Re: Crypting filesystem...
Michelle Konzack wrote:
> for some years (under SLINK) I have used a Module which uses DES for
> crypting a filesystem. Now I have a new need to crypt a filesystem.
> After searching I have found several ways to do it, but I do not
> know what to use.
> Some people have suggested cryptoapi-core-source and cryptoloop-source.
i've set up a crypted fs some weeks ago and i installed
cryptoapi-core-source and cryptoloop-source. both are src packages and
are unpacked under /usr/src. modules/cryptoapi-core and
modules/cryptoloop are created, some READMEs describe how to build them.
cryptoapi is the underlying layer, cryptoloop is _one_ way to use this
layer, that's why you need both.
> I am using WOODY release 1 with Linux 2.4.19.
> What about performance? Some of my systems must run on a P200 MMX
> because the clients (not rich countries) have no money to spend more...
i _think_ i've read somewhere (but i don't know where...), that
cryptoloop does not support DES anymore. but cryptoapi does (module is
cipher-des.o here), so you can give it a try. i've setup my crypted fs
with the serpent(128bit), which is said to be fast (so says the Loopback
Encrypted Filesystem HOWTO). under normal use, say, reading writing
small amounts of data to/from the crypted fs the performance is good,
almost no performance loss is noticed (it's a PPC 604r, must be 300MHz
or so). but when i write/read large amounts of data (e.g. i'm burning a
CD with 12x over nfs from this server with the crypted fs), the load
gets pretty high (here: 6-7). so for a busy fileserver, i'd suggest to
buy a fast CPU...
> Does the cryption work with disk images (loop device) made with dd
> from ZIP-Disks and cdroms ??
see Loopback Encrypted Filesystem HOWTO. that's why it's called
when dd'ing from cdrom you get an iso9660 fs perhaps, which is supported
by the linux kernel anyway. what fs do you usually use on ZIP-disks?
erm, while thinking about my own crypto filesystem, i too have a problem,
i'll just include it here, maybe you have some thoughts on it:
'cause i'm lazy, i setup my crypto-fs via
losetup -k 128 -p 12 -e serpent /dev/loop6 /dev/sdb2
"-p 12" means "look up the file stored in inode 12, there is the secret
pasphrase inside", so i don't need to type in the passphrase upon
booting. but now i really _want_ to type in the passphrase rather than
storing it on the disk. "-p" is documented very little in the manpage.
it's working, yes, but without "-p" and typing in the passphrase losetup
does not set up the device correctly and mounting fails. there is no
typo, the typed in passphrase is right, but losetup still fails. does
losetup expect something else in "-p" then?