■debian Wheezyでcryptmountを試す。
debian Wheezyにdm_cryptを導入
http://d.hatena.ne.jp/labunix/20130516
$ apt-cache show cryptmount | grep ^Depends | sed s/", "/"&\n"/g
Depends: libc6 (>= 2.3.3),
libdevmapper1.02.1 (>= 2:1.02.20),
libgcrypt11 (>= 1.4.5),
libuuid1 (>= 2.16)
$ sudo apt-get install -y cryptmount
■「cryptmount-setup」は「cryptmount」のCUIインターフェイスとなるシェルです。
$ dpkg -L cryptmount | grep bin/
/usr/bin/cryptmount
/usr/sbin/cryptmount-setup
$ grep -i bin /usr/sbin/cryptmount-setup
CM_BINEXE="/usr/bin/cryptmount"
tgts=`${CM_BINEXE} --list | awk '{printf"%s ", $1}'`
if ${CM_BINEXE} --list "${TargetName}" >/dev/null 2>&1; then
${CM_BINEXE} --generate-key 32 "${TargetName}"
${CM_BINEXE} --prepare "${TargetName}"
${CM_BINEXE} --release "${TargetName}"
■では早速。途中「random key」の作成に時間がかかります。
$ sudo cryptmount-setup | tee cryptmount.log
------------------------------
cryptmount setup script
This program will allow you to setup a secure filing-system that will
be managed by "cryptmount". You will be able to select basic features
such as the location and size of the filesystem - if you want more
advanced features, you should consult the cryptmount manual page.
cryptmount version 4.3.1, (C)Copyright 2007-2009 RW Penney
cryptmount comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under
certain conditions - see the file 'COPYING' in the source directory.
------------------------------
Each cryptmount filesystem is identifed by a short name which is used
when mounting or configuring that filesystem. This name should be a
single word (without spaces), such as "opaque".
The following target names have already been used: (NONE)
Please enter a target name for your filesystem
[opaque]:
The opaque filesystem can be configured to be owned by a nominated
user, who will be able to create top-level files & directories
without needing to involve the superuser.
Which user should own the filesystem (leave blank for "root")
[]:
In order to access the opaque filesystem, it must be mounted on top
of an empty directory.
Please specify where "opaque" should be mounted
[/home/labunix/crypt]:
The maximum available size of your filesystem needs to be chosen so
that enough space can be reserved on your disk.
Enter the filesystem size (in MB)
[64]:
The actual encrypted filesystem will be stored in a special file,
which needs to be large enough to contain your entire encrypted
filesystem.
Enter a filename for your encrypted container
[/home/labunix/crypto.fs]:
Access to your encrypted filesystem is protected by a key that is
kept in a separate small file. The key is locked by a password that
you must enter whenever you mount the filesystem.
Enter a location for the keyfile
[/etc/cryptmount/opaque.key]:
------------------------------
Your filing system is now ready to be built - this will involve:
- Creating the directory "/home/labunix/crypt"
- Creating a 64MB file, "/home/labunix/crypto.fs"
- Adding an extra entry ("opaque") in /etc/cryptmount/cmtab
- Creating a key-file ("/etc/cryptmount/opaque.key")
- Creating an ext3 filingsystem on "/home/labunix/crypto.fs"
If you do not wish to proceed, no changes will be made to your system.
Please confirm that you want to proceed (enter "yes")
[no]: yes
Making mount-point (/home/labunix/crypt)... done
Creating filesystem container (/home/labunix/crypto.fs)... done
Taking backup of cryptmount master config-file (/etc/cryptmount/cmtab.bckp-setup)... done
Generating filesystem access key (/etc/cryptmount/opaque.key)...
Generating random key; please be patient...
Enter new password for target "opaque":
Confirm password:
Formatting encrypted filesystem...
Enter password for target "opaque":
------------------------------
Your new encrypted filesystem is now ready for use - to access, try:
cryptmount opaque
cd /home/labunix/crypt
After you have finished using the filesystem, try:
cd
cryptmount --unmount opaque
Please take great care NOT to delete or damage your keyfile
("/etc/cryptmount/opaque.key"). Without that file, and the associated
password, it will be virtually impossible to access your encrypted
filesystem. You may want to keep a separate backup copy of the
keyfile.
■マウント
$ sudo cryptmount opaque
Enter password for target "opaque":
e2fsck 1.42.5 (29-Jul-2012)
/dev/mapper/opaque: clean, 11/16384 files, 7477/65536 blocks
$ mount | grep opaque
/dev/mapper/opaque on /home/labunix/crypt type ext3 (rw,relatime,errors=continue,user_xattr,acl,barrier=1,data=ordered)
$ sudo cryptmount -l
opaque [to mount on "/home/labunix/crypt" as "ext3"]
$ ls -l /dev/mapper/opaque
brw------- 1 root root 254, 0 5月 17 00:37 /dev/mapper/opaque
■ファイルの作成
$ echo "Hello" | sudo tee crypt/test > /dev/null
$ cat crypt/test
Hello
■ヘルプの参照
$ sudo cryptmount --version
cryptmount-4.3.1
$ sudo cryptmount --help
usage: cryptmount [OPTION [target ...]]
available options are as follows:
-h | --help
-a | --all
-c | --change-password <target>
-k | --key-managers
-l | --list
-m | --mount <target>
-u | --unmount <target>
--generate-key <key-size> <target>
--reuse-key <src-target> <dst-target>
--prepare <target>
--release <target>
--config-fd <num>
--passwd-fd <num>
--swapon <target>
--swapoff <target>
--version
please report bugs to <cryptmount@rwpenney.org.uk>
■アンマウント
$ sudo cryptmount -u opaque
■再マウント、アンマウント
$ sudo cryptmount -m -a
Enter password for target "opaque":
e2fsck 1.42.5 (29-Jul-2012)
/dev/mapper/opaque: clean, 12/16384 files, 7478/65536 blocks
$ sudo cryptmount -u -a
■64MBのイメージの実体
$ ls -lh crypto.fs
-rw-r--r-- 1 root root 64M 5月 17 00:44 crypto.fs
■鍵ファイル
$ ls /etc/cryptmount/opaque.key
/etc/cryptmount/opaque.key
■マウントオプション
$ cat /etc/cryptmount/cmtab
opaque {
dev=/home/labunix/crypto.fs
dir=/home/labunix/crypt
fstype=ext3
fsoptions=defaults
cipher=aes
keyformat=builtin
keyfile=/etc/cryptmount/opaque.key
}
■削除する場合(途中で失敗した場合も同様)
$ echo "" >&2 | sudo tee /etc/cryptmount/cmtab; \
sudo rm /etc/cryptmount/opaque.key; \
sudo rm ~/crypto.fs; \
sudo rmdir crypt
