Linux & cryptography (disk & email encryption in Linux)
I. In Mandrake 9.1/9.2
OpenPGP email encryption
On-the-fly encryption (hard disk encryption)
Swap encryption
OS maximal encryption (partitions)
II. In SuSE, Knoppix, Fedora, etc.
OpenPGP email encryption
Commands & scripts
I. In Mandrake 9.1/9.2
OpenPGP email encryption
GPG (GnuPG) is already installed in all Linux distributions.
The key can be generated with the command gpg --gen-key
a) Email clients include OpenPGP plug-ins (KMail, Mozilla, Evolution).

b) Kgpg (Mandrake 9.2) provides graphical management of PGP keys.

On-the-fly encryption (hard disk encryption)
a) On-the-fly AES encryption for containers (virtual disks): the tool DrakLoop (menu K / Applications / Archive / Other, or the command drakloop in a terminal; the RPM package "mountloop" must be installed) creates the container, which is then automatically mounted when the user logs in.
b) Partition encryption (see here)
Swap encryption
The swap partition can be encrypted on the fly with AES (it costs almost nothing in OS speed).
a) Create it during installation
b) After installation, by modifying the file /etc/fstab:
For example, if the swap is on /dev/hda4:
/dev/hda4 swap swap defaults 0 0
becomes
/dev/hda4 swap swap encrypted 0 0
then reboot Linux.
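The /etc/fstab change above as a dry run, written as an added example that is not part of the original page: it prints the modified file instead of editing it, and lists swap entries that still lack the "encrypted" option. The function names are hypothetical, and keeping options other than "defaults" (with "encrypted" appended) is an assumption.

```shell
#!/bin/sh
# fstab_encrypt_swap FILE: print FILE with every swap entry switched to the
# "encrypted" option. Comments, blank and non-swap lines pass through unchanged.
# Rewritten lines are re-joined with single spaces.
fstab_encrypt_swap() {
    awk '
        /^[ \t]*#/ || NF < 4 { print; next }   # comment, blank or short line
        $3 != "swap"         { print; next }   # not a swap entry
        {
            n = split($4, opts, ","); out = ""; seen = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "encrypted") seen = 1
                if (opts[i] == "defaults") continue   # replaced, as on the page
                out = (out == "" ? opts[i] : out "," opts[i])
            }
            # Assumption: any other option (e.g. pri=1) is kept, comma-separated.
            if (!seen) out = (out == "" ? "encrypted" : out ",encrypted")
            $4 = out
            print
        }
    ' "$1"
}

# fstab_unencrypted_swap FILE: list swap devices still lacking the option;
# returns 1 if any are found.
fstab_unencrypted_swap() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == "swap" && ("," $4 ",") !~ /,encrypted,/ { print $1; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input: the /dev/hda4 line from the page plus two more entries.
sample=$(mktemp)
printf '%s\n' '/dev/hda1 / ext3 defaults 1 1' \
    '/dev/hda4 swap swap defaults 0 0' \
    '/dev/hda5 swap swap pri=1 0 0' > "$sample"
fstab_unencrypted_swap "$sample" || echo "the swap devices listed above are not encrypted"
fstab_encrypt_swap "$sample"
rm -f "$sample"
```

Compare the printed result with the real /etc/fstab before copying it into place.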
OS maximal encryption (partitions)
Some Linux partitions can be encrypted on the fly with AES.
a) During the installation: the partitions /home and /tmp (at every boot, you will have to enter as many passphrases as there are encrypted partitions).
At the beginning of the installation, when it creates the partitions, choose:
- "Custom partitioning"
- Toggle to "Expert mode"
- Create the partitions (only /home and /tmp can be encrypted)
- "Options"
- Add the option: "encrypted"
- Enter the passphrase (at least 20 characters)
- "Mount point"

b) After installation, you can encrypt the /var partition (Linux experts only!) by backing it up, then modifying /etc/fstab, and restoring /var.
See the Linux Encryption How To http://encryptionhowto.sourceforge.net/Encryption-HOWTO-4.html#ss4.3.
For total encryption (all partitions), see the Disk-Encryption-HowTo http://tldp.org/HOWTO/Disk-Encryption-HOWTO/
II. In SuSE, Knoppix, Fedora, etc.
OpenPGP email encryption
(see here)
Commands & scripts
SuSE, Knoppix:
(see also: Linux Encryption HowTo, SuSE 7.2 documentation)
To create your containers, you can use this script written by Michel Bouissou (<michel@bouissou.net>): mkcryptfs
See the post on the mailing-list linux-crypto.
Download the source script in text format.
This script has been tested in Mandrake 8.2, 9.0, 9.1, 9.2, and in SuSE 7.2.
It should also work on other distributions (like Debian, Slackware and RedHat), if the kernel is patched or if the system has cryptoapi, or loop-AES, and has modified versions of "mount" and "losetup".
Be careful, you use this script at your own risk!
MKCRYPTFS script installation:
Unpack the tar.gz archive, then copy "mkcryptfs" into /usr/local/bin.
Edit the script and modify it for SuSE (read the comments in the script).
As root, type:
root# chown root:root mkcryptfs
root# chmod 755 mkcryptfs
MKCRYPTFS script use:
- As root, launch the script; here, if you want to create an encrypted container called "secret" with 500 Mb size in peter's directory (/home/peter), launch:
mkcryptfs peter secret 500
The passphrase must have at least 20 characters.
Encrypted container use:
Go back to your user account and mount the disk, here:
mount /home/peter/secret (you are asked for the passphrase).
The encrypted "disk" will be the disk located at "/home/peter/secret".
Fedora / RedHat :
See this page : "Setting up an encrypted file system using
CryptoAPI on RedHat 9" http://www.q-vadis.net/index.php?mID=stories&lng=en&art=5
Updated: November 2003
Published under OpenContent licence
Copyright (c) 1997-2003, pplf
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.