On Thursday 27 March 2003 03:59 pm, Michael MacIsaac wrote:
> Is anyone using an encrypted file system on Linux (the data is
> encrypted/decrypted between the disk and the OS)?  Is there a de facto
> standard or is this still somewhat bleeding edge with Linux?  How does it
> compare with MS EFS?  ADthanksVANCE.

I have had excellent results using encrypted filesystems built on the loopback
device under SuSE Linux. I haven't done it on zSeries yet, only on Intel, so
I can't tell you about the computational load it imposes on a zSeries CPU.

What you basically do is to take a disk, or a disk partition, and instead of
making a filesystem on it, you connect it to a loopback device (/dev/loop0...7
typically) with an encryption algorithm of your choice specified in the
loopback setup. Then you make the filesystem on the loopback device rather
than on the DASD itself. That filesystem can then be mounted in the usual
way.

Example (Intel device names, SuSE distro):

         losetup -e twofish /dev/loop0 /dev/hda5

         (You are prompted to create a password for the filesystem.
          WARNING: Not possible to change this later without a full
          backup/restore of the data.)

         mke2fs /dev/loop0
         mount /dev/loop0  /some/mount/point

To unmount,

         umount /some/mount/point
         losetup -d /dev/loop0

To remount later,

         losetup -e twofish /dev/loop0 /dev/hda5

         (Enter same password used when you created filesystem.)

         mount /dev/loop0  /some/mount/point

This also works under Reiserfs; just substitute the appropriate command
to create the filesystem in place of mke2fs. I've not tried it with
ext3, jfs, or xfs, but it probably would work with these as well. And
you can use a pre-created file instead of a DASD device or partition;
just create a file using "dd" from /dev/zero with a specific block count,
then connect the loopback device to that. This allows you to make an
encrypted virtual filesystem within an image file on top of a non-
encrypted DASD-based filesystem.

SuSE, and probably other distros, lets you select crypto filesystems
during installation. An init script called boot.crypto takes care of
the mounting of encrypted filesystems based on the contents of the
configuration file /etc/cryptotab. Passwords do have to be entered
manually, though, so you can't do a fully-automated startup.

I've never needed crypto filesystems on a mainframe, but this is great for
a Linux-based laptop in case your machine gets stolen.

Here is a (slightly dated) online reference that may help with more of the
technical concepts:

http://www.linuxsecurity.com/docs/HOWTO/Encryption-HOWTO/Encryption-HOWTO-4.html

Scott

--
-----------------------------------------------------------------------------
Scott D. Courtney, Senior Engineer                     Sine Nomine Associates
[EMAIL PROTECTED]                           http://www.sinenomine.net/
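An added example, not part of Scott's message, wrapping the create / unmount / remount steps he describes into shell functions for the image-file variant (dd an image on an unencrypted filesystem, attach it with losetup -e, mkfs and mount the loop device). The image path, loop device, mount point, cipher and block count are assumed placeholders; because the real commands need root and the cryptoloop support of that era's kernels (later kernels moved this to dm-crypt), the functions honour a DRY_RUN variable that prints the commands instead of executing them.

```shell
#!/bin/sh
# Encrypted loopback volume inside an image file, as described in the message.
# All paths below are assumed placeholders; adjust for your system.
# Set DRY_RUN=1 to print the commands instead of running them.

IMG="${IMG:-/var/crypt/secret.img}"      # image file on a non-encrypted filesystem
LOOPDEV="${LOOPDEV:-/dev/loop0}"         # loop device carrying the cipher mapping
MNT="${MNT:-/mnt/secret}"                # where the cleartext view is mounted
CIPHER="${CIPHER:-twofish}"              # cipher name given to losetup -e
BLOCKS="${BLOCKS:-65536}"                # 64 MiB of 1 KiB blocks for the image

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time creation. The password entered at the losetup prompt cannot be
# changed later without copying the data off and recreating the volume.
crypt_create() {
    run dd if=/dev/zero of="$IMG" bs=1k count="$BLOCKS"
    run chmod 600 "$IMG"                          # image holds ciphertext, keep it private anyway
    run losetup -e "$CIPHER" "$LOOPDEV" "$IMG"    # prompts for the password
    run mke2fs "$LOOPDEV"                         # filesystem goes on the loop device, not the image
    run mount "$LOOPDEV" "$MNT"
}

# Close in reverse order: unmount first, then drop the loop mapping so the
# kernel no longer holds the key.
crypt_close() {
    run umount "$MNT"
    run losetup -d "$LOOPDEV"
}

# Re-attach later with the same cipher and password; no mke2fs this time,
# or the existing filesystem would be destroyed.
crypt_open() {
    run losetup -e "$CIPHER" "$LOOPDEV" "$IMG"
    run mount "$LOOPDEV" "$MNT"
}
```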
