It may be advisable, after the filesystem is first mounted,  to  check
       that  the  permissions of the top-level directory created by mke2fs are
       appropriate for your needs.)

       After executing

$ cryptmount --release opaque
$ mkdir /home/crypt

       the encrypted filing system is ready for use.  Ordinary users can mount
       it by typing

$ cryptmount -m opaque

       or

           cryptmount opaque

       and unmount it using

$ cryptmount -u opaque

-2
By: totti
2012-01-17 18:02:47
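
The walkthrough above suggests checking the "min keysize" and "max keysize" fields in /proc/crypto when --prepare fails with an ioctl error. That check as a script, added here as an illustration and not part of the original post or of cryptmount: keysize_supported and sample_crypto_table are hypothetical names, the table is constructed sample data, and the cipher name is assumed to match the "name" field in /proc/crypto.

```shell
# Added example: pre-check a key size (in bytes) before "cryptmount --generate-key".

# keysize_supported CIPHER BYTES [TABLE]
#   TABLE defaults to /proc/crypto; "-" reads the table from stdin.
#   returns 0 = BYTES lies within a min/max range listed for CIPHER
#           1 = CIPHER has keysize entries, but BYTES is outside all of them
#           2 = no keysize entry for CIPHER (module may not be loaded yet)
keysize_supported() {
    awk -F' *: *' -v want="$1" -v n="$2" '
        $1 == "name"        { cur = $2; min = "" }
        $1 == "min keysize" { min = $2 }
        $1 == "max keysize" && cur == want && min != "" {
            seen = 1
            if (n + 0 >= min + 0 && n + 0 <= $2 + 0) ok = 1
        }
        END { exit (ok ? 0 : (seen ? 1 : 2)) }
    ' "${3:-/proc/crypto}"
}

# Constructed sample in /proc/crypto layout (not captured from a real host).
sample_crypto_table() {
    cat <<'EOF'
name         : twofish
driver       : twofish-generic
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : sha256
driver       : sha256-generic
type         : shash
blocksize    : 64
digestsize   : 32
EOF
}

# Demo: 32 bytes is the size the walkthrough passes to --generate-key.
for bytes in 32 64; do
    if sample_crypto_table | keysize_supported twofish "$bytes" -; then
        echo "twofish: $bytes-byte key accepted"
    else
        echo "twofish: $bytes-byte key rejected (status $?)"
    fi
done
```

On a real host, omit the third argument so the function reads /proc/crypto directly; status 2 usually means the cipher module has not been loaded yet.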

These Might Interest You

  • Suppose you made a backup of your hard disk with dd: dd if=/dev/sda of=/mnt/disk/backup.img This command enables you to mount a partition from inside this image, so you can access your files directly. Substitute PARTITION=1 with the number of the partition you want to mount (returned from sfdisk -d yourfile.img).


    6
    INFILE=/path/to/your/backup.img; MOUNTPT=/mnt/foo; PARTITION=1; mount "$INFILE" "$MOUNTPT" -o loop,offset=$[ `/sbin/sfdisk -d "$INFILE" | grep "start=" | head -n $PARTITION | tail -n1 | sed 's/.*start=[ ]*//' | sed 's/,.*//'` * 512 ]
    Alanceil · 2009-03-06 21:29:13 3
  • This does not require you to know the partition offset, kpartx will find all partitions in the image and create loopback devices for them automatically. This works for all types of images (dd of hard drives, img, etc) not just vmdk. You can also activate LVM volumes in the image by running vgchange -a y and then you can mount the LV inside the image. To unmount the image, umount the partition/LV, deactivate the VG for the image vgchange -a n <volume_group> then run kpartx -dv <image-flat.vmdk> to remove the partition mappings.


    11
    kpartx -av <image-flat.vmdk>; mount /dev/mapper/loop0p1 /mnt/vmdk
    rldleblanc · 2014-09-25 23:05:09 0
  • This is just a proof of concept: A FILE WHICH CAN AUTOMOUNT ITSELF through a SIMPLY ENCODED script. It takes advantage of the OFFSET option of mount, and uses it as a password (see that 9191? just change it to something similar, around 9k). It works fine, mounts, gets modified, updated, and can be moved by just copying it. USAGE: SEE SAMPLE OUTPUT The file is composed of three parts: a) The legible script (about 242 bytes) b) A random text fill to reach the OFFSET size (equals PASSWORD minus 242) c) The actual filesystem Logically, (a)+(b) = PASSWORD, that means OFFSET, and mount uses that option. PLEASE NOTE: THIS IS NOT AN ENCRYPTED FILESYSTEM. To improve it, it can be mounted with a better encryption script and used with encfs or cryptfs. The idea was just to test the concept... with one line :) It applies the original idea of http://www.commandlinefu.com/commands/view/7382/command-for-john-cons for encrypting the file. The embedded bash script can be grown, of course, and the offset recalculation goes fine. I have my own version with bash --init-file to startup a bashrc with a well-defined environment, aliases, variables.


    6
    dd if=/dev/zero of=T bs=1024 count=10240;mkfs.ext3 -q T;E=$(echo 'read O;mount -o loop,offset=$O F /mnt;'|base64|tr -d '\n');echo "E=\$(echo $E|base64 -d);eval \$E;exit;">F;cat <(dd if=/dev/zero bs=$(echo 9191-$(stat -c%s F)|bc) count=1) <(cat T;rm T)>>F
    rodolfoap · 2013-01-31 01:38:30 5
  • Assuming we have a disk image, created by dd if=/dev/sda of=image.dd we can check the image's partition layout with fdisk -ul image.dd, then substitute "x" with starting sector of the partition we want to mount. This example assumes that the disk uses 512Byte sectors


    0
    mount -o loop,offset=$((512*x)) /path/to/dd/image /mount/path
    0disse0 · 2011-06-14 19:30:54 0

What Others Think

Useful tool no doubt, but is there a need to post the entire EXAMPLE USAGE section from the man page?
zlemini · 335 weeks and 2 days ago
Sorry
totti · 335 weeks and 1 day ago
