Anon wrote:
>>Anon wrote:
>>
>>>>Anon wrote:
>>>>
>>>>
>>>>>Could I then use ReiserFS on top of a file backed loop device?
>>>>
>>>>
>>>>the loop-AES.README also states:
>>>>
>>>> 1. Loop device primer
>>>> [...]
>>>> File backed loops may deadlock under some kernel + file system
>>>> combinations.
>>>> So, if you can choose between device backed and file backed, choose
>>>> device backed even if it means that you have to re-partition your
>>>> disks.
>>>
>>>
>>>I *am* planning on using a device-backed loop.
>>>
>>>
>>>
>>>>so, file backed loops SHOULD be avoided, no matter if encrypted or not,
>>>>with journaling fs on it or without. yes, it's possible and you SHOULD
>>>>try it to see if it works for you. but in "most cases" file backed loops
>>>>are behaving better.
>>>
>>>
>>>I assume you really meant device-backed loops in the last sentance above.
>>>
>>>My interest in using a file-backed loop is so that I can have a loop-AES device-backed loop
>>>containing a loop-AES file-backed loop, for two (or more) layers of encryption.
>>>
>>>I have the impression from the loop-AES.README file a non-journalling file system can be used
>
> in a
>
>>>file-backed loop. It is my understanding from the ReiserFS documentation that using the
>
> "nolog"
>
>>>option during mounting would satisfy the non-journalling criteria, as this option disables
>>>journalling.
>>
>>
>>For that scenario you only 'need' a filesystem for the last layer.
>>
>>You pack an encryption layer onto the partion/device.
>>"losetup" it and losetup the next layer directly onto the newly created
>>/dev/loop<x> device.
>>
>>That way you only stack block-devices and pack a filesystem on the last one.
>>
>>For a (say) 4 layer encryption you would stack;
>>
>>HDD -> Partition
>>-> Loop 1 -> Loop 2 -> Loop 3 -> Loop 4
>>-> Filesystem
>>
>>e.g.
>>sdb -> sdb1 -> loop0 -> loop1 -> loop2 -> loop3 -> <whatever>
>>
>>If you want you can also pack the encryption keys before each layer
>>using the "offset"-options to leave the needed space for the keys and
>>shrink the block-device of each layer by a little bit.
>>
>>That way you had to actually break each encryption layer to even get the
>>needed keys for the next. (Of course the key-sets are also encrypted
>>with by gpg or whatever else layer you may think of)
>
> Thank you for the suggestion. I just read a similar suggestion for Jari, though I need a more
> detailed example to actually implement the suggestion (as in an example fstab and command line
> that properly sets up the stack of loops). I never stacked loops before, and do not yet seem to
> understand how I would stack loops.
>
> While your suggestion with the keys residing in each layer may be convenient, I think it
> needlessly reduces the security to Level 2 as stated in the loop-AES.README. It would be just as
> convenient and easy to store the keys external to the encrypted partion/loops.
Taken the losetup from the README i've just written this shell-script
Example is for 4 layer, but you can be easily changed for more or less.
- snip -
#!/bin/bash
loop=0
# Find next free Loop-device
# return loop-device as output-string and (next) nr via return-value
function nextFreeLoop()
{
while true
do
if [ ! -b "/dev/loop${loop}" ]; then
print "No more loop devices /dev/loop${loop}"
exit 99
fi
# If the loop-device is "free" then break
losetup "/dev/loop${loop}" &>/dev/null || break
let loop=loop+1
done
echo "/dev/loop${loop}"
let loop=loop+1
exit $loop
}
loop0=`nextFreeLoop`
loop=$?
loop1=`nextFreeLoop`
loop=$?
loop2=`nextFreeLoop`
loop=$?
loop3=`nextFreeLoop`
loop=$?
if [ "$loop" = "99" ]; then
print "Not enough free loop-devices"
exit 1
fi
losetup -e AES128 -K /root/secret1.gpg $loop0 /dev/hda666 || exit 1
losetup -e AES128 -K /root/secret2.gpg $loop1 $loop0 || exit 1
losetup -e AES128 -K /root/secret3.gpg $loop2 $loop1 || exit 1
losetup -e AES128 -K /root/secret4.gpg $loop3 $loop2 || exit 1
echo "Setup successfull"
echo "Used Loop-devices: $loop0 $loop1 $loop2 $loop3"
- snip -
After that you can
mkfs (First time) and/or mount $loop3.
If you have other loop-devices the used loop-devices may not be persistent.
But you could also change the script to use fixed-numbers instead.
Or you skip the
--
Real Programmers consider "what you see is what you get" to be just as
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated,
cryptic, powerful, unforgiving, dangerous.
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
