Differences

This shows you the differences between two versions of the page.

--- doc:appunti:linux:sa:cryptfs [2012/05/18 22:48] – [Cryptoloop] niccolo
+++ doc:appunti:linux:sa:cryptfs [2020/01/29 10:48] (current) – [enc-fs] niccolo
@@ Line 15: / Line 15: @@
 ==== Cryptoloop ====
-:!: WARNING: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device.
+:!: **WARNING**: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device.
 Cryptoloops is also vulnerable to known plaintext attacks and watermark attacks.
@@ Line 56: / Line 56: @@
 modprobe dm-crypt
 modprobe twofish
-cryptsetup isLuks /dev/md4
+cryptsetup isLuks /dev/md4; echo $?
 cryptsetup --cipher twofish-cbc-essiv:sha256 --key-size 256 luksFormat /dev/md4
 cryptsetup luksDump /dev/md4
@@ Line 83: / Line 83: @@
 max keysize  : 32
 </code>
+[[wp>Twofish]] was developed by indipendent cryptographers, leaded by [[wp>Bruce Schneier]]. [[wp>Advanced_Encryption_Standard|AES]] is instead approved by the U.S. [[wp>National Security Agency]] (NSA).
 The ecnryption key will be 256 bits long (how it is generated?). The key will be hashed with a passphrase typed by the user and stored in a LUKS keyslot contained in ''/dev/md4''.
@@ Line 89: / Line 91: @@
 <code>
-cryptsetup luksOpen /dev/md4 mycryptdev
+cryptsetup luksOpen /dev/md4 dm0
 ls -l /dev/mapper/
-mkfs.ext3 -m0 /dev/mapper/mycryptdev
+mkfs.ext3 -m0 /dev/mapper/dm0
-mount /dev/mapper/mycryptdev /mnt
+mount /dev/mapper/dm0 /mnt
 </code>
@@ Line 98: / Line 100: @@
 <code>
-cryptsetup status mycryptdev
+cryptsetup status dm0
-cryptsetup remove mycryptdev
+cryptsetup remove dm0
-cryptsetup luksClose mycryptdev; # Same as above!
+cryptsetup luksClose dm0; # Same as above!
 </code>
@@ Line 106: / Line 108: @@
 <file>
-mycryptdev  /dev/md4  none  luks,tries=1,timeout=10
+dm0  /dev/md4  none  luks,tries=1,timeout=10
 </file>
 The passphrase will be asked only once with a 10 seconds timeout.
-If you want to start automatically the crypto device without prompting for the passphrase you have to:
+**WARNING**! See bug [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495509|495509]]. The **''timeout''** paramter does not work, use instead **''noauto''** and start the crypt disk manually with **''/etc/init.d/cryptdisks force-start''**. Beware to set ''noauto'' also into the fstab options for that device.
+If you want to start automatically the crypto device at boot without prompting for the passphrase you have to:
   - Generate a random key with the required size (32 bytes * 8 = 256 bits)
@@ Line 160: / Line 164: @@
 </code>
-Per montare nuovamente la directory si usa lo stesso comando **''encfs''** utilizzato per inizializzare la directory.
+Per **montare nuovamente** il filesystem cifrato (la directory) si usa lo stesso comando **''encfs''** utilizzato per inizializzarlo; viene ovviamente chiesta la password di cifratura. Per il montaggio è indispensabile conservare il file **.encfs6.xml** che è stato creato nella directory radice.
+È possibile **eliminare file e/o directory** nel filesystem cifrato: ogni oggetto compare con un **nome cifrato**. Non è possibile invece spostare una directory: per **decodificare correttamente** il contenuto è **necessario mantenere il percorso originale completo**.
+È possibile **modificare la password**; si tratta in realtà della **password che protegge la chiave di cifratura** vera e propria, pertanto non sarà necessario cifrare nuovamente tutto il contenuto. Si usa il comando:
+<code>
+encfsctl passwd ~/encfs/.crypt
+</code>
 ==== Reverse enc-fs ====
@@ Line 167: / Line 178: @@
 <code>
-cat secret.txt | encfs --reverse --stdinpass /home /home-crypt
+cat secret.txt | encfs --standard --reverse --stdinpass /home /home-crypt
 </code>
+L'opzione **%%--standard%%** serve a disabilitare la richiesta dei parametri quando si esegue il montaggio encfs per la prima volta. In tale circostanza infatti vengono chiesti via //stdin// alcuni parametri che "consumerebbero" una parte della password fornita appunto via //stdin//. I parametri di encfs vengono salvati nella directory radice in un file di nome **.encfs6.xml**.
 Per smontare la directory cifrata si utilizza:
@@ Line 273: / Line 286: @@
 </code>
+===== Manual start of encrypted disk =====
+If an encrypted disk **requires a password to be typed interactively**, it is obviously not possible to start it automatically at boot time. In old Debian releases there was the **timeout** parameter to be added into **/etc/crypttab**. Using that parameter, the starting of a LUKS volume is skipped at boot time and can be executed later using **/etc/init.d/cryptdisks start**.
+Starting with **Debian 5 Lenny** the //timeout// parameter was not longer available (see [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495509|bug #495509]]). The **noauto** parameter is instead required in **/etc/crypttab** and eventually in **/etc/fstab**.
+Starting with **Debian 6 Squeeze** the **noauto** parameter is still required. Once the system is running you can execute the command **/etc/init.d/cryptdisks force-start** to start the encrypted disk, asking for the password.
+Starting with **Debian 9 Stretch** the **noauto** parameter is used as usual, but //sysvinit// init system was superceeded by **systemd**, so the script ''/etc/init.d/cryptdisks'' is no longer used. To start the encrypted disk interactively you should use the script **cryptdisks_start** instead, e.g.:
+<code>
+cryptdisks_start dm0
+</code>