{"id":119,"date":"2005-04-18T02:31:49","date_gmt":"2005-04-17T23:31:49","guid":{"rendered":"https:\/\/void.gr\/kargig\/blog\/2005\/04\/18\/usb-key-encryption-frenzy\/"},"modified":"2006-10-11T22:27:45","modified_gmt":"2006-10-11T19:27:45","slug":"usb-key-encryption-frenzy","status":"publish","type":"post","link":"https:\/\/www.void.gr\/kargig\/blog\/2005\/04\/18\/usb-key-encryption-frenzy\/","title":{"rendered":"Usb key encryption frenzy, loopfile encryption"},"content":{"rendered":"<p>It&#8217;s time for something more serious now: time to play with encrypted partitions and loop devices, storing the keys on the usb key.<\/p>\n<p>Following the excellent <a href=\"http:\/\/loop-aes.sourceforge.net\/loop-AES.README\">loop-AES.README<\/a> I created a loop file that is encrypted with a set of random keys; those keys are stored inside a file, and that file is in turn encrypted with gpg and stored on my usb stick. Confused? Here it goes&#8230;<\/p>\n<p>&#8220;Create 65 random encryption keys and encrypt those keys using gpg.&#8221;<br \/>\n<code># head -c 2925 \/dev\/urandom | uuencode -m - | head -n 66 | tail -n 65 | gpg --symmetric -a >\/mnt\/usb-key\/keyfile.gpg<\/code><\/p>\n<p>Time for the loop file creation. An example of a 100MB file follows:<br \/>\n<code># dd if=\/dev\/urandom of=\/my-encrypted-loop.aes bs=1k count=100000<\/code><\/p>\n<p>Then attach the loop file as an encrypted loop device using our previously generated keys. From the losetup man page:<\/p>\n<blockquote><p>-K gpgkey<br \/>\nPassword is piped to gpg so that gpg can decrypt file gpgkey which contains the real keys that are used to encrypt loop device. If decryption requires public\/private keys and gpghome is not specified, all users use their own gpg public\/private keys to decrypt gpgkey. Decrypted gpgkey should contain 1 or 64 or 65 keys, each key at least 20 characters and separated by newline. If decrypted gpgkey contains 64 or 65 keys, then loop device is put to multi-key mode. In multi-key mode first key is used for first sector, second key for second sector, and so on. 65th key, if present, is used as additional input to MD5 IV computation.<\/p><\/blockquote>\n<p>So&#8230;<br \/>\n<code># losetup -K \/mnt\/usb-key\/keyfile.gpg -e AES256 \/dev\/loop3 \/my-encrypted-loop.aes<br \/>\n# losetup -d \/dev\/loop3<br \/>\n<\/code><\/p>\n<p>Now add this to \/etc\/fstab:<br \/>\n<code>\/my-encrypted-loop.aes \/mnt\/private ext3 defaults,noauto,user,loop=\/dev\/loop3,encryption=AES256,gpgkey=\/mnt\/usb-key\/keyfile.gpg 0 0<br \/>\n<\/code><\/p>\n<p>Now try this in order to check that the fstab entry is working and to format the loop file:<br \/>\n<code># losetup -F \/dev\/loop3<br \/>\n# mke2fs -j \/dev\/loop3<br \/>\n# losetup -d \/dev\/loop3<br \/>\n<\/code><\/p>\n<p>If everything is fine&#8230;you can just try this:<\/p>\n<p><code>mount \/mnt\/private<\/code><\/p>\n<p>And you should be asked for your gpg passphrase \ud83d\ude42 If you don&#8217;t have your usb key mounted, the loop file (or partition) won&#8217;t be mountable. BACKUP your keyfile.gpg!!!<\/p>\n<p>What if you want to change your password? Simply do this to decrypt the gpg file and re-encrypt it with a new password:<br \/>\n<code># gpg -d \/mnt\/usb-key\/keyfile.gpg > \/mnt\/usb-key\/clearkeys.txt<br \/>\n# cat \/mnt\/usb-key\/clearkeys.txt | gpg --symmetric -a > \/mnt\/usb-key\/newkeyfile.gpg<br \/>\n(now make sure that keyfile.gpg and newkeyfile.gpg differ; if they do, the gpg password was changed...move on)<br \/>\n# mv \/mnt\/usb-key\/newkeyfile.gpg \/mnt\/usb-key\/keyfile.gpg<br \/>\n# rm -f \/mnt\/usb-key\/clearkeys.txt<br \/>\n<\/code><br \/>\n(thanks to metown for pointing out some errors in the previous post)<\/p>\n<p>What&#8217;s left to be done now is to make it work like the pam_usb module, i.e. create a set of scripts (or programs?) so that when I want to mount the encrypted partition it will automatically check the usb key for a private key to match against the &#8220;partition&#8217;s public key&#8221;, so there won&#8217;t be a need for typing a passphrase.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s time for something more serious now: time to play with encrypted partitions and loop devices, storing the keys on the usb key. Following the excellent loop-AES.README I created a loop file that is encrypted with a set of random keys; those keys are stored inside a file, and that file is in turn encrypted with gpg and stored on [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"footnotes":""},"categories":[1,3],"tags":[],"class_list":["post-119","post","type-post","status-publish","format-standard","hentry","category-general","category-linux"],"aioseo_notices":[],"views":5051,"_links":{"self":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/comments?post=119"}],"version-history":[{"count":0,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/119\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/media?parent=119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/categories?post=119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/tags?post=119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}