* Kernel >= 2.6.4 (>= 2.6.10 for better security)
* BLK_DEV_DM and DM_CRYPT options enabled in the kernel
* cryptsetup utility
/dev/sda being your usb key:
Check the disk for bad blocks and fill it with random data (this protects against known-plaintext attacks). Both commands overwrite everything on /dev/sda:
Code:
/sbin/badblocks -s -w -t random -v /dev/sda
dd if=/dev/urandom of=/dev/sda
Code:
luksformat -t ext2 /dev/sda
Code:
mkdir /media/cdisk1
Link it with a device mapper. Put this in /etc/fstab:
Quote:
/dev/mapper/cdisk1 /media/cdisk1 ext2 noauto,defaults 0 0
And this in /etc/crypttab:
Quote:
cdisk1 /dev/sda none luks,timeout=10
Code:
cryptsetup luksOpen /dev/sda cdisk1
mount /media/cdisk1
Code:
umount /media/cdisk1
cryptsetup luksClose cdisk1
On the next reboot, /etc/init.d/cryptdisks (if it was installed by cryptsetup) will look in /etc/crypttab, ask you for the password and mount the disk in /media/cdisk1.
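The /etc/fstab and /etc/crypttab lines above only work together if the mapping name matches in both files. The following script is an added example, not part of the original post: it cross-checks the two files, using sample contents constructed from the lines shown above. The function name check_mappings and the rule that the key field must be "none" (passphrase prompt rather than a key file stored on disk) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check fstab against crypttab.
# Both sample strings are constructed from the two lines quoted above.
SAMPLE_FSTAB='/dev/mapper/cdisk1 /media/cdisk1 ext2 noauto,defaults 0 0'
SAMPLE_CRYPTTAB='cdisk1 /dev/sda none luks,timeout=10'

# check_mappings FSTAB_TEXT CRYPTTAB_TEXT   (hypothetical helper)
# Prints "<name>: ok" or "<name>: <problem>" for every /dev/mapper/<name>
# device in the fstab text; exit status is 0 only if every entry is ok.
check_mappings() {
    printf '%s\n' "$2" | FSTAB_TEXT="$1" awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        # crypttab fields: name, source device, key file, options
        { seen[$1] = 1; key[$1] = $3; opts[$1] = $4 }
        END {
            bad = 0
            n = split(ENVIRON["FSTAB_TEXT"], line, "\n")
            for (i = 1; i <= n; i++) {
                if (line[i] ~ /^[ \t]*(#|$)/) continue
                split(line[i], f)                # fstab: device, mount point, ...
                if (f[1] !~ /^\/dev\/mapper\//) continue
                name = substr(f[1], 13)          # strip "/dev/mapper/"
                if (!(name in seen))
                    msg = "no crypttab entry"
                else if (("," opts[name] ",") !~ /,luks,/)
                    msg = "crypttab entry lacks the luks option"
                else if (key[name] != "none")
                    msg = "key file configured instead of a passphrase prompt"
                else
                    msg = "ok"
                if (msg != "ok") bad = 1
                print name ": " msg
            }
            exit bad
        }'
}

# Runs against the constructed samples; for the real files use
#   check_mappings "$(cat /etc/fstab)" "$(cat /etc/crypttab)"
check_mappings "$SAMPLE_FSTAB" "$SAMPLE_CRYPTTAB"
```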
Alternatively, you can mount it with pmount. The first argument is the partition or disk; the second is a label you choose (it can be different from the one above).
Code:
pmount /dev/sda supa_crypt
To use pmount on non-removable media (e.g. /dev/hda6 below), you have to allow this device to be "pmounted":
Quote:
# /etc/pmount.allow
# pmount will allow users to additionally mount all devices that are
# listed here.
/dev/hda6
If HAL and udev are configured correctly and your window manager is HAL-aware, just plug in the USB key and a popup will ask you for the password (the media will be mounted in /media/sda in this case; the label is the partition name).
