What would be really handy would be a way to expose s3 as a block device
accessible locally. I don't know of any projects that are free software
that do that though. s3backer is neat, that exposes s3 as a local file
system via FUSE.

You could use duplicity, a gpg-based backup method, and s3sync etc...

As someone else mentioned, you can encrypt to multiple keys with gpg.
Alternatively though, more in line with what LUKS does, you can just
change the password to the private key,

-- Roscoe

On Sat, Nov 1, 2008 at 6:50 AM, Struan Bartlett <struan.bartlett@xxxxxxxxxxxxx> wrote:
>
> Hi,
>
> I've been using cryptsetup/luks to manage encrypted LVM partitions for a
> while now and must say it's very impressive.
>
> The reason for my email is that I've been looking for an encryption system
> for a slightly different purpose though: encrypting individual files for
> storage to Amazon S3. I realise Amazon S3 naturally encrypts all stored data
> but the keys are generated by Amazon, so that isn't really satisfactory.
> Stored data is not hidden from Amazon staff or whosoever obliges Amazon to
> release their keys.
>
> Obviously there's lots of tools for encrypting individual files, but what
> luks (uniquely?) offers is the ability to assign multiple passwords and
> change passwords easily when the need arises. If - to use luks terminology -
> one could split the luks header/key-slots from the bulk data and store them
> separately, this facility would be especially valuable for encrypting Amazon
> S3 files. This is because it would allow passwords to be modified without
> having to retrieve and restore the bulk data file, only the changed
> header/key-slots file. This is especially important with S3 as Amazon only
> allows entire files to be uploaded or downloaded, and bandwidth is charged
> for. If a file is large, or if there are lots of files, downloading,
> re-encrypting and uploading each can be very expensive.
>
> I've been looking at using luks for this purpose, using the following
> approach:
>
> # dd if=/dev/zero of=file.luks bs=1 count=<filesize>
> # losetup /dev/loop0 file.luks
> # cryptsetup luksFormat /dev/loop0
> # cryptsetup luksOpen /dev/loop0 myfilemap
> # dd if=<file> of=/dev/mapper/myfilemap
> # cryptsetup luksClose myfilemap
> # losetup -d /dev/loop0
> # dd if=file.luks of=file.luks.header bs=512 count=1032
> # dd if=file.luks of=file.luks.data bs=512 skip=1032
>
> Finally, file.luks.header and file.luks.data can be uploaded to Amazon. I
> also have tested that it is possible to modify passwords in the
> file.luks.header directly e.g.
>
> # losetup /dev/loop0 file.luks.header
> # cryptsetup luksDump /dev/loop0
> # cryptsetup luksAddKey /dev/loop0
> # cryptsetup luksDelKey /dev/loop0 <n>
> # losetup -d /dev/loop0
>
> And when the header and data files are subsequently concatenated, one can
> regain access to the data.
>
> # cat file.luks.header file.luks.data >file.luks.new
>
> Does anyone have any opinions about the sanity of this approach? Is there a
> better tool or approach I'm missing? I would be very grateful for any
> feedback.
>
> Kind regards,
>
> Struan Bartlett
> Head of IT
>
> --
> ____________________________________
> Struan Bartlett
> NewsNow Publishing Limited
> http://www.NewsNow.co.uk
> Tel: +44 (0)845 838 8890
> Fax: +44 (0)834 838 8898
> ____________________________________
> Internet Press Cuttings &
> Real-time News
>
> >> Corporate press alerts
> >> Competitor awareness
> >> Market awareness
> >> Tailored news for web sites
> >> Intranet newsfeeds
>
> ____________________________________
>
>
>
> ---------------------------------------------------------------------
> dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
> To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
> For additional commands, e-mail: dm-crypt-help@xxxxxxxx
>
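As an added example (not code from the thread or from cryptsetup), a Python parser for the LUKS1 header discussed above: it reads the payload offset from the header itself instead of hard-coding the 1032 sectors used in the dd commands, and lists which of the eight key slots are active, which is a useful check that a luksDelKey really cleared a slot before the header file is uploaded. It assumes the LUKS1 on-disk layout (592-byte phdr, 48-byte key slots, key slots aligned to 8 sectors); with that layout 1032 sectors corresponds to a 16-byte key, and a 32-byte key moves the payload to sector 2056. The sample header is constructed inside the block and contains no real key material.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # LUKS1 phdr fields, big-endian, 208 bytes
SLOT_FMT = ">II32sII"                    # key slot: active, iterations, salt, offset, stripes
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD
SECTOR = 512


def parse_luks1_header(buf):
    """Return cipher, key size, payload offset (sectors) and key-slot states."""
    if buf[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (_, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _dsalt, _diter, _uuid) = struct.unpack_from(PHDR_FMT, buf, 0)
    if version != 1:
        raise ValueError("only LUKS1 headers are handled here")
    slots = []
    for i in range(8):
        active, iters, _salt, kmo, _stripes = struct.unpack_from(
            SLOT_FMT, buf, struct.calcsize(PHDR_FMT) + i * struct.calcsize(SLOT_FMT))
        slots.append({"active": active == KEY_ENABLED, "iterations": iters,
                      "material_offset": kmo})
    return {"cipher": cipher.rstrip(b"\0").decode(), "mode": mode.rstrip(b"\0").decode(),
            "hash": hashspec.rstrip(b"\0").decode(), "key_bytes": key_bytes,
            "payload_offset": payload_off,          # the right count/skip for dd
            "header_bytes": payload_off * SECTOR, "slots": slots}


def build_sample_header(key_bytes, active_slots):
    """Constructed test header (no real key material). Slot placement follows the
    LUKS1 layout: 4000 anti-forensic stripes per slot, slots aligned to 8 sectors."""
    slot_sectors = -(-key_bytes * 4000 // SECTOR)   # ceil(material bytes / 512)
    slot_sectors = -(-slot_sectors // 8) * 8        # round up to an 8-sector boundary
    slots = b""
    for i in range(8):
        enabled = i in active_slots
        slots += struct.pack(SLOT_FMT, KEY_ENABLED if enabled else KEY_DISABLED,
                             100000 if enabled else 0, b"\0" * 32,
                             8 + i * slot_sectors, 4000)
    payload_off = 8 + 8 * slot_sectors
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                       payload_off, key_bytes, b"\0" * 20, b"\0" * 32, 1000,
                       b"00000000-0000-0000-0000-000000000000")
    return phdr + slots


if __name__ == "__main__":
    info = parse_luks1_header(build_sample_header(16, {0, 3}))
    print(info["payload_offset"], [s["active"] for s in info["slots"]])
```

On a real header file, read the first 592 bytes and pass them to parse_luks1_header; header_bytes is the size the header file must have for the later concatenation to line up.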