EncryptedFilesystemHowto [would someone with time please take this over]


Post by oneleaf » 2005-10-01 12:11

Encrypted file-systems

People store all kinds of sensitive information on their computers, but much more sensitive information may be stored without your even realizing it in the form of cached web pages, cookies - even browser settings. Clicking "remember me" on a webpage is a convenient browser feature, but imagine a thief steals your computer and now has access to your ebay account, paypal, and everything else connected to your email address - possibly even your bank account information. This problem is magnified when using a laptop, since they are so very easy to steal or even just lose.

Encryption can address this issue. Keep in mind no solution is perfect and a determined intruder might still be able to find a way in. Using encryption, however, greatly reduces the chance of this happening (because if you don't use encryption, it isn't a matter of chance that your data is available to anyone who wants it - it's a matter of fact).

Keep in mind that encrypting your data WILL lock it up in a reasonably secure vault. This means if you forget your passphrase you WILL be locked out. Likewise, if you write down your passphrase and stick it on a post-it note on your monitor you might as well not use encryption at all. Encryption is a tool, not a black box solution to protecting your privacy.
A Bit of Theory

Please remember that any numbers used here are made up on the fly. They are meant as an exercise of the mind and to give a feeling for the numbers you are dealing with when using encryption. Do your own math based on your own data, habits and requirements if you need to rely on encryption: It is your data you are protecting and your problem should it get out into the open.

From what I know at this point in time the encryption routines employed by the Linux kernel are secure and trustworthy. I have not examined them in depth, so do not blame me if they are not. But this does not mean that your data will stay secure for all time once encrypted: If somebody discovers a flaw in the algorithm used, then your data might end up in the open. If somebody discovers a flaw in the implementation, then your data might end up in the open. If somebody comes up with a breakthrough in technology and/or math, then your data might end up in the open. If you are stupid and lose your keys, then your data will be lost unless somebody finds a flaw in the algorithm or implementation of the crypto engine or someone makes a breakthrough in technology or math.

You have been warned.
How does Linux encrypt my data?

Traditionally in Linux a beefed-up loopback device was used to mount a file. This loopback device then did de-/encrypt the data passing through to it. There were several different and incompatible versions of these loopback encryption engines, most supporting only one crypto algorithm.

With the Linux 2.6 kernel the cryptoloop system was deprecated and might get dropped from the mainline kernels altogether at some point in the 2.6 development cycle. Its functionality is incorporated into the DeviceMapper, a generic framework used to map one blockdevice into another. Apart from encryption this DeviceMapper is the foundation of LVM, software RAIDs and offers additional features like doing snapshots of filesystems.
So how does DeviceMapper work?

The DeviceMapper is a filter, processing data passed in from a virtual blockdevice it provides, before passing it on to another blockdevice.

When used to encrypt data the DeviceMapper is used to create a new blockdevice in /dev/mapper/. This virtual device can be used like any other blockdevice you have on your system (/dev/hdaX, etc). All data passed to this device is encrypted by the DeviceMapper (or better the dm-crypt module of it) using a symmetric encryption algorithm like AES. The encrypted data is then written to another blockdevice that does actually store the data.
So I can not use a file to hold my encrypted data? You keep referring to blockdevices...

You need a blockdevice for the DeviceMapper. Nobody stops you turning a file into one by using the (unencrypted) loopback facility. The loopback system will stay in the mainline kernel, even though the encryption functionality that used to be built into it is removed.
OK, which encryption engines does the DeviceMapper support?

You can choose all those provided by the crypto-modules of your kernel. The Ubuntu-Kernels come with the full set, including Twofish, AES, DES and others.
Which of those engines should I choose?

I recommend AES. It is reasonably fast and believed to be secure. Avoid DES, it is considered too weak to offer decent protection nowadays.
How many bits should the key used by the algorithm have?

This depends on your needs for security: A longer key is more secure, but it takes longer to de-/encrypt data using it.

With a good crypto algorithm an attacker must use brute force: He has to generate each key and then has to try to unlock the encrypted data with it. So the number of possible keys directly gives the average time needed to break the encryption. So let us play a bit with some numbers:

A 256bit key gives about 10^77 (a 1 followed by 77 zeros) different keys while a 128bit key has "only" about 10^38 (a 1 followed by 38 zeros). At the moment a PC can generate and test about 3*10^5 (3 followed by 5 zeros) keys per second. So breaking a 128bit key will take about 10^25 years (1 followed by 25 zeros), which is longer than the universe exists. That should be secure enough for most users.

But according to Moore's Law the performance of computers will double every 18 months, so a PC will grow in performance by a factor of about 1000 every 15 years. So if you are a government and need to make sure that documents are still secret in 150 years' time you must assume that a single PC will be able to generate and test 3*10^33 (3 followed by 33 zeros) at that time. So a single PC can break your 128bit key in less than 30 minutes, while a 256bit key would still stall an attacker for 10^36 years (1 followed by 36 zeros).
I decided on the key size now. How do I protect the key?

Protecting the key is vital: With it the attacker does have instant access to the data. So what can be done to protect this crucial string of bits?

1. You can use a "one-time key" that is changed at each startup. These keys are usually created by reading /dev/Xrandom during dm-crypt setup. No key is stored this way and no passphrase needed, but this method can only be used on filesystems that can be formatted at each reboot (like swap or maybe /tmp if you do not want to retain the information stored there). Using suspend to disk will be impossible with one-time keys used on the swap device.

2. You can store the key on removable storage. That way it is only accessible when needed. Your data is in the open when the storage is stolen or copied.

3. You can generate a hash value (== a pseudorandom number) from a keyphrase and use that as a key. The key is not stored on media that way at all, but you can not change the passphrase (a different key is generated then). All people with access to the encrypted data need to know this passphrase. This is a bit impractical in a multi user environment.

4. You can encrypt the key. The encrypted key is stored on the computer with the encrypted device. You can change the passphrase by reencrypting the key with a different one and you can have several copies of the same key encrypted for several people.

5. You can encrypt the key and store it on removable media.

6. You can use smartcards, etc. This is the most secure option.

Unfortunately I do not have a smartcard reader, so I can not cover option 6.
I want to use a passphrase. How long does it need to be?

If you decide to use a hash of a passphrase or want to have an encrypted key that is unlocked by a passphrase then it is crucial to pick a long and strong one. As we have seen earlier it is close to impossible to guess the key itself, but an attacker does not have to do that if he can guess the passphrase.

Let us do some more exercises of the mind: Assuming a passphrase can be made up out of letters (both cases), numbers and a limited number of punctuation. This gives about 64 different characters that can be used. 64 different characters can be encoded in 6bits. So if you were using a single letter passphrase then an attacker would need to try a maximum of 64 times to get your key. If your passphrase consists of several random letters, then each one makes the effort 64 times harder! Using words instead of a random sequence of letters makes it significantly easier for an attacker, so do not do that or make the passphrase much longer (I recommend at least doubling the length!).

If you have a 128bit key and want a passphrase that is as strong you need at least 22 random characters in the passphrase. For a 256bit key you need twice the length: 42 characters. A really strong random 8-letter password gives a maximum of 2^40 or 10^12 (a 1 followed by 12 zeros) different passphrases (standard not-so-random-passwords are much weaker!), which is enough to protect a 40bit key. A single fast PC should be able to try those 10^12 different passphrases in about 42 days (assuming 300000 tries/s). Compare that to the 10^25 years it takes to break a 128bit key that might be protected by this passphrase.
Examples
Using dm-crypt

Ubuntu includes the latest encryption widget right in the default install, but there is no easy to use interface to this widget included in the default install. Before we can use ubuntu's encryption capabilities we must install this interface.

1. Install cryptsetup. This is a small download, it goes quickly.

sudo apt-get install cryptsetup

2. Then we load some needed modules. We need the dm_mod, dm_crypt and a crypto-Module. There are a variety included in the standard ubuntu-Kernel, the most optimal is likely chosen automatically and already installed.

* If you would like to verify (or if this tutorial hasn't worked and you want to double-check things) enter the following commands at a terminal:

sudo modinfo /lib/modules/`uname -r`/kernel/crypto/* |grep description
sudo modinfo /lib/modules/`uname -r`/kernel/arch/i386/crypto/* |grep description

This will list the modules available on your machine. The aes module is actually an alias for whatever is installed on your machine. Look for something with aes in it - aes, aes-i586, aes-i386, and so forth. So long as one of these is installed you should be fine. To ensure that these modules are loaded when your computer restarts add them to /etc/modules:

sudo su -    # to make yourself root
echo aes >> /etc/modules
echo dm_mod >> /etc/modules
echo dm_crypt >> /etc/modules

3. Choose the partition where you want to store the encrypted data (in this example we'll use the hard drive partition /dev/hda7) and create the cryptographic device mapper. This device is like a filter connected to the partition which automatically and transparently decrypts and encrypts the data as needed.

sudo cryptsetup -y create crypt /dev/hda7

4. Modify the /etc/crypttab and the /etc/fstab file so our crypt-device is restarted and mounted (to /crypt in our example) at boot-time. To do this we write the following lines to the files:

sudo su -    # do this as root
echo "crypt /dev/hda7" >> /etc/crypttab
echo "/dev/mapper/crypt /crypt reiserfs defaults 0 1" >> /etc/fstab

5. Instead of directly mounting /dev/hda7 when your computer restarts, now it will first restart the encryption "filter." This means every time you restart your computer you will be required to enter your passphrase before proceeding onto a desktop login. There are other options you can enter into the /etc/fstab file which will allow you to mount and unmount your encrypted data at any time (just as you are probably used to doing with CDs and USB drives) but for now we will focus on using the partition as one might use it to encrypt /home (which we will cover more in depth later in this howto).

6. Now let's create a filesystem on the mapped device:

sudo mkfs.reiserfs /dev/mapper/crypt

* And you can mount the new (encrypted) drive by entering:

sudo mount /crypt

If you get an error message that it cannot be mounted, make sure you have the target folder created (in this example it would be the folder /crypt):

sudo mkdir /crypt
sudo mount /crypt

It should now work. You can, of course, use any target folder you like. Which brings us to the next step: protecting your privacy via encryption of your home space.

So How Do I Encrypt My Home Directory?

People often ask about how to encrypt their /home directories. This is a good precaution, but not terribly meaningful by itself. For example, if you use kde you will find all sorts of cached webpage information in the /var folder! File system names, user information - all sorts of clues get stored in various other folders on your system. Many experienced admins take this to the next level and encrypt their entire linux installation, leaving only a small /boot partition available to anyone without the passphrase. While this is certainly a valid method, it is also much more complex and not at all easy to do at this point without purchasing non-free (and therefore unverifiable) security products such as drivecrypt or bestcrypt.

A very good compromise is to encrypt all the folders that are likely to contain data as opposed to system files. These include /tmp, /home, /var, /temp (some systems have both) and the often overlooked /swap partition. On many systems this will also include /root, since that is the root user's desktop and is not stored in /home. Problem is if we lock this away and need to reboot the system without mounting the encrypted volume, we may find a system that doesn't work at all. Fortunately there are ways to overcome this, which we will (again) cover later.

So, how to encrypt all this stuff without having to enter five passphrases every time we restart? Some howtos suggest using one "master" partition (usually /home) that contains "key files" which are used to successively unlock the other partitions. There are a couple of problems with this method: first, if one of those files (usually filled with random gibberish so as to make them "unguessable") is damaged it can render the whole system useless until a restore operation is performed (and how often do YOU backup your system?) The other problem is it isn't really "secure" at all since any time your /home partition is mounted the "keys" to all those other partitions are available to anyone who can get access to your computer (even remotely). This is really only slightly different than using those post-its we mentioned earlier.

A better method (although a bit harder to follow) is to stick everything in one partition and mount that. But if we try to use a partition like /encrypted then we will find nothing works, since all those symbolic links to places like /usr/lib are broken. The folder for X11, for example, contains dozens of relative links that will break if we try to just move the /usr partition after the system has been built.

So, we move everything to the one partition that cannot be easily moved: the /usr partition. Then we link everything we moved back to the root folder. If this all sounds complicated don't sweat it, there's a script available that will make it relatively easy. All we need to do is partition the system properly and follow the steps outlined above, reboot and run the script, then kick back with our newly protected system.
Partitioning the System

In order to build a properly protected system (the easy way) we need three partitions: a root, or / partition where everything else lives, a swap partition (encrypted), and a partition for our /home (which will actually be /usr/home). This means finding (or creating) three partitions during or after the installation of ubuntu. If you are putting ubuntu on its own disk this will be relatively easy. If you're one of those undecided souls who cannot commit to making ubuntu your only desktop, this part may not be quite as easy. At any rate that comes under the heading "installation" and is the subject of another howto.

Here is an example of how you would partition the system in order to use the easy-does-it script:

partition   mount point   fs type
/dev/hda1   /             reiserfs
/dev/hda2   /zzz          ext2
/dev/hda3   swap          swap

Note the partition called /zzz. This is important! The script will look for this later and convert it to /usr. Why don't we make it /usr now? Because we want the system to be bootable even without the encrypted partition mounted. We will create the new /usr space, then swap it out from under the system like a three card monty dealer.

Assuming you now have your partitions created, let's setup the encryption filters and launch the script.

First, the encrypted swap. This is incredibly easy (and a good example of why you should use the device mapper for encryption in ubuntu and stop using the old loopback system).

Enter these commands at your terminal:

sudo swapoff /dev/hda3    # to unmount the drive
sudo cryptsetup -d /dev/urandom create cryptoswap /dev/hda3
sudo mkswap /dev/mapper/cryptoswap -L accessisdenied -v1

Keep in mind /dev/hda3 is only used here because it suits our example installation. Use whatever partition you set aside for swap during the installation we just covered.

The above line tells our system to use the linux random number generator /dev/urandom to create a random key for swap when we reboot. Now, like any digital system this isn't really going to be completely random, but it's close enough (we hope) and avoids having to enter an extra passphrase every time we reboot. There are other methods (like using /dev/video0 if you have a tuner card, or using external random number generators) but those are well outside the scope of this tutorial.

Now we will create another mapped device for the encrypted user space. This one is a bit more important and we definitely do NOT want to forget the passphrase, so we have the program ask us twice to confirm the new passphrase:

sudo umount /zzz    # again, make sure nothing's open to /zzz
sudo cryptsetup -y create cryptohome /dev/hda2

DO NOT forget this passphrase (at least not until you want to!)

So now we have both the "mapper" devices for our new system. All we need to do is configure it to actually use them after a reboot:

sudo mkfs.reiserfs /dev/mapper/cryptohome    # follow the prompts
sudo su -
echo 'cryptohome /dev/hda2' >> /etc/crypttab
echo 'cryptoswap /dev/hda3 /dev/urandom swap' >> /etc/crypttab

And then to make the system mount these mapped encryption devices, we edit the file /etc/fstab. The friendly, non geeky way to do this is to open a root terminal (or sudo) and type "gedit /etc/fstab". You should see something like this:

# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/hda1 / reiserfs defaults 0 1
/dev/hda2 /zzz ext2 defaults 0 1
/dev/hda3 none swap sw 0 0

We want to edit this file so it looks like this:

# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/hda1 / reiserfs defaults 0 1
/dev/mapper/cryptohome /zzz reiserfs defaults 0 1
/dev/mapper/cryptoswap none swap sw 0 0

Note that all we did was change the "type" of our home partition to use the more advanced reiserfs, and changed the two "file system" entries to point to the mapped virtual devices instead of the physical hard drive partitions.
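A check you can run before rebooting, as an added example that is not part of the original howto: it cross-checks /etc/crypttab against /etc/fstab for the three mistakes this step invites. The function name and finding labels are hypothetical, the sample files are constructed, and it assumes every /dev/mapper entry in fstab is a dm-crypt mapping (as in the layout above) and that the crypttab "swap" option is what runs mkswap on a random-key mapping.

```shell
#!/bin/sh
# Added example (not from the howto): sanity-check crypttab against fstab.
# Usage: check_crypt_config /etc/crypttab /etc/fstab
# Findings printed, one per line:
#   NOSWAPOPT name  random-key mapping without the "swap" option, so the
#                   mapped device has no swap signature after a reboot
#   MISSING name    fstab mounts /dev/mapper/name but crypttab never creates it
#   RAW device      fstab still uses the raw partition behind a mapping,
#                   so data (or swap) would bypass the encryption filter
check_crypt_config() {
    awk '
        { sub(/#.*/, "") }            # drop comments
        NF == 0 { next }              # skip blank lines
        pass == 1 {                   # first file: crypttab
            src[$1] = $2              # mapping name -> source device
            raw[$2] = $1              # source device -> mapping name
            if (($3 == "/dev/urandom" || $3 == "/dev/random") &&
                $4 !~ /(^|,)swap(,|$)/)
                print "NOSWAPOPT " $1
            next
        }
        $1 ~ /^\/dev\/mapper\// {     # second file: fstab, mapped devices
            name = substr($1, 13)     # text after "/dev/mapper/"
            if (!(name in src)) print "MISSING " name
            next
        }
        ($1 in raw) { print "RAW " $1 " (backs " raw[$1] ")" }
    ' pass=1 "$1" pass=2 "$2"
}

# Constructed sample: a mistyped mapper name, a swap line left on the raw
# partition, and a random-key swap mapping without the "swap" option.
demo_crypt_config() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'cryptohome /dev/hda2' \
        'cryptoswap /dev/hda3 /dev/urandom' > "$dir/crypttab"
    printf '%s\n' \
        '# <file system> <mount point> <type> <options> <dump> <pass>' \
        'proc /proc proc defaults 0 0' \
        '/dev/hda1 / reiserfs defaults 0 1' \
        '/dev/mapper/cryptohom /zzz reiserfs defaults 0 1' \
        '/dev/hda3 none swap sw 0 0' > "$dir/fstab"
    check_crypt_config "$dir/crypttab" "$dir/fstab"
    rm -rf "$dir"
}

demo_crypt_config
```

No output means the two files agree; the crypttab and fstab lines shown in this howto produce none.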

At this point we have done nothing that should alter your system's ability to restart. So, restart your system and test it out! Don't forget you will be prompted for at least one passphrase this time.
Finishing up

Hopefully your system restarted well and you now see an encrypted /zzz partition in your root folder. Double check this by opening the folder in nautilus and noting the "free disk space" number. Does it change when you enter the /zzz folder? It should - if it doesn't recheck your /etc/fstab and /etc/crypttab files and see where you went wrong. Open Nautilus and browse to /dev/mapper and make sure you have those two mapped devices cryptohome and cryptoswap.

If all is well otherwise, it's a downhill coast from here. We will be using the scripts below, but because of errors introduced by the wiki I suggest you download this script package and untar it.

http://poptones.f2o.org/buildsafe-md5-ubuntu.tar.gz

#!/bin/sh
# Module : buildsafe
# Version : 0.1
# Author : "Poptones"
# Created On : Tuesday, September 28 2004
#
# This will build an encrypted userland file system from
# an encrypted partition called /zzz.

if [ `grep 'zzz' /etc/mtab -c` -gt 0 ]; then

# NOTE: there is some sort of bug in the wiki that is causing a ? to appear in the above line
# and I cannot get it to go away. This script will not work until you remove it!

#if we have already run this script don't do this part again!
if [ ! -d /usr/var ]; then

#NOTE AGAIN; see above comment. There is supposed to be NO ? in the above line!

echo 'editing /etc/fstab to mount /zzz at /usr'
cp /etc/fstab /etc/fstab.zzz
sed 's/zzz/usr/g' /etc/fstab.zzz > /etc/fstab

echo 'moving /var partition to /usr/var...'
cp --preserve=all -r /var /usr
echo -n 'done'

echo 'moving /home partition to /usr/home...'
cp --preserve=all -r /home /usr
echo -n 'done'

echo 'moving /tmp partition to /usr/tmp...'
rm -rf /usr/tmp
cp --preserve=all -r /tmp /usr
cd /usr/var
rm -rf tmp
ln -s ../tmp ./tmp
cd /
echo -n 'done'
echo 'now building new /usr partition... relinking...'

rm -rf /var
rm -rf /home
rm -rf /tmp
ln -s /usr/tmp /tmp
ln -s /usr/var /var
ln -s /usr/home /home

echo -n 'done'

fi

echo 'now moving /usr to encrypted partition...'
echo 'please be patient. Depending on system speed'
echo 'this may take a few minutes to more than an hour'

cp --preserve=all -r /usr/* /zzz

echo 'done'
echo 'enter *reboot* for the changes to take effect'
else
echo 'mount point /zzz cannot be found. make sure you have'
echo 'created the mount point /zzz. If you are certain it'
echo 'exists, run this script again after mounting it.'
fi
#file ends here

Reboot your system one more time, pressing ESC to enter the grub menu. Select "failsafe" mode and boot into single user mode, then go to your home directory (if you are not already there) Enter "ls" to get your bearings.

See the file you just saved? Now hold your breath and invoke it by typing

./buildsafe

It should take off almost immediately doing all sorts of scary stuff. Moving the files WILL take some time. Don't get impatient and reboot in the middle of this script or you will find yourself having to reinstall ubuntu from scratch. This script won't overwrite any partitions you didn't give it access to, but if it's not allowed to complete it WILL munge your OS, which is the reason I strongly suggest running it on a fresh installation.

Did you get the reboot prompt? Type "reboot" and press enter, then log in again.
Using Your Encrypted System

Now when you open Nautilus and look at the root of your file system you should see a few slight differences. Notice how the folders /home, /var, and /tmp now have link symbols on them. You will also see the old /zzz folder left behind there. (Don't remove this, we're not done with it.) Notice how your root reports xxxx amount of free space, but when you click into /home or /var it changes. There's still a /usr partition on the other / partition, but it is mounted over or hidden when we enter the passphrase at boot.

If you just press enter at boot you will still get a desktop that works, but it will be the unprotected version. So long as you don't get too wild with the upgrades while using the encrypted partition you should have no troubles going back and forth into the unencrypted desktop. Just keep in mind nothing is protected when you are using that other desktop - every image thumbnailed in every folder you click on, every website you have your system "remember," every email you fetch will remain in that unencrypted space.

If you want to perform an upgrade to the system, just log into the "unprotected" desktop (ie reboot and press enter at the password prompt) and run the upgrade as normal. Then reboot again into failsafe mode (entering the passphrase when asked) and mount your encrypted userland to /zzz by entering the following:

sudo umount /usr
sudo mount -t reiserfs /dev/mapper/cryptohome /zzz

Now run the buildsafe script again. It will see that the system has already been migrated and all the changes will be moved into your encrypted space.
Panaceas and black boxes

Don't forget this is NOT a perfect system. It is still vulnerable to attack by a variety of ways, the most obvious being an attack while online. If you are able to access your encrypted data then anyone else who gets into the system will be as well. If you are on dsl and you leave the system logged into your encrypted space 24/7 and you are hacked, your data is still owned and this has all been for naught. If you are doing something suspicious and you live in a place where authorities can enter your home without your knowledge, and you leave the system up and running with your encrypted userland exposed, your data is still owned. Most importantly, even if you DON'T leave the system up and running when you are not around it can still be attacked by anyone with access to the machine. The simplest method would involve nothing more difficult than replacing your initialization script that mounts the encrypted partition with a version of the script that records your keystrokes before passing them onto the cryptsetup program. For example, by altering just two lines in the file /etc/init.d/cryptdisks from this:

echo "..."
$CRYPTCMD create $dst $src <&1

To something like this:

echo "..."
echo "password"
read PASSWD
echo $PASSWD >> /etc/YouAreNowOwned
$CRYPTCMD create -d /etc/YouAreNowOwned $dst $src > /dev/null

You would never realize the difference when you rebooted, and the attacker would have your passphrase in a common text file.

Get the idea? If someone has physical access to your machine, it's much more difficult (if not impossible) to keep them out. Now, the folks who encrypt their entire system would say "this is why encrypting the whole OS is better." But unless they are booting from a CD there's nothing to stop someone from doing exactly what's shown above. And even if they ARE booting from a CD there are boot sector programs and other attacks that could still come into play. In short, this system will reasonably protect your privacy - keep you safe from the kid in school or the common thief who steals your system, or the spouse you don't want seeing your collection of adult materials or your love notes to another - but it will NOT protect you from a knowledgeable attacker. If you live in a place where possession of certain types of data could cost you your freedom or your life, and you are or plan to be in possession of said data, you need a comprehensive security plan that goes well beyond the scope of this howto.

This point cannot be stressed enough.

Now, given the above truth, there are other steps we can take to help be reasonably sure our system has not been compromised. One thing we can do is make a snapshot of all the files on our system at the time it is fresh and then periodically check it for changes. And wouldn't you know it, we have a script for that as well. The following will NOT protect us from boot sector attacks, but it will keep the system fairly safe from online attacks or even from unsophisticated physical trojan attacks (which is what most people have to be more concerned about).

Below is the other script we will be using (included in the package linked above).

#!/usr/bin/perl
# Module: md5logger.pl
# Source: oneguycoding.com
# Version: unknown (ubuntu version 1.0)
# Created On: Wednesday, 10 November 2004
#
# This module will scan the directories listed below and
# verify them against MD5 hashes of every file it finds
# in the file md5.log

use File::Find;
use Digest::MD5;

umask 0077;

$verbose=0;
$check_rpm = 0;
$update_changed = 1;

$md5dir="/var/log";
$md5file="$md5dir/md5.log";

@flist=();
find(\&findfile, '/sbin' );
find(\&findfile, '/bin' );
find(\&findfile, '/lib' );
find(\&findfile, '/boot' );
find(\&findfile, '/root' );
find(\&findfile, '/srv' );
find(\&findfile, '/initrd' );
find(\&findfile, '/usr/bin' );
find(\&findfile, '/usr/etc' );
find(\&findfile, '/usr/games' );
find(\&findfile, '/usr/include' );
find(\&findfile, '/usr/kerberos' );
find(\&findfile, '/usr/lib' );
find(\&findfile, '/usr/libexec' );
find(\&findfile, '/usr/local' );
find(\&findfile, '/usr/lost+found' );
find(\&findfile, '/usr/sbin' );
find(\&findfile, '/usr/tmp' );
find(\&findfile, '/usr/X11R6' );
find(\&findfile, '/etc' );
find(\&findfile, '/vmlinuz' );
find(\&findfile, '/initrd.img' );

if ( -f "$md5file" ) {
open(MD5FILE, "<$md5file") || die "Error: could not open $md5file\n";

# load the hash
while(<MD5FILE>) {
chomp;
($md5,$file) = split(':');
$md5list{$file} = $md5;
}

close(MD5FILE);
}

$update=0;
$filen=$#flist+1;
foreach $file (@flist) {

$filen--;

chomp;

$md5 = md5($file);
next if ( $md5 eq "" );

printf STDOUT "%06d:$md5:$file\n", $filen if $verbose;

next if ( $md5list{$file} eq $md5 );

if ( !defined $md5list{$file} ) {
$update=1;
print STDERR "Warning: adding $file not found in $md5file\n";
$md5list{$file} = $md5;
if ($check_rpm) {
$output = `rpm -qf $file`;
print STDERR " rpm: $output";
}
}
else {
print STDERR "DANGER: $file has changed";
if ($update_changed) {
print STDERR " (updated)\n";
$md5list{$file} = $md5;
$update = 1;
}
else {
print STDERR " (not updated)\n";
}
if ($check_rpm) {
$output = `rpm -qf $file`;
print STDERR " rpm: $output";
}
}
}

if ($update) {
open(MD5FILE,">$md5file") || die "Error: could not write to $md5file\n";

foreach $file (@flist) {
print MD5FILE "$md5list{$file}:$file\n";
}

close(MD5FILE);
}

# create file list
sub findfile {
if ( -f $_ ) {
push @flist, $File::Find::name;
}
};

sub makeFileDir
{
# recursively make a directory tree
# up to the filename in a given file path
#
# If passed this,
# /home/usrdir/Netscape/Users/usrdir/Mail/Inbox
# it creates the subdir as in,
# mkdir -p /home/usrdir/Netscape/Users/usrdir/Mail
#
# first get rid of the file
my $dir = $_[0];
my $path= "";
my $rv;

@dirs=split(/\//,$dir);
$nd=$#dirs;
for ($i = 0; $i < $nd; $i++) {
if ( length($dirs[$i]) != 0 ) {
$path="$path/$dirs[$i]";
mkdir "$path", 0755;
}
}
}

sub md5 {
my $file=$_[0];

if (open(FILE,"<$file")) {
binmode(FILE);
$fmd5 = Digest::MD5->new->addfile(*FILE)->hexdigest;
close(FILE);
}
else {
print STDERR "md5: error opening source $file\n";
return "";
}
return "$fmd5";
}

#end of script

Now run the script as root:

sudo perl md5logger.pl

Run this while you are mounted to your encrypted volume and it will be stored (reasonably) safely in the encrypted /usr/var/log folder (I suggest you tar it soon after and keep a copy somewhere safe - maybe encrypt the container it is tarred into). You may elect to add this to your login scripts (although it does take a couple of minutes to run) or you can just run it from time to time manually. It will warn you about every added file and every changed file it finds in the list of folders we have given it - which in this case is pretty much every unencrypted folder in your baseline ubuntu system. It will even report changes to the /root desktop. While many of these changes are normal (every time you enter a command from a root terminal, for example) it will at least give us a short list of files to check (if needed).
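A variant of the same check, as an added example that is not part of the original howto or of md5logger.pl: it uses SHA-256 (sha256sum) instead of MD5, also reports removed files, and never rewrites the baseline, so a changed file keeps being reported until you rebuild the manifest yourself. The function names are hypothetical and the sample tree is constructed to stand in for /etc.

```shell
#!/bin/sh
# Added example (not from the howto): file-integrity baseline with sha256sum.

# Print "hash  ./path" for every regular file under directory $1.
manifest_make() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k 2
}

# Compare directory $1 with the baseline manifest file $2.
# Prints ADDED / CHANGED / REMOVED lines; the baseline is only read.
manifest_check() {
    manifest_make "$1" | awk '
        # sha256sum prints 64 hex digits, two separator characters, the path
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        pass == 1 { old[path] = hash; next }     # baseline manifest
        { seen[path] = 1 }                       # current state (stdin)
        !(path in old)    { print "ADDED " path; next }
        old[path] != hash { print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' pass=1 "$2" pass=2 - | LC_ALL=C sort
}

# Constructed sample: a small stand-in for /etc with the init script the
# howto mentions, baselined and then modified in three ways.
demo_manifest() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/init.d"
    printf '%s\n' 'echo "..."' '$CRYPTCMD create $dst $src <&1' \
        > "$root/etc/init.d/cryptdisks"
    printf '%s\n' 'cryptohome /dev/hda2' > "$root/etc/crypttab"
    printf '%s\n' 'aes' > "$root/etc/modules"

    # Baseline is stored outside the tree being checked.
    manifest_make "$root/etc" > "$root/baseline"

    echo '# constructed modification' >> "$root/etc/init.d/cryptdisks"
    echo 'constructed new file' > "$root/etc/extra"
    rm "$root/etc/modules"

    manifest_check "$root/etc" "$root/baseline"
    rm -rf "$root"
}

demo_manifest
```

Keeping the manifest on read-only or removable media means someone who can edit the init script cannot also edit the record it is compared against.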

What follows from here is the older material from this wiki entry. They are left here because more information is always better than less, but keep in mind the old lofs system (ie the loopback filesystem many of you may be familiar with) is on its way out. I hope the above demonstrated that the new system is really much easier as well as more logical in use, but choice is better than no choice and some people might have legacy data (although I will tell you that I was unable to access the data I had encrypted under Mandrake with any system other than Mandrake, so if you are contemplating a move this might be the time to adopt the new standard). Also keep in mind "loopback" mounting of file systems is NOT recommended at all anymore. If you need only to encrypt a few files or folders there are other utilities that will allow this AND provide greater accessibility (for example, encrypted RAR files or even PGP containers).

If you are contemplating a move from one linux to another, however - and you have your encrypted data safely backed up elsewhere (at least temporarily) the following may prove helpful to you, as it would allow you to move everything to a space where it is "in the clear" but then immediately overwrite it.

1. Converting the data goes like this:

* Unmount the device to be converted: sudo umount /dev/vg01/data
* Optional: fsck the device (to be sure there are no errors to start with): sudo fsck /dev/vg01/data
* Start up the conversion process: sudo dd if=/dev/vg01/data of=/dev/mapper/crypt bs=4k
* Check the command twice as this will overwrite the contents of devices involved
* Wait, this could take some time.
* Once the conversion has finished fsck the new device again: sudo fsck /dev/mapper/crypt

This can be used in reverse to move a device from being encrypted to be plain. In addition you can use this with 2 different mappings to re-encrypt the device with either a new passphrase or with different options including cypher and key size.
Links

* http://www.saout.de/tikiwiki/tiki-index.php?page=HOWTO
* file:///usr/share/doc/cryptsetup/README.html
* http://www.saout.de/misc/dm-crypt/
* http://www.saout.de/tikiwiki/tiki-index.php

Using losetup

To begin we will create a file; this file will then be mounted as an ext3 filesystem and encrypted with some algorithm.

1. The first step is to load cryptoloop:

sudo modprobe cryptoloop && lsmod | grep cryptoloop

You should see the following output:

cryptoloop 3584 1
loop 16264 2

2. The numbers might be different but you should see both cryptoloop and loop. The next step is checking what kind of encryption algorithms we have, use the following command (notice the backticks):

sudo modinfo /lib/modules/`uname -r`/kernel/crypto/* | grep description

On a regular Ubuntu-kernel you will see something like:

description: ARC4 Cipher Algorithm
description: Blowfish Cipher Algorithm
description: Cast5 Cipher Algorithm
description: Cast6 Cipher Algorithm
description: CRC32c (Castagnoli) calculations wrapper for lib/crc32c
description: Null Cryptographic Algorithms
description: Deflate Compression Algorithm for IPCOMP
description: DES & Triple DES EDE Cipher Algorithms
description: Khazad Cryptographic Algorithm
description: MD4 Message Digest Algorithm
description: Michael MIC
description: Serpent Cipher Algorithm
description: SHA1 Secure Hash Algorithm
description: SHA256 Secure Hash Algorithm
description: SHA-512 and SHA-384 Secure Hash Algorithms
description: Quick & dirty crypto testing module
description: Twofish Cipher Algorithm

3. We will use the Twofish cypher to encrypt our 100mb file as filesystem:

dd if=/dev/zero bs=1M count=100 of=mycryptofile

4. We create the targetfile, a 100mb sized empty file. The next step is mounting the file with the losetup command using the twofish cypher (be careful, it will ask for a password, do not confuse this with sudo asking for a password. We just authenticated against sudo so sudo does not need a password. Use a new one, and remember it!):

sudo losetup -e twofish /dev/loop0 mycryptofile

5. Create the ext3 filesystem (we use ext3 because it is the best filesystem for smaller filesystems, while still having a journal):

sudo mkfs.ext3 /dev/loop0

6. Make the directory where you want to mount the file system:

sudo mkdir /mnt/cryptoloop

7. And finally mount it:

sudo mount -t ext3 /dev/loop0 /mnt/cryptoloop/

8. If you do not get any error-messages then you just created a mount point for all your confidential information. Copy files to /mnt/cryptoloop/ and they will be encrypted on the fly. To umount and disable it, use the following commands:

sudo umount /mnt/cryptoloop
sudo losetup -d /dev/loop0

How do you start using it? Repeat step 4 and 7 (*not* 5, you'll erase your data) to start using and step 8 to stop using your encrypted filesystem-in-a-file. BTW remember your password, if you forget it your data will be secure forever, for everybody.

You might want to write two functions and an alias for these steps in your ~/.bashrc like:

It's also possible to let mount do the work of calling losetup. All you have to do is to add an entry similar to the following into your /etc/fstab:

echo "mycryptofile /mnt/cryptoloop ext3 noauto,encryption=twofish,user,exec 0 0" >> /etc/fstab

Now you are able to mount/unmount the cryptoloop with a simple:

mount /mnt/cryptoloop
umount /mnt/cryptoloop

TODO

Too much information? Split into sections?

From AskoKauppi Tue Dec 21 14:01:50 +0000 2004 From: Asko Kauppi Date: Tue, 21 Dec 2004 14:01:50 +0000 Subject: Message-ID: <20041221140150+0000@https://www.ubuntulinux.org>

First of all, a great document, thanks.

Yes, it could do with some restructuring; I'd remove the (old) losetup section altogether, or at least move it to another doc. It only distracts here.

Also, the main 'thread' sort of has two solutions in one. Compare 'crypt', 'cryptohome', they're really the same thing? First samples go with 'crypt', then move to doing essentially the same with 'cryptohome' and 'cryptoswap'. This was not so obvious at first? Maybe add a "if you .. goto chapter .." to highlight this?

The only real issue (and this is Ubuntu code, not this doc) was:

1. Empty lines in /etc/crypttab

Currently, the /etc/init.d/cryptdisk script expects any non-data lines to be comments ('^#'). It should allow for empty lines, too:

grep -v '#' < $TABFILE | grep -v '^$' | while read dst src key opt; do

Without this, empty lines in '/etc/crypttab' will cause weird "missing parameter" output in bootup. Non-destructive, but gives the "oops, all is not as it should!" feeling. Anyhow, this should be fixed?

-ak

From FrankHansen Fri Jan 14 19:40:14 +0000 2005 From: Frank Hansen Date: Fri, 14 Jan 2005 19:40:14 +0000 Subject: Extra Partition? Message-ID: <20050114194014+0000@https://www.ubuntulinux.org>

Hi,

just wanted to ask if I understand this: In the "Using dm-crypt" part I have to use an extra partition? Meaning: This doesn't work with a Ubuntu installation where Ubuntu uses all the space on my harddisc? And if so: Is there a workaround (like a loopback device with dm-crypt that a normal user can use without sudo-ing)?

From TobiasHunger Sat Apr 9 23:12:07 +0100 2005 From: TobiasHunger Date: Sat, 09 Apr 2005 23:12:07 +0100 Subject: Re: Extra Partition? Message-ID: <20050409231207+0100@www.ubuntulinux.org>

You can use any blockdevice with dm-crypt. This can be a partition on your disk, RAID or LVM as well as a file mounted loop-back. In fact the crypttab allows for file to be given and sets up a loopback device for it, passing that to the dm-crypt config program.

-Hu

From NicoNobody Wed May 25 09:36:43 +0100 2005 From: Nico Nobody Date: Wed, 25 May 2005 09:36:43 +0100 Subject: The "Unable to find swap-space signature" message Message-ID: <20050525093643+0100@https://www.ubuntulinux.org>

To fix this error, run sudo mkswap /dev/mapper/name-of-your-encrypted-swap. The HOWTO is fixed :-)

Another very useful howto, which looks easier for encrypting your home dir: here

https://wiki.ubuntu.com/EncryptedFilesystemHowto
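
Asko Kauppi's comment above asks for the `while read dst src key opt` loop over /etc/crypttab to skip empty lines as well as comments. The following is an added example, not the Ubuntu cryptdisk init script: the function names and the sample table are constructed here, and it compares a loop fed blank lines with one fed a filtered table.

```shell
#!/bin/sh
# Added example: filtering a crypttab-style table before the
# "while read dst src key opt" loop. Not the Ubuntu init script.

# Write a constructed sample table to the path given as $1.
# It holds a comment, an empty line, a whitespace-only line and two entries.
write_sample_crypttab() {
    printf '%s\n' \
        '# <target> <source> <key> <options>  (constructed sample)' \
        '' \
        'crypt /dev/hda7' \
        '   ' \
        'cryptoswap /dev/hda3 /dev/urandom swap' > "$1"
}

# Count how often the loop body runs when only comment lines are removed.
# Blank lines still reach the loop with every field empty, which is what
# produces the "missing parameter" noise described in the comment.
iterations_comment_filter_only() {
    grep -v '^#' "$1" | {
        n=0
        while read -r dst src key opt; do
            n=$((n + 1))
        done
        echo "$n"
    }
}

# Print one "dst|src|key|opt" record per real entry.
# Comment lines (optionally indented) and empty or whitespace-only lines
# are dropped before the loop; an entry without a source device is
# reported on stderr and skipped instead of being acted on.
list_crypttab_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r dst src key opt; do
        if [ -z "$src" ]; then
            echo "skipping malformed entry: $dst" >&2
            continue
        fi
        printf '%s|%s|%s|%s\n' "$dst" "$src" "${key:-none}" "$opt"
    done
}

# Stand-alone demonstration: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tab=$(mktemp)
    write_sample_crypttab "$tab"
    echo "loop iterations with comment filter only: $(iterations_comment_filter_only "$tab")"
    echo "entries after filtering comments and blank lines:"
    list_crypttab_entries "$tab"
    rm -f "$tab"
fi
```

The second filter uses `^[[:space:]]*$` rather than `^$` so that lines containing only spaces or tabs are dropped too.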
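leal
Posts: 1119
Joined: 2005-08-29 14:49
Location: Hangzhou

#2

Post by leal » 2005-10-02 9:06

Encrypted file systems

People store all kinds of sensitive information on their computers, but even more sensitive information may also be stored, in the form of cached web pages, cookies and even browser settings, while you remain oblivious. Clicking "remember me" on a web page (note: saving your own online footprint) is a convenient browser feature, but imagine this: a thief steals your computer and so gains access to your ebay account, paypal and everything related to your email address, possibly even your bank account information. If you use a laptop the problem is more serious, because laptops are so easy to steal or lose.

Encryption can solve this problem. Always keep in mind, though, that no solution is perfect, and a determined intruder may still find a way in. Nevertheless, using encryption greatly reduces the chance of an intrusion (because without encryption, anyone who wants your data being able to get it is not a possibility but a fact). (Need Improvement)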

Keep in mind that encrypting your data WILL lock it up in a reasonably secure vault. This means if you forget your passphrase you WILL be locked out. Likewise, if you write down your passphrase and stick it on a post-it note on your monitor you might as well not use encryption at all. Encryption is a tool, not a black box solution to protecting your privacy.
A Bit of Theory

Please remember that any numbers used here are made up on the fly. They are meant as an exercise of the mind and to give a feeling for the numbers you are dealing with when using encryption. Do your own math based on your own data, habits and requirements if you need to rely on encryption: It is your data you are protecting and your problem should it get out into the open.

From what I know at this point in time the encryption routines employed by the Linux kernel are secure and trustworthy. I have not examined them in depth, so do not blame me if they are not. But this does not mean that your data will stay secure for all times once encrypted: If somebody discovers a flaw in the algorithm used, then your data might end up in the open. If somebody discovers a flaw in the implementation, then your data might end up in the open. If somebody comes up with a breakthrough in technology and/or math, then your data might end up in the open. If you are stupid and lose your keys, then your data will be lost unless somebody finds a flaw in the algorithm or implementation of the crypto engine or someone makes a breakthrough in technology or math.

You have been warned.
Last edited by leal on 2005-10-08 15:07; edited 1 time in total.

millenniumdark
Forum moderator
Posts: 4159
Joined: 2005-07-02 14:41
System: Ubuntu 14.04 (Kylin)

#3

Post by millenniumdark » 2005-10-05 20:23

because if you don't use encryption there isn't a chance your data is available to anyone who wants it - it's a matter of fact

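This sentence means that with encryption, whether it is available is still a chance; without encryption it is no longer a chance, it is a certainty.

it refers to "your data is available to anyone who wants it"
leal wrote: because if you do not use encryption, your data has no chance of being provided to anyone who wants it
So by that reading, not encrypting is the safest?

Because, if you do not encrypt, anyone who wants your data being able to get it is not a possibility but a fact.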
leal
Posts: 1119
Joined: 2005-08-29 14:49
Location: Hangzhou

#4

Post by leal » 2005-10-08 15:05

great! :)
leal
Posts: 1119
Joined: 2005-08-29 14:49
Location: Hangzhou

#5

Post by leal » 2005-10-10 19:01

I will be rather busy for a while, so I may not be able to finish this one. Could someone with time please take it over :)

xiechy
Posts: 1074
Joined: 2006-01-18 15:01

#6

Post by xiechy » 2006-01-18 15:07

I am new here; I have just finished the TOEFL and already passed the GRE writing section, so let me test my level.

xk.leng
Posts: 57
Joined: 2006-01-09 22:53

#7

Post by xk.leng » 2006-01-19 11:32

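xiechy wrote: I am new here; I have just finished the TOEFL and already passed the GRE writing section, so let me test my level.
An expert! :lol: :lol:

xiechy
Posts: 1074
Joined: 2006-01-18 15:01

#8

Post by xiechy » 2006-02-13 16:25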

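There was too much going on over the holiday and I could not finish the translation. I am posting the part that is done first. This is my first time, so comments are welcome. If the rest is not needed urgently I will continue; otherwise, classes have started now and I cannot go fast.

xiechy
Posts: 1074
Joined: 2006-01-18 15:01

#9

Post by xiechy » 2006-02-13 16:26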

Keep in mind that encrypting your data WILL lock it up in a reasonably secure vault. This means if you forget your passphrase you WILL be locked out. Likewise, if you write down your passphrase and stick it on a post-it note on your monitor you might as well not use encryption at all. Encryption is a tool, not a black box solution to protecting your privacy.
A Bit of Theory

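Keep this point in mind: encrypting your data is like locking it in a vault. This means that once you forget your passphrase, you yourself will be unable to get at it. Likewise, if you write the passphrase on paper and stick it on your monitor, you might as well not use encryption at all. Encryption is only a tool, not a black-box solution for protecting your personal privacy.
A bit of theory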

Please remember that any numbers used here are made up on the fly. They are meant as an exercise of the mind and to give a feeling for the numbers you are dealing with when using encryption. Do your own math based on your own data, habits and requirements if you need to rely on encryption: It is your data you are protecting and your problem should it get out into the open.

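Please remember that any numbers used here were written down in a hurry. They are only an exercise of the mind and a way to give a feeling for the numbers you are handling when using encryption. If you need to rely on encryption, do the calculations with your own numbers, habits and requirements: it is you who must protect your own data, and the problem to be solved is your own. (Note: this part is hard to translate; I am not sure whether this is appropriate.)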

From what I know at this point in time the encryption routines employed by the Linux kernel are secure and trustworthy. I have not examined them in depth, so do not blame me if they are not. But this does not mean that your data will stay secure for all times once encrypted: If somebody discovers a flaw in the algorithm used, then your data might end up in the open. If somebody discovers a flaw in the implementation, then your data might end up in the open. If somebody comes up with a breakthrough in technology and/or math, then your data might end up in the open. If you are stupid and lose your keys, then your data will be lost unless somebody finds a flaw in the algorithm or implementation of the crypto engine or someone makes a breakthrough in technology or math.

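As far as I know at this point, the encryption routines used by the Linux kernel are secure and trustworthy. I have not examined this in depth, so do not blame me if they are not. But this does not mean that once your data is encrypted nothing can go wrong: if someone discovers a flaw in the algorithm used, your data will end up decrypted. If someone discovers a flaw in the implementation of the algorithm, your data will end up decrypted. If someone makes a breakthrough in technology or mathematics, your data will end up decrypted. In other words, if you are careless and forget the decryption key, you have lost your data, and then you can only hope that someone finds a flaw in the algorithm or in the encryption engine's implementation, or makes a breakthrough in technology or mathematics.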

You have been warned.
How does Linux encrypt my data?


You have been warned.
How does Linux encrypt my data?

Traditionally in Linux a beefed-up loopback device was used to mount a file. This loopback device then did de-/encrypt the data passing through to it. There were several different and incompatible versions of these loopback encryption engines, most supporting only one crypto algorithm.

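Traditionally, Linux used a beefed-up loopback device to mount a file. This loopback device then encrypted and decrypted the data passing through it. There were many different and mutually incompatible encryption engines of this kind, most of them supporting only one encryption algorithm.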

With the Linux 2.6 kernel the cryptoloop system was deprecated and might get dropped from the mainline kernels altogether at some point in the 2.6 development cycle. Its functionality is incorporated into the DeviceMapper, a generic framework used to map one blockdevice into another. Apart from encryption this DeviceMapper is the foundation of LVM, software RAIDs and offers additional features like doing snapshots of filesystems.

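With the Linux 2.6 kernel, the cryptoloop system was criticized and may be removed entirely from the mainline kernel at some point in the 2.6 development cycle. Its functionality is merged into the DeviceMapper (a generic framework for mapping one block device onto another). Besides encryption, this DeviceMapper is also the foundation of LVM, software RAIDs, and additional filesystem features such as taking snapshots.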

So how does DeviceMapper work?

So how does DeviceMapper work?

The DeviceMapper is a filter, processing data passed in from a virtual blockdevice it provides, before passing it on to another blockdevice.

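The DeviceMapper (device mapping program) is a filter: it provides a virtual block device, and data must pass through this filter before going from that virtual device on to another block device.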

When used to encrypt data the DeviceMapper is used to create a new blockdevice in /dev/mapper/. This virtual device can be used like any other blockdevice you have on your system (/dev/hdaX, etc). All data passed to this device is encrypted by the DeviceMapper (or better the dm-crypt module of it) using a symmetric encryption algorithm like AES. The encrypted data is then written to another blockdevice that does actually store the data.
So I can not use a file to hold my encrypted data? You keep referring to blockdevices...

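When used to encrypt data, the DeviceMapper customarily creates a new block device in /dev/mapper/. You can use this virtual device just like any other block device on your system (for example /dev/hdaX). All data passing through this device is encrypted by the DeviceMapper (more precisely, its dm-crypt module) using a symmetric encryption algorithm (such as AES). The encrypted data is then written to another block device that actually stores the data.
So I cannot use a file to hold my encrypted data? You keep mentioning block devices...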

You need a blockdevice for the DeviceMapper. Nobody stops you turning a file into one by using the (unencrypted) loopback facility. The loopback system will stay in the mainline kernel, even though the encryption functionality that was used to be build into it is removed.
OK, which encryption engines does the DeviceMapper support?

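For the DeviceMapper you need a block device. Nobody stops you from turning a file into a block device by using the (unencrypted) loopback mechanism. This loopback system stays in the mainline (development) kernel, even after the encryption functionality originally built into it has been removed.
OK, which encryption engines does the DeviceMapper support?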

You can choose all those provided by the crypto-modules of your kernel. The Ubuntu-Kernels come with the full set, including Twofish, AES, DES and others.
Which of those engines should I choose?

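You can choose freely among those provided by your kernel's crypto modules. The Ubuntu kernels have the full set, including Twofish, AES, DES and others.
Which of these engines should I choose?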

I recommend AES. It is reasonably fast and believed to be secure. Avoid DES, it is considered too weak to offer decent protection nowadays.
How many bits should the key used by the algorithm have?

I recommend AES. It is quite fast and believed to be secure. Do not use DES; nowadays it is considered unable to provide effective protection.

This depends on your needs for security: A longer key is more secure, but it takes longer to de-/encrypt data using it.

This depends on your security needs: a longer key is more secure, but it also costs the system more time for encryption and decryption.

With a good crypto algorithm an attacker must use brute force: He has to generate each key and then has to try to unlock the encrypted data with it. So the number of possible keys directly gives the average time needed to break the encryption. So let us play a bit with some numbers:

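With a good encryption algorithm an attacker must use brute force to break it: he has to generate every decryption key and then use it to try to decrypt the encrypted data. So the number of possible decryption keys directly determines the average time needed to break it. So let us talk about these numbers.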

A 256bit key gives about 10^77 (a 1 followed by 77 zeros) different keys while a 128bit key has "only" about 10^38 (a 1 followed by 38 zeros). At the moment a PC can generate and test about 3*10^5 (3 followed by 5 zeros) keys per second. So breaking a 128bit key will take about 10^25 years (1 followed by 25 zeros), which is longer than the universe exists. That should be secure enough for most users.

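A 256-bit decryption key comprises roughly 10^77 (a one followed by 77 zeros) different decryption keys, while a 128-bit one has "only" 10^38 (a one followed by 38 zeros). At present a PC can generate and test about 3*10^5 (a three followed by five zeros) decryption keys per second. So breaking a 128-bit key will take about 10^25 years (a one followed by 25 zeros), which is already longer than the universe has existed. This should be secure enough for most users.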

But according to Moore's Law the performance of computers will double each 18 month, so a PC will grow in performance by a factor of about 1000 each 15 years. So if you are a government and need to make sure that documents are still secret in 150 years time you must assume that a single PC will be able to generate and test 3*10^33 (3 followed by 33 zeros) at that time. So a single PC can break your 128bit key less than 30 minutes, while a 256bit key would still stall an attacker for 10^36 years (1 followed by 36 zeros).
I decided on the key size now. How do I protect the key?

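But according to Moore's Law the performance of computers doubles every eighteen months, so a PC will grow a thousandfold every fifteen years. So if you are a government agency and need documents to remain secret for 150 years, you must assume that by then one PC will be able to generate and test 3*10^33 decryption keys per second. So a single PC would already be able to break your 128-bit key within 30 minutes, while a 256-bit key would still hold an attacker off for 10^36 years (a one followed by 36 zeros).
I have decided on the key length. How do I protect the key?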

Protecting the key is vital: With it the attacker does have instant access to the data. So what can be done to protect this crucial string of bits?

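Protecting the key is indispensable: with it, an attacker can get at the data immediately. So what can be done to protect this crucial string of bits?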
1.

You can use a "one-time key" that is changed at each startup. These keys are usually created by reading /dev/Xrandom during dm-crypt setup. No key is stored this way and no passphrase needed, but this method can only be used on filesystems that can be formatted at each reboot (like swap or maybe /tmp if you do not want to retain the information stored there). Using suspend to disk will be impossible with one-time keys used on the swap device.

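You can use a "one-time key" that changes at every startup. These keys are usually created by reading /dev/Xrandom during dm-crypt setup. In this method no key is stored and no passphrase is needed, but this mode can only be used on filesystems that are formatted at every reboot (for example the swap partition or possibly /tmp, if you do not want to keep the information there). With one-time keys on the swap device, suspend to disk will not be usable.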

2.

You can store the key on removable storage. That way it is only accessible when needed. Your data is in the open when the storage is stolen or copied.
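You can store the key on removable storage. In this method it is accessible only when needed. Once that storage is stolen or copied, your data is exposed in the open.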

3.

You can generate a hash value (== a pseudorandom number) from a keyphrase and use that as a key. The key is not stored on media that way at all, but you can not change the passphrase (a different key is generated then). All people with access to the encrypted data need to know this passphrase. This is a bit impractical in a multi user environment.

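You can generate a hash value (== a pseudorandom number) from a passphrase and use it as a key. In this method the key is not stored on any media at all, but you cannot change the passphrase (that would generate a different key). Everyone who can access the encrypted data needs to know this passphrase. This is somewhat impractical in a multi-user environment.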

4.

You can encrypt the key. The encrypted key is stored on the computer with the encrypted device. You can change the passphrase by reencrypting the key with a different one and you can have several copies of the same key encrypted for several people.

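You can encrypt this key. The encrypted key is stored on the computer that has the encrypted device. You can change the passphrase by re-encrypting the key for a different user, and you can have many copies of the same decryption key for different people.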
5.

You can encrypt the key and store it on a removable media.
You can encrypt the key again and then store it on removable media.
6.

You can use smartcards, etc. This is the most secure option.

You can use things like smartcards. This is the most secure choice.

Unfortunately I do not have a smartcard reader, so I can not cover option 6.
I want to use a passphrase. How long does it need to be?

Unfortunately, I do not have a smartcard reader, so I cannot cover option 6.
I want to use a passphrase. How long is suitable?

If you decide to use an hash of a passphrase or want to have an encrypted key that is unlocked by a passphrase then it is crucial to pick a long and strong one. As we have seen earlier it is close to impossible to guess the key itself, but an attacker does not have to do that if he can guess the passphrase.

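If you decide to use a hashed passphrase, or want an encrypted key that is decrypted by a passphrase, then choosing a long and strong passphrase is extremely important. As we saw earlier, the chance of guessing the decryption key without other information is minuscule, but when the attacker has the encryption key he no longer needs to guess blindly.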

Let us do some more exercises of the mind: Assuming a passphrase can be made up out of letters (both cases), numbers and a limited number of punctuation. This gives about 64 different characters that can be used. 64 different characters can be encoded in 6bits. So if you were using a single letter passphrase then an attacker would need to try a maximum of 64 times to get your key. If your passphrase consists of several random letters, then each one makes the effort 64 times harder! Using words instead of a random sequence of letters makes it significantly easier for an attacker, so do not do that or make the passphrase much longer (I recommend at least doubling the length!).

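Let us do some more exercises of the imagination (note: "let us think a bit more" might be a better translation): suppose a passphrase can be made up of letters (upper and lower case), digits and a limited number of hyphens. That gives about 64 different characters to choose from. 64 different characters can be represented with a 6-bit encoding. So if you use a single-character passphrase, an attacker needs at most 64 tries to find your decryption key. If your passphrase consists of many random characters, each additional character makes the maximum difficulty of breaking it 64 times greater! Using words instead of random character sequences makes the process significantly easier for an attacker, so do not do that (use words), or else make the passphrase much longer (I recommend at least double the length, relative to not using words).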

If you have a 128bit key and want a passphrase that is as strong you need at least 22 random characters in the passphrase. For a 256bit key you need twice the length: 42 characters. A really strong random 8-letter password gives a maximum of 2^40 or 10^12 (a 1 followed by 12 zeros) different passphrases (standard not-so-random-passwords are much weaker!), which is enough to protect a 40bit key. A single fast PC should be able to try those 10^12 different passphrases in about 42days (assuming 300000 tries/s). Compare that to the 10^25 years it takes to break a 128bit key that might be protected by this passphrase.
Examples
Using dm-crypt

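If you have a 128-bit decryption key and want a passphrase of the strength you need, the passphrase must have at least 22 random characters. For a 256-bit decryption key you need double the length: 42 characters. A truly strong passphrase of 8 random characters yields at most 2^40 or 10^12 (a 1 followed by 12 zeros) different combinations (standard not-so-random passwords are much weaker!), which is enough to protect a 40-bit decryption key. A fast PC should be able to try 10^12 different passphrases within 42 days (assuming 300000 tries/s). By comparison, breaking a 128-bit key that is meant to be protected by this passphrase takes 10^25 years.
Examples
Using dm-crypt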

Ubuntu includes the latest encryption widget right in the default install, but there is no easy to use interface to this widget included in the default install. Before we can use ubuntu's encryption capabilities we must install this interface.

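The default Ubuntu install includes the latest encryption component, but the interface to the component included in the default install is not easy to use. So before we use ubuntu's encryption capabilities, we first need to install the interface.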

1.

Install cryptsetup. This is a small download, it goes quickly.

Install cryptsetup. The download is small and the process is quick.

sudo apt-get install cryptsetup

2.

Then we load some needed modules. We need the dm_mod, dm_crypt and a crypto-Module. There are a variety included in the standard ubuntu-Kernel, the most optimal is likely chosen automatically and already installed.

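Next we load some required modules. We need dm_mod, dm_crypt and a crypto module. The standard ubuntu kernel includes many of them (crypto modules), and the most suitable one should already have been selected automatically and installed.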

If you would like to verify (or if this tutorial hasn't worked and you want to double-check things) enter the following commands at a terminal:

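If you want to verify (or if this guide did not run successfully and you want to double-click them), type the following commands in a terminal.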

sudo modinfo /lib/modules/`uname -r`/kernel/crypto/* |grep description
sudo modinfo /lib/modules/`uname -r`/kernel/arch/i386/crypto/* |grep description

This will list the modules available on your machine. The aes module is actually an alias for whatever is installed on your machine. Look for something with aes in it - aes, aes-i586, aes-i386, and so forth. So long as one of these is installed you should be fine. To ensure that these modules are loaded when your computer restarts add them to /etc/modules:

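This will list all modules available on your machine. The aes module is actually an alias for whatever is installed on your machine. Look among the things with aes (in the name), such as aes, aes-i586, aes-i386, or similar. As long as at least one of these is installed, there is no problem. To make sure these modules are loaded when your computer restarts, add them to /etc/modules: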

sudo su - (to make yourself)(obtain root privileges)
echo aes >> /etc/modules
echo dm_mod >> /etc/modules
echo dm_crypt >> /etc/modules

3.

Choose the partition where you want to store the encrypted data (in this example we'll use the hard drive partition /dev/hda7) and create the cryptographic device mapper. This device is like a filter connected to the partition which automatically and transparently decrypts and encrypts the data as needed.

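Choose the partition where you want to store the encrypted data (in this example we will use the hard disk partition /dev/hda7) and create the encryption device mapper. This device is like a filter attached to the partition that automatically and transparently encrypts and decrypts as needed.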

sudo cryptsetup -y create crypt /dev/hda7

4.

Modify the /etc/crypttab and the /etc/fstab file so our crypt-device is restarted and mounted (to /crypt in our example) at boot-time. To do this we write the following lines to the files:

Modify /etc/crypttab and /etc/fstab so that our encrypted device is restarted and mounted (at /crypt in our example) at boot. To do this, we write the following commands into the files.

sudo su - (do it as root; obtain root privileges)

echo "crypt /dev/hda7" >> /etc/crypttab
echo "/dev/mapper/crypt /crypt reiserfs defaults 0 1" >> /etc/fstab

5.

Instead of directly mounting /dev/hda7 when your computer restarts, now it will first restart the encryption "filter." This means every time you restart your computer you will be required to enter your passphrase before proceeding onto a desktop login. There are other options you can enter into the /etc/fstab file which will allow you to mount and unmount your encrypted data at any time (just as you are probably used to doing with CDs and USB drives) but for now we will focus on using the partition as one might use it to encrypt /home (which we will cover more in depth later in this howto)

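Instead of directly mounting /dev/hda7 when your computer restarts, it will now first restart the encryption "filter". This means that every time you restart your computer, you need to enter your passphrase before reaching the desktop login. There are other options that you can enter into the /etc/fstab file so that you can mount or unmount your encrypted data at any time (just as you are probably used to doing with CDs or drives), but from now on we will focus on using this partition as is quite likely the case: using it to encrypt /home (later on we will cover this in more depth in this document).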

6.

Now let's create a filesystem on the mapped device:

Now let us create a filesystem on the mapped device.

sudo mkfs.reiserfs /dev/mapper/crypt

*

And you can mount the new (encrypted) drive by entering:

You can mount the new (encrypted) drive by typing the following command:

sudo mount /crypt

If you get an error message that it cannot be mounted, make sure you have the target folder created (in this example it would be the folder /crypt)

If you get an error message that it cannot be mounted, make sure you have created the target directory (in this example the directory /crypt).

sudo mkdir /crypt
sudo mount /crypt

It should now work. You can, of course, use any target folder you like. Which brings us to the next step: protecting your privacy via encryption of your home space.

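It should now be usable. Of course, you can also use any directory you like. We move on to the next step: protecting your private data by encrypting your home directory space.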

So How Do I Encrypt My Home Directory?

So how should I encrypt my home directory?

People often ask about how to encrypt their /home directories. This is a good precaution, but not terribly meaningful by itself. For example, if you use kde you will find all sorts of cached webpage information in the /var folder! File system names, user information - all sorts of clues get stored in various other folders on your system. Many experienced admins take this to the next level and encrypt their entire linux installation, leaving only a small /boot partition available to anyone without the passphrase. While this is certainly a valid method, it is also much more complex and not at all easy to do at this point without purchasing non-free (and therefore unverifiable) security products such as drivecrypt or bestcrypt.

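People often ask how to encrypt their /home directory. This is a good precaution, but by itself it does not mean very much. For example, if you use kde, you will be able to find all the cached web page information in the /var directory! File system names, user information: the same goes for all the clues that get stored in numerous other directories on your system. Many experienced administrators go a step further and encrypt their entire Linux system, leaving only a small /boot partition unencrypted. This is indeed an effective approach, but it is also more complex and not at all easy to achieve without purchasing non-free (and therefore unverified) security products (such as drivecrypt or bestcrypt).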

A very good compromise is to encrypt all the folders that are likely to contain data as opposed to system files. These include /tmp, /home, /var, /temp (some systems have both) and the often overlooked /swap partition. On many systems this will also include /root, since that is the root user's desktop and is not stored in /home. Problem is if we lock this away and need to reboot the system without mounting the encrypted volume, we may find a system that doesn't work at all. Fortunately there are ways to overcome this, which we will (again) cover later.

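A good compromise is to encrypt all directories that are likely to contain data as opposed to system files (meaning non-user information). This includes /tmp, /home, /var, /temp (some systems have both (meaning in addition to /tmp)) and the often overlooked /swap partition. On many systems this also includes /root, because that is the root user's home directory and is not under /home. The problem is that once we lock this away and restart the computer without the encrypted volume mounted, we will find the system does not work at all. Fortunately there are ways to overcome this, which we will (again) cover later.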

So, how to encrypt all this stuff without having to enter five passphrases every time we restart? Some howtos suggest using one "master" partition (usually /home) that contains "key files" which are used to successively unlock the other partitions. There are a couple of problems with this method: first, if one of those files (usually filled with random gibberish so as to make them "unguessable") is damaged it can render the whole system useless until a restore operation is performed (and how often do YOU backup your system?) The other problem is it isn't really "secure" at all since any time your /home partition is mounted the "keys" to all those other partitions are available to anyone who can get access to your computer (even remotely). This is really only slightly different than using those post-its we mentioned earlier.

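So, how do we encrypt all of the above (directories) without having to enter a passphrase five times at every restart? Some tutorials suggest using one "master" partition (usually /home) containing "key files", that is, files that can successively unlock the other partitions. There are several problems with this approach: first, once one of these files (usually filled with random junk to make them "unguessable") is damaged, the whole system becomes unusable until a restore is performed (and how often do you back up your system?). The other problem is that it is not really "secure" at all, because whenever your /home partition is mounted, the "keys" to those other partitions are available to anyone who can access your computer (even remotely). This is really only slightly different from the "passphrase stuck on the monitor" we mentioned earlier.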

A better method (although a bit harder to follow) is to stick everything in one partition and mount that. But if we try to use a partition like /encrypted then we will find nothing works, since all those symbolic links to places like /usr/lib are broken. The folder for X11, for example, contains dozens of relative links that will break if we try to just move the /usr partition after the system has been built.

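A better method (although somewhat harder to carry out) is to put everything on one partition and then mount that partition. But if we try to use a partition such as /encrypted, we will find it does not work, because the symbolic links to be placed (such as those under /usr/lib) are broken. For example, the directory used by X11 contains a great many relative links, and if we merely try to move the /usr partition after the system has been built, these links will break.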

So, we move everything to the one partition that cannot be easily moved: the /usr partition. Then we link everything we moved back to the root folder. If this all sounds complicated don't sweat it, there's a script available that will make it relatively easy. All we need to do is partition the system properly and follow the steps outlined above, reboot and run the script, then kick back with our newly protected system.

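So we move everything into the one partition that cannot easily be moved: the /usr partition. Then we link everything we moved back into the root directory. It sounds complicated, but do not worry, there is a script available that makes this relatively easy. All we have to do is partition the system properly and follow the steps below, reboot and run the script, and then we have our newly protected system.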

Partitioning the System

Partitioning the system

In order to build a properly protected system (the easy way) we need three partitions: a root, or / partition where everything else lives, a swap partition (encrypted), and a partition for our /home (which will actually be /usr/home). This means finding (or creating) three partitions during or after the installation of ubuntu. If you are putting ubuntu on its own disk this will be relatively easy. If you're one of those undecided souls who cannot commit to making ubuntu your only desktop, this part may not be quite as easy. At any rate that comes under the heading "installation" and is the subject of another howto.

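To build a properly protected system (the easy way), we need three partitions: a root partition, or / partition, where everything lives, a swap partition (encrypted), and a partition for our /home directory (actually /usr/home). This means finding (or creating) these three partitions during or after the ubuntu installation. If you put ubuntu on a disk of its own, this will be relatively easy. If you are one of those undecided souls who dare not make ubuntu the sole desktop system, this part is not so easy. In any case, this belongs under "installation" and is the subject of another tutorial.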

Here is an example of how you would partition the system in order to use the easy-does-it script:

Below is an example of how you would partition the system in order to use the easy-does-it script:

partition    mount point    fs type
/dev/hda1    /              reiserfs
/dev/hda2    /zzz           ext2
/dev/hda3    swap           swap

Note the partition called /zzz. This is important! The script will look for this later and convert it to /usr. Why don't we make it /usr now? Because we want the system to be bootable even without the encrypted partition mounted. We will create the new /usr space, then swap it out from under the system like a three card monty dealer.

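Note that this partition is called /zzz. This is important! The script will search for this name later and turn it into /usr. Why do we not name it /usr now? Because we want the system to be bootable even when the encrypted partition is not mounted. We will create the new /usr space and then swap it in like a street card-game dealer.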

Assuming you now have your partitions created, let's setup the encryption filters and launch the script.

Assuming you have now created your partitions, let's install the encryption filters and run the script.

First, the encrypted swap. This is incredibly easy (and a good example of why you should use the device mapper for encryption in ubuntu and stop using the old loopback system).

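First, encrypt the swap partition. This step is unbelievably easy (and it is also a good example of why you should use the device mapper in ubuntu for encryption instead of the old loopback system).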

Enter these commands at your terminal:

Enter the following commands in your terminal:

sudo swapoff /dev/hda3    # to unmount the drive (turn off the swap device)
sudo cryptsetup -d /dev/urandom create cryptoswap /dev/hda3
sudo mkswap /dev/mapper/cryptoswap -L accessisdenied -v1

Keep in mind /dev/hda3 is only used here because it suits our example installation. Use whatever partition you set aside for swap during the installation we just covered.

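Note that /dev/hda3 is used here only because it fits our sample setup. Substitute the partition number of the swap partition from the installation setup described earlier.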

The above line tells our system to use the linux random number generator /dev/urandom to create a random key for swap when we reboot. Now, like any digital system this isn't really going to be completely random, but it's close enough (we hope) and avoids having to enter an extra passphrase every time we reboot. There are other methods (like using /dev/video0 if you have a tuner card, or using external random number generators) but those are well outside the scope of this tutorial.

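The command line above tells our system to use the linux random number generator /dev/urandom to create a random key for swap when we reboot. Now, no digital system can be completely random, but it is close enough (we hope), and it avoids an extra passphrase that we would otherwise have to type at every reboot. There are other methods (for example /dev/video0 if you have a TV tuner card, or an external random number generator), but these are outside the scope of this guide.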

Now we will create another mapped device for the encrypted user space. This one is a bit more important and we definitely do NOT want to forget the passphrase, so we have the program ask us twice to confirm the new passphrase:

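Now we will create another mapped device as the encrypted user space. This step is a bit more important, and we definitely do not want to forget the passphrase, so we have the program ask us twice to confirm the new passphrase.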

sudo umount /zzz    # again, make sure nothing's open to /zzz
sudo cryptsetup -y create cryptohome /dev/hda2

DO NOT forget this passphrase (at least not until you want to!)

Never forget this passphrase (at least not until you want to)

So now we have both the "mapper" devices for our new system. All we need to do is configure it to actually use them after a reboot:

Now we have the two "mapper" devices our new system needs. All we have to do is configure the system so that it actually uses them after a reboot.

sudo mkfs.reiserfs /dev/mapper/cryptohome    # follow the prompts
sudo su -
echo 'cryptohome /dev/hda2' >> /etc/crypttab
echo 'cryptoswap /dev/hda3 /dev/urandom swap' >> /etc/crypttab

And then to make the system mount these mapped encryption devices, we edit the file /etc/fstab. The friendly, non geeky way to do this is to open a root terminal (or sudo) and type "gedit /etc/fstab". You should see something like this:

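Next, to make the system mount these mapped encrypted devices, we edit the /etc/fstab file. The friendly, non-geek (does that mean the kind of fanatic who is obsessed with technology?) way to do this is to open a root terminal (or use sudo) and type "gedit /etc/fstab". You should see something like the following: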

# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/hda1 / reiserfs defaults 0 1
/dev/hda2 /zzz ext2 defaults 0 1
/dev/hda3 none swap sw 0 0

We want to edit this file so it looks like this:

We want to edit this file so that it looks like this:

# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/hda1 / reiserfs defaults 0 1
/dev/mapper/cryptohome /zzz reiserfs defaults 0 1
/dev/mapper/cryptoswap none swap sw 0 0

Note that all we did was change the "type" of our home partition to use the more advanced reiserfs, and changed the two "file system" entries to point to the mapped virtual devices instead of the physical hard drive partitions.

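Note that all we did was change the "type" of our home partition to the more advanced reiserfs format, and change the other two "file system" entries to point to the mapped virtual devices instead of the former physical hard disk partitions.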

At this point we have done nothing that should alter your system's ability to restart. So, restart your system and test it out! Don't forget you will be prompted for at least one passphrase this time.

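At this moment, before the system restarts, there is nothing we can do. So restart your system and test (whether the system now has encryption)! Don't forget that this time you will be prompted for a passphrase at least once.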

Finishing up

Finishing up

Hopefully your system restarted well and you now see an encrypted /zzz partition in your root folder. Double check this by opening the folder in nautilus and noting the "free disk space" number. Does it change when you enter the /zzz folder? It should - if it doesn't recheck your /etc/fstab and /etc/crypttab files and see where you went wrong. Open Nautilus and browse to /dev/mapper and make sure you have those two mapped devices cryptohome and cryptoswap.

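If all goes well, your system will restart normally and you can now see an encrypted /zzz partition in your root directory. Double-click this directory in nautilus and note the "free disk space" figure. Does it change when you enter the /zzz directory? It should; if it does not, check your /etc/fstab and /etc/crypttab files and see what went wrong. Open nautilus, browse to /dev/mapper, and make sure you have the two mapped devices cryptohome and cryptoswap.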

If all is well otherwise, it's a downhill coast from here. We will be using the scripts below, but because of errors introduced by the wiki I suggest you download this script package and untar it.

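Otherwise, if everything is fine, it is all downhill from here (meaning it will go smoothly). We will use the script below; because of errors introduced by the wiki, I suggest you download the script package and unpack it.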

http://poptones.f2o.org/buildsafe-md5-ubuntu.tar.gz

#!/bin/sh
# Module : buildsafe
# Version : 0.1
# Author : "Poptones"
# Created On : Tuesday, September 28 2004
#
# This will build an encrypted userland file system from
# an encrypted partition called /zzz.

if [ `grep 'zzz' /etc/mtab -c` -gt 0 ]; then

    # NOTE: there is some sort of bug in the wiki that is causing a ? to appear in the above line
    # and I cannot get it to go away. This script will not work until you remove it!

    #if we have already run this script don't do this part again!
    if [ ! -d /usr/var ]; then

        #NOTE AGAIN; see above comment. There is supposed to be NO ? in the above line!

        echo 'editing /etc/fstab to mount /zzz at /usr'
        cp /etc/fstab /etc/fstab.zzz
        sed 's/zzz/usr/g' /etc/fstab.zzz > /etc/fstab

        echo 'moving /var partition to /usr/var...'
        cp --preserve=all -r /var /usr
        echo -n 'done'

        echo 'moving /home partition to /usr/home...'
        cp --preserve=all -r /home /usr
        echo -n 'done'

        echo 'moving /tmp partition to /usr/tmp...'
        rm -rf /usr/tmp
        cp --preserve=all -r /tmp /usr
        cd /usr/var
        rm -rf tmp
        ln -s ../tmp ./tmp
        cd /
        echo -n 'done'
        echo 'now building new /usr partition... relinking...'

        rm -rf /var
        rm -rf /home
        rm -rf /tmp
        ln -s /usr/tmp /tmp
        ln -s /usr/var /var
        ln -s /usr/home /home

        echo -n 'done'

    fi

    echo 'now moving /usr to encrypted partition...'
    echo 'please be patient. Depending on system speed'
    echo 'this may take a few minutes to more than an hour'

    cp --preserve=all -r /usr/* /zzz

    echo 'done'
    echo 'enter *reboot* for the changes to take effect'
else
    echo 'mount point /zzz cannot be found. make sure you have'
    echo 'created the mount point /zzz. If you are certain it'
    echo 'exists, run this script again after mounting it.'
fi
#file ends here

Reboot your system one more time, pressing ESC to enter the grub menu. Select "failsafe" mode and boot into single user mode, then go to your home directory (if you are not already there) Enter "ls" to get your bearings.

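Reboot your system once more and press ESC to enter the grub menu. Select "failsafe" mode to boot into single-user mode, then go to your home directory (if you are not already there) and enter "ls" to get your bearings.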

See the file you just saved? Now hold your breath and invoke it by typing

See the file you just saved? Now hold your breath and invoke the script by typing the following command:

./buildsafe

It should take off almost immediately doing all sorts of scary stuff. Moving the files WILL take some time. Don't get impatient and reboot in the middle of this script or you will find yourself having to reinstall ubuntu from scratch. This script won't overwrite any partitions you didn't give it access to, but if it's not allowed to complete it WILL munge your OS, which is the reason I strongly suggest running it on a fresh installation.

It will start right away and do all the scary work. Moving the files will take some time.

Did you get the reboot prompt? Type "reboot" and press enter, then log in again.
Using Your Encrypted System

Did you get the reboot prompt just now? Type "reboot" and press Enter, then log in again.
Using your encrypted system
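
The re-check of /etc/fstab and /etc/crypttab suggested under "Finishing up" in the post above can be scripted. This is an added example, not part of the howto or of the buildsafe package; the function name check_crypt_config and its finding labels are made up here, and the sample files are constructed from the /dev/hda layout used above.

```shell
#!/bin/sh
# Added example (not from the howto): cross-check fstab against crypttab.
# Usage: check_crypt_config CRYPTTAB FSTAB
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_crypt_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        pass == 1 {                            # crypttab fields: dst src key opt
            src[$1] = $2; key[$1] = $3; opt[$1] = $4
            backing[$2] = $1                   # raw partition -> mapping name
            next
        }
        {                                      # fstab fields: device mountpoint type ...
            dev = $1; type = $3
            if (dev ~ /^\/dev\/mapper\//) {
                name = substr(dev, 13)         # strip "/dev/mapper/"
                if (!(name in src)) {
                    print "MISSING: " dev " has no crypttab entry"; bad = 1
                } else {
                    used[name] = 1
                    # swap gets a throwaway random key at boot, never a passphrase
                    if (type == "swap" && (key[name] !~ /^\/dev\/u?random$/ || opt[name] !~ /swap/)) {
                        print "SWAPKEY: " name " needs a random key and the swap option"; bad = 1
                    }
                }
            } else if (dev in backing) {
                print "RAW: " dev " backs " backing[dev] " but is used directly"; bad = 1
            } else if (type == "swap") {
                print "PLAINSWAP: " dev " is unencrypted swap"; bad = 1
            }
        }
        END {
            for (n in src) if (!(n in used)) {
                print "UNUSED: crypttab entry " n " is not in fstab"; bad = 1
            }
            exit (bad ? 1 : 0)
        }
    ' pass=1 "$1" pass=2 "$2"
}

# Demo on constructed files: the fstab before and after the edit shown above.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'cryptohome /dev/hda2' \
                  'cryptoswap /dev/hda3 /dev/urandom swap' > "$dir/crypttab"
    printf '%s\n' 'proc /proc proc defaults 0 0' \
                  '/dev/hda1 / reiserfs defaults 0 1' \
                  '/dev/hda2 /zzz ext2 defaults 0 1' \
                  '/dev/hda3 none swap sw 0 0' > "$dir/fstab.before"
    printf '%s\n' 'proc /proc proc defaults 0 0' \
                  '/dev/hda1 / reiserfs defaults 0 1' \
                  '/dev/mapper/cryptohome /zzz reiserfs defaults 0 1' \
                  '/dev/mapper/cryptoswap none swap sw 0 0' > "$dir/fstab.after"
    echo 'fstab before the edit:'
    check_crypt_config "$dir/crypttab" "$dir/fstab.before"
    echo 'fstab after the edit:'
    check_crypt_config "$dir/crypttab" "$dir/fstab.after" && echo 'clean'
    rm -rf "$dir"
}
demo
```

On a live system the call is check_crypt_config /etc/crypttab /etc/fstab.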
mrzcs
Posts: 6
Joined: 2005-11-29 23:09
From: Tianjin
Contact:

#10

Post by mrzcs » 2006-03-16 6:29

Encrypted file-systems
Encrypted file systems

People store all kind of sensitive information on their computers, but much more sensitive information may be stored without your even realizing it in the form of cached web pages, cookies - even browser settings. Clicking "remember me" on a webpage is a convenient browser feature, but imagine a thief steals your computer and now has access to your ebay account, paypal, and everything else connected to your email address - possibly even your bank account information. This problem is magnified when using a laptop, since they are so very easy to steal or even just lose.
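People store all sorts of confidential information on their computers, but, without your realizing it, even more confidential information may be stored on the computer in the form of cached page files, cookie files and even browser settings. Clicking "remember me" on a web page is a very convenient browser feature, but imagine that a thief steals the computer: he can now get into your eBay account, Alipay, or anything else connected to your email address, even your bank account information. With a laptop this kind of problem is even more likely, because laptops are the easiest to steal and also easier to lose.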

Encryption can address this issue. Keep in mind no solution is perfect and a determined intruder might still be able to find a way in. Using encryption, however, greatly reduces the chance of this happening (because if you don't use encryption there isn't a chance your data is available to anyone who wants it - it's a matter of fact).
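Using encryption can solve this kind of problem. Remember, no method in the world is flawless, and someone determined to get into your computer can still find a way in. With encryption, however, the likelihood of this happening is greatly reduced. Because if you use encryption, someone who wants your data has almost no chance of getting it, and that is indeed the case.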

Keep in mind that encrypting your data WILL lock it up in a reasonably secure vault. This means if you forget your passphrase you WILL be locked out. Likewise, if you write down your passphrase and stick it on a post-it note on your monitor you might as well not use encryption at all. Encryption is a tool, not a black box solution to protecting your privacy.
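Remember, encrypting data is like locking it in a safe, which means that if you forget the passphrase, even you cannot get in. Likewise, if you write the passphrase on paper and stick it on a note on your monitor, you have no use for encryption at all. Encryption is only a tool, not a mysterious solution that protects your privacy.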

A Bit of Theory
A bit of theory

Please remember that any numbers used here are made up on the fly (On the run; in a hurry). They are meant as an exercise of the mind and to give a feeling for the numbers you are dealing with when using encryption. Do your own math based on your own data, habits and requirements if you need to rely on encryption: It is your data you are protecting and your problem should it get out into the open.
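Please remember that the numbers here are just made up; the purpose is to exercise the mind and give you a feel for the numbers you face when using encryption. If you need to rely on encryption, do the math according to your own data, habits and requirements. After all, it is your own data that is being protected and your own problem that has to be solved.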

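From what I know at this point in time the encryption routines employed by the Linux kernel are secure and trustworthy. I have not examined them in depth, so do not blame me if they are not. But this does not mean that your data will stay secure for all times once encrypted: If somebody discovers a flaw in the algorithm used, then your data might end up in the open. If somebody discovers a flaw in the implementation, then your data might end up in the open. If somebody comes up with a breakthrough in technology and/or math, then your data might end up in the open. If you are stupid and lose your keys, then your data will be lost unless somebody finds a flaw in the algorithm or implementation of the crypto engine or someone makes a breakthrough in technology or math.
As far as I currently know, the encryption routines called by the Linux kernel are fairly secure and trustworthy. I have not tested them further, so don't blame me if there is a problem. But this does not mean your data is safe forever once it is encrypted. If someone finds a flaw in the algorithm you use, your data may end up decrypted. If someone finds a defect in the implementation of the algorithm, your data may also end up decrypted. If someone makes a breakthrough in technology or mathematics, your data may still end up decrypted. If you are foolish enough to forget the decryption key, then unless he has not found a flaw in your algorithm, has not found a defect in the implementation of the crypto engine, and has not made a breakthrough in technology or mathematics, your data will be hard to keep.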
mrzcs
Posts: 6
Joined: 2005-11-29 23:09
From: Tianjin
Contact:

#11

Post by mrzcs » 2006-03-16 7:03

You have been warned.
You have already been warned.

How does Linux encrypt my data?
How does Linux encrypt my data?

Traditionally in Linux a beefed-up loopback device was used to mount a file. This loopback device then did de-/encrypt the data passing through to it. There were several different and incompatible versions of these loopback encryption engines, most supporting only one crypto algorithm.
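Traditionally Linux used an enhanced loopback device to mount a file and then decrypted/encrypted the data flowing through the device. There were many versions of these loopback encryption engines, incompatible with one another, and most supported only one encryption algorithm.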

With the Linux 2.6 kernel the cryptoloop system was deprecated and might get dropped from the mainline kernels altogether at some point in the 2.6 development cycle. Its functionality is incorporated into the DeviceMapper, a generic framework used to map one block device into another. Apart from encryption this DeviceMapper is the foundation of LVM, software RAIDs and offers additional features like doing snapshots of filesystems.
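With the arrival of the Linux 2.6 kernel, the cryptoloop system was gradually abandoned and may be dropped from the mainline kernel altogether at a suitable point in the 2.6 kernel development cycle. Its functionality has been integrated into the device mapper (DeviceMapper), a framework that maps one block device onto another. Besides encryption, the device mapper is also the basis of logical volume management and software RAID, and it provides additional features such as taking snapshots of file systems.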
Aries
Posts: 80
Joined: 2005-11-25 17:00

#12

Post by Aries » 2006-03-26 14:31

This is my first time translating technical literature; corrections are welcome.

The DeviceMapper is a filter, processing data passed in from a virtual blockdevice it provides, before passing it on to another blockdevice.
The device mapper is a filter that processes data passed from one virtual block device (blockdevice) to another block device.

When used to encrypt data the DeviceMapper is used to create a new blockdevice in /dev/mapper/. This virtual device can be used like any other blockdevice you have on your system (/dev/hdaX, etc). All data passed to this device is encrypted by the DeviceMapper (or better the dm-crypt module of it) using a symmetric encryption algorithm like AES. The encrypted data is then written to another blockdevice that does actually store the data.
So I can not use a file to hold my encrypted data? You keep referring to blockdevices...
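When encrypting, the device mapper creates a new block device (blockdevice) under the /dev/mapper/ directory. This virtual device is like the other devices on your system (for example /dev/hdaX, etc.). All data sent to this device has been encrypted by the device mapper (or better, the dm-crypt module) using a symmetric encryption algorithm such as AES. This encrypted data is then written to another block device that actually stores it. So a file cannot be used to store encrypted data? You need a block device.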
You need a blockdevice for the DeviceMapper. Nobody stops you turning a file into one by using the (unencrypted) loopback facility. The loopback system will stay in the mainline kernel, even though the encryption functionality that was used to be build into it is removed.

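You need to provide a block device to the device mapper (DeviceMapper). Nobody stops you from using the loopback facility to convert an (unencrypted) file. But the loopback facility will occupy the mainline kernel, even though its encryption functionality has been removed.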

OK, which encryption engines does the DeviceMapper support?
So which encryption engines does the device mapper (DeviceMapper) support?

You can choose all those provided by the crypto-modules of your kernel. The Ubuntu-Kernels come with the full set, including Twofish, AES, DES and others.
Which of those engines should I choose?
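You can choose any of the encryption engines provided by the kernel. The Ubuntu kernel includes all of them: Twofish, AES, DES and so on.
Which engines should I choose?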
I recommend AES. It is reasonably fast and believed to be secure. Avoid DES, it is considered too weak to offer decent protection nowadays.
I recommend AES; it is quite fast and its security is convincing. DES is not recommended, because it can no longer provide adequate protection.
How many bits should the key used by the algorithm have?

How many bits does this algorithm's key have?

This depends on your needs for security: A longer key is more secure, but it takes longer to de-/encrypt data using it.
It depends on your security needs: the longer the key the more secure it is, but it takes more time to encrypt.
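
The cipher and key-length advice in the post above can be checked against the devices that are actually mapped. This is an added example, not from the howto: it parses the crypt targets in `dmsetup table` output (name: start length crypt cipher key iv_offset device offset); the function name audit_dm_crypt, the 128-bit floor and the sample lines are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the howto): audit crypt targets from `dmsetup table`.
# Reads the table on stdin and prints "name cipher keybits verdict" for every
# crypt target. Returns 1 if any target uses DES, no cipher at all, or a key
# shorter than 128 bits (the floor is an assumption of this example).
audit_dm_crypt() {
    awk '
        $4 == "crypt" {
            name = $1; sub(/:$/, "", name)
            cipher = $5; keyfield = $6
            if (keyfield ~ /^:/) {             # keyring form ":<bytes>:<type>:<desc>"
                split(keyfield, k, ":"); bits = k[2] * 8
            } else if (keyfield == "-") {      # mapping without a key
                bits = 0
            } else {                           # hex digits, zeroed unless --showkeys
                bits = length(keyfield) * 4
            }
            algo = cipher; sub(/-.*$/, "", algo)   # "aes-cbc-plain" -> "aes"
            verdict = "ok"
            if (algo == "des" || algo == "cipher_null") verdict = "weak-cipher"
            else if (bits < 128)                        verdict = "short-key"
            print name, cipher, bits, verdict
            if (verdict != "ok") bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo on constructed table lines (keys are shown zeroed, as dmsetup prints them).
demo_audit() {
    key256=$(printf '%064d' 0)
    printf '%s\n' \
        "cryptohome: 0 20971520 crypt aes-cbc-plain $key256 0 3:2 0" \
        "legacy: 0 409600 crypt des-cbc-plain 0000000000000000 0 7:0 0" \
        "vg-root: 0 8388608 linear 8:3 2048" | audit_dm_crypt
}
demo_audit || true
```

On a live system the input comes from `sudo dmsetup table | audit_dm_crypt`.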
Aries
Posts: 80
Joined: 2005-11-25 17:00

#13

Post by Aries » 2006-03-26 15:03

An addition:
dm-crypt := a device-mapper crypto target. I could not find it at first.
A cryptographic object of device mapping.
Aries
Posts: 80
Joined: 2005-11-25 17:00

#14

Post by Aries » 2006-04-01 18:37

Taking over from xiechy; the translation is finished.
If anything is translated incorrectly, I hope you will point it out.
Aries
Posts: 80
Joined: 2005-11-25 17:00

#15

Post by Aries » 2006-04-01 18:38

Now when you open Nautilus and look at the root of your file system you should see a few slight differences. Notice how the folders /home, /var, and /tmp now have link symbols on them. You will also see the old /zzz folder left behind there. (Don't remove this, we're not done with it.) Notice how your root reports xxxx amount of free space, but when you click into /home or /var it changes. There's still a /usr partition on the other / partition, but it is mounted over or hidden when we enter the pass phrase at boot.
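Now when you open Nautilus and look at the root directory of your file system, you will see some small changes. The /home, /var and /tmp folders all have link marks on them. You will also see that the old /zzz folder is still there. (Don't delete it; we have not processed it.) Notice that your root directory reports xxx of free space in total, and that this changes when you click into /home or /var. There is still a /usr partition under the other / partition, but when we enter the command at boot it is mounted over or hidden.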
If you just press enter at boot you will still get a desktop that works, but it will be the unprotected version. So long as you don't get too wild with the upgrades while using the encrypted partition you should have no troubles going back and forth into the unencrypted desktop. Just keep in mind nothing is protected when you are using that other desktop - every image thumbnailed in every folder you click on, every website you have your system "remember," every email you fetch will remain in that unencrypted space.
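If you just hit Enter at boot, you will get a working desktop, but it is unprotected. As long as you do not upgrade wildly while using the encrypted partitions, there is no problem going into and back from the unencrypted desktop. Just remember that when you use the other desktop nothing is protected: the thumbnail of every folder (this is a guess), every website the system "remembers", and every email you receive will be stored in the unencrypted space.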
If you want to perform an upgrade to the system, just log into the "unprotected" desktop (ie reboot and press enter at the password prompt) and run the upgrade as normal. Then reboot again into failsafe mode (entering the passphrase when asked) and mount your encrypted userland to /zzz by entering the following:
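If you want to upgrade the system, log in to the "unprotected" desktop (for example: reboot and press Enter at the password prompt) and upgrade as usual. Then reboot into safe mode, and mount your encrypted userland on /zzz by entering the following: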
sudo umount /usr
sudo mount -t reiserfs /dev/mapper/cryptohome /zzz

Now run the buildsafe script again. It will see that the system has already been migrated and all the changes will be moved into your encrypted space.
Panaceas and black boxes
Now run the buildsafe script again. It will find that the system has already been migrated, and all the changes take effect in the encrypted space.
Don't forget this is NOT a perfect system. It is still vulnerable to attack by a variety of ways, the most obvious being an attack while online. If you are able to access your encrypted data then anyone else who gets into the system will be as well. If you are on dsl and you leave the system logged into your encrypted space 24/7 and you are hacked, your data is still owned and this has all been for naught. If you are doing something suspicious and you live in a place where authorities can enter your home without your knowledge, and you leave the system up and running with your encrypted userland exposed, your data is still owned. Most importantly, even if you DON'T leave the system up and running when you are not around it can still be attacked by anyone with access to the machine. The simplest method would involve nothing more difficult than replacing your initialization script that mounts the encrypted partition with a version of the script that records your keystrokes before passing them onto the cryptsetup program.
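Don't forget that this is not a complete system. It is still fragile and open to attack, and it is most easily attacked when online. If you can access your encrypted data, then anyone else who can get into the system can too. If you are on a digital subscriber line (dsl), every time you leave the system running, logged in to the encrypted space 24/7, you get attacked (I can't translate this sentence), (if you are on dsl and you leave the system logged in to the encrypted space 24/7 and you are attacked, your data still belongs to you.) the data you own will be lost. If you do something suspicious in a place where your home directory can be entered without your knowledge, and you leave the system running with your encrypted userland exposed, your data will not be lost either. (Roughly: even if someone enters your space without your knowing, your data still will not be lost.) Most importantly, even if you do not leave the system running when you are not near it, it can still be attacked by anyone who logs in to this machine. The simplest method is as simple as resetting the initial script that mounts the encrypted partition; that version of the script records your keystrokes before passing them on to the encryption program. (This is probably the reason for the data loss.)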
For example, by altering just two lines in the file /etc/init.d/cryptdisks from this:
For example: just by changing two lines in the /etc/init.d/cryptdisks file

echo "..."
$CRYPTCMD create $dst $src <&1

To something like this:
into this:
echo "..."
echo "password"
read PASSWD
echo $PASSWD >> /etc/YouAreNowOwned
$CRYPTCMD create -d /etc/YouAreNowOwned $dst $src > /dev/null

You would never realize the difference when you rebooted, and the attacker would have your pass phrase in a common text file.
When you reboot you will not notice any change, but the attacker will have your passphrase (password) in an ordinary document.

Get the idea? If someone has physical access to your machine, it's much more difficult (if not impossible) to keep them out. Now, the folks who encrypt their entire system would say "this is why encrypting the whole OS is better." But unless they are booting from a CD there's nothing to stop someone from doing exactly what's shown above. And even if they are booting from a CD there are boot sector programs and other attacks that could still come into play. In short, this system will reasonably protect your privacy - keep you safe from the kid in school or the common thief who steals your system, or the spouse you don't want seeing your collection of adult materials or your love notes to another - but it will NOT protect you from a knowledgeable attacker. If you live in a place where possession of certain types of data could cost you your freedom or your life, and you are or plan to be in possession of said data, you need a comprehensive security plan that goes well beyond the scope of this howto.
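Got it? If someone else logs in to your machine, keeping them out becomes more difficult (if not impossible). Now people who encrypt their whole system will say "this is why encrypting the whole operating system (OS) is better." But unless they boot from a CD, nothing can stop someone from doing what is described above. Even when booting from a CD with a boot-sector program, an attacker can still get into the system. In short, this system can only protect your security to a limited extent: it keeps your system safe from the kid at school or the ordinary thief (meaning a thief who steals computer information), and it keeps your collection of adult material or your love letters to someone else from your spouse, but it cannot protect you from an experienced attacker. If you hold some very important data, you need a thorough security plan that can be carried out well.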
This point cannot be stressed enough.
This point needs special emphasis.
Now, given the above truth, there are other steps we can take to help be reasonably sure our system has not been compromised. One thing we can do is make a snapshot of all the files on our system at the time it is fresh and then periodically check it for changes. And wouldn't you know it, we have a script for that as well. The following will NOT protect us from boot sector attacks, but it will keep the system fairly safe from online attacks or even from unsophisticated physical trojan attacks (which is what most people have to be more concerned about).
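Now, given the situation above, there are other steps we can take to help reasonably make sure our system has not compromised. One thing we can do is get an impression of all the system files when our system is updated, and then periodically check its updates. Don't you know, we mentioned this already. The following will not protect us from boot-sector attacks, but it will keep the system completely safe from network attacks or simple physical trojan attacks (the attacks most people care about more).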
Below is the other script we will be using (included in the package linked above).
We will use the following (included in the package linked above)
#!/usr/bin/perl
# Module: md5logger.pl
# Source: oneguycoding.com
# Version: unknown (ubuntu version 1.0)
# Created On: Wednesday, 10 November 2004
#
# This module will scan the directories listed below and
# verify them against MD5 hashes of every file it finds
# in the file md5.log

use File::Find;
use Digest::MD5;

umask 0077;

$verbose=0;
$check_rpm = 0;
$update_changed = 1;

$md5dir="/var/log";
$md5file="$md5dir/md5.log";

@flist=();
find(\&findfile, '/sbin' );
find(\&findfile, '/bin' );
find(\&findfile, '/lib' );
find(\&findfile, '/boot' );
find(\&findfile, '/root' );
find(\&findfile, '/srv' );
find(\&findfile, '/initrd' );
find(\&findfile, '/usr/bin' );
find(\&findfile, '/usr/etc' );
find(\&findfile, '/usr/games' );
find(\&findfile, '/usr/include' );
find(\&findfile, '/usr/kerberos' );
find(\&findfile, '/usr/lib' );
find(\&findfile, '/usr/libexec' );
find(\&findfile, '/usr/local' );
find(\&findfile, '/usr/lost+found' );
find(\&findfile, '/usr/sbin' );
find(\&findfile, '/usr/tmp' );
find(\&findfile, '/usr/X11R6' );
find(\&findfile, '/etc' );
find(\&findfile, '/vmlinuz' );
find(\&findfile, '/initrd.img' );

if ( -f "$md5file" ) {
    open(MD5FILE, "<", $md5file) || die "Error: could not open $md5file\n";

    # load the hash
    while(<MD5FILE>) {
        chomp;
        # split on the first ':' only, so file names containing ':' survive
        ($md5,$file) = split(':', $_, 2);
        next unless defined $file;
        $md5list{$file} = $md5;
    }

    close(MD5FILE);
}

$update=0;
$filen=$#flist+1;
foreach $file (@flist) {

    $filen--;

    $md5 = md5($file);
    next if ( $md5 eq "" );

    # pass the values as arguments so a '%' in a file name is not read as a format
    printf STDOUT "%06d:%s:%s\n", $filen, $md5, $file if $verbose;

    next if ( defined $md5list{$file} && $md5list{$file} eq $md5 );

    # a file that is not in md5.log yet has no stored hash
    if ( !defined $md5list{$file} ) {
        $update=1;
        print STDERR "Warning: adding $file not found in $md5file\n";
        $md5list{$file} = $md5;
        if ($check_rpm) {
            print STDERR " rpm: " . rpm_owner($file);
        }
    }
    else {
        print STDERR "DANGER: $file has changed";
        if ($update_changed) {
            print STDERR " (updated)\n";
            $md5list{$file} = $md5;
            $update = 1;
        }
        else {
            print STDERR " (not updated)\n";
        }
        if ($check_rpm) {
            print STDERR " rpm: " . rpm_owner($file);
        }
    }
}

if ($update) {
    open(MD5FILE, ">", $md5file) || die "Error: could not write to $md5file\n";

    foreach $file (@flist) {
        # files that could not be read have no hash to record
        next unless defined $md5list{$file};
        print MD5FILE "$md5list{$file}:$file\n";
    }

    close(MD5FILE);
}

# create file list
sub findfile {
    if ( -f $_ ) {
        push @flist, $File::Find::name;
    }
};

# ask rpm which package owns a file; the list-form pipe open keeps the
# file name away from the shell (this script runs as root)
sub rpm_owner {
    my $out = "";
    if (open(my $rpm, "-|", "rpm", "-qf", $_[0])) {
        local $/;
        $out = <$rpm>;
        close($rpm);
    }
    return defined $out ? $out : "";
}

sub makeFileDir
{
    # recursively make a directory tree
    # up to the filename in a given file path
    #
    # If passed this,
    # /home/usrdir/Netscape/Users/usrdir/Mail/Inbox
    # it creates the subdir as in,
    # mkdir -p /home/usrdir/Netscape/Users/usrdir/Mail
    #
    # first get rid of the file
    my $dir = $_[0];
    my $path= "";
    my $rv;

    @dirs=split(/\//,$dir);
    $nd=$#dirs;
    for ($i = 0; $i < $nd; $i++) {
        if ( length($dirs[$i]) != 0 ) {
            $path="$path/$dirs[$i]";
            mkdir "$path", 0755;
        }
    }
}

sub md5 {
    my $file=$_[0];
    my $fmd5;

    # three-argument open: the file name is never parsed for mode characters
    if (open(FILE, "<", $file)) {
        binmode(FILE);
        $fmd5 = Digest::MD5->new->addfile(*FILE)->hexdigest;
        close(FILE);
    }
    else {
        print STDERR "md5: error opening source $file\n";
        return "";
    }
    return "$fmd5";
}

#end of script

Now run the script as root:
Now run it as root:
sudo perl md5logger.pl

Run this while you are mounted to your encrypted volume and it will be stored (reasonably) safely in the encrypted /usr/var/log folder (I suggest you tar it soon after and keep a copy somewhere safe - maybe encrypt the container it is tarred into). You may elect to add this to your login scripts (although it does take a couple of minutes to run) or you can just run it from time to time manually. It will warn you about every added file and every changed file it finds in the list of folders we have given it - which in this case is pretty much every unencrypted folder in your baseline ubuntu system. It will even report changes to the /root desktop. While many of these changes are normal (every time you enter a command from a root terminal, for example) it will at least give us a short list of files to check (if needed).
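Run it while your encrypted volume is mounted, and it is stored (reasonably) safely in the encrypted /usr/var/log folder (I suggest you compress it right afterwards and keep a copy somewhere safe, perhaps inside a compressed encrypted file). You may choose to add this to your startup items (although it takes some time to run) or you can always run it manually. It warns you whenever a file is added or a file in the list given to it changes, which in this case is almost every unencrypted file in your basic ubuntu system. Even changes to root's desktop are reported. When there are many ordinary changes (for example, every command you run in a root terminal) it at least gives us a short list of files to check (if needed).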
What follows from here is the older material from this wiki entry. They are left here because more information is always better than less, but keep in mind the old lofs system (ie the loopback filesystem many of you may be familiar with) is on its way out. I hope the above demonstrated that the new system is really much easier as well as more logical in use, but choice is better than no choice and some people might have legacy data (although I will tell you that I was unable to access the data I had encrypted under Mandrake with any system other than Mandrake, so if you are contemplating a move this might be the time to adopt the new standard). Also keep in mind "loopback" mounting of file systems is NOT recommended at all anymore. If you need only to encrypt a few files or folders there are other utilities that will allow this AND provide greater accessibility (for example, encrypted RAR files or even PGP containers).
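What follows is the old material from the wiki. It is left here because more material is always better, but remember that the old lofs system (for example, the loopback filesystem you are familiar with) is being phased out. I hope the new system shown above really is simpler and more logical to use, but a choice is better than no choice and some people may have legacy data (although I will tell you that I could not get at any data encrypted under Mandrake with any non-Mandrake system, so if you are considering it, this may be just the time to adopt the new standard). Also remember that "loopback"-mounted file systems are no longer recommended. If you only need to encrypt some files or folders, other software supports this too (meaning encrypting files or folders) and may even support it better (for example encrypted RAR or PGP containers).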
If you are contemplating a move from one linux to another, however - and you have your encrypted data safely backed up elsewhere (at least temporarily) the following may prove helpful to you, as it would allow you to move everything to a space where it is "in the clear" but then immediately overwrite it.
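If you are planning to move from one linux to another, and your encrypted data is safely backed up (at least temporarily), the following will help you, because it lets you move everything to another "cleared" space and then quickly replace it.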
Converting the data goes like this:
Change the data like this:

* Unmount the device to be converted: sudo umount /dev/vg01/data
  Unmount the device that will be changed: sudo umount /dev/vg01/data

* Optional: fsck the device (to be sure there are no errors to start with): sudo fsck /dev/vg01/data
  Optional: fsck this device (make sure there are no errors at startup): sudo fsck /dev/vg01/data

* Start up the conversion process: sudo dd if=/dev/vg01/data of=/dev/mapper/crypt bs=4k
  Start the change process:

* Check the command twice as this will overwrite the contents of devices involved
  (Check this command twice) check the command you typed carefully, because it will replace the contents of the devices involved

* Wait, this could take some time.
  Wait, this will take some time

* Once the conversion has finished fsck the new device again: sudo fsck /dev/mapper/crypt
  When the change is finished, fsck this new device again:
This can be used in reverse to move a device from being encrypted to be plain. In addition you can use this with 2 different mappings to re-encrypt the device with either a new passphrase or with different options including cypher and key size.
This can also be used when moving a device that is being encrypted. You can also use this method in two cases: to re-encrypt the device with a new passphrase or with different options, including the translation of the password and the length of the password

Links

* http://www.saout.de/tikiwiki/tiki-index.php?page=HOWTO
* file:///usr/share/doc/cryptsetup/README.html
* http://www.saout.de/misc/dm-crypt/
* http://www.saout.de/tikiwiki/tiki-index.php

Using losetup

To begin we will create a file, this file will be then mounted as an ext3 and filesystem encrypted with some algorithm.
To begin we will create a new file; this file will be mounted in ext3 format, and the file system will be encrypted with some algorithm.
1. The first step is to load cryptoloop:
First load cryptoloop:
sudo modprobe cryptoloop && lsmod | grep cryptoloop

* You should see the following output:
You will see the following output:
cryptoloop 3584 1
loop 16264 2

2. The numbers might be different but you should see both cryptoloop and loop. The next step is checking what kind of encryption algorithms we have, use the following command (notice the backticks):
The numbers for cryptoloop and loop may be different. The next step is to check which encryption algorithms we have, using the following command (note the backticks):
sudo modinfo /lib/modules/`uname -r`/kernel/crypto/* | grep description

* On a regular Ubuntu-kernel you will see something like:
If the Ubuntu kernel is normal you will see:
description: ARC4 Cipher Algorithm
description: Blowfish Cipher Algorithm
description: Cast5 Cipher Algorithm
description: Cast6 Cipher Algorithm
description: CRC32c (Castagnoli) calculations wrapper for lib/crc32c
description: Null Cryptographic Algorithms
description: Deflate Compression Algorithm for IPCOMP
description: DES & Triple DES EDE Cipher Algorithms
description: Khazad Cryptographic Algorithm
description: MD4 Message Digest Algorithm
description: Michael MIC
description: Serpent Cipher Algorithm
description: SHA1 Secure Hash Algorithm
description: SHA256 Secure Hash Algorithm
description: SHA-512 and SHA-384 Secure Hash Algorithms
description: Quick & dirty crypto testing module
description: Twofish Cipher Algorithm

3. We will use the Twofish cypher to encrypt our 100mb file as filesystem:
We will use the Twofish translation to encrypt our 100Mb file as a file system
dd if=/dev/zero bs=1M count=100 of=mycryptofile

4. We create the targetfile, a 100mb sized empty file. The next step is mounting the file with the losetup command using the twofish cypher (be careful, it will ask for a password, do not confuse this with sudo asking for a password. We just authenticated against sudo so sudo does not need a password. Use a new one, and remember it!):
We will create an empty compressed file 100Mb in size. The next step is to mount this file with the losetup command using the twofish translation
sudo losetup -e twofish /dev/loop0 mycryptofile

5. Create the ext3 filesystem (we use ext3 because it is the best filesystem for smaller filesystem, while still having a journal):
Create the ext3 file system (we use ext3 because it is the best file system among small file systems, while still having a journal):
sudo mkfs.ext3 /dev/loop0

6. Make the directory where you want to mount the file system:
In the place where you want to mount this file system, first create a directory
sudo mkdir /mnt/cryptoloop

7. And finally mount it:
Finally mount it:
sudo mount -t ext3 /dev/loop0 /mnt/cryptoloop/

8. If you do not get any error-messages then you just created a mount point for all your confidential information. Copy files to /mnt/cryptoloop/ and they will be encrypted on the fly. To umount and disable it, use the following commands:
If there are no error messages, you have created a mount point for all your confidential information. Copy files to /mnt/cryptoloop/ and they will be encrypted automatically. Use the following commands to unmount or close it:
sudo umount /mnt/cryptoloop
sudo losetup -d /dev/loop0

How do you start using it? Repeat step 4 and 7 (*not* 5, you'll erase your data) to start using and step 8 to stop using your encrypted filesystem-in-a-file. BTW remember your password, if you forget it your data will be secure forever, for everybody.
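How will you use it? Repeat steps 4 and 7 (do not repeat 5, or you will erase your data) to use it, and step 8 to stop using it. BTW remember your password; if you forget it, your data will never be known to anyone (that is, including you, it stays secret forever).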
You might want to write two functions and an alias for these steps in your ~/.bashrc like:
You may want to write two functions in your ~/.bashrc to replace those steps:
It's also possible to let mount do the work of calling losetup. All you have to do is to add an entry similar to the following into your /etc/fstab:
You can also let mount do the job of calling losetup. (To do this) all you need to do is add the following to /etc/fstab:
echo "mycryptofile /mnt/cryptoloop ext3 noauto,encryption=twofish,user,exec 0 0" >> /etc/fstab

Now you are able to mount/unmount the cryptoloop with a simple:

mount /mnt/cryptoloop
umount /mnt/cryptoloop

*

TODO

Too much information? Split into sections?

From AskoKauppi Tue Dec 21 14:01:50 +0000 2004
From: Asko Kauppi
Date: Tue, 21 Dec 2004 14:01:50 +0000
Subject:
Message-ID: <20041221140150+0000@https://www.ubuntulinux.org>

First of all, a great document, thanks.
Yes, it could do with some restructuring; I'd remove the (old) losetup section altogether, or at least move it to another doc. It only distracts here.
Also, the main 'thread' sort of has two solutions in one. Compare 'crypt', 'cryptohome', they're really the same thing? First samples go with 'crypt', then move to doing essentially the same with 'cryptohome' and 'cryptoswap'. This was not so obvious at first? Maybe add a "if you .. goto chapter .." to highlight this?
The only real issue (and this is Ubuntu code, not this doc) was:
1. Empty lines in /etc/crypttab
Currently, the /etc/init.d/cryptdisk script expects any non-data lines to be comments ('^#'). It should allow for empty lines, too:
grep -v '^#' < $TABFILE | grep -v '^$' | while read dst src key opt; do

Without this, empty lines in '/etc/crypttab' will cause weird "missing parameter" output in bootup. Non-destructive, but gives the "oops, all is not as it should!" feeling. Anyhow, this should be fixed?
-ak
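
The empty-line problem described in the comment above, as an added example that is not part of the original comment or of Ubuntu's cryptdisk script. It goes slightly beyond the comment by also handling whitespace-only lines, indented comments, and a last line without a trailing newline; the sample crypttab content, device names, function names, and printed messages are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample crypttab; device names are made up.
write_sample_crypttab() {
    printf '%s\n' \
        '# <target> <source> <key> <options>' \
        '' \
        'cryptswap /dev/hda5 /dev/urandom swap' \
        '   ' \
        '  # indented comment' \
        'crypthome /dev/hda6 none cipher=aes' > "$1"
}

# Filter as the init script is described: only lines starting with '#'
# are dropped, so blank lines reach the loop with no fields set and an
# indented comment is treated as a mapping named '#'.
scan_comment_filter_only() {
    grep -v '^#' < "$1" | while read -r dst src key opt; do
        if [ -z "$dst" ] || [ -z "$src" ]; then
            echo "missing parameter"
        else
            echo "map $dst $src"
        fi
    done
}

# Skip inside the loop instead: read strips leading blanks, so an empty
# $dst covers empty and whitespace-only lines, and '#'* covers comments
# even when indented. The "|| [ -n "$dst" ]" keeps a last line that has
# no trailing newline.
scan_hardened() {
    while read -r dst src key opt || [ -n "$dst" ]; do
        case "$dst" in
            ''|'#'*) continue ;;
        esac
        if [ -z "$src" ]; then
            echo "missing parameter"
        else
            echo "map $dst $src"
        fi
    done < "$1"
}
```

On the constructed sample, the comment-only filter reports two "missing parameter" lines and one bogus mapping for the indented comment, while the hardened loop reports only the two real entries.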

From: Frank Hansen
Date: Fri, 14 Jan 2005 19:40:14 +0000
Subject: Extra Partition?

Hi,
just wanted to ask if I understand this: In the "Using dm-crypt" part I have to use an extra partition? Meaning: This doesn't work with an Ubuntu installation where Ubuntu uses all the space on my hard disk? And if so: Is there a workaround (like a loopback device with dm-crypt that a normal user can use without sudo-ing)?

From: TobiasHunger
Date: Sat, 09 Apr 2005 23:12:07 +0100
Subject: Re: Extra Partition?

You can use any block device with dm-crypt. This can be a partition on your disk, RAID or LVM as well as a file mounted loop-back. In fact the crypttab allows for a file to be given and sets up a loopback device for it, passing that to the dm-crypt config program.
-Hu

From: Nico Nobody
Date: Wed, 25 May 2005 09:36:43 +0100
Subject: The "Unable to find swap-space signature" message

To fix this error, run sudo mkswap /dev/mapper/name-of-your-encrypted-swap. The HOWTO is fixed.
Another very useful howto, which looks easier for encrypting your home dir: here