Josh Smift wrote:
> I use a couple of external hard drives with whole-disk encryption, but
> that's only for local backups. I keep meaning to look into whether I could
> create a whole-disk-encrypted filesystem-in-a-file, which I could mount,
> back up to, unmount, and then copy off-site. Simpler than encrypting and
> decrypting individual files, harder to do incremental backups.
> 
> Anyone actually done this? It seems like it should be simple, I just
> haven't (a) put the pieces together; (b) thought for more than about
> thirty seconds about potential pitfalls.

Simple enough. I do this. No problems with it in constant (personal) use.
This is tested and working but USE AT YOUR OWN RISK.

    $ # One-time setup.
    $ dd if=/dev/urandom of=/very/secret/file bs=$((1024*1024)) count=$((50*1024)) # 50GiB
    $ losetup /dev/loop0 /very/secret/file 
    $ cryptsetup luksFormat /dev/loop0

    WARNING! This will overwrite data on /dev/loop0 irrevocably.
    Enter LUKS passphrase: 
    Verify passphrase: 

    $ cryptsetup luksOpen /dev/loop0 T5 # creates T5 mapping

    Enter passphrase for /dev/loop0: 

    $ mke2fs -L MySecretLabel -m0 /dev/mapper/T5

    Filesystem label=MySecretLabel
    OS type: Linux

    $ mkdir /mnt/very # will mount here
    $ mount -text2 /dev/mapper/T5 /mnt/very
    $ df -h /mnt/very

    Filesystem            Size  Used Avail Use% Mounted on
    /dev/mapper/T5         50G   52M   50G   1% /mnt/very

    $ echo "Ultra s3cr3t information." > /mnt/very/foo
    $ umount /mnt/very
    $ cryptsetup luksClose T5 # unmap T5
    $ losetup -d /dev/loop0 # loop setup undone now

Thereafter, you only need to invoke the following with an argument of "mount" or
"umount":

    #!/bin/bash
    # Mount or unmount the LUKS container held in /very/secret/file.
    # Stop at the first failing step so that, e.g., a failed luksOpen does
    # not leave the loop device attached or try to mount a missing mapping.
    set -e
    case "$1" in
        mount)
            losetup /dev/loop0 /very/secret/file
            cryptsetup luksOpen /dev/loop0 T5
            mount -text2 /dev/mapper/T5 /mnt/very
            ;;
        umount)
            umount /mnt/very
            cryptsetup luksClose T5
            losetup -d /dev/loop0
            ;;
        *)
            echo "usage: $0 mount|umount" >&2
            exit 1
            ;;
    esac

If you're interested in the security of full-disk encryption (of
which this is a variant), you'll want to see this -
http://opensource.dyc.edu/sites/default/files/random-vs-encrypted.pdf

Good luck,
-- 
Charles Polisher
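An added example, not part of the thread or of Charles's setup: an offline check a backup job can run on the container file before it is copied off-site. The only plaintext in the file is the LUKS header at offset 0 (the rest is ciphertext on top of the random bytes dd wrote), so a header damaged by a stray write makes every copy of the container unrecoverable. The parser below follows the LUKS1 on-disk header layout (592 bytes, big-endian fields, eight key slots); the sample header, the slot iteration counts and the UUID are constructed here for testing and do not come from a real device.

```python
"""Offline header check for a LUKS1 container file.

Added example, not part of the original mailing-list thread. Before the
container created above (/very/secret/file) is copied off-site, a backup
job can confirm that the file still starts with an intact LUKS1 header and
that at least one key slot is enabled. Field layout is the LUKS1 on-disk
header (592 bytes, big-endian). The sample header is constructed below so
the check runs without root or cryptsetup.
"""
import struct
import sys
import uuid

LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_SLOT_ENABLED = 0x00AC71F3   # LUKS_KEY_ENABLED marker
KEY_SLOT_DISABLED = 0x0000DEAD  # LUKS_KEY_DISABLED marker
NUM_KEY_SLOTS = 8
SECTOR = 512

# phdr: magic, version, cipher_name, cipher_mode, hash_spec, payload_offset
#       (sectors), key_bytes, mk_digest, mk_digest_salt, mk_digest_iter, uuid
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"          # 208 bytes
# per key slot: active, iterations, salt, key_material_offset (sectors), stripes
SLOT_FMT = ">II32sII"                            # 48 bytes
HEADER_LEN = struct.calcsize(PHDR_FMT) + NUM_KEY_SLOTS * struct.calcsize(SLOT_FMT)  # 592


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_luks1_header(data: bytes) -> dict:
    """Parse the first 592 bytes of a container; raise ValueError if not LUKS1."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than a LUKS1 header")
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, mk_iter, uuid_raw) = struct.unpack_from(PHDR_FMT, data, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("LUKS magic missing: not a LUKS container or header overwritten")
    if version != 1:
        raise ValueError(f"unsupported LUKS header version {version}")
    slots = []
    off = struct.calcsize(PHDR_FMT)
    for i in range(NUM_KEY_SLOTS):
        active, iters, _ssalt, km_off, stripes = struct.unpack_from(SLOT_FMT, data, off)
        off += struct.calcsize(SLOT_FMT)
        if active == KEY_SLOT_ENABLED:
            state = "enabled"
        elif active == KEY_SLOT_DISABLED:
            state = "disabled"
        else:
            state = f"corrupt(0x{active:08x})"   # neither marker: slot area damaged
        slots.append({"slot": i, "state": state, "iterations": iters,
                      "key_material_offset": km_off * SECTOR, "stripes": stripes})
    return {
        "version": version, "cipher": _cstr(cipher), "mode": _cstr(mode),
        "hash": _cstr(hashspec), "key_bytes": key_bytes,
        "payload_offset": payload_off * SECTOR, "mk_iterations": mk_iter,
        "uuid": _cstr(uuid_raw), "slots": slots,
        "enabled_slots": [s["slot"] for s in slots if s["state"] == "enabled"],
    }


def check_container(data: bytes) -> list:
    """Return findings for a backup job; an empty list means the header looks healthy."""
    try:
        info = parse_luks1_header(data)
    except ValueError as exc:
        return [str(exc)]
    findings = [f"key slot {s['slot']} has an invalid state marker"
                for s in info["slots"] if s["state"].startswith("corrupt")]
    if not info["enabled_slots"]:
        findings.append("no enabled key slot: nothing can unlock this container")
    return findings


def build_sample_header(enabled_slots=(0,), key_bytes=32, payload_sectors=4096) -> bytes:
    """Constructed LUKS1 header for offline testing (not read from a real device)."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       payload_sectors, key_bytes, b"\x11" * 20, b"\x22" * 32, 4000,
                       str(uuid.UUID(int=0x1234)).encode())
    slots = b""
    for i in range(NUM_KEY_SLOTS):
        active = KEY_SLOT_ENABLED if i in enabled_slots else KEY_SLOT_DISABLED
        slots += struct.pack(SLOT_FMT, active, 250000, bytes([i]) * 32, 8 + i * 512, 4000)
    return phdr + slots


def check_file(path: str) -> list:
    """Read the header of a real container file and return findings."""
    with open(path, "rb") as fh:
        return check_container(fh.read(HEADER_LEN))


if __name__ == "__main__":
    # Usage: python luks_check.py /very/secret/file   (no argument: self-test on the sample)
    problems = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_container(build_sample_header())
    print("OK" if not problems else "\n".join(problems))
```

Run against the container file after each backup pass and before the off-site copy; a non-empty report means the copy would be worthless. On the machine itself `cryptsetup luksDump /very/secret/file` shows the same information (and handles LUKS2), but the script needs neither root nor the device-mapper stack, so it can run wherever the copies land.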


_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/