Aerospace Software Ltd.

Mandrake Cryptoloop Filesystems Howto Guide

Mandrake 10.0

Last year, my trusty old Thinkpad notebook was stolen - a few weeks later, I got a VISA bill for $8000... 'nuff sed.

Even though I do military work from time to time, which includes things like encryption and error correction, I never bothered to use encryption for my own protection. It felt too much like work and I thought that setting up an encrypted file system would be very difficult and a bother to use.

Well, I was wrong about a few things - but I am known to be occationally wrong about things - the wife would concur - the simple truth is that setting up encrypted systems is easy and quick and it doesn't slow the system down at all! Consequently, I now recommend to everybody to use encrypted file systems on any machine that is in danger of getting stolen, eg. notebook PCs.

This guide explains how to create secure filesystems on your workstation or server. Quite a few guides have been written on this topic, but I found them confusing and lacking in Mandrake specific information.

Mandrake has a very nice wizard called 'drakloop', that allows you to create cryptographically protected subdirectories very easily. However, there is precious little information available on what exactly this wizard does and while it works very well, sometimes one needs to do something a little different and it would be nice to use the wizard to do the gruntwork and then just tweak things a little - I'm lazy - good engineers are lazy... ;-)

For example, the wizard alows you to easily create an encrypted directory, inside your home directory, but what if you want to encrypt an existing directory? How can you take your existing Documents directory and encrypt it? Going one step further, how can you encrypt your entire existing home directory?

It is possible to encrypt entire partitions during the Mandrake Installation Process, see my RAID How-to Guide. This way, it is possible to encrypt the /swap and /home partitions. This is fine, but what if you want to give each user his own key to his home directory?

Drakloop

First, lets familiarize ourselves with Drakloop, so that we can misuse it later with confidence.

Drakloop is disguised as the 'mountloop' rpm file and it depends on 'openssh-askpass' and 'tcsh' rpms. To install it, run rpmdrake and search for 'loop'.

You can find drakloop in the menus: Click Start, System, Archiving, Drakloop - but this time, run it from a terminal, then it will spit out some information to the terminal screen, to allow us to see what it is doing. So, open a terminal and type:

$ drakloop

Fill the following data:

Directory: secret
Size in MB: 100
Pass Phrase: mary had a little lamb
Encryption: aes256
OK

Drakloop will now create a subdirectory called 'secret' and inside it will be a file called 'encfile'. This file will contain one subdirectory called 'lost and found' and will in reality be padded out with random numbers to the size of 100MB - this will take a little while. The encrypted file will be mounted on its own parent directory - a nice trick.

If you browse to the directory 'secret', it will appear to be a normal directory - you can browse, drag, drop and copy as usual. From now on, when you log out, the encrypted system will be unmounted and when you log in, you will be asked for the pass phrase and it will be mounted again. This works so smoothly, it won't be a bother at all. (Actually, this will only happen as from the next time you reboot. When you create a new encrypted system it will remain open until you reboot - this may be important to note - you can forcefully unmount it - I'll show you later.)

Once drakconf completed its process, you will notice some output in the console window, looking like this:

[herman@mercury aerospace]$ cd
[herman@mercury herman]$ drakloop
1+0 records in
1+0 records out
# /sbin/modprobe aes
# /sbin/modprobe cryptoloop
# /sbin/losetup -p 0 -e aes256 /dev/loop2 secret/encfile
# chown 503 /dev/loop2
$ /sbin/mkfs -t ext2 /dev/loop2
mke2fs 1.34 (25-Jul-2003)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
25688 inodes, 102400 blocks
5120 blocks (5.00%) reserved for the super user
First data block=1
13 block groups
8192 blocks per group, 8192 fragments per group
1976 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 22 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
# /sbin/losetup -d /dev/loop2
# /sbin/modprobe aes
# /sbin/modprobe cryptoloop
# chown 503 /dev/loop2
# /bin/mount -o loop=/dev/loop2,encrypted,encryption=aes256 -p 0 secret/encfile
secret
[herman@mercury herman]$

What happened:

# /sbin/modprobe aes - load the american encryption standard module
# /sbin/modprobe cryptoloop - load the cryptoloop file system module
# /sbin/losetup -p 0 -e aes256 /dev/loop2 secret/encfile - cryptoloop setup
# chown 503 /dev/loop2 - create a cryptoloop device file
$ /sbin/mkfs -t ext2 /dev/loop2 - format the device with ext2 file system
# /bin/mount -o loop=/dev/loop2,encrypted,encryption=aes256 -p 0 secret/encfile secret - mount the file system

In addition, drakloop also updates a hidden file called '.mountlooprc' which now looks like this:

[herman@mercury herman]$ cat .mountlooprc
aes256 secret/encfile secret

Mounting/Unmounting

When you log into your graphical system eg. KDE, you will be prompted for the pass phrase and the system will be mounted automatically, thanks to that '.mountlooprc' file. However, if you spend a lot of time at the command line and do not always run X, then you need to know how to mount the system manually:

$ mountloop aes256 /home/herman/secret/encfile /home/herman/secret ext2
$ umountloop /home/herman/secret

If you simply run 'mountloop' without any parameters it will give you some help to jog your memory:

[herman@mercury herman]$ mountloop
usage: mountloop enc file dir [fs type]

Deleting an Encrypted File System

While playing around with this, you are going to gather some fluff that you may want to remove later. There are two issues when deleting a crypto system. First, it has to free - unused. Then you need to unmount it and only then can you delete it.

Therefore, log out and log in as root instead. Then go and delete the fluff and remember to also clean up the .mountlooprc file with a text editor. Extra unused entries in this file don't cause any problems though.

Note that you can see what is mounted using the 'mount' command:

[herman@mercury herman]$ mount
/dev/ide/host0/bus1/target0/lun0/part5 on / type reiserfs (rw,notail)
none on /proc type proc (rw)
none on /proc/bus/usb type usbdevfs (rw)
none on /dev type devfs (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw,mode=0620)
/dev/ide/host0/bus1/target0/lun0/part7 on /home type reiserfs (rw,notail)
/dev/ide/host0/bus1/target0/lun0/part1 on /mnt/windows type vfat
(rw,umask=0,iocharset=iso8859-1,codepage=850)
/home/herman/vault/encfile on /home/herman/vault type ext2
(rw,encrypted,loop=/dev/loop0,encryption=aes256)
secretdir/encfile on /home/herman/secretdir type ext2
(rw,encrypted,loop=/dev/loop1,encryption=aes128)
secret/encfile on /home/herman/secret type ext2
(rw,encrypted,loop=/dev/loop2,encryption=aes256)
[herman@mercury herman]$

While writing this guide, I have collected quite a bit of fluff there.

Encrypt your Existing Documents Directory

Now, we are going to do something useful. Lets encrypt an existing directory. The Documents directory is a good candidate, sine it likely contains most of your super secret stuff, that you don't want a notebook thief to see.

Open a terminal and rename the Documents directory (don't use Konqueror to do that - it will barf). Then create a crypto file system called Documents. Finally copy the contents of the old Documents directory to the new one and delete the old one. Easy!

$ cd
$ mv Documents Documents.plaintext
$ drakloop

Do the Drakloop wizardry with directory name Documents and give it a generous size of say 1000MB.

Once Drakloop calmed down, we need to copy the data. This is a little tricky, since we need to copy directory structures and hidden files as well. The not so obvious problem here is that hidden files start with a dot and if you use the copy command with a dot followed by an asterisk wild card character, then it will not only copy everything in this directory, but also everything in the previous directory '..', recursively!

Linux has protection against recursive copying and will only do that 3 times, but you can still run out of disk space while that is going on and on other Unix systems a recursive copy process can bring the whole system down. It took me a while of paging throug Unix manuals to find a solution. Here it is - deceptively simple:

$ cd
$ cd Documents.plaintext
$ cp -a . /home/herman/Documents

That is: cp dash a space dot space destination-directory.

After verifying that everything works, you can delete the plaintext directory:

$ cd
$ rm -Rf Documents.plaintext

La Voila! You are now the proud owner of an encrypted file system that is actually useful.

Encrypt Your Existing Home Directory

For most people, an encrypted Documents directory is enough, but some people may want to consider a few more things. For example, lots of data is stored in the swap partition, the /tmp and ~/tmp directories. Depending on your level of paranoia, you may want to encrypt those too, but that is beyond the scope of this guide.

A problem with an encrypted home directory, is that you have to mount the crypto system before you launch X. Therefore first ensure that your system will not automatically start X at startup, to give you a chance to log in and run a new startup script. Click Start, System, Configuration, Configure your computer - password - Boot, Autologin, Clear the checkbox 'Launch the graphical environment when your system starts' and select 'No I don't want autologin', OK.

The user home directory contains the whole complicated GUI configuration and bazillions of hidden files and directories. Copying it is a little tricky, but I already showed you how to do that with the Documents directory and this is similar. A complication, is that you have to be the super user 'root' to move or copy a user home directory.

Log out as common user and open a console as root, rename the user directory and use drakloop to create an encrypted file system. Substitute my name for your user name:

# cd /home
# mv herman herman.plaintext
# drakloop

Do the drakloop wizardry and give it the directory name herman. Remember to give it a generous size, but Drakloop may barf if you make it too big. You may have to create the encrypted system by hand if the machine doesn't have enough memory to cope with a large encrypted file. The drakloop discussion up above should help you do that.

Now we are in a pickle. The new encrypted system is owned by root. It will take some undoing to fix that. First let's copy the data:

# cd /home/herman.plaintext
# cp -a . /home/herman

That is: cp dash a space dot space destination-directory.

We have to change the ownership of everything back to herman and not only that, we also have to change the ownership of the encrypted system itself. Remember, we are speaking of a system inside a system and the actual 'encfile' is mounted and currently invisible. Let's first change the ownership of its contents:

# cd /home
# chown -R herman:herman herman

Unmount the crypto system and change the ownership of the file itself:

# cd /home
# umountloop /home/herman
# chown -R herman:herman herman

Finally, we need a way to easily mount and unmount things and start X. Go to the directory /usr/local/bin and create a pair of scripts called 'startme' and 'stopme' - or name them something less corny if you will.

# cd /usr/local/bin
# cat > startme
#! /bin/bash
/usr/bin/mountloop aes256 /home/herman/encfile /home/herman ext2
startx
^D

(Press Control-D to create the file after typing the above)

and this:

# cat > stopme
#! /bin/bash
/usr/bin/umountloop /home/herman
^D

Of course, you can also launch an editor (vi, joe, pico, gedit, kedit) to create the files, but I thought I'll show you a cat trick.

Now make the two scripts executable by user herman:

# chown herman:herman startme
# chown herman:herman stopme
# chmod 754 startme
# chmod 754 stopme

From now on, when you restart the notebook, you should end up at a truly great looking black terminal screen waiting for a login (This alone will already discourage most notebook thieves!). Type your username and password, then run 'startme' and the system will ask for the pass phrase. It will then mount the crypto system and launch your Graphical system.

Not too shabby, considering that you are now the proud owner of a notebook PC with an encrypted home directory!

Recovering an Encrypted File

Recently a motherboard failed and the disk drive had an encrypted file system on it. Normally, you can just stick the drive into and old computer, boot with a CDROM system such as Knoppix and copy the data to another system over a network connection. Most repair shops have an old skeleton chassis for this exact purpose. However, the file system is encrypted, so how now brown cow?

First of all, hunt down the owner of the computer and smack him with a wet noodle, until he gives you the passphrase. Then look in his home directory for the file .mountlooprc and see what encryption algorithm was used.

You can then copy the encrypted file system to another machine. If it already has a .mountlooprc file, append the specification to the bottom, or create one. Now you can run Drakloop, the file system should show up and you can mount it.

'Hope this helps!
Herman