Tuesday, April 18, 2006
Seamless Disk and File Encryption
To address some of these issues, some vendors have created volume encryption applications that you can purchase or that are freely distributed with the storage device. For instance, SanDisk ships encryption tools with their thumb drives so people can encrypt their data. The problems with commercially available encryption applications are:
- Many vendors don't supply the source code to the utilities, and therefore you can never be sure that they have not put in back doors or used weak algorithms. Implementation scrutiny is EXTREMELY important when it comes to trusting the strength of the code. Community contribution is also extremely important, since it can ensure that the strongest encryption algorithms and bug fixes are added and made available.
- Most of the utilities are NOT cross-platform.
- The applications that are not free might not be affordable for some people.
What is REALLY needed is a free disk encryption tool that is cross-platform compatible.
The cool pick of the day is a utility called TrueCrypt, from http://www.truecrypt.org/. It is quite a fine program that is available for Windows and Linux. I hope they add Macintosh to that list of compatibility soon. Since TrueCrypt is Open Source, a port to the Macintosh is a possibility.
Under Windows, it was a simple download and install. Under Linux, if they have a binary package for you, it works without a hitch. If they do not, then you must download the tarball and do a compile and install. The requirements are Linux 2.6.5 or later and you of course need Kernel Source and compilation tools.
I chose to install it under Red Hat AS 4... and it was a challenge. Since RHAS 4 does NOT have a complete kernel development environment, EVEN with the kernel-devel package installed, you must do the following:
- Check your kernel rpms by typing:
rpm -qa | grep kernel
I have the following rpms that are important (kernel, smp-devel, utils, devel):
kernel-2.6.9-34.EL
kernel-smp-devel-2.6.9-34.EL
kernel-utils-2.4-13.1.80
kernel-devel-2.6.9-34.EL
Since I use the smp kernel, the kernel-smp-devel package is the important one. If I were using the non-smp kernel, then the kernel-devel package would be the important one.
- Do a uname -a and check what kernel you are using.
2.6.9-34.ELsmp i686 i686 i386 GNU/Linux
are the parts of the output that are important for this procedure.
- Go to /usr/src/kernels and tar and compress the directory that contains your current kernel. I use
tar zcf 2.6.9-34.EL-smp-i686.tar.gz 2.6.9-34.EL-smp-i686
- Use up2date to retrieve the kernel src package
up2date --get-source kernel --download
It will retrieve the source and put it in the /var/spool/up2date directory.
- Then install the package
cd /var/spool/up2date
rpm -i kernel-2.6.9-34.EL.src.rpm
It puts the information in the /usr/src/redhat area.
cd /usr/src/redhat/SPECS
rpmbuild -bp --target=i686 kernel-2.6.spec (or whatever spec file you have)
- After that completes, go into the Build area and you will see the Kernel area. NOTE: this step may be skipped unless you need to rebuild your kernel.
cd /usr/src/redhat/BUILD/kernel-2.6.9/linux-2.6.9
for files in arch crypto drivers fs include init ipc kernel lib mm net scripts security sound usr
do
    /bin/cp -pr "${files}"/* "/usr/src/kernels/2.6.9-34.EL-smp-i686/${files}"
done
- Next you must build TrueCrypt. Download truecrypt-4.2-source-code.tar.gz from their site and put the source-code tarball in /tmp
cp truecrypt-4.2-source-code.tar.gz /tmp
cd /tmp
tar zxf truecrypt-4.2-source-code.tar.gz
cd /tmp/truecrypt-4.2
cd Linux
./build.sh
When the script asks for the kernel source directory, type the one that your modules are in:
/lib/modules/2.6.9-34.ELsmp/build
./install.sh
When the script asks for the install locations, choose where you want it to go.
- If you want, remove the /usr/src/kernels/2.6.9-34.EL-smp-i686 directory and unpack the archive made earlier to restore it
rm -rf /usr/src/kernels/2.6.9-34.EL-smp-i686
cd /usr/src/kernels
tar zxf 2.6.9-34.EL-smp-i686.tar.gz
- Now you can use truecrypt from the command prompt
/usr/local/bin/truecrypt
(use /usr/local/bin/truecrypt -d [MAPPED_VOLUME] to dismount the encrypted volume).
Save your work before trying this, just to be safe. You can try a force module load with modprobe -f truecrypt
What that really means is that you need to create a new kernel image and install it so the module versions match up. Then recompile truecrypt. But if you follow the steps I have provided, you should not have to recompile your kernel. :)
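The checks the procedure above relies on can be scripted before running build.sh. This is an added example, not part of the original post or of TrueCrypt: the function names are hypothetical, the vermagic sample in the comment is constructed, and only the smp and non-smp kernel flavours named in the post are handled.

```shell
#!/bin/sh
# Added example: preflight checks before running TrueCrypt's build.sh.

MIN_KERNEL=2.6.5   # minimum kernel version stated in the post

# kernel_at_least RELEASE MIN: succeed if RELEASE (e.g. 2.6.9-34.ELsmp) >= MIN.
# Fields are compared numerically, so 2.6.10 sorts after 2.6.5.
kernel_at_least() {
    printf '%s %s\n' "${1%%-*}" "$2" | awk '{
        split($1, a, "."); split($2, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 > b[i] + 0) exit 0
            if (a[i] + 0 < b[i] + 0) exit 1
        }
        exit 0
    }'
}

# devel_package_for RELEASE: package holding the matching kernel headers.
devel_package_for() {
    case $1 in
        *smp) echo kernel-smp-devel ;;
        *)    echo kernel-devel ;;
    esac
}

# vermagic_matches VERMAGIC RELEASE: the first word of a module's vermagic
# string (constructed sample: "2.6.9-34.ELsmp SMP 686 REGPARM 4KSTACKS gcc-3.4")
# is the kernel release it was built for; it must equal uname -r.
vermagic_matches() {
    [ "${1%% *}" = "$2" ]
}

# preflight RELEASE: print what the build needs; fail if the kernel is too old.
preflight() {
    kernel_at_least "$1" "$MIN_KERNEL" || { echo "kernel $1 is older than $MIN_KERNEL"; return 1; }
    echo "devel package: $(devel_package_for "$1")"
    echo "build.sh kernel source dir: /lib/modules/$1/build"
    if vm=$(modinfo -F vermagic truecrypt 2>/dev/null); then
        vermagic_matches "$vm" "$1" || echo "truecrypt module built for ${vm%% *}, rebuild it"
    fi
}

preflight "$(uname -r)"
```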
Creating, Mounting and Using the Volume.
To create a volume, I used /usr/local/bin/truecrypt -c and created an encrypted file container under /tmp called testvol
I took all the default answers to the Volume creation questions and made up a password (remember your password when you make yours!!)
Then to mount the encrypted volume under /media/crypt (you must have a mount point; you can create one with mkdir -p /media/crypt) I used:
/usr/local/bin/truecrypt /tmp/testvol /media/crypt
Type in the password you used in the step above and you now have a volume that will be encrypted.
WARNING: The decrypted contents of the mounted container are VISIBLE to EVERY user on the system unless you set directory permissions accordingly. The contents can still be copied, etc., by anyone who can get into that directory. When you dismount the volume, the data is no longer visible until it is remounted.
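One way to act on the warning above, as an added example that is not part of the original post: put the mount point under a parent directory with mode 700 and check for exposure before mounting. The function names are hypothetical, GNU stat is assumed, and a scratch directory stands in for /media.

```shell
#!/bin/sh
# Added example: keep a mounted TrueCrypt volume away from other local users.

# others_can_enter DIR: succeed if DIR's "other" permission bits include
# read or execute (GNU stat prints the mode in octal, e.g. 755).
others_can_enter() {
    mode=$(stat -c %a "$1") || return 2
    other=$((mode % 10))
    [ $((other & 5)) -ne 0 ]
}

# mountpoint_exposed MP: succeed if both MP and its parent admit "other"
# users. Ancestors higher up are not checked, so this errs toward "exposed".
mountpoint_exposed() {
    others_can_enter "$1" && others_can_enter "$(dirname "$1")"
}

# make_private_mountpoint PARENT NAME: create PARENT/NAME with PARENT at
# mode 700, so no other non-root user can traverse into the mounted volume,
# whatever permissions the filesystem inside the container presents.
make_private_mountpoint() {
    mkdir -p "$1/$2" && chmod 700 "$1" && echo "$1/$2"
}

# Demo on a scratch directory (constructed stand-in for /media).
scratch=$(mktemp -d)
chmod 755 "$scratch"
mkdir -m 755 "$scratch/crypt"
mountpoint_exposed "$scratch/crypt" && echo "$scratch/crypt: exposed to other users"
mp=$(make_private_mountpoint "$scratch/private" crypt)
mountpoint_exposed "$mp" || echo "$mp: private, mount the volume here"
rm -rf "$scratch"
```

On the real system, call make_private_mountpoint with a parent of your choosing and pass the path it prints to truecrypt as the mount point in place of /media/crypt.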
You can do all the things you normally do with disk volumes with a truecrypt volume, e.g. copy files to and from the volume, run applications from the volume, etc. You can even work right from the encrypted container... such as opening an OpenOffice document stored within the encrypted container! The encrypted file container (e.g. /tmp/testvol) can also be copied to a USB thumb drive, for instance. Then you can use the Windows truecrypt to mount the truecrypt file container and see the data! COOL!! And at $0.00, REAL COOL!
Thanks TrueCrypt!!!
Maybe soon I will discuss more on the Partition Mounting options of truecrypt!!!