Hi,
I've been using cryptsetup/luks to manage encrypted LVM partitions for a
while now and must say it's very impressive.
The reason for my email is that I've been looking for an encryption
system for a slightly different purpose though: encrypting individual
files for storage to Amazon S3. I realise Amazon S3 naturally encrypts
all stored data but the keys are generated by Amazon, so that isn't
really satisfactory. Stored data is not hidden from Amazon staff or
whosoever obliges Amazon to release their keys.
Obviously there are lots of tools for encrypting individual files, but
what luks (uniquely?) offers is the ability to assign multiple passwords
and change passwords easily when the need arises. If - to use luks
terminology - one could split the luks header/key-slots from the bulk
data and store them separately, this facility would be especially
valuable for encrypting Amazon S3 files. This is because it would allow
passwords to be modified without having to retrieve and restore the bulk
data file, only the changed header/key-slots file. This is especially
important with S3 as Amazon only allows entire files to be uploaded or
downloaded, and bandwidth is charged for. If a file is large, or if
there are lots of files, downloading, re-encrypting and uploading each
can be very expensive.
I've been looking at using luks for this purpose, using the following
approach:
# dd if=/dev/zero of=file.luks bs=1 count=<filesize>
# losetup /dev/loop0 file.luks
# cryptsetup luksFormat /dev/loop0
# cryptsetup luksOpen /dev/loop0 myfilemap
# dd if=<file> of=/dev/mapper/myfilemap
# cryptsetup luksClose myfilemap
# losetup -d /dev/loop0
# dd if=file.luks of=file.luks.header bs=512 count=1032
# dd if=file.luks of=file.luks.data bs=512 skip=1032
Finally, file.luks.header and file.luks.data can be uploaded to Amazon.
I have also tested that it is possible to modify passwords in the
file.luks.header directly, e.g.
# losetup /dev/loop0 file.luks.header
# cryptsetup luksDump /dev/loop0
# cryptsetup luksAddKey /dev/loop0
# cryptsetup luksDelKey /dev/loop0 <n>
# losetup -d /dev/loop0
And when the header and data files are subsequently concatenated, one
can regain access to the data.
# cat file.luks.header file.luks.data >file.luks.new
Does anyone have any opinions about the sanity of this approach? Is
there a better tool or approach I'm missing? I would be very grateful
for any feedback.
Kind regards,
Struan Bartlett
Head of IT
--
____________________________________
Struan Bartlett
NewsNow Publishing Limited
http://www.NewsNow.co.uk
Tel: +44 (0)845 838 8890
Fax: +44 (0)834 838 8898
____________________________________
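Added example, not part of the original post: the split above hard-codes 1032 sectors, but a LUKS1 header records its own payload offset and key-slot layout, so the cut point can be read from the header and checked (all key material must lie before the payload) before anything is uploaded. The sample header is constructed in-memory for offline testing; it is not produced by cryptsetup, and the geometry (128-bit key, 4000 stripes, payload at sector 1032) is an assumption matching the post's numbers.

```python
# Added example: parse a LUKS1 header to find the header/payload boundary
# instead of assuming 1032 sectors. LUKS1 on-disk layout, big-endian.
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SECTOR = 512
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
# phdr: magic, version, cipher name, cipher mode, hash spec,
#       payload offset (sectors), key bytes, MK digest, MK salt, iterations, uuid
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# each of the 8 key slots: active flag, iterations, salt, key material offset (sectors), stripes
SLOT = struct.Struct(">II32sII")


def parse_luks1_header(buf):
    """Return the payload offset (sectors) and the indices of active key slots."""
    hdr = PHDR.unpack_from(buf, 0)
    if hdr[0] != LUKS_MAGIC or hdr[1] != 1:
        raise ValueError("not a LUKS1 header")
    payload_offset = hdr[5]
    active = []
    for i in range(8):
        flag, _iters, _salt, km_off, _stripes = SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)
        if flag == SLOT_ACTIVE:
            # key material for an active slot must sit inside the header region we keep
            if km_off >= payload_offset:
                raise ValueError(f"slot {i} key material lies inside the payload")
            active.append(i)
        elif flag != SLOT_DISABLED:
            raise ValueError(f"slot {i} has unknown state {flag:#x}")
    return {"payload_offset": payload_offset, "active_slots": active}


def split_luks1(image):
    """Split a LUKS1 image into (header + key-slot area, encrypted payload)."""
    cut = parse_luks1_header(image)["payload_offset"] * SECTOR
    return image[:cut], image[cut:]


def make_sample_header(payload_offset=1032, active=(0, 1)):
    """Constructed sample header (assumed geometry, not generated by cryptsetup)."""
    slots = b""
    for i in range(8):
        flag = SLOT_ACTIVE if i in active else SLOT_DISABLED
        # 16-byte key * 4000 stripes = 125 sectors, padded to 128; slots start at sector 8
        slots += SLOT.pack(flag, 1000 if flag == SLOT_ACTIVE else 0, b"\0" * 32, 8 + i * 128, 4000)
    return PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                     payload_offset, 16, b"\0" * 20, b"\0" * 32, 1000, b"\0" * 40) + slots
```

Later cryptsetup releases also support a detached header directly (`--header`, `luksHeaderBackup`/`luksHeaderRestore`), which avoids the manual dd split; the layout parsed here applies to LUKS1 only.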
---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/