2019/4/29

Encrypting a whole disk (drive) - dm-crypt

ref: requires cryptsetup
Most guides pair it with LUKS and LVM, but that is a bit of a hassle, so I am using the simplest approach..
First use cryptsetup to encrypt the USB disk sdb and map it to a logical volume..
-- it will ask for a password.
sudo cryptsetup open --type plain /dev/sdb cryptdrv
After that, looking under /dev/mapper, a device (disk) called cryptdrv appears.
This device (disk) can be formatted with mkfs.ext4
mkfs.ext4 /dev/mapper/cryptdrv
Then the device (disk) can be mounted, just like an ordinary disk..
mount /dev/mapper/cryptdrv mapper_disk
Once mounted, it can be used like an ordinary disk.

When you are done, umount it, then release the mapping..
sudo cryptsetup close --type plain cryptdrv
.. check /dev/mapper: cryptdrv is gone.

The USB disk can be taken to another computer and mounted there the same way..
But this article says there is still a big difference between plain and LUKS: plain mode carries a lot of risk, and you can even end up in a situation where the data is not actually encrypted.
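An added example, not from the original post, that wraps the open / format / mount / close steps above in a small script. Plain mode has no header, so cryptsetup cannot distinguish a wrong passphrase (or different cipher, hash or key-size options) from the right one: every passphrase "opens" successfully and simply yields a different mapping of garbage. The script therefore fixes the cipher parameters explicitly instead of relying on the compiled-in defaults, and looks for the ext4 superblock magic on the mapped device before it mounts, and refuses to run mkfs.ext4 if a filesystem is already visible. The device, mapping name, mount point and cipher settings are assumptions; `--cipher`, `--hash` and `--key-size` are real cryptsetup options. Run it with sudo.

```shell
#!/bin/sh
# Added example (not part of the original post).  Plain dm-crypt helper
# with a sanity check against wrong passphrases / wrong cipher options.
set -eu

DEV="${DEV:-/dev/sdb}"              # assumption: the USB disk from the post
NAME="${NAME:-cryptdrv}"            # dm-crypt mapping name used in the post
MNT="${MNT:-$HOME/mapper_disk}"     # assumption: mount point
# Plain mode derives the key from the passphrase using exactly these three
# values (no salt, no iteration count), so they must be identical on every
# machine that opens the disk.  Pin them rather than trusting defaults.
CIPHER="aes-xts-plain64"
HASH="sha256"
KEY_SIZE="512"

# ext2/3/4 store s_magic = 0xEF53 at byte offset 1080 (superblock at 1024,
# magic at +0x38), little-endian, i.e. the two bytes 53 ef.
# Returns 0 if the magic is present, 1 otherwise.
has_ext4_magic() {
    magic=$(od -An -tx1 -j1080 -N2 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

need_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run this with sudo" >&2; exit 1; }
}

open_plain() {
    # Prompts for the passphrase, like the command in the post.
    cryptsetup open --type plain \
        --cipher "$CIPHER" --hash "$HASH" --key-size "$KEY_SIZE" \
        "$DEV" "$NAME"
}

case "${1:-}" in
  init)   # first use only: open the mapping, then create the filesystem
    need_root
    open_plain
    if has_ext4_magic "/dev/mapper/$NAME"; then
        echo "refusing to format: /dev/mapper/$NAME already holds a filesystem" >&2
        cryptsetup close "$NAME"
        exit 1
    fi
    mkfs.ext4 "/dev/mapper/$NAME"
    ;;
  mount)  # later uses: open, verify we decrypted to something sane, mount
    need_root
    open_plain
    if ! has_ext4_magic "/dev/mapper/$NAME"; then
        echo "no ext4 superblock on /dev/mapper/$NAME: wrong passphrase or cipher options?" >&2
        cryptsetup close "$NAME"
        exit 1
    fi
    mkdir -p "$MNT"
    mount "/dev/mapper/$NAME" "$MNT"
    ;;
  close)
    need_root
    umount "$MNT"
    cryptsetup close "$NAME"
    ;;
  *)
    echo "usage: $0 init|mount|close" >&2
    ;;
esac
```

The magic check is only a sanity check, not an integrity check: plain mode has no way to verify the key, so the script can tell "this is not the filesystem you created" but nothing more. That missing header (and the unsalted, un-iterated passphrase-to-key derivation) is exactly why the article referenced above treats plain mode as riskier than LUKS.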

ecryptfs -- encrypting a directory

This tool seems to be classified as a "stacked filesystem", i.e. it sits on top of an existing filesystem.
In use, it encrypts a directory.

This article explains it clearly, but it looks rather long-winded.
This article explains how to encrypt a directory with the mount command. Simpler.

Install: requires the kernel modules ecryptfs and encrypted_keys
user-land tool: ecryptfs-utils

After installing ecryptfs-utils with apt, run modprobe ecryptfs by hand and it is ready to use..
Following the example above: to encrypt /home/charles-chang/sss...
$sudo mount -t ecryptfs /home/charles-chang/sss /home/charles-chang/sss
Then answer a series of questions about the encryption settings and it is done.

After the mount succeeds, mount shows:
/home/charles-chang/sss on /home/charles-chang/sss type ecryptfs (rw,relatime,
ecryptfs_fnek_sig=6860c372da7bc418,ecryptfs_sig=6860c372da7bc418,
ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough,ecryptfs_unlink_sigs)
To unmount, the ordinary umount command is enough. To mount it again you have to remember every option used on the first mount, plus the passphrase.

Although the unit of encryption is the directory, every file inside it is an independent object: copy one to another directory, mount that directory with mount -t ecryptfs, and its contents can be read.
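An added example, not from the original post, for the "remember every option" problem above. After the first mount succeeds, the kernel reports the ecryptfs_* options (the two signatures, cipher and key size) in /proc/self/mounts; this script records them for a directory and feeds exactly the same list back on a later mount. Passing ecryptfs_sig / ecryptfs_fnek_sig makes the kernel look for the key with that signature in the keyring and refuse the mount if it is absent, so a mistyped passphrase fails instead of silently presenting a different view of the directory. `ecryptfs-add-passphrase --fnek` is the real ecryptfs-utils tool that prompts for the passphrase and loads it into the keyring; the option-file location and the directory are assumptions. Run the whole script with sudo so both commands use the same (root) keyring.

```shell
#!/bin/sh
# Added example (not part of the original post): save and replay the
# ecryptfs mount options of a directory.
set -eu

# Print the ecryptfs_* options for mount point $1, read from a file in
# /proc/self/mounts format ($2, defaults to the real one).  Generic options
# such as rw,relatime are dropped: they do not affect the key setup.
ecryptfs_opts_for() {
    dir="$1"
    mounts="${2:-/proc/self/mounts}"
    awk -v d="$dir" '$2 == d && $3 == "ecryptfs" { print $4 }' "$mounts" \
        | tr ',' '\n' | grep '^ecryptfs_' | paste -s -d, -
}

# save_opts DIR OPTFILE: record the options of a currently mounted directory.
save_opts() {
    opts=$(ecryptfs_opts_for "$1") || return 1
    [ -n "$opts" ] || { echo "$1 is not an ecryptfs mount" >&2; return 1; }
    umask 077                      # the signatures identify your key; keep the file private
    printf '%s\n' "$opts" > "$2"
    echo "saved: $opts"
}

# remount_from DIR OPTFILE: load the passphrase into the keyring, then mount
# with the recorded options.  With ecryptfs_sig / ecryptfs_fnek_sig present
# the kernel only accepts the key whose signature matches.
remount_from() {
    opts=$(cat "$2")
    ecryptfs-add-passphrase --fnek
    mount -t ecryptfs -o "$opts" "$1" "$1"
}

case "${1:-}" in
  save)   save_opts  "${2:?dir}" "${3:?optfile}" ;;
  mount)  remount_from "${2:?dir}" "${3:?optfile}" ;;
  *)      echo "usage: $0 save|mount DIR OPTFILE" >&2 ;;
esac
```

Usage, after the first interactive mount shown above: `sudo ./ecryptfs-opts.sh save /home/charles-chang/sss /root/sss.ecryptfs-opts`, and on subsequent sessions `sudo ./ecryptfs-opts.sh mount /home/charles-chang/sss /root/sss.ecryptfs-opts` (script and file names are placeholders). The saved options are not secret in the cryptographic sense, but the signatures let anyone confirm which passphrase a directory was encrypted with, which is why the file is written with mode 0600.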

encfs seems to be used the same way, but apparently does not need a kernel module.

cryptmount -- a user-level, file-backed encrypted filesystem

~$ sudo cryptmount-setup 

------------------------------
cryptmount setup script

This program will allow you to setup a secure filing-system that will 
be managed by "cryptmount". You will be able to select basic features 
such as the location and size of the filesystem - if you want more 
advanced features, you should consult the cryptmount manual page.

cryptmount version 5.2.2, (C)Copyright 2007-2014 RW Penney
cryptmount comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under 
certain conditions - see the file 'COPYING' in the source directory.

------------------------------
Each cryptmount filesystem is identifed by a short name which is used 
when mounting or configuring that filesystem. This name should be a 
single word (without spaces), such as "opaque".
The following target names have already been used:    (NONE)

  Please enter a target name for your filesystem
  [opaque]: 


The opaque filesystem can be configured to be owned by a nominated 
user, who will be able to create top-level files & directories 
without needing to involve the superuser.

  Which user should own the filesystem (leave blank for "root")
  []: 


In order to access the opaque filesystem, it must be mounted on top 
of an empty directory.

  Please specify where "opaque" should be mounted
  [/home/charles-chang/crypt]: 


The maximum available size of your filesystem needs to be chosen so 
that enough space can be reserved on your disk.

  Enter the filesystem size (in MB)
  [64]: 


The actual encrypted filesystem will be stored in a special file, 
which needs to be large enough to contain your entire encrypted 
filesystem.

  Enter a filename for your encrypted container
  [/home/charles-chang/crypto.fs]: 


Access to your encrypted filesystem is protected by a key that is 
kept in a separate small file. The key is locked by a password that 
you must enter whenever you mount the filesystem.

  Enter a location for the keyfile
  [/etc/cryptmount/opaque.key]: 

------------------------------
Your filing system is now ready to be built - this will involve:
 - Creating the directory "/home/charles-chang/crypt"
 - Creating a 64MB file, "/home/charles-chang/crypto.fs"
 - Adding an extra entry ("opaque") in /etc/cryptmount/cmtab
 - Creating a key-file ("/etc/cryptmount/opaque.key")
 - Creating an ext3 filingsystem on "/home/charles-chang/crypto.fs"
If you do not wish to proceed, no changes will be made to your system.

  Please confirm that you want to proceed (enter "yes")
  [no]: Yes
Making mount-point (/home/charles-chang/crypt)... done
Creating filesystem container (/home/charles-chang/crypto.fs)... done
Taking backup of cryptmount master config-file (/etc/cryptmount/cmtab.bckp-setup)... done
Generating filesystem access key (/etc/cryptmount/opaque.key)...
Generating random key; please be patient...
Enter new password for target "opaque": 
Confirm password: 
Password mismatch
Generating random key; please be patient...
Enter new password for target "opaque": 
Confirm password: 
Formatting encrypted filesystem...
Enter password for target "opaque": 
1 
------------------------------
Your new encrypted filesystem is now ready for use - to access, try:
    cryptmount opaque
    cd /home/charles-chang/crypt
After you have finished using the filesystem, try:
    cd
    cryptmount --unmount opaque

Please take great care NOT to delete or damage your keyfile 
("/etc/cryptmount/opaque.key"). Without that file, and the associated 
password, it will be virtually impossible to access your encrypted 
filesystem. You may want to keep a separate backup copy of the 
keyfile.
With that, the loop-file-style disk, its mount options and the password are all set up.
Now mount it:
sudo cryptmount opaque
Enter password for target "opaque":
e2fsck 1.43.3
/dev/mapper/opaque: clean 11/16384 files. 7477/65536 blocks
Looking at it with mount..
/dev/mapper/opaque on /home/charles-chang/crypt type ext3 (rw,relatime,data=ordered)
After that, man cryptmount lists the other operations: mount, umount, change password, list the files that were created, and so on..
From the mount output you can see that cryptmount works like a user filesystem: the encryption happens below the filesystem, at the device level,
so the upper layer just sees ext3.
man cryptmount goes into more detail..
It also explains how to mount a real disk partition.

Overall, using LUKS feels like the more standard choice..