LinuxQuestions.org
Old 10-18-2007, 08:55 AM   #1
statguy
Member
 
Registered: Sep 2004
Location: Ontario, Canada
Distribution: Slackware 13.37, 12.2
Posts: 317

Rep: Reputation: 31
Encrypting USB keys


Hello.

First, let me describe what I want to achieve and then I will describe what I have tried.

In a nutshell, I would like to be able to use a mixture of "standard" and encrypted USB keys on my openSUSE 10.2 system. By "standard" I mean the basic out-of-the-box keys with a FAT filesystem that are automagically recognized and mounted. For the encrypted keys, it would be nice if I were prompted for the passphrase when I plug them in.

Here is what I've tried so far.

I have searched linuxquestions.org a number of times with terms such as "crypt usb" but have not found the answer (or at least have not recognized it).

According to the SUSE documentation installed on my system, the encrypting of removable media, such as a USB key, can be done via the partitioning module of YaST.

So, I plugged in a standard USB key and my system happily attached it. I unmounted the key with the umount command. Some experimentation showed that when I did the "safely remove" thing, the device disappeared from the partition table, but with umount it does not.

I started the partitioning module and selected the existing FAT16 partition on the key (/dev/sdb1). I clicked on "Edit." In the dialog box, I chose to format the partition as ext3 and clicked the box for encryption. Under fstab options I chose to not mount at boot and to make it user mountable. I did not specify a mount point because I was hoping that HAL would take care of everything.

So, I continued and formatted the partition and all seemed good. I removed the key and plugged it back in but nothing happened. I could see the device in the partition table, only now it showed up as /dev/sdc1. I removed it and plugged a standard key in. It was mounted in the usual place, but the usual dialog (what do you want to do ...) did not come up. It was also device /dev/sdc1. After a reboot the device was again /dev/sdb1.

After the reboot, I tried the newly encrypted key again. The device showed up in the partition table and the partition was said to be Linux Native. I created /media/crypt to try a manual mount. The command

Code:
mount -t ext3 /dev/sdb1 /media/crypt
failed. Obviously, ext3 is not quite correct given I encrypted the filesystem, but I don't know what the correct -t argument should be.

Now, I have a number of questions.

1. Should I specify a mount point so that fstab has the necessary info to mount the thing?

2. If fstab has /dev/sdb1 as an encrypted device, what happens when a standard key is inserted? Will it use /dev/sdc1 for example?

3. Assuming I get this working for one key, what about multiple keys? Is the hashed passphrase on the key so that I can use different passphrases with different keys or do I need to use the same passphrase whenever I use an encrypted key in the /dev/sdb1 slot?

4. Can HAL automate the mounting/unmounting process of encrypted keys?

I hope I'm making myself clear.
 
Old 10-19-2007, 06:25 PM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 326
I use encfs for this (which is a FUSE - filesystem in user space). You mount the USB flash drive as usual (make sure it's empty), and create a directory for the unencrypted files to appear in (a mountpoint). Then run, for example:

encfs /media/usbdrive ~/myUsbData

You'll be prompted for the setup - just hit enter - then the password. You can put files in '~/myUsbData/' and they will be written to the USB drive encrypted.

When you are done:

fusermount -u ~/myUsbData

Then unmount the USB drive as normal.

You can create a couple of icons/scripts to mount/unmount the encrypted files. The unmount is just the fusermount and umount. For the mount you can use something like:

Code:
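# Mount the USB drive that holds the encrypted files
mount /dev/sdb1 /media/usbdrive
# Ask for the password in a GUI dialog and feed it to encfs on stdin (-S)
/usr/libexec/openssh/gnome-ssh-askpass \
   "Enter password for encrypted personal information" | \
   /usr/bin/encfs -S /media/usbdrive ~/myUsbData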
This will use the SSH password prompt routine to put up a GUI prompt for the password.
 
Old 10-19-2007, 10:56 PM   #3
IanDyas
LQ Newbie
 
Registered: Aug 2006
Location: Toronto, Canada
Distribution: Suse 10.0
Posts: 6

Rep: Reputation: 0
I noticed uname said it was still running the old kernel, so I added a menu option into the boot.msg to make sure it loads the new one. uname -a now says:

linux 2.6.18.8-0.7-default #1 SMP Tue Oct 2 17:21:08 UTC 2007 x86_64 x86_64 x86_64 GNU/Linux

It looks like the right kernel now. Both the network and the mouse are working as well. The only issue left is that the display is incredibly slow. Scrolling in a web browser is sluggish and repositioning windows on the screen is slow. I checked in yast and it says it's using the NVIDIA GeForce 6600 GT Card and the monitor is VESA 1280x1024 @60hz which should be ok. The option to activate 3d acceleration is disabled so I can't change it for some reason. I've downloaded some drivers from nvidia, and I'll try to install them tomorrow.
 
Old 10-19-2007, 11:21 PM   #4
macemoneta
IanDyas: You appear to have posted in the wrong thread.
 
Old 10-20-2007, 08:13 AM   #5
statguy
Original Poster
Quote:
Originally Posted by macemoneta
I use encfs for this (which is a FUSE - filesystem in user space).
Thanks macemoneta, this looks like it might be a solution for me. It seems to me that I would probably still want an ext3 filesystem on my USB key so that I have all the extended Linux file attributes available. Is that right?
 
Old 10-20-2007, 10:36 AM   #6
macemoneta
You might want to consider ext2 instead. The difference is only the journal, and for the smaller sized drives, that doesn't provide much benefit.
 
Old 10-21-2007, 04:02 PM   #7
statguy
Original Poster
Good point. Many thanks.
 
Old 10-25-2007, 10:44 AM   #8
statguy
Original Poster
I tried out encfs and it works nicely. One minor thing came up.

On my system, the fuse kernel module was not loaded. I was informed of this when I tried encfs the first time.

So, I ran "modprobe fuse" and everything was great. Next time I booted, I checked for the fuse module and it was not loaded.

I added the modprobe statement to /etc/init.d/boot.local which seems to have worked.

Is this the correct solution, or is there a different way to have the fuse module loaded on boot?
 
Old 10-25-2007, 10:58 AM   #9
macemoneta
There are different methods to get kernel module autoload on each distribution it seems. Your method always works.
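
The mount and unmount scripts suggested in post #2, combined with the check for the fuse module that came up in post #8, as an added example that is not part of the original thread. It assumes the key is already mounted at /media/usbdrive; the function names and the MOUNTS/FILESYSTEMS override variables are hypothetical, and the askpass path is the one quoted in post #2.

```shell
#!/bin/bash
# Added example: wrapper around the encfs commands from this thread.
# USB_DIR, PLAIN_DIR and ASKPASS default to the paths used in post #2;
# the helper names and the MOUNTS/FILESYSTEMS overrides are assumptions.
USB_DIR="${USB_DIR:-/media/usbdrive}"      # mounted USB key (ciphertext)
PLAIN_DIR="${PLAIN_DIR:-$HOME/myUsbData}"  # decrypted view
ASKPASS="${ASKPASS:-/usr/libexec/openssh/gnome-ssh-askpass}"
MOUNTS="${MOUNTS:-/proc/mounts}"
FILESYSTEMS="${FILESYSTEMS:-/proc/filesystems}"

# True if $1 is a mount point according to the mounts table.
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "$MOUNTS"
}

# True if the kernel currently offers FUSE (module loaded or built in).
fuse_available() {
    grep -qw fuse "$FILESYSTEMS"
}

# Echo the reason mounting is unsafe, or return 0 if it may proceed.
preflight() {
    fuse_available || { echo "fuse not loaded (modprobe fuse)"; return 1; }
    # Without the key mounted, encfs would create its store on the local disk.
    is_mounted "$USB_DIR" || { echo "$USB_DIR is not mounted"; return 1; }
    is_mounted "$PLAIN_DIR" && { echo "$PLAIN_DIR already mounted"; return 1; }
    return 0
}

crypt_mount() {
    preflight || return 1
    mkdir -p "$PLAIN_DIR"
    # -S reads the password from stdin, so it never appears in argv.
    "$ASKPASS" "Enter password for encrypted personal information" |
        encfs -S "$USB_DIR" "$PLAIN_DIR"
}

crypt_umount() {
    # Tear down the decrypted view first, then release the key itself.
    is_mounted "$PLAIN_DIR" && { fusermount -u "$PLAIN_DIR" || return 1; }
    umount "$USB_DIR"
}

case "${1:-}" in
    mount)  crypt_mount ;;
    umount) crypt_umount ;;
esac
```

Run it as `script mount` after plugging in the key and `script umount` before removing it. The preflight check matters because files copied into an unmounted ~/myUsbData land on the local disk unencrypted.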
 
  

