LinuxQuestions.org
Old 11-08-2005, 03:35 PM   #1
Napalm Llama
Member
 
Registered: Nov 2004
Location: Bristol, UK
Distribution: Gentoo 2005.0
Posts: 224

Rep: Reputation: 30
Encrypting partitions on an external HD.


Hi. I've recently splashed out on a big fat external hard drive, partly to use for moving data around and partly to use for backing up my internal hard drive.

Because there's a good chance that I might leave the drive plugged in at a friend's house (in its data moving capacity) I want some way of password-protecting the backup partitions so that nobody can go sneakily riffling through my mirrored personal documents!

I've been following the instructions here:
http://www.linux.com/article.pl?sid=04/06/07/2036205
and now have 3 encrypted partitions and a "clear text" one.

At the moment, I'm relying on running:
Code:
# cryptsetup -c aes -h ripemd160 -y -b `blockdev --getsize /dev/sdb5` create bak-sys1 /dev/sdb5
<password>
<password again>
# mount /dev/mapper/bak-sys1
every time I want to mount one of the encrypted partitions to sync the backup!

What I want ideally is some way of adding a config file containing the settings and putting the required data into /etc/fstab so I can simply run
Code:
# mount /mnt/bak-sys1
then type the password and have it done.

There seems to be very little generalised documentation out there on this subject - it's all either very outdated or geared towards encrypting your *entire* hard drive - root filesystem et al.

Is there any way of doing this? Even saving the password somehow in the config file wouldn't hurt, because that file would be safe on my home PC, which I consider to be secure.
 
Old 11-08-2005, 07:27 PM   #2
jailbait
Guru
 
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Debian Wheezy, Debian Jessie
Posts: 7,590

Rep: Reputation: 188Reputation: 188
"What I want ideally is some way of adding a config file containing the settings and putting the required data into /etc/fstab so I can simply run
code:
# mount /mnt/bak-sys1
then type the password and have it done."

You can create your own script command, for example encmount, which would include these two commands:
cryptsetup -c aes -h ripemd160 -y -b `blockdev --getsize /dev/sdb5` create bak-sys1 /dev/sdb5
mount /dev/mapper/bak-sys1

Then all you would have to enter is:
encmount
<password>
<password>

"Even saving the password somehow in the config file wouldn't hurt, because that file would be safe on my home PC, which I consider to be secure."

Reading a password from a file is considered a poor security practice so most secure programs make it a point to refuse to read passwords from a file.


-------------------------
Steve Stites
 
Old 11-09-2005, 09:02 AM   #3
Napalm Llama
Member
 
Registered: Nov 2004
Location: Bristol, UK
Distribution: Gentoo 2005.0
Posts: 224

Original Poster
Rep: Reputation: 30
That's effectively what I've been doing.

For some reason it's only asking me for the password once per partition now (maybe because I rebooted), but I still have to type it in 3 times.

However, your refinement does look like a good solution - I'll give it a go

[EDIT:]

For any searchers who are interested, having followed the guide linked above to get a working installation, I now use the following script on a regular basis. It doesn't include any error checking (i.e. if a command fails, the script carries on regardless) but it suits my purposes pretty well.
If you want to use it, you'll probably need to tweak it a bit to fit your system.

Code:
#!/bin/bash

echo "Now syncing your system backup..."

# Mount the partition
if [ -b /dev/mapper/bak-sys1 ] ; then
        cryptsetup remove bak-sys1
fi
echo "Please enter the password for this encrypted filesystem."
cryptsetup -c aes -h ripemd160  -b `blockdev --getsize /dev/sdb5` create bak-sys1 /dev/sdb5
fsck /dev/mapper/bak-sys1
mount /dev/mapper/bak-sys1 /mnt/bak-sys1

# Sync the backup
cd /
# Unquoted list, so the loop runs rsync once per directory
for i in bin boot etc lib opt root sbin srv usr var
do
        rsync -a --progress --delete-after "/$i" /mnt/bak-sys1
done

# Unmount the partition
umount /mnt/bak-sys1
cryptsetup remove bak-sys1


#####################################################################


echo
echo
echo "Now syncing your /home backup..."

# Mount the partition
if [ -b /dev/mapper/bak-home ] ; then
        cryptsetup remove bak-home
fi
echo "Please enter the password for this encrypted filesystem."
cryptsetup -c aes -h ripemd160  -b `blockdev --getsize /dev/sdb7` create bak-home /dev/sdb7
fsck /dev/mapper/bak-home
mount /dev/mapper/bak-home /mnt/bak-home

# Sync the backup
cd /
rsync -a --progress --delete-after /home /mnt/bak-home

# Unmount the partition
umount /mnt/bak-home
cryptsetup remove bak-home

Last edited by Napalm Llama; 11-14-2005 at 06:35 PM.
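
Added example, not written by either poster: the same cryptsetup/mount/rsync sequence with the error checking the posted script leaves out. A plain `cryptsetup create` mapping has no header, so a mistyped passphrase still yields a mapping; the mount then fails and rsync would copy the backup unencrypted into the bare mount-point directory on the internal disk. The names `RUN`, `MOUNTS`, `is_mounted_at` and `enc_sync` are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not from the thread. RUN, MOUNTS, is_mounted_at and enc_sync
# are names made up for this sketch.
RUN=${RUN:-}                    # RUN=echo prints the commands instead of running them
MOUNTS=${MOUNTS:-/proc/mounts}  # mount table to consult

# True only if device $1 is mounted on directory $2 according to $MOUNTS.
is_mounted_at() {
    awk -v dev="$1" -v dir="$2" \
        '$1 == dev && $2 == dir { found = 1 } END { exit !found }' "$MOUNTS"
}

# enc_sync NAME DEVICE MOUNTPOINT SOURCE...
# e.g. enc_sync bak-home /dev/sdb7 /mnt/bak-home /home
enc_sync() {
    name=$1 dev=$2 mnt=$3
    shift 3
    map=/dev/mapper/$name

    # Drop a stale mapping left behind by an interrupted run.
    if [ -b "$map" ]; then
        $RUN cryptsetup remove "$name" || return 1
    fi

    # Plain dm-crypt accepts any passphrase: a typo still creates a mapping,
    # it just decrypts to garbage. The mount is the real passphrase check.
    # (-b is left out; cryptsetup then maps the whole device.)
    $RUN cryptsetup -c aes -h ripemd160 create "$name" "$dev" || return 1
    if ! $RUN mount "$map" "$mnt" || ! is_mounted_at "$map" "$mnt"; then
        echo "enc_sync: $map is not mounted on $mnt, not running rsync" >&2
        $RUN cryptsetup remove "$name"
        return 1
    fi

    status=0
    for src in "$@"; do
        $RUN rsync -a --delete-after "$src" "$mnt" || status=1
    done

    # Always unmount and tear the mapping down so the key leaves the kernel.
    $RUN umount "$mnt" || status=1
    $RUN cryptsetup remove "$name" || status=1
    return $status
}
```

Running it with `RUN=echo` and `MOUNTS` pointed at a sample file shows the command sequence without touching any device.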