1) What?
This blog presents a secure way to protect your personal data. The solution is designed to run on "Unix like" operating systems, e.g.: gnu/Linux, Mac OSX.If you are looking for a solution to secure your professional data, please referrer to your corporate security policy.
2) Problem
You are still wondering how to keep your personal data secure. What about?1) A USB key with plain text files
Con's
- the key is stolen, all your data are compromised.
2) A Google Spreadsheet
Con's
- if Google is hacked
- when you are off line
3) An encrypted zip file
Con's
- if your file is stolen, it might be opened using a brutal force attack
- when you are opening a text file, it is temporally copied to your system temp directory
4) A third party tool
Con's
- why will you pay for a closed source tool? This is a matter of confidence
5) An encrypted partition on your hard drive
Pro's
- yeah, smart idea
Con's
- the data can only be accessed from your laptop, and you might need your personal password when you are far from your personal computer
6) An encrypted file partition stored on an USB Key
Pro's
- Definitely YES!
3) Solution Set-up
You will find similar solutions on the Internet. This one worked pretty well on Ubuntu 10.I recommend that you run all these steps log in as the root user.
Step 1:
Create a 256MB disk file (zero-filled) called file01. I choose to create it under my home directory:
dd if=/dev/zero of=/home/olivier/virtualfs/file01 bs=1024 count=262144Then you might want to change the file owner, e.g.:
chmod olivier.olivier /home/olivier/virtualfs/file01
Step 2:
Get the first free loopback devices:
losetup -fThe command losetup -a lists all the loopback devices already in use.
Step 3:
Attach the first loopback device to your disk file:
losetup /dev/loop0 /home/olivier/virtualfs/file01
Step 4:
Crypt the disk:
cryptsetup luksFormat -c aes -h sha256 /dev/loop0You will be ask for a pass phrase. Choose it carefully. It must not be equal to another of your passwords. Remember the Play Station Network hacking. Re using several times the same password is highly insecure.
Step 5:
Mount the disk in the system:
cryptsetup luksOpen /dev/loop0 secure01
Step 6:
Format the file system, choose your flavor:
mkfs.ext3 /dev/mapper/secure01
Step 7:
Mount the file system:
mk /media/secure01 mount -t ext3 /dev/mapper/secure01 /media/secure01 chmod 777 /media/secure01
Unmount:
umount /media/secure01 cryptsetup luksClose secure01 losetup -d /dev/loop0
4) Automate the Solution
I wrote these two scripts in order to easily mount/unmount the file disk.This is a generic script that enable to handle multiple file disks without bothering the mounting order: the first loop device is auto detect and the unmount is based on the path.
If the script is not executed by the root user, it is ran again using a sudo command (assuming the running user is in the sudoers list).
mount-secure01.sh
#!/bin/sh if [ "`whoami`" != "root" ]; then sudo $0 exit fi DEVICE_FS_PATH="/home/olivier/virtualfs/file01" # check if already mounted if [ -n "`losetup -a | grep $DEVICE_FS_PATH`" ]; then echo "Device already mounted." exit fi DEVICE=`losetup -f` losetup $DEVICE $DEVICE_FS_PATH cryptsetup luksOpen $DEVICE secure01 mount -t ext3 /dev/mapper/secure01 /media/secure01
unmount-secure01.sh
#!/bin/sh
if [ "`whoami`" != "root" ]; then
sudo $0
exit
fi
DEVICE_FS_PATH="/home/olivier/virtualfs/file01"
DEVICE=`losetup -a | grep $DEVICE_FS_PATH | awk -F":" '{print $1}'`
umount /media/secure01
cryptsetup luksClose secure01
losetup -d $DEVICE
You might want to copy the file to a usb key and keep a backup copy on your laptop. If you lost the key, the data will not be compromised. The robber will find a key with an unknown file system, Windows will probably suggest to format it in FAT-32...
Enjoy!
No comments:
Post a Comment