
UbuntuHelp:EncryptedFilesystemsOnRemovableStorageOnHardy

From Ubuntu中文

Encrypted filesystem for removable storage devices

Note: please refer to EncryptedFilesystems for further documentation.

Introduction

Encrypting removable devices (USB flash drives, external hard drives, etc.) protects the confidentiality of the stored data in the event of loss, theft or confiscation; it does not help if the device is taken while it is unlocked and mounted, and it does not by itself detect tampering. When backing up personal information onto external storage, encrypting the filesystem first is the recommended preparation. Recent versions of Gnome support encrypted filesystems on removable storage: when the device is automounted, the user is prompted for the passphrase.

Hardy Heron 8.04 Steps

The following steps are destructive and will erase the existing data on the removable storage. Back up existing files on the removable storage before proceeding, if necessary. The steps are based on using an external SATA hard drive connected via USB 2.0. Using these steps will create a LUKS-encrypted filesystem. The LUKS container can be opened both in Linux and in Windows (using FreeOTFE); note that Windows still needs a driver for the filesystem inside the container, so the ext3 filesystem created below will not be readable on Windows without one.

Install cryptsetup

The cryptsetup package needs to be installed in order to encrypt filesystems:

sudo apt-get install cryptsetup

Identifying Attached Storage

After attaching (and, if applicable, powering on) the storage, tail the output of dmesg to identify the device name:

dmesg | tail -20

[33884.688746] usb 4-1: new high speed USB device using ehci_hcd and address 9
[33884.764079] usb 4-1: configuration #1 chosen from 1 choice
[33884.764868] scsi8 : SCSI emulation for USB Mass Storage devices
[33884.765316] usb-storage: device found at 9
[33884.765321] usb-storage: waiting for device to settle before scanning
[33888.042416] usb-storage: device scan complete
[33888.043707] scsi 8:0:0:0: Direct-Access     HDS72505 0KLA360          AF0D PQ: 0 ANSI: 2 CCS
[33888.047550] sd 8:0:0:0: [sdb] 976773168 512-byte hardware sectors (500108 MB)
[33888.048292] sd 8:0:0:0: [sdb] Write Protect is off
[33888.048300] sd 8:0:0:0: [sdb] Mode Sense: 00 38 00 00
[33888.048305] sd 8:0:0:0: [sdb] Assuming drive cache: write through
[33888.049648] sd 8:0:0:0: [sdb] 976773168 512-byte hardware sectors (500108 MB)
[33888.050421] sd 8:0:0:0: [sdb] Write Protect is off
[33888.050428] sd 8:0:0:0: [sdb] Mode Sense: 00 38 00 00
[33888.050432] sd 8:0:0:0: [sdb] Assuming drive cache: write through
[33888.050438]  sdb: unknown partition table
[33888.066470] sd 8:0:0:0: [sdb] Attached SCSI disk
[33888.066545] sd 8:0:0:0: Attached scsi generic sg2 type 0

From the output above, it is apparent that the device has been added to the system as /dev/sdb. All future commands will refer to /dev/sdb as the device with the encrypted filesystem.

Stronger Encryption Preparation (optional)

Carrying out one of the following one-line commands will take a considerable time to complete. The commands are ordered from shortest to longest running time, and from weakest to strongest in what they hide:

sudo dd if=/dev/zero of=/dev/sdb bs=4K
OR
sudo badblocks -c 10240 -s -w -t random -v /dev/sdb
OR
sudo dd if=/dev/urandom of=/dev/sdb bs=4K
  • Command 1: Writes zeroes onto every block of the hard disk. This destroys the old contents, but because encrypted data does not look like zeroes, an attacker can still see how much of the volume has been written to.
  • Command 2: Performs a badblocks scan of the hard disk to detect an early failure whilst overwriting the whole drive with random data at the same time.
  • Command 3: Most thorough method, but /dev/urandom is slow on kernels of this era and the command has been noted to take at least two continuous days on a 500 GB disk. dd will report "No space left on device" when it reaches the end of the disk; that is expected. An equivalent and much faster alternative is to fill the unlocked mapping (/dev/mapper/securebackup, created below) with zeroes after luksFormat and luksOpen: what lands on the disk is then AES ciphertext, which is indistinguishable from random data, and the copy runs at AES speed rather than /dev/urandom speed.

Filesystem Preparation

The disk will need to be partitioned prior to running the cryptsetup commands. In the example setup, one partition is created that spans the entire disk:

sudo fdisk /dev/sdb
  • Example steps to come

The steps above created the /dev/sdb1 partition that will be referred to in the next steps.

Filesystem Encryption

The "key" used for encrypting in this guide is a passphrase. Other guides specify using generated key files or smartcards. The passphrase does not itself become the encryption key: LUKS generates a random master key for the data and uses a key derived from the passphrase (PBKDF2 with the hash selected by -h below) to unlock it. A weak passphrase is therefore the weakest link in the setup; treat 12 characters as a minimum and prefer a longer passphrase that is not predictable from dictionary words or personal details. The dm-crypt, sha256 and aes kernel modules will need to be loaded prior to encrypting the partition:

sudo modprobe dm-crypt
sudo modprobe sha256
sudo modprobe aes

If the following error messages appear when loading sha256 and aes:

sudo modprobe sha256
WARNING: Error inserting padlock_sha (/lib/modules/2.6.24-21-generic/kernel/drivers/crypto/padlock-sha.ko): No such device

sudo modprobe aes
WARNING: Error inserting padlock_aes (/lib/modules/2.6.24-21-generic/kernel/drivers/crypto/padlock-aes.ko): No such device

it is an indication that the system does not have a VIA PadLock hardware cryptographic device and modprobe tried the PadLock drivers first (source: Ubuntu Bug #206129). The workaround is to add the following lines (using your favourite editor) to the bottom of /etc/modprobe.d/aliases and re-run the modprobe commands for the sha256 and aes kernel modules:

alias sha256 sha256_generic
alias aes aes_generic

When utilising Gnome to mount the encrypted filesystems, it is not required to manually load the kernel modules. Run the following command to encrypt the /dev/sdb1 partition:

sudo cryptsetup --verify-passphrase -c aes-cbc-essiv:sha256 -s 256 -h sha256 luksFormat /dev/sdb1

The LUKS-formatting command above has the following options:

  • --verify-passphrase - asks for the passphrase twice, so that a mistyped passphrase cannot be set
  • -c aes-cbc-essiv:sha256 -s 256 - uses AES with a 256-bit key in CBC mode with ESSIV. This is the LUKS default on Hardy when -c is omitted, and it is spelled out here because a bare "-c aes" is expanded by dm-crypt to aes-cbc-plain, a weaker mode whose predictable IVs allow watermarking attacks
  • -h sha256 - uses SHA-256 as the hash in the PBKDF2 derivation of the unlocking key from the passphrase

Creating a Filesystem

The encrypted partition will now need to be unlocked and mapped to /dev/mapper/securebackup using the following command:

sudo cryptsetup luksOpen /dev/sdb1 securebackup

securebackup can be changed to suit, however for this example the device /dev/mapper/securebackup will be referred to as the encrypted partition. The encrypted partition is now available to be formatted with a filesystem - in this example, ext3 as follows:

sudo mkfs -t ext3 -m 1 -O dir_index,filetype,sparse_super /dev/mapper/securebackup

The mkfs options above are as follows:

  • -t ext3 - create an ext3 filesystem
  • -m 1 - reduce the reserved super-user space down from the default of 5% to 1% of the total size - useful for large filesystems
  • -O dir_index - speed-up lookups in large directories
  • -O filetype - store filetype info in directories
  • -O sparse_super - create fewer superblock backup copies - useful for large filesystems

Mount Encrypted Filesystem

The easiest way to mount the encrypted filesystem is to disconnect the device and reconnect it. Gnome will automount the device and recognise it as an encrypted filesystem by prompting the user for the passphrase. Before unplugging the device again, unmount the filesystem and close the mapping (sudo umount /dev/mapper/securebackup, then sudo cryptsetup luksClose securebackup); pulling the cable while the volume is open risks filesystem damage and leaves the key in kernel memory until the mapping is removed.
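The whole procedure above (identify the disk, partition it, luksFormat, luksOpen, create the filesystem, mount and close), collected into one script with the safety checks a practitioner would want before the destructive step. This is an added example and not code from the original page or from Ubuntu; it assumes cryptsetup, sfdisk, blockdev and mkfs.ext3 are installed, that it runs as root, that the sfdisk input ",,83" creates one Linux partition spanning the disk, and that cryptsetup reads the passphrase interactively. The function names, the sample dmesg text and the mount point are the example's own; the mapper name securebackup is the page's.

```shell
#!/bin/sh
# Added example, not part of the original page: the Hardy procedure as a script.
# Assumptions (not stated on the page): cryptsetup, sfdisk, blockdev and
# mkfs.ext3 are installed and the script runs as root.
set -eu

# Constructed sample: three of the dmesg lines quoted on the page.
SAMPLE_DMESG='[33888.047550] sd 8:0:0:0: [sdb] 976773168 512-byte hardware sectors (500108 MB)
[33888.050438]  sdb: unknown partition table
[33888.066470] sd 8:0:0:0: [sdb] Attached SCSI disk'

# Print the kernel name (e.g. sdb) of the last SCSI disk attached according to
# dmesg-style text on stdin; prints nothing if no disk was attached.
disk_from_dmesg() {
    sed -n 's/.*\[\(sd[a-z][a-z]*\)\] Attached SCSI disk.*/\1/p' | tail -n 1
}

# Succeed only if neither the disk ($1, e.g. /dev/sdb) nor any of its
# partitions appears in the /proc/mounts-style text on stdin. This is the
# check that stops a mistyped /dev/sda from wiping the running system.
not_mounted() {
    ! grep -q "^$1[0-9]* "
}

# Destructive: erases everything on $1. $2 is the mapper name (default
# securebackup, as on the page).
encrypt_disk() {
    disk=$1
    name=${2:-securebackup}
    part=${disk}1

    [ -b "$disk" ] || { echo "$disk is not a block device" >&2; return 1; }
    not_mounted "$disk" < /proc/mounts || { echo "$disk is in use; refusing" >&2; return 1; }

    # One Linux partition spanning the whole disk (the fdisk step on the page,
    # done non-interactively with sfdisk), then re-read the partition table.
    printf ',,83\n' | sfdisk "$disk"
    blockdev --rereadpt "$disk"

    # aes-cbc-essiv:sha256 is Hardy's LUKS default; it is spelled out because a
    # bare "-c aes" would select the weaker aes-cbc-plain mode.
    cryptsetup --verify-passphrase -c aes-cbc-essiv:sha256 -s 256 -h sha256 luksFormat "$part"
    cryptsetup luksOpen "$part" "$name"

    # Fill the unlocked mapping with zeroes: the disk ends up holding ciphertext
    # indistinguishable from random data, at AES speed instead of /dev/urandom
    # speed. dd's "No space left on device" at the end is expected.
    dd if=/dev/zero of="/dev/mapper/$name" bs=4k 2>/dev/null || true

    # The page's filesystem: ext3 with 1% reserved blocks and the listed features.
    mkfs -t ext3 -m 1 -O dir_index,filetype,sparse_super "/dev/mapper/$name"

    # Close the mapping; reconnecting the disk lets Gnome prompt for the
    # passphrase, or use mount_encrypted below on a system without automount.
    cryptsetup luksClose "$name"
}

# Manual mount: mount_encrypted /dev/sdb1 securebackup /mnt/backup
mount_encrypted() {
    cryptsetup luksOpen "$1" "$2"
    mkdir -p "$3"
    mount "/dev/mapper/$2" "$3"
}

# Manual unmount, to be run before unplugging: unmount_encrypted securebackup /mnt/backup
unmount_encrypted() {
    umount "$2"
    cryptsetup luksClose "$1"
}

# Without an argument the script only reports the disk the sample dmesg text
# names; the destructive steps run only when a device path is given explicitly.
if [ $# -ge 1 ]; then
    encrypt_disk "$1"
else
    echo "Disk named by the sample dmesg lines: /dev/$(printf '%s\n' "$SAMPLE_DMESG" | disk_from_dmesg)"
fi
```

Run it as root with the disk path taken from dmesg, for example ./encrypt_removable.sh /dev/sdb; the mounted-device check reads the live /proc/mounts, so it refuses any disk that currently backs a mounted filesystem.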
