UbuntuHelp:EncryptedFilesystemsOnRemovableStorage

Encrypted filesystem for removable storage devices

Please refer to EncryptedFilesystems for further documentation.

Introduction

Encrypting removable devices (USB flash drives, external hard drives, etc.) protects the data on them in the event of loss, theft or confiscation. When backing up personal information onto external storage, encrypting the filesystem first is recommended. Recent versions of Gnome support encrypted filesystems on removable storage by prompting the user for the passphrase when the device is automounted.

Hardy Heron 8.04 Steps

The following steps are destructive and will erase the existing data on the removable storage. Back up any files on the removable storage before proceeding, if necessary. The steps are based on an external SATA hard drive connected via USB2. Following them creates a LUKS-encrypted filesystem. LUKS-encrypted filesystems can be read both in Linux and in Windows (using FreeOTFE).

Install cryptsetup

The cryptsetup package needs to be installed in order to encrypt filesystems:

sudo apt-get install cryptsetup

Identifying Attached Storage

After attaching (and, if applicable, powering on) the storage, tail the output of dmesg to identify the device name:

dmesg | tail -20

[33884.688746] usb 4-1: new high speed USB device using ehci_hcd and address 9
[33884.764079] usb 4-1: configuration #1 chosen from 1 choice
[33884.764868] scsi8 : SCSI emulation for USB Mass Storage devices
[33884.765316] usb-storage: device found at 9
[33884.765321] usb-storage: waiting for device to settle before scanning
[33888.042416] usb-storage: device scan complete
[33888.043707] scsi 8:0:0:0: Direct-Access     HDS72505 0KLA360          AF0D PQ: 0 ANSI: 2 CCS
[33888.047550] sd 8:0:0:0: [sdb] 976773168 512-byte hardware sectors (500108 MB)
[33888.048292] sd 8:0:0:0: [sdb] Write Protect is off
[33888.048300] sd 8:0:0:0: [sdb] Mode Sense: 00 38 00 00
[33888.048305] sd 8:0:0:0: [sdb] Assuming drive cache: write through
[33888.049648] sd 8:0:0:0: [sdb] 976773168 512-byte hardware sectors (500108 MB)
[33888.050421] sd 8:0:0:0: [sdb] Write Protect is off
[33888.050428] sd 8:0:0:0: [sdb] Mode Sense: 00 38 00 00
[33888.050432] sd 8:0:0:0: [sdb] Assuming drive cache: write through
[33888.050438]  sdb: unknown partition table
[33888.066470] sd 8:0:0:0: [sdb] Attached SCSI disk
[33888.066545] sd 8:0:0:0: Attached scsi generic sg2 type 0

From the output above, it is apparent that the device has been added to the system as /dev/sdb. All future commands will refer to /dev/sdb as the device with the encrypted filesystem.

Stronger Encryption Preparation (optional)

Overwriting the entire device before encrypting it removes any previous plaintext and makes it harder for someone inspecting the disk to tell where the encrypted data is. Each of the following one-line commands takes a considerable time to complete; they are ordered from shortest to longest running time (and from weakest to strongest):

sudo dd if=/dev/zero of=/dev/sdb bs=4K
OR
sudo badblocks -c 10240 -s -w -t random -v /dev/sdb
OR
sudo dd if=/dev/urandom of=/dev/sdb bs=4K
  • Command 1: Write zeroes onto every block on the hard disk
  • Command 2: Performs a badblocks scan on the hard disk to detect an early failure while overwriting the hard drive with random data at the same time
      • used this command in the example - it provides the best visibility of the progress of the data writing and also scans the device for potential errors
      • on the 500GB disk, this command took 9.5 hours to complete
  • Command 3: Most secure method - noted to take at least two continuous days to complete

Filesystem Preparation

The device will need to be partitioned prior to running the cryptsetup commands. In the example setup, one partition is created that spans the entire disk (the first fdisk run below only writes a new, empty partition table; the second creates the partition):

sudo fdisk /dev/sdb

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xcd5bdf9b.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.


The number of cylinders for this disk is set to 60801.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

sudo fdisk /dev/sdb

The number of cylinders for this disk is set to 60801.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-60801, default 1): 
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-60801, default 60801): 
Using default value 60801

Command (m for help): p

Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xcd5bdf9b

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1       60801   488384001   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

The steps above created the /dev/sdb1 partition which will be referred to in the remaining steps of this guide.

Filesystem Encryption

The "key" used for encrypting in this guide is a passphrase. Other guides describe using generated key files or smartcards. Selecting a long (over 12 characters) passphrase helps ensure the strength of the encryption, since the passphrase is what an attacker with the device would have to guess. The dm-crypt, sha256 and aes kernel modules will need to be loaded prior to encrypting the partition:

sudo modprobe dm-crypt
sudo modprobe sha256
sudo modprobe aes

If the following error messages appear when loading sha256 and aes:

sudo modprobe sha256
WARNING: Error inserting padlock_sha (/lib/modules/2.6.24-21-generic/kernel/drivers/crypto/padlock-sha.ko): No such device

sudo modprobe aes
WARNING: Error inserting padlock_aes (/lib/modules/2.6.24-21-generic/kernel/drivers/crypto/padlock-aes.ko): No such device

it is an indication that the system does not have a hardware cryptographic device (source: Ubuntu Bug #206129). The workaround is to add the following lines (using your favourite editor) to the bottom of /etc/modprobe.d/aliases and re-run the modprobe commands for the sha256 and aes kernel modules:

alias sha256 sha256_generic
alias aes aes_generic

When utilising Gnome to mount the encrypted filesystems, it is not required to manually load the kernel modules. Run the following command to encrypt the /dev/sdb1 partition:

sudo cryptsetup --verify-passphrase luksFormat /dev/sdb1 -c aes -s 256 -h sha256

The LUKS-formatting command above has the following options:

  • --verify-passphrase - asks for the passphrase twice so that a mistyped passphrase is not used
  • -c aes -s 256 - uses AES with a 256-bit key for the data encryption
  • -h sha256 - uses SHA-256 as the hash when deriving the key from the passphrase

Creating a Filesystem

The encrypted partition will now need to be unlocked and mapped to /dev/mapper/securebackup using the following command:

sudo cryptsetup luksOpen /dev/sdb1 securebackup

securebackup can be changed to suit, however for this example the device /dev/mapper/securebackup will be referred to as the encrypted partition. The encrypted partition is now available to be formatted with a filesystem - in this example, ext3 as follows:

sudo mkfs -t ext3 -m 1 -O dir_index,filetype,sparse_super /dev/mapper/securebackup

The mkfs options above are as follows:

  • -t ext3 - create an ext3 filesystem
  • -m 1 - reduce the reserved super-user space down from the default of 5% to 1% of the total size - useful for large filesystems
  • -O dir_index - speed-up lookups in large directories
  • -O filetype - store filetype info in directories
  • -O sparse_super - create fewer superblock backup copies - useful for large filesystems

Mount Encrypted Filesystem

The easiest way to mount the encrypted filesystem is to disconnect the device and reconnect it. Gnome will automount the device and recognise it as an encrypted filesystem by prompting the user for the passphrase. The first time the encrypted filesystem is mounted, the ownership of the root folder of the device will need to be changed to the current user as follows:

sudo chown naaman:naaman /media/disk
  • where the first naaman is the username and the second naaman is the group name
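The whole procedure above (partition, luksFormat, luksOpen, mkfs) as one script with guard rails, added here as an example and not part of the original wiki page. It assumes a POSIX shell with GNU sed/grep, util-linux fdisk, udevadm and cryptsetup; the device and mapping name are arguments, and the helpers that pick the disk out of dmesg and check the mounts table can be exercised on sample input without touching any disk.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: the page's procedure
# (partition, luksFormat, luksOpen, mkfs) wrapped in guard rails so it
# cannot be pointed at a mounted disk by mistake. Assumes GNU sed/grep,
# util-linux fdisk, udevadm and cryptsetup; device and name are arguments.
set -u

# Pick the kernel disk name (e.g. "sdb") out of dmesg-style lines on stdin.
# The last "[sdX] Attached SCSI disk" line wins, i.e. the newest device.
disk_from_dmesg() {
    sed -n 's/.*\[\(sd[a-z]*\)\] Attached SCSI disk.*/\1/p' | tail -n 1
}

# True when $1 (e.g. /dev/sdb) or any of its partitions appears in a
# mounts table. $2 defaults to /proc/mounts; a file can be passed for tests.
device_is_mounted() {
    grep -E -q "^$1(p?[0-9]+)? " "${2:-/proc/mounts}"
}

# Destructive: erases $1 and builds a LUKS volume with an ext3 filesystem,
# using the same cryptsetup and mkfs options as the page.
encrypt_removable() {
    dev="$1"; name="${2:-securebackup}"
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if device_is_mounted "$dev"; then
        echo "refusing: $dev (or a partition of it) is mounted" >&2; return 1
    fi
    printf 'About to ERASE %s. Type the device name to continue: ' "$dev"
    read -r answer; [ "$answer" = "$dev" ] || return 1

    modprobe dm-crypt
    # One primary partition spanning the disk: the same answers the page
    # gives fdisk interactively (n, p, 1, default start, default end, w).
    printf 'n\np\n1\n\n\nw\n' | fdisk "$dev" >/dev/null
    udevadm settle            # wait for the new partition node to appear
    part="${dev}1"
    cryptsetup --verify-passphrase luksFormat "$part" -c aes -s 256 -h sha256
    cryptsetup luksOpen "$part" "$name"
    mkfs -t ext3 -m 1 -O dir_index,filetype,sparse_super "/dev/mapper/$name"
    # Close the mapping so the device can be unplugged and re-attached,
    # at which point Gnome asks for the passphrase and mounts it.
    cryptsetup luksClose "$name"
}
# Usage (as root): encrypt_removable /dev/sdb securebackup
```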
