Encrypted Filesystem on NSLU2 with SlugOSBE


Background

The Problem

Attrition's Data Loss Archive and Database is a fantastic resource for people interested in identity theft. It gives you an idea of how careless organizations are with your personal data. Although a large number of the cases center on stolen laptops, having a desktop machine or server does not make you safe. Unknown person(s) walked into a server room for Tricare, a military medical insurance provider, and walked off with several hard drives containing all kinds of personal data: medical records, financial data, social security numbers, etc. The only way to protect the data on these drives from this type of threat is to use an encrypted file system on the drives.

The Solution

The Linksys NSLU2, affectionately known as the "Slug", is a low-cost network storage device. Through it, a network user can access the contents of the two USB-attached hard disks. However, the true power of the Slug is its ability to run Linux. Running Linux, the Slug can host a web server, MySQL, mt-daap and other assorted software. In fact, the different firmwares allow two different solutions for the data theft problem. The Unslung firmware solves the problem with an encrypted filesystem using XOR through a loopback device. This page covers that solution. The SlugOSBE firmware solves the problem with an encrypted filesystem using AES encryption through the dm-crypt software. Either solution allows you to provide file sharing services to your users while being assured that if someone steals your drives, they will not be able to easily access files and their contents.


Installing Needed Software

You need to install the cryptsetup package and the associated dm-crypt module.

# ipkg update && ipkg install cryptsetup
# echo "dm-crypt" > /etc/modutils/dm-crypt && update-modules
# /etc/init.d/modutils.sh


Configuring an Encrypted Filesystem

First you need to select a partition for your encrypted data. This partition will store your encrypted data and cannot be resized after its creation. The example below uses /dev/sdb1. Be sure to adjust your commands accordingly. Please note that the format command may take some time depending on the size of the partition, so grab some coffee.

# cryptsetup -c aes-cbc-essiv:sha256 -y luksFormat /dev/sdb1

The "-c" option specifies the cipher. In the above example, the cipher is set to AES in CBC mode with ESSIV initialization vectors derived using SHA-256 (aes-cbc-essiv:sha256). The "-y" option tells cryptsetup to query for the passphrase twice. The "luksFormat" action initializes a LUKS partition and sets the initial key either by prompting for a passphrase or via a key file specified on the command line. In this case, luksFormat will initialize the partition on /dev/sdb1 and prompt for a passphrase. Don't forget the passphrase or you will not be able to recover your data. The cryptsetup man page covers these options and more.

# cryptsetup luksOpen /dev/sdb1 $SOMENAME

The "luksOpen" action opens the LUKS partition specified by the first argument and sets up a mapping with the name given by the second argument, after successful verification of the key material supplied as either a passphrase or a key file. Replace $SOMENAME with the name of your mapping. The next step is to create the file system. The example below creates an ext3 filesystem.

# mkfs.ext3 -m0 /dev/mapper/$SOMENAME

The "-m" option specifies the percentage of the filesystem blocks reserved for the super-user. In this case, the percentage is 0. The mkfs.ext3 man page covers these options and more. The last steps mount the encrypted filesystem.

# mkdir /media/somewhere
# mount /dev/mapper/$SOMENAME /media/somewhere

The first command tells the system to create a directory /media/somewhere. The next command mounts the mapping /dev/mapper/$SOMENAME to the directory, /media/somewhere. After this command, you can access the encrypted filesystem at /media/somewhere.


Mounting File System After Reboot

When you unmount the encrypted file system, you are no longer able to access its contents. This means that after a reboot, you must run the following steps to be able to access the file system again.

# cryptsetup luksOpen /dev/sdb1 $SOMENAME
Enter your passphrase
# mount /dev/mapper/$SOMENAME /media/somewhere

You will not be able to automate this process in a boot script, as you will need to supply your partition's password in order to access it.
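
The post-reboot steps above can be wrapped in a small helper that still prompts for the passphrase interactively. This is an added example, not part of the original page: the function names and the MAPPER_DIR variable are assumptions, and it assumes the installed cryptsetup provides the isLuks and luksClose actions.

```shell
#!/bin/sh
# Added example, not from the original page. MAPPER_DIR is an assumed,
# overridable variable so the functions can be exercised without a real device.
MAPPER_DIR=${MAPPER_DIR:-/dev/mapper}

# open_crypt DEVICE NAME MOUNTPOINT: returns 0 once the filesystem is mounted.
open_crypt() {
    dev=$1 name=$2 mnt=$3 opened=no
    # Refuse anything that does not carry a LUKS header.
    if ! cryptsetup isLuks "$dev"; then
        echo "$dev is not a LUKS partition" >&2
        return 2
    fi
    [ -d "$mnt" ] || mkdir -p "$mnt" || return 3
    # Reuse an existing mapping instead of failing on a second run.
    if [ ! -e "$MAPPER_DIR/$name" ]; then
        # cryptsetup prompts for the passphrase on the terminal here.
        cryptsetup luksOpen "$dev" "$name" || return 4
        opened=yes
    fi
    if ! mount "$MAPPER_DIR/$name" "$mnt"; then
        # Do not leave a decrypted mapping behind after a failed mount.
        if [ "$opened" = yes ]; then cryptsetup luksClose "$name"; fi
        return 5
    fi
    return 0
}

# close_crypt NAME MOUNTPOINT: umount alone leaves the decrypted mapping
# under /dev/mapper; luksClose removes it.
close_crypt() {
    name=$1 mnt=$2
    umount "$mnt" || return 6
    cryptsetup luksClose "$name" || return 7
}

# Usage: script open /dev/sdb1 NAME /media/somewhere
#        script close NAME /media/somewhere
case "${1:-}" in
    open)  open_crypt "$2" "$3" "$4" ;;
    close) close_crypt "$2" "$3" ;;
esac
```

Run it as root from an interactive shell, not from a boot script, since luksOpen still needs the passphrase typed in.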