18/04/2005
Usb key encryption frenzy, loopfile encryption
It’s time for something more serious now, time to play with encrypted partitions and loop devices storing the keys on the usb key.
Following the excellent loop-AES.README I created an encrypted loop file that is encrypted with some random keys which are stored inside a file…and that file is encrypted with gpg and stored inside my usb stick. Confused ? Here it goes…
“Create 65 random encryption keys and encrypt those keys using gpg.”
# head -c 2925 /dev/urandom | uuencode -m - | head -n 66 | tail -n 65| gpg --symmetric -a >/mnt/usb-key/keyfile.gpg
Time for the loop file creation. An example of a 100Mb file follows:
# dd if=/dev/urandom of=/my-encrypted-loop.aes bs=1k count=100000
Then encrypt the loop file using our previously generated keys. From losetup man page:
-K gpgkey
Password is piped to gpg so that gpg can decrypt file gpgkey which
contains the real keys that are used to encrypt loop device. If
decryption requires public/private keys and gpghome is not speci-
fied, all users use their own gpg public/private keys to decrypt
gpgkey. Decrypted gpgkey should contain 1 or 64 or 65 keys, each
key at least 20 characters and separated by newline. If decrypted
gpgkey contains 64 or 65 keys, then loop device is put to multi-key
mode. In multi-key mode first key is used for first sector, second
key for second sector, and so on. 65th key, if present, is used as
additional input to MD5 IV computation.
So…
# losetup -K /mnt/usb/keyfile.gpg -e AES256 /dev/loop3 /home/kargig/mytest
# losetup -d /dev/loop3
Now add this to /etc/fstab:
/my-encrypted-loop.aes /mnt/private ext3 defaults,noauto,user,loop=/dev/loop3,encryption=AES256,gpgkey=/mnt/usb-key/keyfile.gpg 0 0
now try this in order to check if the fstab entry is working and to format the loopfile:
# losetup -F /dev/loop3
# mke2fs -j /dev/loop3
# losetup -d /dev/loop3
If everything is fine…you can just try this:
mount /mnt/private
And you should be asked for your gpg passphrase 🙂 If you don’t have your usb key mounted, the loop file(or partition) won’t be mountable. BACKUP your keyfile.gpg!!!
What if you want to change your password ? Simply do this to decrypt the gpg file and re-encrypt it with a new password:
# gpg -d /mnt/usb-key/keyfile.gpg > /mnt/usb-key/clearkeys.txt
# cat /mnt/usb-key/clearkeys.txt | gpg --symmetric -a > /mnt/usb-key/newkeyfile.gpg
(now make sure the keyfile.gpg and newkeyfile.gpg differs, if yes it means that the gpg password was changed...move on)
# mv /mnt/usb-key/newkeyfile.gpg /mnt/usb-key/keyfile.gpg
# rm -f /mnt/usb-key/clearkeys.txt
(thanks to metown for pointing at some errors at the previous post)
What’s left to be done now is make it work like the pam_usb module, ie create a set of scripts(or programs?) so that when I want to mount the encrypted partition it will automatically check the usb key to find a private key to check it against the “partition’s public key” so there won’t be a need for typing a passphrase.
Filed by kargig at 02:31 under General,Linux
6 Comments | 4,002 views
Seems you’re busy doing the same thing that I want to accomplish with the USB memory stick 🙂 but I have it as an internship assignment 😛 I am also trying to find out how to make it work like the pam_usb module.
You might want to check out my wiki (most of which is in dutch) at https://129.125.45.124/wiki/
I will soon post some more progress I’ve done using pam_mount. Still not quite what I want to do…but it’s like playing around with it…
If you want to talk about it sometime, we can arrange a meeting on irc/jabber.
Cheers
Cool, I hang out at irc.freenode.net 🙂 /msg weazle 😛
Hi,
i tried your process for changing the gpg passphrase, but I couldn’t get it to work! Have you actually tried this process?
Also, it seems like the instructions have some typos because you are referencing /mnt/usb-key in some places, and /mnt/usb1/.auth in another?
I cannot find instructions on how to change the key passphrase anywhere else, so if you have gotten this working, I sure would like to know!
Thanks for your comment metown. The procedure was wrong…probably some wrong copy-paste thing…
I think it’s fixed now…If not please report back.
Thanks for the update! I’ve been trying to find a way to do this without writing the unencrypted keyfile to disk, as this is not a very secure thing to do. So far what I’ve found has not been as easy as I thought it would be.
Here is the only way I could find to do it without writing to disk (note it also changes the gpg cipher from CAST5 to AES256 – since my disks are encrypted with that cipher, I didn’t see why my keys should be encrypted with a weaker one):
read -p “Enter passphrase: ” -s p1; echo “”; \
read -p “Enter new passphrase: ” -s p2; echo “”; \
cat keyfile.gpg | gpg –passphrase-fd=3 3 newkeyfile.gpg