Encrypted File System

From Koset Surakomol


One of the very best ways to protect your information and privacy is to encrypt it. Guess what? Since this is Linux, there's nothing to buy. Under most distros, everything you need is already included.

Fedora

UPDATE: Fedora Linux FC10 now has an installation option to encrypt the volumes with a password. It couldn't be easier!

I'm investigating other means of authentication too.

Apple makes it easy

Apple OS X has a feature called FileVault which encrypts a user's entire account.

To turn it on, open System Preferences / Security / FileVault and click Turn on FileVault.

That's it! Now if anyone steals your laptop or desktop Mac, they won't be able to get to your data.

If you're using the Time Machine facility in OS X (and I recommend that you do), note these caveats:

  1. It can only back up your files when you log off
  2. You can only restore your whole account, not single files at a time
  3. FileVault requires that you log off to recover space used by deleted (modified) files

So, just make sure you log off at least once a week. Rebooting has the same effect.

Windows

Windows has no native facility for encryption. I suggest PGP Whole Disk Encryption or TrueCrypt.

No muss for Linux

Knoppix has a built-in way to keep your user space in an encrypted file. No programming required.

Swap

In /etc/fstab:

    /dev/hda4 swap swap encrypted 0 0

Home brew

If you don't opt to use Knoppix, here's how to build your own. I distilled the instructions from this freshmeat article.

Load the kernel modules. Note, you can put these commands in /etc/rc.local (or modify /etc/modules.conf appropriately).

    modprobe loop
    modprobe cryptoloop
    modprobe aes

Create the file. Note that the size is in 512-byte blocks, so this will make a 50MB file. Leave off the count and it will use the whole partition. If you're making a huge file system, you might drop to single user mode (init 2) and kill all unnecessary processes. This helps ensure that the file has as few fragments as possible.

    dd if=/dev/urandom of=disk-aes count=102400

Make the loop device using AES encryption, which is just about the best you can have.

    losetup -e aes /dev/loop1 ./disk-aes

Make the file system. Hey, it acts just like a real disk!

    mkfs -t ext2 /dev/loop1
    tune2fs -j /dev/loop1

Mount it. You'll need to be root.

    # detach the loop device used for mkfs; mount -o loop attaches its own
    losetup -d /dev/loop1
    mkdir /fs
    mount -o loop,encryption=aes,acl ./disk-aes /fs
    ls /fs

And you're done. You can now read and write files under the /fs directory. You might even want to make it your user home directory.

PS. If you're building your own kernel, you need these config options:

    CONFIG_BLK_DEV_LOOP
    CONFIG_BLK_DEV_CRYPTOLOOP
    CONFIG_CRYPTO_AES_586

Big disk?

With this script you won't have to calculate the size of a big disk. It keeps dumping until the disk is full. Also, you can stop the process with rm -f ~/go

    # the shell redirections (> and >>) did not survive the page's HTML
    # formatting; they are restored here as assumed, and the progress
    # command after the date line is assumed to be ls -l
    date > ~/go
    while [ -f ~/go ] ; do
        rm -f ~/go
        dd if=/dev/urandom count=100000000 >> /a/disk-aes || break   # dd fails once the disk is full
        date > ~/go
        ls -l disk-aes
    done
    date > ~/done

With this script, it writes in chunks in order to leave a little free space at the end instead of overflowing to the max.
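A chunked version of the fill loop, as an added example that is not part of the original page; the function and parameter names are assumptions. It appends random data to the container in fixed chunks and stops cleanly when the free space would drop below a reserve (the "little free space at the end" the text describes), when the stop file is removed, or when dd itself fails because the disk is full; the optional chunk limit is only there to bound a run.

```shell
#!/bin/sh
# Chunked container fill (constructed example; all names are assumptions).
# Appends random data to TARGET in chunks of CHUNK_BLOCKS 512-byte blocks
# and stops when
#   - the target's file system would drop below RESERVE_KB of free space,
#   - STOPFILE is removed (the ~/go trick from the page), or
#   - dd fails, which is what happens when the disk is actually full.
# MAX_CHUNKS (optional, 0 = unlimited) bounds the run.
#
# usage: fill_container TARGET CHUNK_BLOCKS RESERVE_KB STOPFILE [MAX_CHUNKS]
# Returns 0 on a clean stop, 1 if dd failed.
fill_container() {
    target=$1; chunk_blocks=$2; reserve_kb=$3; stopfile=$4; max_chunks=${5:-0}
    chunk_kb=$(( chunk_blocks / 2 ))         # 512-byte blocks -> KiB
    n=0
    : > "$stopfile"                          # create the stop file; rm it to stop
    while [ -f "$stopfile" ]; do
        if [ "$max_chunks" -gt 0 ] && [ "$n" -ge "$max_chunks" ]; then
            break
        fi
        # free KiB on the file system holding the target (POSIX df output)
        avail_kb=$(df -Pk "$(dirname "$target")" | awk 'NR==2 {print $4}')
        if [ "$avail_kb" -lt $(( chunk_kb + reserve_kb )) ]; then
            break                            # keep the reserve instead of filling to the max
        fi
        dd if=/dev/urandom bs=512 count="$chunk_blocks" >> "$target" 2>/dev/null || {
            rm -f "$stopfile"; return 1      # disk full (or I/O error)
        }
        n=$(( n + 1 ))
    done
    rm -f "$stopfile"
    return 0
}

# size of the container in bytes (0 if it was never created)
container_bytes() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# stand-alone run: 64 KiB chunks, keep 1 MiB free, at most 4 chunks
if [ "${FILL_DEMO:-0}" = 1 ]; then
    fill_container ./disk-aes 128 1024 ./go 4
    echo "disk-aes is $(container_bytes ./disk-aes) bytes"
fi
```

Run with FILL_DEMO=1 to create a small ./disk-aes in the current directory; remove ./go from another shell to stop it early.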

mkencfs.sh

Here's a handy script to get you started. You'll want to modify it for your needs.

    #!/bin/sh
    # mkencfs.sh

    echo Loading modules
    sudo modprobe loop
    sudo modprobe cryptoloop
    sudo modprobe aes

    echo Creating file container
    dd if=/dev/urandom of=encrypted.fs count=102400

    echo Creating loop file system
    sudo losetup -e aes /dev/loop2 ./encrypted.fs

    echo Creating ext2 file system
    sudo mkfs -t ext2 /dev/loop2

    echo Creating journal
    sudo tune2fs -j /dev/loop2

    # detach the loop device used for mkfs; mount -o loop attaches its own
    sudo losetup -d /dev/loop2

    echo Mounting loop file system. Note: must be root.
    sudo mkdir /fs
    sudo mount -o loop,encryption=aes,acl ./encrypted.fs /fs

    echo Contents of new file system:
    ls /fs

    echo Note, to unmount type:
    echo umount /fs
