Here's my effort at creating a usable crypto-loop script for myself and a
couple of other laptops that I admin to.
As written, it requires a "working crypto-loop" setup, either in the 2.6.x
kernel or a patched and verified working 2.4.x kernel. My cryptoloop script
uses the serpent encryption engine, but anyother one will work if the script
is correctly modified. The default user is "ROOT". I do this because my
script runs, before a user has a chance to login. Upon first invocation, my
script will atempt to setup a fully functionaing crypto-loop to a storage
file in /crypt. It will ask for you for the desirfed size of the storage area
and a passphrase. It will use your passphrase along with an automatically
generated, random key file of 1024 bytes to encrypt the data in the storage
area. The key file is stored in /crypt. The keyfile gives you an added level
of security as it allows you to easily destroy the encryption keyfile and
thus render the storage area and it's contents useless with a command as
simple as "rm /crypt/keyfile.
I've edited my /etc/inittab to capture the ctr-alt-del key sequence and
execute a script that deletes the keyfile and unmounts the crypto-loop. I've
also renamed a number of well known shell utilities to different names and in
their place subsitued simple scrtips that removes the keyfile. unmounts the
loop and then execute the utilities that they were named for. This way, if
someone were to browse my laptop without my knowlege, I have the comfort of
knowing that the encrypted storage will be destroyed and not be easily
compromised. Once the keyfile is gone, the encrypted data is totally gone!
Beware. You've been warned.
So the bottom line is, don't forget your passphrase, never, ever write it down
and protect the keyfile while it's in your care. If you accidentally delete
the keyfile while the crypto-loop is still mounted... recover the contents
before you reboot or it's gone forever.
My script: Place it in /etc/init.d and name it crypto-loop. Add it to default
startup with "rc-update add crypto-loop default", then reboot.
Very simple, very neat and highly reliable. Please send all feed back about my
script to my email address. Thank you, enjoy.
Here's the script, beware word wrap!
#!/sbin/runscript
#
# This crypto-loop script is a complete re-write of the canned gentoo
# crypto-loop script. This script implements the functionality of the gentoo
# script and adds more. The basic differences between the two scripts are:
#
# 1 - Totally ignores the config data in /etc/conf.d/crypto-loop and instead
# uses user configureable variables in this script.
# 2 - Knows when run for the first time and provides a simple means of
# setting up an encrypted storage file system.
# 3 - Provides a simple mechanism for easily destroying the contents of the
# encrypted file system by the simple removal/deleting/shredding of a key
# file.
# 4 - Provides an easy mechanism for creating and mounting an encrypted
storage
# file system during the boot process.
#
# TIP: If at any time you find it necessary to quickly destroy the contents
# of the encrypted storage file, simply delete the key file created in
# the $cryptfile and unmount the device via the command:
# /etc/init.d/crypto-loop stop
# Be warned, once you delete that file, there is no way possible to
# remount the encrypted storage file. Unless ofcourse you keep a backup
# copy of the keyfile somewhere. But that could potentially compromise
#the security aspect of crypto-loop.
#
# To fully enable this rc script, rem out or remove the 4 lines below,
# just after the long line made up of "#" marks.
#
#
# You may edit the following variables to suit your needs.
#
cryptdir=/crypt # directory where things are stored
cryptfile=$cryptdir/cryptfile # filename where the encrypted FS is created
keyfile=$cryptdir/keyfile # filename of the randomn key file
keyfilelength=128 # length of the random key file
mountpoint=/mnt/crypt0 # mount point for user access
loopdev=/dev/loop0 # favorite loop device
encryption=serpent # favorite encryption engine
#user=$USER # who we are
user=root # who we are
mkFileSystem=mkfs.ext3 # command to format cryptfile
fileSystemType=ext3 # favorite file system type
version=1.2.0 # version tracking
# gentoo runlevel dependencies
depend()
{
need checkroot modules
before local
}
# It all starts here.
#
start()
{
local status="0"
ebegin ""
einfo "Crypto-Loop version "$version
einfo " "
#############################################################################
einfo "You must read the notes in the rc script located at
einfo "/etc/init.d/crypto-loop."
eend 1
return 1
# Sanity checks follow!!!!"
#
# test for the presence of the loop module
#
modinfo cryptoloop 1>/dev/null 2>/dev/null
if [[ $? != "0" ]]
then
einfo "The loop module was not found!"
einfo "Recompile your kernel to include loop support."
einfo ""
eend 1
return 1
fi
modprobe loop 1>/dev/null 2>/dev/null
# test for the presence of the cryptoloop module
#
modinfo cryptoloop 1>/dev/null 2>/dev/null
if [[ $? != "0" ]]
then
einfo "The cryptoloop module was not found!"
einfo "Recompile your kernel to include crypto-loop support."
einfo ""
eend 1
return 1
fi
modprobe cryptoloop 1>/dev/null 2>/dev/null
# test for the presence of the desired encryption engine
#
modinfo $encryption 1>/dev/null 2>/dev/null
if [[ "$?" != "0" ]]
then
einfo "Encryption engine named $encryption not found!"
einfo "Recompile your kernel to include it."
eend 1
return 1
fi
modprobe $encryption 1>/dev/null 2>/dev/null
# We are SANE!
# We are being run for the first time!
#
if [ ! -e $cryptfile ]
then
einfo "Attention: The crypto-loop system is not initialized!"
einfo " "
einfo "Initializing it now..."
einfo " "
einfo "What size crypto storage file in megabytes?"
einfo "(press enter to escape)"
read -t10 -p " > " newsize
einfo " "
# user entered nothing
#
if [ -z $newsize ]
then
einfo "Leaving crypto-loop initialization, nothing done..."
einfo ""
eend 1
return 1
fi
# Get the password
#
einfo "Please enter a passphrase that you will use to access this
crypto"
einfo "storage file. Typed characters are not echoed to the screen."
einfo "(press enter when done)"
read -s -t30 -n$keyfilelength -p" > " newpassphrase
echo -e ""
# The user entered nothing
#
if [ -z "$newpassphrase" ]
then
einfo "Leaving crypto-loop initialization, nothing done..."
einfo ""
eend 1
return 1
fi
# Double check the password
#
einfo "Re-enter the passphrase for verification."
einfo "(press enter when done)"
read -s -t30 -n$keyfilelength -p" > " newpassphrase1
echo -e ""
# The passwords don't match...
#
if [ "$newpassphrase" != "$newpassphrase1" ]
then
einfo "The passphrases don't match!"
einfo "Leaving crypto-loop initialization, nothing done..."
einfo ""
eend 1
return 1
fi
# create the cryptoloop storage directory
#
/bin/mkdir $cryptdir 1>/dev/null 2>/dev/null
# create the device mount point
#
/bin/mkdir $mountpoint 1>/dev/null 2>/dev/null
# Create the crypto storage directory and file
#
einfo "Creating a "$newsize" megabyte crypto storage file at:
$cryptfile."
einfo "Depending on the size of the file, this may take a while, be patient."
dd if=/dev/urandom of=$cryptfile bs=1M count=$newsize conv=sync
1>/dev/null 2>/dev/null
chmod 700 $cryptfile
einfo " "
# create a random key
#
dd if=/dev/urandom of=$keyfile bs=1 count=$keyfilelength conv=sync
1>/dev/null 2>/dev/null
chmod 700 $keyfile
# read the key and create the loop
#
key=`cat $keyfile`
echo "$newpassphrase$key" | /sbin/losetup -e
$encryption-$keyfilelength -p0 $loopdev $cryptfile
# format the new loop
#
einfo "Formatting the newly created crypto storage file system."
$mkFileSystem $loopdev 1>/dev/null 2>/dev/null
mkdir -p $mountpoint 1>/dev/null 2>/dev/null
# mount the device
#
/bin/mount -t $fileSystemType -o owner $loopdev $mountpoint 2>/dev/null
if [[ $? -eq "0" ]]
then
chown $user $mountpoint
chmod 700 $mountpoint
einfo "Active crypto loop device at: "$mountpoint" is ready for use."
key=''
newpassphrase=''
else
einfo "Unable to mount crypto loop, does it exist?"
# If it doesn't mount, assume extreme errors and remove loop
#
/sbin/losetup -d $loopdev 1>/dev/null 2>/dev/null
einfo ""
eend 1
return 1
fi
einfo " "
eend 0
return 0
fi # the end of "we are being run for the first time "
if [ ! -e $keyfile ]
then
einfo ""
einfo "FATAL ERROR!"
einfo "Crypto storage file detected, but has no key file!"
einfo "All data is lost! You'll have to clean it up by hand!"
einfo ""
eend 1
return 1
fi
key=`cat $keyfile`
einfo "Please enter your passphrase now."
einfo "Typed characters are not echoed to screen."
einfo "(press enter when done)"
read -s -t20 -n$keyfilelength -p" > " pass
echo ""
# user entered nothing
#
if [[ -z $pass ]]
then
einfo "Leaving crypto-loop initialization, nothing done..."
einfo ""
eend 1
return 1
fi
# Create the crypto loop
# For some reason losetup always reutrns 0 or success even if the password
# is wrong. Beaware of future bug fixes for losetup and then this script...
#
echo "$pass$key" | /sbin/losetup -e $encryption-$keyfilelength -p0
$loopdev $cryptfile
chown $user $mountpoint
key=none
pass=none
# Mount the crypto loop
#
/bin/mount -t $fileSystemType -o owner $loopdev $mountpoint 2>/dev/null
if [[ $? -eq "0" ]]
then
chown $user $mountpoint
chmod 700 $mountpoint
einfo "Crypto loop device at: "$mountpoint" is ready for use."
else
einfo "Unable to establish crypto loop device!"
einfo "Did you enter the correct password?"
# if it doesn't mount, assume extreme errors and delete the loop
#
/sbin/losetup -d $loopdev 1>/dev/null 2>/dev/null
einfo ""
eend 1
return 1
fi
einfo ""
eend 0
return 0
}
stop()
{
ebegin "Unmounting point: "$mountpoint
/bin/umount $mountpoint 1>/dev/null 2>/dev/null
einfo "Uncreating crypto loop: "$loopdev
/sbin/losetup -d $loopdev 1>/dev/null 2>/dev/null
einfo ""
eend 0
return 0
}
--
******************************************************************************
Registered Linux User Number 185956
http://groups.google.com/groups?hl=en&safe=off&group=linux
Join me in chat at #linux-users on irc.freenode.net
This email account no longers accepts attachments or messages containing html.
6:02pm up 105 days, 22:55, 9 users, load average: 0.07, 0.08, 0.02
--
[EMAIL PROTECTED] mailing list
