LUKS Automation Script

Scripts to automate creation, unmounting, and remounting of LUKS encrypted filesystems via loopback devices.

create_encrypted_fs

#!/bin/bash
# Shell script to set up an encrypted filesystem on a loopback device
# using LUKS.  Must be run as root (losetup, cryptsetup and mount need it).

# From an example by Paul Heinlein at
# http://wiki.centos.org/TipsAndTricks/EncryptedFilesystem
# Mods by Phil Schaffner

# Create an empty file sized to suit your needs. The file created
# will be a sparse file of the size in MB specified on the command line.
# No real blocks are written since we will force block allocation
# later on.

if [ "$#" -lt 2 ]; then
   echo "Usage: $(basename "$0") <path_to_file> <size_in_MB>"
   exit 1
fi

SECRET_PATH=$(dirname "$1")
SECRET_FILE=$(basename "$1")
SECRET_FS=$SECRET_PATH/$SECRET_FILE
if [ ! -d "$SECRET_PATH" ]; then
    echo "Directory $SECRET_PATH to hold encrypted filesystem does not exist!"
    exit 1
fi

if [ -e "$SECRET_FS" ]; then
    echo "File $SECRET_FS already exists.  Refusing to overwrite!"
    exit 1
fi

# The size must be a positive whole number of MB.  (The earlier test,
# expr "$2 + 1", handed expr a single string, which always succeeds.)
case "$2" in
    ''|*[!0-9]*|0)
        echo "Second parameter should be file size in MB."
        exit 1 ;;
esac
SECRET_SIZE=$2

# Use -P (POSIX) for df as it tends to do line wrapping otherwise.
# Jim Anstadt noticed that
FREE_SPACE=$(df -P -m "$SECRET_PATH" | tail -1 | awk '{ print $4 }')
if [ "$SECRET_SIZE" -gt "$FREE_SPACE" ]; then
    echo "Not enough space on device for a $SECRET_SIZE MB file!"
    df -m "$SECRET_PATH"
    exit 1
fi

# Create the sparse file with no group/world access from the start,
# so there is no window between creation and the chmod below.
umask 077
dd if=/dev/zero of="$SECRET_FS" bs=1M count=0 seek="$SECRET_SIZE" || exit 1
# Lock down normal access to the file
chmod 600 "$SECRET_FS"

# Associate a loopback device with the file
LOOP_DEV=$(losetup -f)
losetup "$LOOP_DEV" "$SECRET_FS" || exit 1

# Encrypt storage in the device. cryptsetup will use the Linux
# device mapper to create, in this case, /dev/mapper/$SECRET_FILE.
# The -y option specifies that you'll be prompted to type the
# passphrase twice (once for verification).  The first
# command initializes the volume, and sets an initial key. The
# second command opens the partition, and creates a mapping
# (in this case /dev/mapper/$SECRET_FILE).
cryptsetup -y luksFormat "$LOOP_DEV" || { losetup -d "$LOOP_DEV"; exit 1; }

# Open the volume, repeating until the passphrase is accepted
until cryptsetup luksOpen "$LOOP_DEV" "$SECRET_FILE"; do
    echo "luksOpen failed (wrong passphrase?), trying again..."
done

# Check its status (optional)
cryptsetup status "$SECRET_FILE"

# Now, we will write zeros to the new encrypted device. This
# will force the allocation of data blocks. And since the zeros
# are encrypted, this will look like random data to the outside
# world, making it nearly impossible to track down encrypted
# data blocks if someone gains access to the file that holds
# the encrypted filesystem.  dd ends with "No space left on device"
# once the whole volume has been written; that is expected.
dd if=/dev/zero of=/dev/mapper/"$SECRET_FILE" bs=1M

# Create a filesystem and verify its status
mke2fs -j -O dir_index /dev/mapper/"$SECRET_FILE" || exit 1
tune2fs -l /dev/mapper/"$SECRET_FILE"

# Mount the new filesystem in a convenient location
mkdir -p /mnt/cryptofs/"$SECRET_FILE"
mount /dev/mapper/"$SECRET_FILE" /mnt/cryptofs/"$SECRET_FILE" || exit 1
df -m /dev/mapper/"$SECRET_FILE"

umount_encrypted_fs

#!/bin/bash
# Shell script to unmount an encrypted filesystem on a loopback device
# using LUKS.  Must be run as root.

# From an example by Paul Heinlein at
# http://wiki.centos.org/TipsAndTricks/EncryptedFilesystem
# Mods by Phil Schaffner

if [ "$#" -lt 1 ]; then
   echo "Usage: $(basename "$0") <path_to_file>"
   exit 1
fi

SECRET_PATH=$(dirname "$1")
SECRET_FILE=$(basename "$1")

if [ ! -f "$SECRET_PATH/$SECRET_FILE" ]; then
    echo "File $SECRET_PATH/$SECRET_FILE does not exist!"
    exit 1
fi
# losetup -a reports the absolute path, so resolve it before matching
SECRET_FS=$(cd "$SECRET_PATH" && pwd -P)/$SECRET_FILE

# Unmount the filesystem.  If it is busy, stop here rather than
# leaving the mapping and loop device half torn down.
umount /mnt/cryptofs/"$SECRET_FILE" || exit 1

# Remove device mapping
cryptsetup luksClose "$SECRET_FILE" || exit 1

# Find the loopback device and remove it.  losetup -a prints lines
# like "/dev/loop0: [0801]:1234 (/path/to/file)"; match the path in
# its parentheses so that /srv/secret does not also match /srv/secret2.
LOOP_DEV=$(losetup -a | grep -F "($SECRET_FS)" | cut -d ':' -f 1)
if [ -z "$LOOP_DEV" ]; then
    echo "No loopback device found for ${SECRET_FS}!"
else
    losetup -d "$LOOP_DEV"
fi

remount_encrypted_fs

#!/bin/bash
# Shell script to remount an encrypted filesystem on a loopback device
# using LUKS.  Must be run as root.

# From an example by Paul Heinlein at
# http://wiki.centos.org/TipsAndTricks/EncryptedFilesystem
# Mods by Phil Schaffner

if [ "$#" -lt 1 ]; then
   echo "Usage: $(basename "$0") <path_to_encrypted_file>"
   exit 1
fi

SECRET_PATH=$(dirname "$1")
SECRET_FILE=$(basename "$1")
SECRET_FS=$SECRET_PATH/$SECRET_FILE

if [ ! -f "$SECRET_FS" ]; then
    echo "File $SECRET_FS not found!"
    exit 1
fi

# Associate a loopback device with the file
LOOP_DEV=$(losetup -f)
losetup "$LOOP_DEV" "$SECRET_FS" || exit 1

# Refuse to go on if the file does not carry a LUKS header
if ! cryptsetup isLuks "$LOOP_DEV"; then
    echo "$SECRET_FS is not a LUKS volume!"
    losetup -d "$LOOP_DEV"
    exit 1
fi

# Open the volume, repeating until the passphrase is accepted
until cryptsetup luksOpen "$LOOP_DEV" "$SECRET_FILE"; do
    echo "luksOpen failed (wrong passphrase?), trying again..."
done

# Check its status (optional)
cryptsetup status "$SECRET_FILE"

# Mount the filesystem in its usual location
mkdir -p /mnt/cryptofs/"$SECRET_FILE"
mount /dev/mapper/"$SECRET_FILE" /mnt/cryptofs/"$SECRET_FILE" || exit 1
df -m /dev/mapper/"$SECRET_FILE"
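The two input checks these scripts rely on, the size argument in create_encrypted_fs and the loop-device lookup in umount_encrypted_fs, as an added example that is not part of the wiki's scripts. It runs without root by parsing a constructed losetup -a listing; the function names find_loop_for_file and valid_size_mb are this example's own, and the lookup also handles the "(deleted)" suffix losetup appends when the backing file has been unlinked.

```shell
#!/bin/sh
# find_loop_for_file LISTING FILE: print the loop device whose backing
# file is exactly FILE, given "losetup -a" style output in LISTING.
# Comparing the whole parenthesised path avoids the substring problem
# of "grep $SECRET_FS" (/srv/secret would also match /srv/secret2).
find_loop_for_file() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # each line looks like: /dev/loopN: [dev]:inode (/backing/file)
        $1 ~ /^\/dev\/loop[0-9]+:$/ {
            dev = $1
            sub(/:$/, "", dev)
            # the backing file is everything between the first "(" and
            # the final ")", so a "(deleted)" suffix stays part of it
            start = index($0, "(")
            file = substr($0, start + 1, length($0) - start - 1)
            if (file == want) { print dev; exit }
        }'
}

# valid_size_mb SIZE: succeed only for a positive whole number of MB.
# The wiki scripts originally ran expr "$2 + 1", which hands expr one
# string argument and therefore succeeds for any non-empty input.
valid_size_mb() {
    case "$1" in
        ''|*[!0-9]*|0) return 1 ;;
        *)             return 0 ;;
    esac
}

# Constructed sample listing (not captured from a real system)
SAMPLE_LOSETUP='/dev/loop0: [0801]:131074 (/srv/secret)
/dev/loop1: [0801]:131075 (/srv/secret2)
/dev/loop2: [0801]:131076 (/srv/old secret (deleted))'

# Demo: the exact match picks loop0, not loop1, for /srv/secret
find_loop_for_file "$SAMPLE_LOSETUP" /srv/secret
valid_size_mb 512 && echo "512 is a valid size"
valid_size_mb 5a  || echo "5a is rejected"
```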