
Re: Crypting filesystem...



Michelle Konzack wrote:
Hello, for some years (under SLINK) I have used a Module which uses DES for crypting a filesystem. Now I have a new need to crypt a filesystem. After searching I have found several ways to do it, but I do not know what to use. Some people have suggested cryptoapi-core-source and cryptoloop-source.

i've set up a crypted fs some weeks ago and i installed cryptoapi-core-source and cryptoloop-source. both are src packages and are unpacked under /usr/src. modules/cryptoapi-core and modules/cryptoloop are created, some READMEs describe how to build them.

cryptoapi is the underlying layer, cryptoloop is _one_ way to use this layer, that's why you need both.

I am using WOODY release 1 with Linux 2.4.19. What about performance? Some of my systems must run on a P200 MMX because the clients (not rich countries) have no money to spend more...

i _think_ i've read somewhere (but i don't know where...), that cryptoloop does not support DES anymore. but cryptoapi does (module is cipher-des.o here), so you can give it a try. i've setup my crypted fs with the serpent(128bit), which is said to be fast (so says the Loopback Encrypted Filesystem HOWTO). under normal use, say, reading writing small amounts of data to/from the crypted fs the performance is good, almost no performance loss is noticed (it's a PPC 604r, must be 300MHz or so). but when i write/read large amounts of data (e.g. i'm burning a CD with 12x over nfs from this server with the crypted fs), the load gets pretty high (here: 6-7). so for a busy fileserver, i'd suggest to buy a fast CPU...

Does the cryption work with disk images (loop device) made with dd from ZIP-Disks and cdroms?

see Loopback Encrypted Filesystem HOWTO. that's why it's called cryptoloop :-) when dd'ing from cdrom you get an iso9660 fs perhaps, which is supported by the linux kernel anyway. what fs do you usually use on ZIP-disks?

cheers,
Christian.


erm, while thinking about my own crypto filesystem, i too have a problem, i'll just include it here, maybe you have some thoughts on it:

-------
'cause i'm lazy, i setup my crypto-fs via

losetup -k 128 -p 12 -e serpent /dev/loop6 /dev/sdb2

"-p 12" means "look up the file stored in inode 12, there is the secret passphrase inside", so i don't need to type in the passphrase upon booting. but now i really _want_ to type in the passphrase rather than storing it on the disk. "-p" is documented very little in the manpage. it's working, yes, but without "-p" and typing in the passphrase losetup does not set up the device correctly and mounting fails. there is no typo, the typed-in passphrase is right, but losetup still fails. does losetup expect something else in "-p" then?
------


