Comments on: Encrypted partitions with Ubuntu/Debian

By: Wanderer

Wanderer — Wed, 23 Apr 2008 11:28:24 +0000

“These encrypted removable devices are even supported on Windows (see FreeOFTE)”

Right now I’m a bit frustrated with FreeOTFE, as it doesn’t show other partitions on my flash drive, only the first one, which is unencrypted. AFAIK there is no way to create more than one partition on removable drive in M$ Windows, which really sucks.

By: Phocean.net » Blog Archive » Disk Encryption on Linux

Phocean.net » Blog Archive » Disk Encryption on Linux — Sun, 18 Nov 2007 17:57:34 +0000

[...] mainly used this tutorial, but I derived a little from it about the unlocking system : I did not want to input a password [...]

By: Danbar

Danbar — Sat, 14 Jul 2007 18:12:44 +0000

Our family computer is used be several family members. I created several partitions (one for each member). Now can I have a different password for each user when it comes to save in his/her own partition in order to avoid deleting or mixing up important files? I’m the only administrator as the other are users.
I don’t wish to use the home directory (for each user)in case I have problems with the program. Having partitions gives more security to the computer.
I use dual boot (XP and Ubuntu) and I have the latest edition of Ubuntu (7.04).
Many thanks!

By: Justin

Justin — Mon, 25 Jun 2007 03:40:25 +0000

You need to modprobe aes, dm-crypt, and dm_mod. Then, add these to /etc/modules. Then, run cryptsetup again as root (sudo).

By: pierre

pierre — Sat, 02 Jun 2007 18:13:50 +0000

I have been trying to crypt the USB stick (partition of it, about 70 MB) but is saying that it inexplicably (for me ;) ) failed.
any idea ? I am running Kubuntu 7.04.
cheers
Pierre

pierre@HomePC:~$ mount
[...]
/dev/sdg2 on /media/disk-2 type vfat (rw,nosuid,nodev,noatime,uid=1000,utf8,shor pierre@HomePC:~$ cryptsetup luksFormat -c aes-cbc-essiv:sha256 /dev/sdg2

WARNING!
========
This will overwrite data on /dev/sdg2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sdg2 contains at least 133 sectors.
Failed to write to key storage.
Command failed.
pierre@HomePC:~$
pierre@HomePC:~$

By: MFH

MFH — Sat, 05 May 2007 00:10:41 +0000

Great tutorial, with one problem: encrypted swap files. The man page for cryptsetup clearly says that exhaustive reads makes it impossible to use /dev/random, etc as sources for keyfiles. Please give more explicit directions on how one can use your method to set up an encrypted swap space. TIA.

By: disk_noir

disk_noir — Tue, 03 Apr 2007 09:44:05 +0000

Great tutorial, espacially the removable disks part is very interesting for me.
But.. do you have any expierience with updating an encrypted system eg from dapper to edgy ? Did such an update work even with encrypted root ?

By: doctor headcrash

doctor headcrash — Thu, 22 Feb 2007 03:56:14 +0000

… my angle braces broke the previous posting.

Let me try with HTML escapes:

$CRYPTCMD $PARAMS create $dst $src < /dev/console

By: doctor headcrash

doctor headcrash — Thu, 22 Feb 2007 03:54:42 +0000

It’s not so much that LUKS is broken under Edgy, it’s the whole getting the passphrase thing under cryptsetup.

Using your LUKS solution as a guide, I hacked around this problem by changing line 318 of /lib/cryptsetup/cryptdisks.functions to read:

$CRYPTCMD $PARAMS create $dst $src

By: john

john — Fri, 16 Feb 2007 10:53:00 +0000

Thanks Daniel, fixed now.

By: Daniel

Daniel — Wed, 14 Feb 2007 18:35:37 +0000

Thanks for this great howto!

I just wanted to point out that luksClose expects the name of the mapping not of the device.

Therefore, step 3 in the USB key section will fail, it should read:

cryptsetup luksClose luks-temp

By: rdg

rdg — Sat, 23 Dec 2006 16:57:06 +0000

Well the simples thing to do would be:

sudo chown -R uid:gid /device/mount/point

or without sudo run by root. But changing the owner back and forth isn’t what we’re looking for all the time (but most cases would be ok with that).

I think looking into the stuff like SGID and SUID on mount directory and umask as well might do the trick. But still – ext3 without the permissions would be perfect.

By: john

john — Sun, 17 Dec 2006 12:29:05 +0000

Marco: FAT32 doesn’t support permissions, so whenever you plug it into a computer, the user plugging it in gets access to it. With EXT3 (and other filesystems that do support permissions) only the root user can access it by default (usually).

To fix this, just plugin your key and type your passphrase to get it mounted. Then set the permissions to something you can access (you’ll need to do this as root).

What permissions you use really depend on your situation. If you only ever plug it into a one-user desktop machine then running chmod 777 /mount/point should be fine.

If you move the key between different Linux computers, you might hit the permission problem again if the users on the machines have different uids.

It might be better just to reformat as FAT32, so you can easily use it anywhere. Remember though, FAT32 has some limitations that might prevent you from copying files with certain characters in it, or files larger than a certain size.

It’d be nice to have a filesystem with the flexibility of EXT3 but with no permissions system, or one which could be overridden on mount. Anyone know of one?

By: Marco

Marco — Sun, 17 Dec 2006 01:16:08 +0000

Hi, thanks for the documentation. Works perfectly. I have a little problem. When I plug the usb disk I’m asked for the password (gnome way) but I haven’t the rights to write on the disk. And since there is nothing about this partition in fstab neither in the crypttab… I’m lost.

By: An old man

An old man — Thu, 07 Dec 2006 19:22:08 +0000

You’re a bloody genius, cheers.