labunix's blog


Trying cryptmount on Debian Wheezy

■ Trying cryptmount on Debian Wheezy.

 Installing dm_crypt on Debian Wheezy

$ apt-cache show cryptmount | grep ^Depends | sed s/", "/"&\n"/g
Depends: libc6 (>= 2.3.3),
libdevmapper1.02.1 (>= 2:1.02.20),
libgcrypt11 (>= 1.4.5),
libuuid1 (>= 2.16)

$ sudo apt-get install -y cryptmount


$ dpkg -L cryptmount | grep bin/

$ grep -i bin /usr/sbin/cryptmount-setup
    tgts=`${CM_BINEXE} --list | awk '{printf"%s ", $1}'`
        if ${CM_BINEXE} --list "${TargetName}" >/dev/null 2>&1; then
    ${CM_BINEXE} --generate-key 32 "${TargetName}"
    ${CM_BINEXE} --prepare "${TargetName}"
    ${CM_BINEXE} --release "${TargetName}"

■ Let's get started. Generating the "random key" partway through takes some time.

$ sudo cryptmount-setup | tee cryptmount.log

cryptmount setup script

This program will allow you to setup a secure filing-system that will
be managed by "cryptmount". You will be able to select basic features
such as the location and size of the filesystem - if you want more
advanced features, you should consult the cryptmount manual page.

cryptmount version 4.3.1, (C)Copyright 2007-2009 RW Penney
cryptmount comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under
certain conditions - see the file 'COPYING' in the source directory.

Each cryptmount filesystem is identifed by a short name which is used
when mounting or configuring that filesystem. This name should be a
single word (without spaces), such as "opaque".
The following target names have already been used:    (NONE)

  Please enter a target name for your filesystem

The opaque filesystem can be configured to be owned by a nominated
user, who will be able to create top-level files & directories
without needing to involve the superuser.

  Which user should own the filesystem (leave blank for "root")

In order to access the opaque filesystem, it must be mounted on top
of an empty directory.

  Please specify where "opaque" should be mounted

The maximum available size of your filesystem needs to be chosen so
that enough space can be reserved on your disk.

  Enter the filesystem size (in MB)

The actual encrypted filesystem will be stored in a special file,
which needs to be large enough to contain your entire encrypted

  Enter a filename for your encrypted container

Access to your encrypted filesystem is protected by a key that is
kept in a separate small file. The key is locked by a password that
you must enter whenever you mount the filesystem.

  Enter a location for the keyfile

Your filing system is now ready to be built - this will involve:
 - Creating the directory "/home/labunix/crypt"
 - Creating a 64MB file, "/home/labunix/crypto.fs"
 - Adding an extra entry ("opaque") in /etc/cryptmount/cmtab
 - Creating a key-file ("/etc/cryptmount/opaque.key")
 - Creating an ext3 filingsystem on "/home/labunix/crypto.fs"
If you do not wish to proceed, no changes will be made to your system.

  Please confirm that you want to proceed (enter "yes")
  [no]: yes
Making mount-point (/home/labunix/crypt)... done
Creating filesystem container (/home/labunix/crypto.fs)... done
Taking backup of cryptmount master config-file (/etc/cryptmount/cmtab.bckp-setup)... done
Generating filesystem access key (/etc/cryptmount/opaque.key)...
Generating random key; please be patient...

Enter new password for target "opaque":
Confirm password:
Formatting encrypted filesystem...

Enter password for target "opaque":

Your new encrypted filesystem is now ready for use - to access, try:
    cryptmount opaque
    cd /home/labunix/crypt
After you have finished using the filesystem, try:
    cryptmount --unmount opaque

Please take great care NOT to delete or damage your keyfile
("/etc/cryptmount/opaque.key"). Without that file, and the associated
password, it will be virtually impossible to access your encrypted
filesystem. You may want to keep a separate backup copy of the


$ sudo cryptmount opaque
Enter password for target "opaque":
e2fsck 1.42.5 (29-Jul-2012)
/dev/mapper/opaque: clean, 11/16384 files, 7477/65536 blocks

$ mount | grep opaque
/dev/mapper/opaque on /home/labunix/crypt type ext3 (rw,relatime,errors=continue,user_xattr,acl,barrier=1,data=ordered)

$ sudo cryptmount -l
opaque            [to mount on "/home/labunix/crypt" as "ext3"]

$ ls -l /dev/mapper/opaque
brw------- 1 root root 254, 0  517 00:37 /dev/mapper/opaque


$ echo "Hello" | sudo tee crypt/test > /dev/null
$ cat crypt/test


$ sudo cryptmount --version

$ sudo cryptmount --help
usage: cryptmount [OPTION [target ...]]

  available options are as follows:

    -h | --help
    -a | --all
    -c | --change-password <target>
    -k | --key-managers
    -l | --list
    -m | --mount <target>
    -u | --unmount <target>
    --generate-key <key-size> <target>
    --reuse-key <src-target> <dst-target>
    --prepare <target>
    --release <target>
    --config-fd <num>
    --passwd-fd <num>
    --swapon <target>
    --swapoff <target>

  please report bugs to <>


$ sudo cryptmount -u opaque


$ sudo cryptmount -m -a
Enter password for target "opaque":
e2fsck 1.42.5 (29-Jul-2012)
/dev/mapper/opaque: clean, 12/16384 files, 7478/65536 blocks

$ sudo cryptmount -u -a


$ ls -lh crypto.fs
-rw-r--r-- 1 root root 64M  517 00:44 crypto.fs


$ ls /etc/cryptmount/opaque.key


$ cat /etc/cryptmount/cmtab
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
# try 'man 8 cryptmount' or 'man 5 cmtab' for more details

# Entry automatically generated by setup-script:
opaque {


$ echo "" >&2 | sudo tee /etc/cryptmount/cmtab; \
  sudo rm /etc/cryptmount/opaque.key; \
  sudo rm ~/crypto.fs; \
  sudo rmdir crypt
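
The cleanup command above empties /etc/cryptmount/cmtab entirely, which also drops any other targets defined in that file. The following is an added example, not from the original post, that removes only one target's stanza and keeps a backup copy first; the second target "backup", the sample paths, and the function names are hypothetical, and the sample cmtab is constructed.

```shell
#!/bin/sh
# Added example: remove one target stanza from a cmtab-style file.
# Assumes target names are plain words and that the only "}" in a stanza
# is the one that closes it.

# Print FILE ($2) to stdout without the "TARGET { ... }" stanza for $1.
cmtab_without_target() {
    awk -v tgt="$1" '
        # Stanza header for the requested target, e.g. "opaque {"
        !skip && $0 ~ ("^[ \t]*" tgt "[ \t]*[{]") { skip = 1 }
        # While skipping, drop lines up to and including the closing brace
        skip { if (index($0, "}")) skip = 0; next }
        { print }
    ' "$2"
}

# Rewrite FILE in place, keeping a backup copy in FILE.bak first.
cmtab_remove_target() {
    target=$1 file=$2
    tmp=$(mktemp) || return 1
    cmtab_without_target "$target" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$file" "$file.bak" &&
        cat "$tmp" > "$file"      # overwrite contents, keep owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample with two targets; "backup" and all paths are hypothetical.
sample_cmtab() {
    cat <<'EOF'
# constructed sample, not the cmtab from the post
opaque {
    dev=/home/user/crypto.fs
    dir=/home/user/crypt
    keyfile=/etc/cryptmount/opaque.key
}
backup {
    dev=/home/user/backup.fs
    dir=/home/user/backup
    keyfile=/etc/cryptmount/backup.key
}
EOF
}

# Demo on a temporary copy: only the "backup" stanza should remain.
demo=$(mktemp) && sample_cmtab > "$demo" &&
    cmtab_remove_target opaque "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```

Against the real file this would be run as root, for example `cmtab_remove_target opaque /etc/cryptmount/cmtab`, after unmounting the target.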