LinuxQuestions.org


statguy 10-18-2007 08:55 AM

Encrypting USB keys
 
Hello.

First, let me describe what I want to achieve and then I will describe what I have tried.

In a nutshell, I would like to be able to use a mixture of "standard" and encrypted USB keys on my openSUSE 10.2 system. By "standard" I mean the basic out-of-the-box keys with a FAT filesystem that are automagically recognized and mounted. For the encrypted keys, it would be nice if I were prompted for the passphrase when I plug them in.

Here is what I've tried so far.

I have searched linuxquestions.org a number of times with terms such as "crypt usb" but not found the answer (or at least have not recognized it).

According to the SUSE documentation installed on my system, the encrypting of removable media, such as a USB key, can be done via the partitioning module of YaST.

So, I plugged in a standard USB key and my system happily attached it. I unmounted the key with the umount command. Some experimentation showed that when I did the "safely remove" thing, the device disappeared from the partition table, but with umount it does not.

I started the partitioning module and selected the existing FAT16 partition on the key (/dev/sdb1). I clicked on "Edit." In the dialog box, I chose to format the partition as ext3 and clicked the box for encryption. Under fstab options I chose to not mount at boot and to make it user mountable. I did not specify a mount point because I was hoping that HAL would take care of everything.

So, I continued and formatted the partition and all seemed good. I removed the key and plugged it back in but nothing happened. I could see the device in the partition table, only now it showed up as /dev/sdc1. I removed it and plugged a standard key in. It was mounted in the usual place, but the usual dialog (what do you want to do ...) did not come up. It was also device /dev/sdc1. After a re-boot the device was again /dev/sdb1.

After the reboot, I tried the newly encrypted key again. The device showed up in the partition table and the partition was said to be Linux Native. I created /media/crypt to try a manual mount. The command

Code:

mount -t ext3 /dev/sdb1 /media/crypt
failed. Obviously, ext3 is not quite correct given I encrypted the filesystem, but I don't know what the correct -t argument should be.

Now, I have a number of questions.

1. Should I specify a mount point so that fstab has the necessary info to mount the thing?

2. If fstab has /dev/sdb1 as an encrypted device, what happens when a standard key is inserted? Will it use /dev/sdc1 for example?

3. Assuming I get this working for one key, what about multiple keys? Is the hashed passphrase on the key so that I can use different passphrases with different keys or do I need to use the same passphrase whenever I use an encrypted key in the /dev/sdb1 slot?

4. Can HAL automate the mounting/unmounting process of encrypted keys?

I hope I'm making myself clear.

macemoneta 10-19-2007 06:25 PM

I use encfs for this (which is a FUSE - filesystem in user space). You mount the USB flash drive as usual (make sure it's empty), and create a directory for the unencrypted file to appear in (a mountpoint). Then run, for example:

encfs /media/usbdrive ~/myUsbData

You'll be prompted for the setup - just hit enter - then the password. You can put files in '~/myUsbData/' and they will be written to the USB drive encrypted.

When you are done:

fusermount -u ~/myUsbData

Then unmount the USB drive as normal.

You can create a couple of icons/scripts to mount/unmount the encrypted files. The unmount is just the fusermount and umount. For the mount you can use something like:

Code:

mount /dev/sdb1 /media/usbdrive
/usr/libexec/openssh/gnome-ssh-askpass \
  "Enter password for encrypted personal information" | \
  /usr/bin/encfs -S /media/usbdrive ~/myUsbData

This will use the SSH password prompt routine to put up a GUI prompt for the password.

IanDyas 10-19-2007 10:56 PM

I noticed uname said it was still running the old kernel, so I added a menu option into the boot.msg to make sure it loads the new one. uname -a now says:

linux 2.6.18.8-0.7-default #1 SMP Tue Oct 2 17:21:08 UTC 2007 x86_64 x86_64 x86_64 GNU/Linux

It looks like the right kernel now. Both the network and the mouse are working as well. The only issue left is that the display is incredibly slow. Scrolling in a web browser is sluggish and repositioning windows on the screen is slow. I checked in yast and it says it's using the NVIDIA GeForce 6600 GT Card and the monitor is VESA 1280x1024 @60hz which should be ok. The option to activate 3d acceleration is disabled so I can't change it for some reason. I've downloaded some drivers from nvidia, and I'll try to install them tomorrow.

macemoneta 10-19-2007 11:21 PM

IanDyas: You appear to have posted in the wrong thread.

statguy 10-20-2007 08:13 AM

Quote:

Originally Posted by macemoneta (Post 2930188)
I use encfs for this (which is a FUSE - filesystem in user space).

Thanks macemoneta, this looks like it might be a solution for me. It seems to me that I would probably still want an ext3 filesystem on my USB key so that I have all the extended Linux file attributes available. Is that right?

macemoneta 10-20-2007 10:36 AM

You might want to consider ext2 instead. The difference is only the journal, and for the smaller sized drives, that doesn't provide much benefit.

statguy 10-21-2007 04:02 PM

Good point. Many thanks.

statguy 10-25-2007 10:44 AM

I tried out encfs and it works nicely. One minor thing came up.

On my system, the fuse kernel module was not loaded. I was informed of this when I tried encfs the first time.

So, I ran "modprobe fuse" and everything was great. Next time I booted, I checked for the fuse module and it was not loaded.

I added the modprobe statement to /etc/init.d/boot.local which seems to have worked.

Is this the correct solution, or is there a different way to have the fuse module loaded on boot?

macemoneta 10-25-2007 10:58 AM

There are different methods to get kernel module autoload on each distribution it seems. Your method always works. :)
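
Added example, not part of the thread or written by any poster: with the encfs setup described above, ~/myUsbData is an ordinary local directory whenever encfs is not mounted on it (for instance because the fuse module was not loaded), so anything saved there stays unencrypted on the local disk. The sketch below checks for fuse and for an active encfs mount before copying. The helper names and the two *_FILE variables are hypothetical, and the accepted filesystem type strings are an assumption.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, and the two *_FILE
# variables exist only so the checks can be pointed at sample data.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"
FS_FILE="${FS_FILE:-/proc/filesystems}"

# True when the kernel has the fuse filesystem registered, i.e. the
# module is loaded (or built in). Lines look like "nodev<TAB>fuse".
fuse_available() {
    awk '$NF == "fuse" { ok = 1 } END { exit !ok }' "$FS_FILE"
}

# Print the type of the filesystem mounted exactly at DIR ($1), if any.
# The last matching entry wins, since later mounts shadow earlier ones.
# Note: /proc/mounts writes a space in a path as \040.
mount_fstype() {
    awk -v dir="$1" '$2 == dir { t = $3 } END { if (t != "") print t }' \
        "$MOUNTS_FILE"
}

# True only while DIR ($1) is an encfs mount. Assumption: encfs shows up
# as type "fuse.encfs"; older FUSE versions report plain "fuse".
encfs_active() {
    case "$(mount_fstype "$1")" in
        fuse.encfs|fuse) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy SRC ($1) into the cleartext view DIR ($2), refusing when encfs is
# not mounted there: DIR would then be an ordinary directory and the
# file would be stored unencrypted on the local disk.
safe_copy() {
    if ! fuse_available; then
        echo "fuse is not available; try: modprobe fuse" >&2
        return 2
    fi
    if ! encfs_active "$2"; then
        echo "refusing: $2 is not an encfs mount" >&2
        return 1
    fi
    cp -- "$1" "$2"/
}

if [ "$#" -eq 2 ]; then
    safe_copy "$1" "$2"
fi
```

Pass the absolute path of the cleartext directory, since that is how it appears in /proc/mounts.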


All times are GMT -5.