Vanstechelman.eu

Using an Encrypted Filesystem

If your machine is stolen, the thief can read your confidential data directly off the hard drive. You can protect that data by keeping it on an encrypted filesystem. This is useful for laptop users who carry sensitive data around and for encrypting backups. Keep in mind that the encryption only protects data at rest: while the filesystem is mounted its contents are readable like any other files, so unmount and detach it whenever you are not using it.

First make sure the following options are enabled in your 2.6 kernel (if you are still on a 2.4 kernel, upgrade to 2.6: on 2.4 you would need extra patches and modules to do this):

Device Drivers  --->
Block devices  --->
<*> Loopback device support
<*>   Cryptoloop Support

Cryptographic options  --->
<*>   AES cipher algorithms

The procedure is: create a large file and attach it to a loopback device with encryption enabled (you may need to load the loop module first with modprobe loop; on 2.6 it is loop.ko). Provide a password when losetup asks for it, then make a filesystem on the loopback device. Mount the new filesystem as normal, copy over the files you want to store securely, then unmount the filesystem. Finally detach the file from the loopback device and sync to make sure everything is written back to disk. The following creates a 650 MiB file (665600 blocks of 1 KiB) suitable for burning to a CD-R. Filling the file from /dev/zero is quick, but blocks that are never written stay zero on disk and reveal how much of the container is actually in use; fill from /dev/urandom instead if that matters to you.

# dd if=/dev/zero of=/secure bs=1k count=665600
# losetup -e aes-cbc-256 /dev/loop0 /secure
Password:
# mkfs -t ext2 /dev/loop0 665600
# mount -t ext2 /dev/loop0 /mnt
...
# umount /dev/loop0
# losetup -d /dev/loop0
# sync

To access the encrypted filesystem again, simply reattach the file to a loopback device and provide the password. Mount the filesystem, then add, edit or remove files as required. When you are finished, unmount it and detach the file from the loopback device.

# losetup -e aes-cbc-256 /dev/loop0 /secure
Password:
# mount -t ext2 /dev/loop0 /mnt
...
# umount /dev/loop0
# losetup -d /dev/loop0
# sync

Here are a couple of bash aliases to make mounting and unmounting the encrypted filesystem easier; since the commands need root, add them to root's .bashrc file. The commands are chained with && so that mount is skipped if losetup fails, and detaching is skipped if the filesystem could not be unmounted (for example because it is still in use).

alias mntsec='losetup -e aes-cbc-256 /dev/loop0 /secure && mount -t ext2 /dev/loop0 /mnt'
alias umntsec='umount /dev/loop0 && losetup -d /dev/loop0 && sync'

You can use them like this:

# mntsec
Password:
...
# umntsec
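The create/mount/unmount sequence above and the mntsec/umntsec aliases, folded into one POSIX shell script with error checking. This is an added example, not code from the original page. It keeps the page's losetup -e aes-cbc-256 invocation and its paths (/secure, /dev/loop0, /mnt), exposed here through SECFS_* variables that are this example's own names; it fills the container from /dev/urandom rather than /dev/zero, and it detaches the loop device again when mount fails on a wrong password so you can simply retry. Setting DRY_RUN=1 prints the commands instead of running them, which is handy for checking what the script would do before running it as root.

```shell
#!/bin/sh
# Added example (not from the original page): the create/attach/mount/unmount
# sequence and the mntsec/umntsec aliases as shell functions with error
# checking. Assumes the same cryptoloop-era losetup (-e aes-cbc-256) the page
# uses; the SECFS_* variables are this example's own names.

SECFS_FILE="${SECFS_FILE:-/secure}"      # container file (the page's /secure)
SECFS_LOOP="${SECFS_LOOP:-/dev/loop0}"   # loop device
SECFS_MNT="${SECFS_MNT:-/mnt}"           # mount point
SECFS_CIPHER="${SECFS_CIPHER:-aes-cbc-256}"

# run CMD...: execute CMD, or only print the command line when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# secfs_blocks MIB: number of 1 KiB blocks for a container of MIB mebibytes
# (650 -> 665600, the figure the page uses for a CD-R sized file).
secfs_blocks() {
    echo $(( $1 * 1024 ))
}

# secfs_create MIB: build a new container and put an ext2 filesystem on it.
# Filling from /dev/urandom instead of /dev/zero means never-written blocks
# are indistinguishable from ciphertext; a zero-filled container reveals how
# much of it has ever been used.
secfs_create() {
    blocks=$(secfs_blocks "$1")
    run dd if=/dev/urandom of="$SECFS_FILE" bs=1k count="$blocks" &&
    run losetup -e "$SECFS_CIPHER" "$SECFS_LOOP" "$SECFS_FILE" &&
    run mkfs -t ext2 "$SECFS_LOOP" "$blocks" &&
    run losetup -d "$SECFS_LOOP" &&
    run sync
}

# secfs_mount: attach and mount. losetup cannot verify the password, so a
# wrong one only shows up as a mount failure; detach again in that case so
# the next attempt starts clean (the page's alias leaves the device attached).
secfs_mount() {
    if ! run losetup -e "$SECFS_CIPHER" "$SECFS_LOOP" "$SECFS_FILE"; then
        echo "secfs: losetup failed" >&2
        return 1
    fi
    if ! run mount -t ext2 "$SECFS_LOOP" "$SECFS_MNT"; then
        echo "secfs: mount failed (wrong password?), detaching" >&2
        run losetup -d "$SECFS_LOOP"
        return 1
    fi
}

# secfs_umount: unmount, detach and flush. The data is only protected once
# the loop device is detached; while it is attached, root can remount it
# without being asked for the password.
secfs_umount() {
    run umount "$SECFS_MNT" &&
    run losetup -d "$SECFS_LOOP" &&
    run sync
}

# Dispatch when invoked as a script:  secfs.sh create 650 | mount | umount
case "${1:-}" in
    create) secfs_create "${2:-650}" ;;
    mount)  secfs_mount ;;
    umount) secfs_umount ;;
esac
```

Save it as secfs.sh and run `sh secfs.sh create 650` once, then `sh secfs.sh mount` and `sh secfs.sh umount` as root in place of the aliases; `DRY_RUN=1 sh secfs.sh create 650` shows the exact dd, losetup and mkfs lines without touching the disk.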

If you enter the wrong password, losetup itself succeeds (it has no way to check the key) but the mount fails because the decrypted data is garbage; detach the file with losetup -d /dev/loop0 and start again. Don't use DES: it is no longer supported in losetup. You can also use third-party crypto kernel modules for loopback encryption, including twofish, blowfish, cast128, serpent, MARS, RC6, DFC and IDEA, which give you a choice of cipher, although none of them is stronger than AES-256 in any practical sense. Some of the latest distributions ship some of these modules. Be aware that cryptoloop derives each sector's IV from the sector number alone, which is known to allow watermarking attacks (an attacker who can plant a specially crafted file can detect its presence without the key), and that it has since been deprecated in favour of dm-crypt, driven by cryptsetup with LUKS; for new setups, prefer that.