Encrypted filesystems: dmsetup, losetup and mount
Source: Internet | Published by: 淘宝刷王者荣耀贵族8 | Editor: 程序博客网 | Time: 2024/05/19 13:06
- dmsetup, losetup and mount
- Author
- Commands
- Summary
- Discussion
- Security Considerations
dmsetup, losetup and mount
Author
Commands
#!/bin/bash
ldev=/dev/loop/0
mdev=mdev
img=image_file
pass="my_sekkrit_password"
# create empty filesystem image
dd if=/dev/zero of=$img bs=1M count=10
# make a block device out of it using the loopback driver
losetup $ldev $img
# get the exact size of the loopback block device (in 512-byte sectors)
blksize=$(blockdev --getsize $ldev)
echo "blksize= $blksize"
# create a hexadecimal key 128 bits long out of the passphrase
key=$(echo "$pass" | md5sum | cut -d" " -f1)
echo "key= $key"
# create an encrypted block device representation of the image file
# using the aes cipher with the 128 bit key we generated above
echo "0 $blksize crypt aes-plain $key 0 $ldev 0" | dmsetup create $mdev
# create an ext filesystem through the encrypted block device
mkfs -t ext2 /dev/mapper/${mdev}
# mount the filesystem
mkdir mnt
mount /dev/mapper/${mdev} ./mnt
# spawn a subshell so the user can create some files whose contents
# will then be encrypted in the image file.
echo "write some files to mnt, then exit from this subshell"
bash
# undo mount, device mapping, and loopback.
umount mnt
rmdir mnt
dmsetup remove $mdev
losetup -d $ldev
Summary
We extend the previous article (../dmsetup_and_losetup) by creating a filesystem inside the encrypted image file.
Discussion
This script is only a little more complicated than that of the previous article: it creates an ext2 filesystem inside the image file and mounts it. It is also somewhat better parameterized (using ldev, mdev, and pass).
This line:
key=$(echo "$pass" | md5sum | cut -d" " -f1)
derives a 128 bit hexadecimal key, suitable for use in the dmsetup command with the aes cipher, from an arbitrary passphrase by calculating the md5 checksum of the passphrase. The md5sum command can be run on standard input or on named files. For example, running it on a file named tmp.txt:
$ md5sum tmp.txt
generates the following output:
8448af516bf24b00065a60018992a91a *tmp.txt
In other words, md5sum's output has the form:
<128 bit hexadecimal checksum> <filename>
We discard everything after the checksum using the "cut" command. Our particular "cut" command is saying: assume the input is divided into columns by space characters, and only write out the first column.
Finally, by wrapping the whole command pipeline in the bash command substitution construct, "$()", we capture its output in the variable "key".
This line:
mkfs -t ext2 /dev/mapper/${mdev}
creates the filesystem on the mapper device, causing the corresponding cipher text of the filesystem image to be written to the underlying file image_file.
The script then mounts the mapper device at ./mnt and spawns a subshell (the line "bash") to allow the user to create files under mnt. Once finished creating files, the user types "exit", and the script continues executing after the "bash" line. This, by the way, is a useful trick to use when debugging bash scripts with complicated setup sequences: invoke bash in the script right after the complicated setup sequence so the user can determine if the sequence worked.
The final four lines undo the mount, the crypto mapping and the loopback, leaving the encrypted filesystem image, image_file, inscrutable to enemy eyes.
To verify that the crypto mapping wasn't a *complete and utter fraud*, you can try mounting image_file without the crypto mapping like this (the mount should fail, since without the mapping the image contains no recognizable filesystem, only ciphertext):
mount -o loop image_file ./mnt
To mount the image_file properly, and to view the same files created inside the filesystem during the first run, simply comment out the "dd" command in the above script and run it again. From inside the subshell, you should be able to see the previously created files.
Security Considerations
When building scripts that are serious about protecting data from prying eyes, you need to consider at least two additional factors.
The passphrase should be obtained by having the script read keystrokes directly from "/dev/tty" instead of using script command line arguments. One problem with reading key material from command line arguments is that command lines typed from most shells are typically written to the file ".history" in the user account the shell was running from (which would typically reside on an unencrypted volume). Another problem with using command line arguments is that while the command is running, the full text of the command line can be viewed by any local user by running the "ps" command to get a process list. You might object that once the key is in a variable in a bash session, a command like:
echo "... $key ..." | dmsetup create some_dev
would reveal the key through the process list. It certainly would, if the "echo" command run in this case were a normal Unix command. It is, in our case, a bash built-in command, however, and its text will not appear in the process list (what will appear in the process list is simply "bash").
Although we have kept the key string out of any unencrypted file and out of the process list, it can still wind up being written to any swap files or partitions enabled on the system. You might think it would be hard to recover a 128 bit hexadecimal string from regions of memory written to a swap file, but you would be surprised how easy that is to do. There are two ways to address this: disable any swap devices, or only enable swap devices that have been crypto mapped using dmsetup. The procedure for that uses the same dmsetup command highlighted in this series of articles.
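The script from the Commands section, reworked around the two security considerations above, as an added example that is not the article's own code: the passphrase is read from /dev/tty rather than argv, the key and the dm table line are built with bash builtins so neither shows up in "ps", and teardown runs from an EXIT trap so a failed mkfs or mount still unwinds mount, mapping and loop device in that order. Function names, the RUN guard and the defaults (image_file, /dev/loop0, mdev) are this example's assumptions.

```shell
#!/bin/bash
# Added example (not the original article's script): the same losetup/dmsetup/
# mount sequence reworked around the article's Security Considerations.
#  - the passphrase is read from /dev/tty, never taken from the command line;
#  - the key and the dm table line are built with bash builtins (printf), so
#    they never appear in "ps" output;
#  - teardown runs from an EXIT trap, so a failed mkfs or mount still unwinds
#    the mount, the crypto mapping and the loop device, in that order.
# Function names, the RUN guard and the defaults below are this example's own.
set -eu
img=${IMG:-image_file}; ldev=${LDEV:-/dev/loop0}; mdev=${MDEV:-mdev}

# 128-bit hex key from the passphrase, exactly as the article derives it.
derive_key() { printf '%s\n' "$1" | md5sum | cut -d' ' -f1; }

# dm-crypt table: <start> <sectors> crypt <cipher> <key> <iv_offset> <device> <offset>
crypt_table() { printf '0 %s crypt aes-plain %s 0 %s 0\n' "$1" "$2" "$3"; }

# Prompt on the terminal with echo off; the passphrase is returned on stdout only.
read_passphrase() {
    local p
    read -r -s -p 'Passphrase: ' p < /dev/tty
    printf '\n' > /dev/tty
    printf '%s' "$p"
}

# Reverse order of setup; every step tolerates a partial setup.
teardown() {
    if mountpoint -q mnt; then umount mnt; fi
    if [ -e "/dev/mapper/$mdev" ]; then dmsetup remove "$mdev"; fi
    losetup -d "$ldev" 2>/dev/null || true
    rmdir mnt 2>/dev/null || true
}

setup() {
    local pass key blksize fresh=0
    pass=$(read_passphrase); key=$(derive_key "$pass")
    if [ ! -e "$img" ]; then                 # first run: create the empty image
        dd if=/dev/zero of="$img" bs=1M count=10; fresh=1
    fi
    trap teardown EXIT                       # from here on, always unwind
    losetup "$ldev" "$img"
    blksize=$(blockdev --getsize "$ldev")    # size in 512-byte sectors
    crypt_table "$blksize" "$key" "$ldev" | dmsetup create "$mdev"
    [ "$fresh" = 1 ] && mkfs -t ext2 "/dev/mapper/$mdev"   # only on a new image
    mkdir -p mnt; mount "/dev/mapper/$mdev" ./mnt
}

# Guarded so the functions can be sourced or tested without root.
if [ "${RUN:-0}" = 1 ]; then
    setup
    echo "write some files to mnt, then exit from this subshell"; bash
fi
```

Run as root with `RUN=1 bash script.sh`; on a second run the existing image_file is reused without being re-created or re-formatted, which is what the article achieves by commenting out the "dd" line.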