On 9/12/20 12:10 PM, rhkra...@gmail.com wrote:
> I'm thinking about putting my backup encrypted files in a LUKS filesystem within
> a file instead of on a dedicated partition (for a few reasons).
> I have two questions about that:
> * if I don't have that LUKS filesystem "mounted" and open and I write to it,
> I assume (or hope) that nothing will get written and I will get a warning or
> error message of some sort?
> * doesn't exactly apply to this situation, but, on the other hand, if my
> "source" / original / non-backup LUKS system is in a file instead of on a
> dedicated partition, and I use commands (like rsync or such) to copy the
> unencrypted files not on the LUKS system, but I use options like the ones to
> stay on the current filesystem (--one-file-system), I assume (or hope) that the
> stuff in the encrypted partition will not get copied?
I assume that you are referring to something like what is described here:
https://willhaley.com/blog/encrypted-file-container-disk-image-in-linux/
The procedure described there creates a file encrypted.img that is a luks volume
that requires a filesystem (mkfs.ext4) and mount point to be used as an encrypted
storage. If you want you can leave out --key-file mykey.keyfile and you will be
asked for a pass phrase.
Files can be copied with rsync to the mount point $HOME/Private/ and they will
be encrypted and not visible to the system after the umount and cryptsetup
luksClose commands.
In my experiment the file encrypted.img can be written to or truncated while it
is being used as a mounted encrypted volume but once you umount and luksClose
the file ALL DATA is lost! So to be safe let the file encrypted.img belong to
root (with mode 600) and let a normal user write to the mounted volume at
$HOME/Private/ after the chown command is run for the user. Once the file
encrypted.img is unmounted and closed out with luksClose it can be copied or
moved to other places like a flash drive like any other file.
Warning: If you forget to open and mount the file encrypted.img to
$HOME/Private/ and you copy files to $HOME/Private/ it will appear to work
correctly but they will not be encrypted! If you don't move the files out of
$HOME/Private/ before you correct the mistake and mount encrypted.img you will
not see those files in $HOME/Private/ until you unmount encrypted.img.
Note:
By saying mount encrypted.img I mean the 2 commands: "cryptsetup luksOpen
encrypted.img myEncryptedVolume" and then "mount /dev/mapper/myEncryptedVolume
$HOME/Private/".
The unmount encrypted.img commands are "umount $HOME/Private/" and "cryptsetup
luksClose myEncryptedVolume".
I am not an expert on cryptsetup. I have used these commands before but I was
curious to see if the system protected encrypted.img while it was being
used. I see that root can muck around with or delete encrypted.img making it
unusable so your only protections are just like other files .... backup!
--
*...Bob*
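
Added example (not part of the original message): a guard for the warning above, which refuses to copy into the mount point unless the opened LUKS mapping is really mounted there. The names myEncryptedVolume and $HOME/Private/ come from the message; the function names, the /home/bob path and the sample mounts table are constructed for illustration.

```shell
#!/bin/sh
# is_luks_mounted MOUNTPOINT MAPPER_NAME [MOUNTS_FILE]
# Returns 0 only if MOUNTS_FILE (default /proc/self/mounts) shows
# /dev/mapper/MAPPER_NAME mounted exactly on MOUNTPOINT.
# Assumption: the path has no whitespace (the kernel escapes it as \040).
is_luks_mounted() {
    mp=${1%/}                        # "$HOME/Private/" -> "$HOME/Private"
    [ -n "$mp" ] || mp=/
    dev="/dev/mapper/$2"
    table=${3:-/proc/self/mounts}
    # If mounts are stacked on one directory, the last entry is the visible one.
    awk -v mp="$mp" -v dev="$dev" '
        $2 == mp { last = $1 }
        END { if (last == dev) exit 0; exit 1 }
    ' "$table"
}

# guarded_rsync SRC MOUNTPOINT MAPPER_NAME [MOUNTS_FILE]
# Copies SRC into MOUNTPOINT only when the check above passes, so files never
# land unencrypted in the bare directory underneath the mount point.
guarded_rsync() {
    if ! is_luks_mounted "$2" "$3" "$4"; then
        echo "refusing: /dev/mapper/$3 is not mounted on $2" >&2
        return 1
    fi
    rsync -a --one-file-system "$1" "${2%/}/"
}

# Demo on a constructed mounts table (not output from a real system).
demo=$(mktemp)
printf '%s\n' \
    '/dev/sda1 / ext4 rw,relatime 0 0' \
    '/dev/mapper/myEncryptedVolume /home/bob/Private ext4 rw,relatime 0 0' > "$demo"
is_luks_mounted /home/bob/Private/ myEncryptedVolume "$demo" \
    && echo "Private: mapping mounted, ok to copy"
is_luks_mounted /home/bob/Documents myEncryptedVolume "$demo" \
    || echo "Documents: mapping not mounted, copy refused"
rm -f "$demo"
```

In real use, omit the last argument so the check reads /proc/self/mounts, e.g. `guarded_rsync ~/data/ "$HOME/Private/" myEncryptedVolume`.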