
labunix's blog

labunix's Lab Unix

Trying cryptmount on Debian Wheezy

■Trying cryptmount on Debian Wheezy.

 Installing dm_crypt on Debian Wheezy
 http://d.hatena.ne.jp/labunix/20130516

$ apt-cache show cryptmount | grep ^Depends | sed s/", "/"&\n"/g
Depends: libc6 (>= 2.3.3),
libdevmapper1.02.1 (>= 2:1.02.20),
libgcrypt11 (>= 1.4.5),
libuuid1 (>= 2.16)

$ sudo apt-get install -y cryptmount

■"cryptmount-setup" is a shell script that provides a text-mode (CUI) front end to "cryptmount".

$ dpkg -L cryptmount | grep bin/
/usr/bin/cryptmount
/usr/sbin/cryptmount-setup

$ grep -i bin /usr/sbin/cryptmount-setup
#!/bin/sh
CM_BINEXE="/usr/bin/cryptmount"
    tgts=`${CM_BINEXE} --list | awk '{printf"%s ", $1}'`
        if ${CM_BINEXE} --list "${TargetName}" >/dev/null 2>&1; then
    ${CM_BINEXE} --generate-key 32 "${TargetName}"
    ${CM_BINEXE} --prepare "${TargetName}"
    ${CM_BINEXE} --release "${TargetName}"

■Let's get started. Generating the "random key" partway through takes a while.

$ sudo cryptmount-setup | tee cryptmount.log

------------------------------
cryptmount setup script

This program will allow you to setup a secure filing-system that will
be managed by "cryptmount". You will be able to select basic features
such as the location and size of the filesystem - if you want more
advanced features, you should consult the cryptmount manual page.

cryptmount version 4.3.1, (C)Copyright 2007-2009 RW Penney
cryptmount comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under
certain conditions - see the file 'COPYING' in the source directory.

------------------------------
Each cryptmount filesystem is identifed by a short name which is used
when mounting or configuring that filesystem. This name should be a
single word (without spaces), such as "opaque".
The following target names have already been used:    (NONE)

  Please enter a target name for your filesystem
  [opaque]:


The opaque filesystem can be configured to be owned by a nominated
user, who will be able to create top-level files & directories
without needing to involve the superuser.

  Which user should own the filesystem (leave blank for "root")
  []:


In order to access the opaque filesystem, it must be mounted on top
of an empty directory.

  Please specify where "opaque" should be mounted
  [/home/labunix/crypt]:


The maximum available size of your filesystem needs to be chosen so
that enough space can be reserved on your disk.

  Enter the filesystem size (in MB)
  [64]:


The actual encrypted filesystem will be stored in a special file,
which needs to be large enough to contain your entire encrypted
filesystem.

  Enter a filename for your encrypted container
  [/home/labunix/crypto.fs]:


Access to your encrypted filesystem is protected by a key that is
kept in a separate small file. The key is locked by a password that
you must enter whenever you mount the filesystem.

  Enter a location for the keyfile
  [/etc/cryptmount/opaque.key]:

------------------------------
Your filing system is now ready to be built - this will involve:
 - Creating the directory "/home/labunix/crypt"
 - Creating a 64MB file, "/home/labunix/crypto.fs"
 - Adding an extra entry ("opaque") in /etc/cryptmount/cmtab
 - Creating a key-file ("/etc/cryptmount/opaque.key")
 - Creating an ext3 filingsystem on "/home/labunix/crypto.fs"
If you do not wish to proceed, no changes will be made to your system.

  Please confirm that you want to proceed (enter "yes")
  [no]: yes
Making mount-point (/home/labunix/crypt)... done
Creating filesystem container (/home/labunix/crypto.fs)... done
Taking backup of cryptmount master config-file (/etc/cryptmount/cmtab.bckp-setup)... done
Generating filesystem access key (/etc/cryptmount/opaque.key)...
Generating random key; please be patient...

Enter new password for target "opaque":
Confirm password:
Formatting encrypted filesystem...


Enter password for target "opaque":


------------------------------
Your new encrypted filesystem is now ready for use - to access, try:
    cryptmount opaque
    cd /home/labunix/crypt
After you have finished using the filesystem, try:
    cd
    cryptmount --unmount opaque

Please take great care NOT to delete or damage your keyfile
("/etc/cryptmount/opaque.key"). Without that file, and the associated
password, it will be virtually impossible to access your encrypted
filesystem. You may want to keep a separate backup copy of the
keyfile.

■Mounting

$ sudo cryptmount opaque
Enter password for target "opaque":
e2fsck 1.42.5 (29-Jul-2012)
/dev/mapper/opaque: clean, 11/16384 files, 7477/65536 blocks

$ mount | grep opaque
/dev/mapper/opaque on /home/labunix/crypt type ext3 (rw,relatime,errors=continue,user_xattr,acl,barrier=1,data=ordered)

$ sudo cryptmount -l
opaque            [to mount on "/home/labunix/crypt" as "ext3"]

$ ls -l /dev/mapper/opaque
brw------- 1 root root 254, 0  517 00:37 /dev/mapper/opaque

■Creating a file

$ echo "Hello" | sudo tee crypt/test > /dev/null
$ cat crypt/test
Hello

■Viewing the help

$ sudo cryptmount --version
cryptmount-4.3.1

$ sudo cryptmount --help
usage: cryptmount [OPTION [target ...]]

  available options are as follows:

    -h | --help
    -a | --all
    -c | --change-password <target>
    -k | --key-managers
    -l | --list
    -m | --mount <target>
    -u | --unmount <target>
    --generate-key <key-size> <target>
    --reuse-key <src-target> <dst-target>
    --prepare <target>
    --release <target>
    --config-fd <num>
    --passwd-fd <num>
    --swapon <target>
    --swapoff <target>
    --version

  please report bugs to <cryptmount@rwpenney.org.uk>

■Unmounting

$ sudo cryptmount -u opaque

■Remounting and unmounting again

$ sudo cryptmount -m -a
Enter password for target "opaque":
e2fsck 1.42.5 (29-Jul-2012)
/dev/mapper/opaque: clean, 12/16384 files, 7478/65536 blocks

$ sudo cryptmount -u -a

■The 64MB image file itself

$ ls -lh crypto.fs
-rw-r--r-- 1 root root 64M  517 00:44 crypto.fs

■The key file

$ ls /etc/cryptmount/opaque.key
/etc/cryptmount/opaque.key

■Mount options

$ cat /etc/cryptmount/cmtab
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
# try 'man 8 cryptmount' or 'man 5 cmtab' for more details


# Entry automatically generated by setup-script:
opaque {
    dev=/home/labunix/crypto.fs
    dir=/home/labunix/crypt
    fstype=ext3
    fsoptions=defaults
    cipher=aes
    keyformat=builtin
    keyfile=/etc/cryptmount/opaque.key
}
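As an added example (not part of the original post or of cryptmount itself), the following POSIX shell script parses a cmtab entry in the format shown above and runs the checks worth doing after cryptmount-setup: the container and keyfile exist, and the keyfile is not readable by group or other. The sample cmtab it writes is constructed; it assumes only `awk`, `ls` and `cut`.

```shell
#!/bin/sh
# Added example, not from the original post: read fields out of a cmtab
# entry of the form shown above and sanity-check the keyfile and container.

# cmtab_field FILE TARGET KEY -> prints the value; exit status 1 if absent
cmtab_field() {
    awk -v tgt="$2" -v key="$3" '
        $1 == tgt && $2 == "{" { inblk = 1; next }   # "opaque {" opens the block
        inblk && $1 == "}"     { inblk = 0 }         # "}" closes it
        inblk {
            line = $0; sub(/^[ \t]+/, "", line)       # strip indentation
            if (index(line, key "=") == 1) {
                print substr(line, length(key) + 2); found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# cmtab_check FILE TARGET -> 0 if the container exists and the keyfile is
# present and has no group/other permission bits (the keyfile is what the
# setup script warns must never be lost; it must also never be readable
# by anyone but root)
cmtab_check() {
    dev=$(cmtab_field "$1" "$2" dev) || return 1
    key=$(cmtab_field "$1" "$2" keyfile) || return 1
    [ -f "$dev" ] && [ -f "$key" ] || return 1
    # group/other permission bits are columns 5-10 of "ls -l" output
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ]
}

# make_sample DIR: write a constructed cmtab plus dummy container and
# keyfile into DIR, mirroring the entry cryptmount-setup generated above
make_sample() {
    mkdir -p "$1"
    : > "$1/crypto.fs"
    : > "$1/opaque.key"
    chmod 600 "$1/opaque.key"
    cat > "$1/cmtab" <<EOF
# Entry automatically generated by setup-script:
opaque {
    dev=$1/crypto.fs
    dir=$1/crypt
    fstype=ext3
    cipher=aes
    keyformat=builtin
    keyfile=$1/opaque.key
}
EOF
}
```

To check a real system, call `cmtab_check /etc/cryptmount/cmtab opaque` as root; a non-zero exit means the entry, container or keyfile needs attention.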

■Removing everything (do the same if the setup failed partway)

$ echo "" >&2 | sudo tee /etc/cryptmount/cmtab; \
  sudo rm /etc/cryptmount/opaque.key; \
  sudo rm ~/crypto.fs; \
  sudo rmdir crypt