Re: loop-AES with ReiserFS for file-backed loop?
Anon wrote:
>>Anon wrote:
>>
>>>>Anon wrote:
>>>>
>>>>>Could I then use ReiserFS on top of a file backed loop device?
>>>>
>>>>the loop-AES.README also states:
>>>>
>>>> 1. Loop device primer
>>>> [...]
>>>> File backed loops may deadlock under some kernel + file system
>>>> combinations.
>>>> So, if you can choose between device backed and file backed, choose
>>>> device backed even if it means that you have to re-partition your
>>>> disks.
>>>
>>>I *am* planning on using a device-backed loop.
>>>
>>>>so, file backed loops SHOULD be avoided, no matter if encrypted or not,
>>>>with journaling fs on it or without. yes, it's possible and you SHOULD
>>>>try it to see if it works for you. but in "most cases" file backed loops
>>>>are behaving better.
>>>
>>>I assume you really meant device-backed loops in the last sentence above.
>>>
>>>My interest in using a file-backed loop is so that I can have a loop-AES device-backed loop
>>>containing a loop-AES file-backed loop, for two (or more) layers of encryption.
>>>
>>>I have the impression from the loop-AES.README file that a non-journalling file system can be used in a
>>>file-backed loop. It is my understanding from the ReiserFS documentation that using the "nolog"
>>>option during mounting would satisfy the non-journalling criteria, as this option disables
>>>journalling.
>>
>>For that scenario you only 'need' a filesystem for the last layer.
>>
>>You pack an encryption layer onto the partition/device.
>>"losetup" it and losetup the next layer directly onto the newly created
>>/dev/loop<x> device.
>>
>>That way you only stack block-devices and pack a filesystem on the last one.
>>
>>For a (say) 4 layer encryption you would stack:
>>
>>HDD -> Partition
>>-> Loop 1 -> Loop 2 -> Loop 3 -> Loop 4
>>-> Filesystem
>>
>>e.g.
>>sdb -> sdb1 -> loop0 -> loop1 -> loop2 -> loop3 -> <whatever>
>>
>>If you want you can also pack the encryption keys before each layer
>>using the "offset"-options to leave the needed space for the keys and
>>shrink the block-device of each layer by a little bit.
>>
>>That way you would have to actually break each encryption layer to even get the
>>keys needed for the next. (Of course the key sets are also encrypted
>>with gpg or whatever other layer you may think of.)
>
> Thank you for the suggestion. I just read a similar suggestion for Jari, though I need a more
> detailed example to actually implement the suggestion (as in an example fstab and command line
> that properly sets up the stack of loops). I never stacked loops before, and do not yet seem to
> understand how I would stack loops.
>
> While your suggestion with the keys residing in each layer may be convenient, I think it
> needlessly reduces the security to Level 2 as stated in the loop-AES.README. It would be just as
> convenient and easy to store the keys external to the encrypted partition/loops.
Taking the losetup from the README, I've just written this shell script.
The example is for 4 layers, but it can easily be changed for more or less.
- snip -
#!/bin/bash
loop=0
# Find the next free loop device, starting the search at /dev/loop${loop}.
# On success sets FREE_LOOP to the device path and advances $loop past it;
# returns 1 when no further /dev/loop<n> node exists.
function nextFreeLoop()
{
    while true
    do
        if [ ! -b "/dev/loop${loop}" ]; then
            echo "No more loop devices: /dev/loop${loop} does not exist" >&2
            return 1
        fi
        # A bare "losetup /dev/loopN" only succeeds when the device is
        # already configured, so a failing status means it is free.
        losetup "/dev/loop${loop}" &>/dev/null || break
        let loop=loop+1
    done
    FREE_LOOP="/dev/loop${loop}"
    let loop=loop+1
}
nextFreeLoop || exit 1; loop0=$FREE_LOOP
nextFreeLoop || exit 1; loop1=$FREE_LOOP
nextFreeLoop || exit 1; loop2=$FREE_LOOP
nextFreeLoop || exit 1; loop3=$FREE_LOOP
# Only the first layer sits on the real partition; every further layer is
# attached on top of the previous loop device.
losetup -e AES128 -K /root/secret1.gpg $loop0 /dev/hda666 || exit 1
losetup -e AES128 -K /root/secret2.gpg $loop1 $loop0 || exit 1
losetup -e AES128 -K /root/secret3.gpg $loop2 $loop1 || exit 1
losetup -e AES128 -K /root/secret4.gpg $loop3 $loop2 || exit 1
echo "Setup successful"
echo "Used loop devices: $loop0 $loop1 $loop2 $loop3"
- snip -
After that you can
mkfs (the first time) and/or mount $loop3.
If you have other loop devices, the loop devices used may not be persistent.
But you could also change the script to use fixed numbers instead.
Or you skip the
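As an added example (not the script from the post and not part of loop-AES), the same stacking written for any number of layers, one per key file, with rollback if a layer fails and a teardown that detaches the layers in reverse order. LOSETUP and LOOP_DIR are assumed hooks so the logic can be tried without root against a stub losetup and a scratch directory; the -e/-K options are the loop-AES ones used in the post.

```sh
#!/bin/sh
# Stack one loop-AES layer per key file on a block device and tear the
# stack down again top-first. Added example; not the script from the post.
# LOSETUP and LOOP_DIR are assumed hooks (not loop-AES features) so the
# logic can be exercised with a stub losetup and a scratch directory.
LOSETUP=${LOSETUP:-losetup}
LOOP_DIR=${LOOP_DIR:-/dev}
CIPHER=${CIPHER:-AES128}
STACK=""   # attached loop devices, bottom layer first
TOP=""     # the last layer: the one to mkfs/mount

# Print the first unconfigured loop device. As in the post's script,
# a bare "losetup /dev/loopN" succeeds only when the device is in use.
next_free_loop() {
    n=0
    while [ -e "$LOOP_DIR/loop$n" ]; do
        "$LOSETUP" "$LOOP_DIR/loop$n" >/dev/null 2>&1 ||
            { echo "$LOOP_DIR/loop$n"; return 0; }
        n=$((n + 1))
    done
    echo "no free loop device ($LOOP_DIR/loop$n does not exist)" >&2
    return 1
}

# stack_up <backing-device> <gpg-keyfile>...
# Each key adds one layer over the previous loop device. If any step
# fails, the layers attached so far are detached again (rollback).
stack_up() {
    lower=$1; shift
    STACK=""; TOP=""
    for key in "$@"; do
        dev=$(next_free_loop) || { stack_down; return 1; }
        "$LOSETUP" -e "$CIPHER" -K "$key" "$dev" "$lower" ||
            { stack_down; return 1; }
        STACK="${STACK:+$STACK }$dev"
        lower=$dev
    done
    TOP=$lower
}

# Detach top-down: the reverse of the order the layers were attached in.
stack_down() {
    rev=""
    for dev in $STACK; do rev="$dev $rev"; done
    for dev in $rev; do "$LOSETUP" -d "$dev"; done
    STACK=""; TOP=""
}

# Command-line use: <script> <device> <key>...; without arguments only the functions are defined.
[ $# -eq 0 ] || { stack_up "$@" && echo "Layers: $STACK" && echo "mkfs/mount: $TOP"; }
```

Run as root with the real losetup it does what the four-layer script above does; the teardown order matters because a lower layer cannot be detached while the layer on top of it still refers to it.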
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/