
Filesystem and Devices (203)

3.3 Creating And Configuring Filesystem Options (20)


| sed -e "s/.* = //"`

shell> echo $IMG_SIZE

shell> [ "0$IMG_SIZE" -ne 0 ] && mkisofs -r private_collection/ \
| cdrecord speed=2 dev=0,6,0 tsize=${IMG_SIZE}s -data -

# don't forget the s after ${IMG_SIZE}; the trailing - makes cdrecord read data from STDIN

The first command is an empty run to determine the size of the image (you need the mkisofs from the cdrecord distribution for this to work). You need to specify all parameters you will use on the final run (e.g. -J or -hfs). If your writer does not need to know the size of the image to be written, you can leave this dry run out. The printed size must be passed as a tsize parameter to cdrecord (it is stored in the environment variable IMG_SIZE). The second command is a sequence of mkisofs and cdrecord, coupled via a pipe.

3.3.2.4 Making a copy of a data CD

It is possible to make a 1:1 copy of a data CD. But you should be aware of the fact that any errors while reading the original (due to dust or scratches) will result in a defective copy. Please note that both methods will fail on audio CDs!

First case: you have a CD-writer and a separate CD-ROM drive. By issuing the command

cdrecord -v dev=0,6,0 speed=2 -isosize /dev/scd0

you read the data stream from the CD-ROM drive attached as /dev/scd0 and write it directly to the CD-writer.

Second case: you don’t have a separate CD-ROM drive. In this case you have to use the CD-writer to read out the CD-ROM first:

dd if=/dev/scd0 of=cdimage

This command reads the content of the CD-ROM from the device /dev/scd0 and writes it into the file cdimage. The content of this file is equivalent to what mkisofs produces, so you can proceed as described earlier in this document (which is to take the file cdimage as input for cdrecord).

3.3.3 Encrypted file systems

Linux has native filesystem encryption support. You can choose from a number of encryption algorithms: Twofish, AES, DES and others. For our example we choose AES.

As of Linux 2.6 it is possible to use the device mapper, a generic Linux framework to map one block device to another. Device mapper is used for software RAID and LVM. It is used as the filter between the filesystem on a virtual block device and the encrypted data to be written to a hard disk. This enables the filesystem to present itself decrypted while everything read and written will be encrypted on disk. A virtual block device is created in /dev/mapper, which can be used as any other block device. All data to and from it goes to an encryption or decryption filter before being mapped to another block device.

This is an example to set up an encrypted filesystem. All relevant modules should be loaded at boot time:

# echo aes >> /etc/modules

# echo dm_mod >> /etc/modules

# echo dm_crypt >> /etc/modules

# modprobe -a aes dm_mod dm_crypt

Create the device mapper block device and use (for example) hda3 for it. Choose your password using:

# cryptsetup -y create crypt /dev/hda3

Map the device:

# echo "crypt /dev/hda3 none none" >> /etc/crypttab

# echo "/dev/mapper/crypt /crypt reiserfs defaults 0 1" >> /etc/fstab

Make a filesystem:

# mkfs.reiserfs /dev/mapper/crypt

Now mount your encrypted filesystem. You will be prompted for the password you chose with cryptsetup. You will be asked to provide it at every boot:

# mkdir /crypt

# mount /crypt
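The crypttab entry written above (`crypt /dev/hda3 none none`) sets up a plain dm-crypt mapping: nothing is stored on disk to record the cipher, passphrase hash or key size, so they come from cryptsetup's compiled-in defaults, and a later cryptsetup with different defaults derives a different key from the same password. The following check is an added example, not part of the original text; it assumes an entry without the `luks` option is opened in plain mode, and the sample entries other than the first are constructed.

```shell
#!/bin/sh
# audit_crypttab FILE: print one finding per plain-mode entry that leaves
# cipher, hash or key size to cryptsetup's compiled-in defaults.
# Assumption: an entry without the "luks" option is opened in plain mode.
audit_crypttab() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        name = $1; dev = $2
        # Wrap the option list in commas so each option can be matched whole.
        opts = (NF >= 4 && $4 != "none") ? ("," $4 ",") : ","
        if (index(opts, ",luks,")) next       # LUKS keeps parameters in its header
        missing = ""
        if (opts !~ /,cipher=[^,]+,/) missing = missing " cipher"
        if (opts !~ /,hash=[^,]+,/)   missing = missing " hash"
        if (opts !~ /,size=[0-9]+,/)  missing = missing " size"
        if (missing != "")
            printf "%s (%s): plain mode, unpinned:%s\n", name, dev, missing
    }' "$1"
}

# Constructed sample: the first entry is the one written by the steps above,
# the other two are made up for comparison.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <name> <device> <key> <options>
crypt   /dev/hda3 none none
pinned  /dev/hdb1 none cipher=aes-cbc-essiv:sha256,hash=sha256,size=256
vault   /dev/hdc1 none luks
EOF
audit_crypttab "$sample"
rm -f "$sample"
```

Only the `crypt` entry is reported; pinning `cipher=`, `hash=` and `size=` in the fourth field (or using a LUKS volume) keeps the mapping reproducible across cryptsetup upgrades.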

3.4 Questions and answers

Filesystem and Devices

1. Why was it necessary to develop the Linux File Hierarchy?

The location of certain files and utilities not being standardized led to problems with development and upgrading between various distributions of Linux. (Linux File Hierarchy [67])

2. Does the inode part of the UNIX filesystem structure contain the name of a file?

No, an inode contains all the information on a file, except its name. (UNIX filesystem structure [67])

3. What is the fastest way to erase all data in an ext2 filesystem mounted at /mnt?

The command mkfs -t ext2 /mnt will erase all data in the /mnt filesystem by creating a new, empty filesystem. Part of the data may still be recoverable, of course. (Erasing all data in a filesystem [68])

4. Which file in the pseudo directory /proc contains basically the same information about swap as does the command free?

The file /proc/meminfo contains similar information. (Swap information [70])

5. What would you type before rebooting a system to ensure that the ext filesystems are not checked during boot?

Use e.g. tune2fs -c 5 -C 0 /dev/hda1 as well as for all other devices, in order to postpone filesystem checking for 5 remounts. (Use tune2fs [74])

6. What switches would you use in order to run debugfs in read-only mode?

Debugfs operates in read-only mode by default, therefore no switches are needed. (Use debug2fs [75])

7. What is the main purpose of auto-mounting?

It avoids the necessity of having to use the mount command in a number of situations. Mounting and unmounting is done automatically upon accessing the directory upon which the mount is to be done. This is useful in networked environments and for removable devices, such as USB attached disks and CD-ROMs. (Autofs and automounter [79])

8. What happens if you combine the floppy drive and the cdrom drive into the same supplementary (autofs) file?

Each file will have only one automount program running for it, so if one entry fails, the other will not work either. (One supplementary file per entry [80])

9. Which two commands are used for creating a mountable CD-ROM?

mkisofs is used to create the ISO9660 image and cdrecord is used to write that image to a CD-ROM. (CD-ROM filesystem [80])
