[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Crypting filesystem...

Michelle Konzack schrieb:
Hello, for some years (under SLINK) I have used a Module which use DES for crypting a filesystem. Now I have a new need to crypt a filesystem. After searching I have found several ways to Do it, but I do not know what to use. Some people have suggest cryptoapi-core-source and cryptoloop-source.

i've set up a crypted fs some weeks ago and i installed cryptoapi-core-source and cryptoloop-source. both are src packages and are unpacked under /usr/src. modules/cryptoapi-core and modules/cryptoloop is created, some README's describe hwo to build them.

cryptoapi is the underlying layer, cryptoloop is _one_ way to use this layer, that's why you need both.

I am using WOODY release 1 with Linux 2.4.19. What about performance ? Some of my systems must run on a P200 MMX because the clients (not rich countriey) have no money to spend more...

i _think_ i've read somewhere (but i don't know where...), that cryptoloop does not support DES anymore. but cryptoapi does (module is cipher-des.o here), so you can give it a try. i've setup my crypted fs with the serpent(128bit), which is said to be fast (so says the Loopback Encrypted Filesystem HOWTO). under normal use, say, reading writing small amounts of data to/from the crypted fs the performance is good, almost no performance loss is noticed (it's a PPC 604r, must be 300Mhz or so). but when i write/read large amounts of data (e.g. i'm burning a CD with 12x over nfs from this server with the crypted fs), the load gets pretty high (here: 6-7). so for i busy fileserver, i'd suggest to buy a fast CPU...

Does the cryption work with disk iImages (loop device) made with dd from ZIP-Disks and cdroms ??

see Loopback Encrypted Filesystem HOWTO. that's why it's called cryptoloop :-) when dd'ing from cdrom you get a iso9660 fs perhaps, whic is supported by the linux kernel anyway. what fs do you usually use on ZIP-disks?


erm, while thinking about my own crypto filesystem, i too hav a problem, i'll just include it here, maybe you have some thoughts on it:

'cause i'm lazy, i setup my crypto-fs via

losetup -k 128 -p 12 -e serpent /dev/loop6 /dev/sdb2

"-p 12" means "look up the file stored in inode 12, there is the secret pasphrase inside", so i don't need to type in the passphrase upon booting. but now i really _want_ to type in the passphrase rather than storing it on the disk. "-p" is documented very little in the manpage. it's working, yes, but without "-p" and typing in the passphrase losetup does not set up the device correctly and mounting fails. there is no typo, the typed in passphrase is right, but losetup still fails. does losetup expect something else in "-p" then?

Reply to: