Linux & cryptography

(disk & email encryption in Linux)




I. In Mandrake 9.1/9.2

OpenPGP email encryption

On-the-fly encryption (hard disk encryption)

Swap encryption

OS maximal encryption (partitions)


II. In SuSE, Knoppix, Fedora, etc.

OpenPGP email encryption

Commands & scripts






I. In Mandrake 9.1/9.2


OpenPGP email encryption

GPG (GnuPG) is already installed in all Linux distributions.
The key can be generated by the command gpg --gen-key

a) Email clients include OpenPGP plug-ins (KMail, Mozilla, Evolution):

KMail (KDE)



b) Kgpg (Mandrake 9.2) provides graphical management of PGP keys:

Kgpg for KDE 3




On-the-fly encryption (hard disk encryption)

a) On-the-fly AES encryption of containers (virtual disks): the DrakLoop tool (menu K / Applications / Archive / Other, or the command drakloop in a terminal; the RPM package "mountloop" must be installed) creates the container, which is then mounted automatically when the user logs in:

drakloop


b) Partition encryption

(see here)


Swap encryption

The swap partition can be encrypted on the fly with AES (the cost in system speed is negligible).

a) Create it during installation

b) After installation, by modifying the file /etc/fstab:

For example, if the swap is on /dev/hda4:

/dev/hda4 swap swap defaults 0 0

becomes

/dev/hda4 swap swap encrypted 0 0

then reboot Linux.
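The /etc/fstab change above is a one-word edit, but on a real machine it is worth doing it with a script that touches only the swap line and can verify the result afterwards. The following is an added example, not code from the original page: two small shell functions, one that rewrites the swap entry ("defaults" to Mandrake's "encrypted" option, exactly the substitution described above) and one that checks that every swap entry carries that option. The sample fstab is constructed for the example; only the final comment touches the real /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the page): rewrite the swap entry of an fstab text so
# that Mandrake's "encrypted" option replaces "defaults", and check the result.
# Both functions read fstab text on stdin; nothing here touches /etc/fstab
# unless you redirect it yourself as shown at the bottom.

fstab_encrypt_swap() {
    awk '
        # Comments and blank lines pass through unchanged.
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        # Field 3 is the filesystem type: only swap entries with the plain
        # "defaults" options are rewritten (already-encrypted ones are left alone).
        $3 == "swap" && $4 == "defaults" { $4 = "encrypted" }
        { print }
    '
}

# Exit status 0 when at least one swap entry exists and every swap entry
# carries the "encrypted" option, 1 otherwise (usable as a post-edit check).
fstab_swap_is_encrypted() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $3 == "swap" { n++; if ($4 !~ /(^|,)encrypted(,|$)/) bad++ }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }
    '
}

# Constructed sample fstab, not a real machine's, with the page's /dev/hda4 swap.
SAMPLE_FSTAB='# <device> <mount point> <type> <options> <dump> <pass>
/dev/hda1 / ext3 defaults 1 1
/dev/hda4 swap swap defaults 0 0
none /proc proc defaults 0 0'

printf '%s\n' "$SAMPLE_FSTAB" | fstab_encrypt_swap

# On a real Mandrake 9.x system, as root, keep a backup, then reboot:
#   cp /etc/fstab /etc/fstab.bak
#   fstab_encrypt_swap < /etc/fstab.bak > /etc/fstab
#   fstab_swap_is_encrypted < /etc/fstab && echo "swap entry now encrypted"
```

Running the script prints the sample fstab with the swap line changed to "/dev/hda4 swap swap encrypted 0 0" and every other line untouched; running it a second time over its own output changes nothing, so the edit is safe to repeat.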



OS maximal encryption (partitions)

Some Linux partitions can be encrypted on the fly with AES.

a) During the installation: the partitions /home and /tmp (at every boot, one passphrase must be entered for each encrypted partition).

At the beginning of the installation, when it creates the partitions, choose:
- "Custom partitioning"
- Toggle to "Expert mode"
- Create the partitions (only /home and /tmp can be encrypted)
- "Options"
- Add the option: "encrypted"
- Enter the passphrase (at least 20 characters)
- "Mount point"

Encrypted partition in Mandrake 8.2



b) After installation, you can encrypt the /var partition (Linux experts only!) by backing it up, modifying /etc/fstab, then restoring /var. See the Linux Encryption HOWTO http://encryptionhowto.sourceforge.net/Encryption-HOWTO-4.html#ss4.3.

For total encryption (all partitions) see the Disk-Encryption-HOWTO http://tldp.org/HOWTO/Disk-Encryption-HOWTO/





II. In SuSE, Knoppix, Fedora, etc.


OpenPGP email encryption

(see here)



Commands & scripts

SuSE, Knoppix:

(see also:
Linux Encryption HOWTO
SuSE 7.2 documentation)
 

To create your containers, you can use this script written by Michel Bouissou (<michel@bouissou.net>): mkcryptfs
See the post on the linux-crypto mailing list. Download the source script in text format.

This script has been tested in Mandrake 8.2, 9.0, 9.1, 9.2, and in SuSE 7.2.

It should also work on other distributions (such as Debian, Slackware and RedHat) if the kernel is patched or the system has CryptoAPI or loop-AES, together with modified versions of "mount" and "losetup".

Be careful: you use this script at your own risk!
 

MKCRYPTFS script installation:

Unzip the tar.gz archive, then copy "mkcryptfs" into /usr/local/bin.
Edit the script and adapt it for SuSE (read the comments in the script).
As root, type:
root# chown root:root mkcryptfs
root# chmod 755 mkcryptfs

 

MKCRYPTFS script use:

- As root, launch the script; for example, to create an encrypted container called "secret" of 500 MB in peter's home directory (/home/peter), run:
 mkcryptfs peter secret 500
The passphrase must have at least 20 characters.
 

Encrypted container use:
Go back to your user account and mount the disk, here:
mount /home/peter/secret (the passphrase is requested).
The encrypted "disk" is then available at /home/peter/secret.
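The mkcryptfs script itself is not reproduced on this page, so the following is an added example of what a script of that kind does, written for this page and not Michel Bouissou's code: it takes the same three arguments as the example above (user, container name, size in MB), refuses a passphrase shorter than the 20 characters required above, fills the container with random data, formats it through an AES loop device, and appends the fstab entry that lets the user later run "mount /home/peter/secret" themselves. Everything it assumes is marked in the comments and is not from the page: the image file path /home/<user>/.<name>.img, the loop device /dev/loop0, and the "losetup -e aes" / "encryption=aes" syntax of the patched losetup and mount that CryptoAPI and loop-AES systems provide. By default it runs in dry-run mode and only prints the privileged commands.

```shell
#!/bin/sh
# Added example: a hypothetical mkcryptfs-like helper, NOT Michel Bouissou's
# script.  It creates an AES-encrypted loop container for a user and adds an
# /etc/fstab entry so that the user can later run "mount /home/<user>/<name>".
# Assumptions (not from the page): the image file lives at
# /home/<user>/.<name>.img, the loop device is /dev/loop0, and the system has
# the CryptoAPI/loop-AES patched losetup and mount that accept "-e aes" and
# the fstab option "encryption=aes".
# With DRY_RUN=1 (the default here) privileged commands are printed, not run.

DRY_RUN=${DRY_RUN:-1}
LOOP_DEV=${LOOP_DEV:-/dev/loop0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The page requires a passphrase of at least 20 characters.
check_passphrase() {
    [ "${#1}" -ge 20 ]
}

# Validate USER NAME SIZE_MB: a plain name (no slash, not "." or ".."),
# a positive decimal size without leading zero.
check_args() {
    case $2 in ''|*/*|.|..) return 1 ;; esac
    case $3 in ''|*[!0-9]*|0*) return 1 ;; esac
    [ -n "$1" ]
}

# fstab line: "user,noauto" lets the owner mount it without root; "loop" plus
# "encryption=aes" tells the patched mount to set up the crypto loop device.
fstab_container_entry() {
    printf '/home/%s/.%s.img /home/%s/%s ext2 user,noauto,loop,encryption=aes 0 0\n' \
        "$1" "$2" "$1" "$2"
}

mkcryptfs_like() {
    check_args "$1" "$2" "$3" || { echo "usage: mkcryptfs_like USER NAME SIZE_MB" >&2; return 1; }
    img=/home/$1/.$2.img
    mnt=/home/$1/$2
    # Random fill so used and free blocks are indistinguishable on disk.
    run dd if=/dev/urandom of="$img" bs=1M count="$3"
    run chown "$1:$1" "$img"
    run chmod 600 "$img"
    # The patched losetup prompts for the passphrase here.
    run losetup -e aes "$LOOP_DEV" "$img"
    run mkfs -t ext2 "$LOOP_DEV"
    run losetup -d "$LOOP_DEV"
    run mkdir -p "$mnt"
    run chown "$1:$1" "$mnt"
    if [ "$DRY_RUN" = 1 ]; then
        fstab_container_entry "$1" "$2"
    else
        fstab_container_entry "$1" "$2" >> /etc/fstab
    fi
}

# Dry run of the page's example: user peter, container "secret", 500 MB.
mkcryptfs_like peter secret 500
```

Run as is, the script prints the command sequence for "peter secret 500" ending with the fstab line it would append; with DRY_RUN=0 and as root it executes them. Keeping the container name free of slashes and the size numeric matters because both end up in paths and in /etc/fstab, which is read by mount for every user.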
 


Fedora / RedHat:

See this page: "Setting up an encrypted file system using CryptoAPI on RedHat 9" http://www.q-vadis.net/index.php?mID=stories&lng=en&art=5




 

Updated: November 2003
Published under OpenContent licence
Copyright (c) 1997-2003, pplf
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.


