Re: [gentoo-user] [OT] Securing files in a USB stick

2005-03-07 Thread Kiawud
Excerpt for file based crypto:

7. Using a file instead of a partition

It is just as easy to create an encrypted file system within a file on
another file system. This is especially useful if you want to back up
this file by burning it to a DVD, etc. You can then easily move the
file around to other machines as well.

To initially create a 100MB file containing random data use the
following command:

dd if=/dev/urandom of=/mystuff.aes bs=1k count=10

If you want to change the size of the file, change the count value accordingly.

The above command creates 10 blocks of 1k in size, but you can
change this to whatever you like. Just make sure it is not too small
to hold the file system you chose. You can choose any file name and
path you want instead of /mystuff.aes as long as there's enough space
on the partition.

You can then create the encrypted file system within this file,
similar to the way it is done above:

losetup -e aes-256 /dev/loop0 /mystuff.aes

Now you can create the file system:

mkfs.ext3 /dev/loop0

and mount it:

mount -t ext3 /dev/loop0 /mnt/crypto

Finally, unmount and detach the loop device:

umount /mnt/crypto
losetup -d /dev/loop0

You can then mount the file system later on as follows:

mount /mystuff.aes /mnt/crypto -oencryption=aes-256
===

HTH,

-Hani
5. Setting up the loop device

Cryptoloop can be used either on a file or an entire file system. The following 
describes how to set it up on a particular partition. This partition can be any 
partition you like; the following example uses /dev/sda1. I have chosen to use 
AES as a cipher, but you can substitute any cipher you like that has been 
enabled in the kernel. You can get a list of the algorithms supported by your 
currently running kernel by looking into /proc/crypto. An excellent resource, 
discussing the different cryptographic algorithms, are Bruce Schneier's books, 
Applied Cryptography and Practical Cryptography.

   1. It is recommended that you format your partition and fill it with random 
data before you create the encrypted file system on it. This will make it 
harder for an attacker to detect patterns in your encrypted partition.

  WARNING!

  Be careful what you type here for your partition. If you do make a 
mistake, you can easily overwrite the wrong partition with random garbage!

  Filling a partition with random data can be done as follows:

dd if=/dev/urandom of=/dev/sda1 bs=1M

  You may get an error message that the device is full. You can ignore it.

   2. Select a cipher and key size. A list of ciphers supported by your kernel 
can be obtained from /proc/crypto. I recommend that you use AES with a 256-bit 
key.

   3. Set up the loop device. This is done using the losetup command from the 
util-linux package. The following command creates an encrypted filesystem using 
the loop device 0 using the AES cipher with a 256-bit key on the device 
/dev/sda1:

losetup -e aes-256 /dev/loop0 /dev/sda1

  The command prompts for a password. Select a strong password and try to 
remember it without having to stick a Post-It note to your monitor. There is 
one big downside to using Cryptoloop. Since the password is hashed to create 
the encryption key, it is not easy to change the password later on. The most 
straight-forward way of changing the password is to create a new encrypted 
partition or file and move all data into it. For this reason, make sure you 
select a strong password from the start.

   4. Create a file system. You can choose whatever file system you like. The 
following creates an ext3 file system using the loop device:

mkfs.ext3 /dev/loop0

   5. Mount the encrypted file system. First you need to create a mount point, 
such as /mnt/crypto:

mkdir /mnt/crypto

  Then you need to mount the file system. At this stage you need to tell 
mount explicitly which loop device to use:

mount -t ext3 /dev/loop0 /mnt/crypto

   6. You can now play with your encrypted file system until you are bored.

   7. Unmount the file system. After you are done playing, unmount the 
filesystem:

umount /mnt/crypto

   8. Detach the loop device. The loop device is still attached to your 
partition. Detach it with:

losetup -d /dev/loop0

6. Mounting the encrypted file system

For all operations on the Cryptoloop device, it is important that the necessary 
modules are loaded. You need to load at least the Cryptoloop module and the 
modules for each cipher with modprobe. If the features are compiled directly 
into the kernel, this is not necessary.

In order to mount the encrypted file system created above, you can use the 
standard mount command from util-linux:

mount -t ext3 /dev/sda1 /mnt/crypto/ -oencryption=aes-256

You will be prompted for the password and the file system will be mounted just 
as any other. Since the encryption option implies th
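
A preflight check for the procedure above, as an added example that is not part of the original post or the HOWTO it excerpts: it confirms the cipher is listed in /proc/crypto, refuses a target that is mounted, used as swap, or an already existing file, and prints the dd command for the requested size. The function names and the CRYPTO, MOUNTS and SWAPS override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the post or the HOWTO): checks to run before the
# dd/losetup steps. CRYPTO, MOUNTS and SWAPS are assumed override variables;
# they default to the live /proc files.
: "${CRYPTO:=/proc/crypto}" "${MOUNTS:=/proc/mounts}" "${SWAPS:=/proc/swaps}"

# True if the kernel lists cipher $1 (a "name : <cipher>" line in /proc/crypto).
cipher_available() {
    awk -v want="$1" '$1 == "name" && $3 == want { ok = 1 } END { exit !ok }' "$CRYPTO"
}

# True if device $1 is a mount source or an active swap area.
# Paths are compared literally, so pass the same name the kernel shows.
device_in_use() {
    awk -v d="$1" '$1 == d { hit = 1 } END { exit !hit }' "$MOUNTS" && return 0
    [ -r "$SWAPS" ] || return 1
    awk -v d="$1" 'NR > 1 && $1 == d { hit = 1 } END { exit !hit }' "$SWAPS"
}

# dd block count for a container of $1 MiB written with a block size of $2 bytes.
dd_count() {
    echo $(( $1 * 1024 * 1024 / $2 ))
}

# preflight TARGET CIPHER SIZE_MIB
# Prints the dd command to run, or explains the refusal and returns non-zero.
preflight() {
    target=$1 cipher=$2 size=$3
    if ! cipher_available "$cipher"; then
        echo "cipher $cipher not listed in $CRYPTO (load its module first)" >&2
        return 2
    fi
    if device_in_use "$target"; then
        echo "$target is mounted or used as swap; refusing" >&2
        return 3
    fi
    if [ -b "$target" ]; then
        # Whole partition: dd runs until the device is full, as in step 1.
        echo "dd if=/dev/urandom of=$target bs=1M"
    elif [ -e "$target" ]; then
        echo "$target already exists; refusing to overwrite" >&2
        return 4
    else
        echo "dd if=/dev/urandom of=$target bs=1k count=$(dd_count "$size" 1024)"
    fi
}

# Usage: sh preflight.sh /mystuff.aes aes 100
if [ $# -eq 3 ]; then preflight "$@"; fi
```

The script only prints the dd command; running it, and the losetup step that follows, stays a deliberate manual action.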

Re: [gentoo-user] [OT] Securing files in a USB stick

2005-03-07 Thread James R. Campbell
Here are a couple of good articles on this:

1.  http://www.linuxjournal.com/article/2590
2.  http://www.news.com.au/common/story_page/0,4057,11178414%255E13762,00.html

--James

On Sunday 06 March 2005 23:10, Daevid Vincent wrote:
> Please post the info/directions on how to do this.
>
> > -Original Message-
> > From: Kiawud [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, March 06, 2005 10:30 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [gentoo-user] [OT] Securing files in a USB stick
> >
> > You might want to look at creating an encrypted file (which is then
> > mounted as a filesystem via crypto/loop).  That way, you can move the
> > file wherever you want (USB Stick included) and mount using a
> > passphrase.
> >
> > If this interests you, I have some information on how to do this.
>
> --
> gentoo-user@gentoo.org mailing list

-- 
--
--
--This Message Powered by Linux--
--Registered Linux User 227032--
James R. Campbell, Owner
Reliant Data Systems
875 Pebble Lane
Florissant, MO 63033
(314) 616-1651 (Phone)
http://www.reliant-data.com




RE: [gentoo-user] [OT] Securing files in a USB stick

2005-03-06 Thread Daevid Vincent
Please post the info/directions on how to do this. 

> -Original Message-
> From: Kiawud [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, March 06, 2005 10:30 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [gentoo-user] [OT] Securing files in a USB stick
> 
> You might want to look at creating an encrypted file (which is then
> mounted as a filesystem via crypto/loop).  That way, you can move the
> file wherever you want (USB Stick included) and mount using a
> passphrase.
> 
> If this interests you, I have some information on how to do this.

--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] [OT] Securing files in a USB stick

2005-03-06 Thread Kiawud
You might want to look at creating an encrypted file (which is then
mounted as a filesystem via crypto/loop).  That way, you can move the
file wherever you want (USB Stick included) and mount using a
passphrase.

If this interests you, I have some information on how to do this.

-Hani



RE: [gentoo-user] [OT] Securing files in a USB stick

2005-03-06 Thread Alex Stagg
I use AxCrypt for my USB FOB on windows. Just double-click a file, enter a
passphrase (which I make fairly long) and the file decrypts temporarily
while open. Dunno if there is a version for linux or not.

 - Alex

-Original Message-
From: Andrew Cowie [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 05, 2005 9:58 PM
To: gentoo-user
Subject: Re: [gentoo-user] [OT] Securing files in a USB stick

On Thu, 2005-03-03 at 17:54 +0100, Jose Gonzalez Gomez wrote:
> > > I would like to put some sensitive information in my USB stick, so 
> > > I can take it with me (ssh private keys,

I had the same issue. I travel a *lot*, and so sooner or later a hard drive
will die, or a laptop will get stolen, or...

So I carry (wear around my neck) a USB key. Whenever I've done more than a
few lines of work on something, I just simply copy it onto the usbkey
- a draft document, some source code - no big deal.

But corporate documents, my archive of presentations, my web site code and
source code-in-progress, taken together, that certainly needs to be
encrypted.

> > Use GPG and encrypt the files.

So a few months ago, I wrote something to make tarballs of important
hierarchies in my home directory and then sign/encrypt them, and then push
them to { usbkey | remote server }. I just use standard GPG encryption with
myself as the recipient.

That, of course, implies I have my private key to decrypt those tarballs...

> I've been reading a bit about GPG (I haven't used it before) and it 
> seems ... only difference between them seem to be that GPG trust is 
> based on a decentralized web of trust

[ remember that trust is irrelevant if you are using asymmetric encryption
when "sending" something to yourself - you by definition have the private
half of your own key pair. (In GPG terms, that's "ultimate trust") ]

> I guess in this case I should include the private key as an unencrypted 
> file in my USB stick and protect it with a good password, as it will 
> be used whenever I need to decrypt any file. Am I right?

Even more important than all the documents and what-not are my ssh keys and
pgp keys + trustdb. Naturally, if I'm storing those against the possibility
of losing my machine (natural causes or otherwise), using asymmetric
encryption is no good because I wouldn't have the private key available to
recover the data!

So, as suggested elsewhere in this thread, I store the private crypto
information in a separate tarball which I encrypt using gpg's symmetric
facility.

++

Naturally, a script to do all this is a natural idea. Well, I wrote one, and
it got out of hand. :) You're welcome to use it. It's called "geode".

http://www.operationaldynamics.com/reference/software/scripts/#geode

[You'll need to customize it a bit, as it's obviously specific to my paths
and usage cases]

If nothing else it's a good example of how to use some of the more obscure
gpg options.

It's also a good example of how to use zenity (a little command line
front-end for creating GTK dialog boxes). I used it to ask for the pass
phrases and to pop up a progress bar of how far it has worked through the
.tar.bz2 creation. 

AfC
Sydney

--
Andrew Frederick Cowie
Managing Director

OPERATIONAL DYNAMICS
A management consultancy in the IT Operations space. We are available
worldwide and specialize in technology strategy, changes & upgrades,
enterprise architecture, and performance improvement for mission critical
systems & the people who run them.

Sydney:   +61 2 9977 6866
New York: +1 646 472 5054
Toronto:  +1 416 848 6072
London:   +44 207 1019201

http://www.operationaldynamics.com/





Re: [gentoo-user] [OT] Securing files in a USB stick

2005-03-05 Thread Andrew Cowie
On Thu, 2005-03-03 at 17:54 +0100, Jose Gonzalez Gomez wrote:
> > > I would like to put some sensitive information in my USB
> > > stick, so I can take it with me (ssh private keys,

I had the same issue. I travel a *lot*, and so sooner or later a hard
drive will die, or a laptop will get stolen, or...

So I carry (wear around my neck) a USB key. Whenever I've done more than
a few lines of work on something, I just simply copy it onto the usbkey
- a draft document, some source code - no big deal.

But corporate documents, my archive of presentations, my web site code
and source code-in-progress, taken together, that certainly needs to be
encrypted.

> > Use GPG and encrypt the files.

So a few months ago, I wrote something to make tarballs of important
hierarchies in my home directory and then sign/encrypt them, and then
push them to { usbkey | remote server }. I just use standard GPG
encryption with myself as the recipient.

That, of course, implies I have my private key to decrypt those
tarballs...

> I've been reading a bit about GPG (I haven't used it before) and it
> seems ... only difference between
> them seem to be that GPG trust is based on a decentralized web of
> trust

[ remember that trust is irrelevant if you are using asymmetric
encryption when "sending" something to yourself - you by definition have
the private half of your own key pair. (In GPG terms, that's
"ultimate trust") ]

> I guess in this case I should include the private key as an unencrypted
> file in my USB stick and protect it with a good password, as it will
> be used whenever I need to decrypt any file. Am I right?

Even more important than all the documents and what-not are my ssh keys
and pgp keys + trustdb. Naturally, if I'm storing those against the
possibility of losing my machine (natural causes or otherwise), using
asymmetric encryption is no good because I wouldn't have the private key
available to recover the data!

So, as suggested elsewhere in this thread, I store the private crypto
information in a separate tarball which I encrypt using gpg's symmetric
facility.

++

Naturally, a script to do all this is a natural idea. Well, I wrote one,
and it got out of hand. :) You're welcome to use it. It's called
"geode".

http://www.operationaldynamics.com/reference/software/scripts/#geode

[You'll need to customize it a bit, as it's obviously specific to my
paths and usage cases]

If nothing else it's a good example of how to use some of the more
obscure gpg options.

It's also a good example of how to use zenity (a little command line
front-end for creating GTK dialog boxes). I used it to ask for the pass
phrases and to pop up a progress bar of how far it has worked through
the .tar.bz2 creation. 

AfC
Sydney

-- 
Andrew Frederick Cowie
Managing Director

OPERATIONAL DYNAMICS
A management consultancy in the IT Operations space. We are
available worldwide and specialize in technology strategy,
changes & upgrades, enterprise architecture, and performance
improvement for mission critical systems & the people who
run them.

Sydney:   +61 2 9977 6866
New York: +1 646 472 5054
Toronto:  +1 416 848 6072
London:   +44 207 1019201

http://www.operationaldynamics.com/




RE: [gentoo-user] [OT] Securing files in a USB stick

2005-03-03 Thread Covington, Chris
> I guess in this case I should include the private key as an 
> unencrypted file in my USB stick and protect it with a good 
> password, as it will be used whenever I need to decrypt any
> file. Am I right? 

Yes, or even better keep the (well-passworded) private key in another
location (on another stick, on the 'net in a secure spot, etc.)

---
Chris Covington
IT
Plus One Health Management
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com





Re: [gentoo-user] [OT] Securing files in a USB stick

2005-03-03 Thread Mauro Faccenda
Jose Gonzalez Gomez wrote:
> On Thu, 3 Mar 2005 09:55:10 -0500, Covington, Chris
> <[EMAIL PROTECTED]> wrote:
> > > I would like to put some sensitive information in my USB
> > > stick, so I can take it with me (ssh private keys,
> >
> > Use GPG and encrypt the files.
>
> I've been reading a bit about GPG (I haven't used it before) and it
> seems to use the same public key encryption concept as the
> certificates used in S/MIME or SSL/TLS. The only difference between
> them seem to be that GPG trust is based on a decentralized web of
> trust while digital certificates are based on a root certification
> authority. Am I right?

Yes and no. You can do symmetrical encryption with pgp/gpg.

[]'s
Mauro


Re: [gentoo-user] [OT] Securing files in a USB stick

2005-03-03 Thread Jose Gonzalez Gomez
On Thu, 3 Mar 2005 09:55:10 -0500, Covington, Chris
<[EMAIL PROTECTED]> wrote:
> > I would like to put some sensitive information in my USB
> > stick, so I can take it with me (ssh private keys,
> 
> Use GPG and encrypt the files.
> 
I've been reading a bit about GPG (I haven't used it before) and it
seems to use the same public key encryption concept as the
certificates used in S/MIME or SSL/TLS. The only difference between
them seem to be that GPG trust is based on a decentralized web of
trust while digital certificates are based on a root certification
authority. Am I right?

I guess in this case I should include the private key as an unencrypted
file in my USB stick and protect it with a good password, as it will
be used whenever I need to decrypt any file. Am I right?

Thanks, best regards
Jose



Re: [gentoo-user] [OT] Securing files in a USB stick

2005-03-03 Thread Covington, Chris
> I would like to put some sensitive information in my USB 
> stick, so I can take it with me (ssh private keys, 

Use GPG and encrypt the files. 


---
Chris Covington
IT
Plus One Health Management
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com




Re: [gentoo-user] [OT] Securing files in a USB stick

2005-03-03 Thread Christopher Fisk
On Thu, 3 Mar 2005, Jose Gonzalez Gomez wrote:

>    I would like to put some sensitive information in my USB stick, so
> I can take it with me (ssh private keys, certificates with private
> key, maybe some file with bank users and passwords). It's evident that
> losing that stick could cause me a lot of troubles, so is there any
> way I can protect the information in it (maybe using a master
> password), and be able to access it from Linux and Windows?

Try a crossplatform encryption program.  Keep the software on the keyright 
itself so you can run it from there (Build it statically for linux if 
needed) and go from there.

A quick search found this:
http://quasar.mathstat.uottawa.ca/~selinger/ccrypt/

Christopher Fisk
--
Professor: "The thought of caressing that leathery hide makes the tapioca 
rise in my gullet" 
Fry: "Professor, please, the fate of the world depends on you getting to 
second base with Mom." 
Professor: "Very well, if cop a feel I must, then cop a feel I shall."