# Mount Encrypted Filesystem w/GPG Key How-To

## FishNiX

This is how I set up an encrypted filesystem using a key which I can carry around with me.

If anyone has more suggestions, let me know!

Good Luck!

1. Rebuild the kernel with the loopback filesystem and cryptoapi included, and choose your favorite encryption (rc6 for me).

   (For a USB keychain drive, you will need SCSI support and USB Mass Storage support.)

2. Fill the device with random bits -- I'm not sure if this is necessary, but the cryptoapi how-to suggests it. (It takes a long time.)

   ```
   dd if=/dev/urandom of=/dev/hdd1 bs=1M
   ```

3. Set up gpg -- I used this:

   http://www.whitehats.ca/main/members/Don/don_gpg_how-to/don_gpg_how-to.html

   Set up a GOOD passphrase!

4. Mount the device where you will store your master key:

   ```
   mount /dev/sda1 /mnt/hd
   ```

5. Create your random key on your device (it will prompt for your user ID and then your passphrase):

   ```
   dd if=/dev/urandom bs=45 count=1 2>/dev/null | uuencode -m - | head -2 | tail -1 | gpg -e -a > /mnt/hd/masterkey-secret1.gpg
   ```

6. Set up your loopback device:

   ```
   gpg --decrypt < /mnt/hd/masterkey-secret1.gpg | losetup -p 0 -e rc6 -k 256 /dev/loop0 /dev/hdd1
   ```

7. Format the device:

   ```
   mke2fs /dev/loop0
   ```

8. Delete the loop device:

   ```
   losetup -d /dev/loop0
   ```

9. Try mounting it:

   ```
   gpg --decrypt < /mnt/hd/masterkey-secret1.gpg | mount /dev/hdd1 /backups -t ext2 -o loop,encryption=rc6,keybits=256 --pass-fd 0
   ```

If all this goes well, try this in /usr/local/bin for mounting things at boot or whenever:

```perl
#!/usr/bin/perl -w
use strict;

##########
# Encrypted Filesystem Mounter
##########
# This script mounts a device containing a
# gpg key used to create an encrypted filesystem
# then uses it to mount that encrypted filesystem
##########
# Author: E. Camden Fisher
# efisher@wesleyan.edu
# 030319 2030
##########
# License:
# This work is free for use, modification and distribution.
# It is free (as in beer) and will remain as such, so long as
# this license remains intact.  Should the license be removed,
# the work is no longer free, and cannot be used for any purpose.
##########
# There is no warranty expressed or implied.
# As always, your mileage may vary.
##########

# key file name
my $key = "masterkey-secret1.gpg";
# encryption type
my $encr = "rc6";
# encryption bits
my $bits = "256";
# where to mount device containing the key
my $key_dir = "/mnt/hd";
# what device to mount containing key
my $key_dev = "/dev/sda1";
# what options to use in mount of key device
my $kmnt_opts = "";
# where to mount encrypted device
my $encr_dir = "/backups";
# what device to mount for encrypted system
my $encr_dev = "/dev/hdd1";
# what options to use in mount of encrypted system
# (--pass-fd 0: mount reads the key from its stdin, i.e. from gpg's output)
my $emnt_opts = "-t ext2 -o loop,encryption=$encr,keybits=$bits --pass-fd 0";
# what gpg binary to use + decryption flag
my $gpg = "/usr/bin/gpg --decrypt";
# what mount binary to use
my $mount = "/bin/mount";

# system() returns the command's exit status, so non-zero means failure
if (system("$mount $key_dev $key_dir $kmnt_opts")) {
    print "$key_dev failed to mount on $key_dir\n";
    exit 1;
}
else {
    # decrypt the key and pipe it straight into mount's stdin (--pass-fd 0)
    if (system("$gpg < $key_dir/$key | $mount $encr_dev $encr_dir $emnt_opts")) {
        print "Mount of encrypted device failed:\n";
        print "$gpg < $key_dir/$key | $mount $encr_dev $encr_dir $emnt_opts\n";
        exit 1;
    }
}

exit 0;
```

EDIT: This script doesn't seem to work with local.start because the user isn't defined yet as root, so it can't find where to get the gpg key used to decrypt the password for the encrypted filesystem -- a su root in the script might fix it, but I haven't tried yet!

References:

http://www.kerneli.org/howto/node3.php

http://www.whitehats.ca/main/members/Don/don_gpg_how-to/don_gpg_how-to.html

https://forums.gentoo.org/viewtopic.php?t=34632&highlight=cryptoapi

http://mail.nl.linux.org/linux-crypto/2002-04/msg00010.html

https://forums.gentoo.org/viewtopic.php?t=42203&highlight=

----------

## FishNiX

I'm having trouble getting this to work:

At this point I'm using `-t ext2 -o loop,encryption=$encr,keybits=$bits --pass-fd 0`

in my mount command, and once the system is up, --pass-fd 0 works perfectly, but when trying to run this from local.start, it won't work, claiming "gpg: cannot open /dev/tty: No such device or address".

Any ideas? Should I use a different file descriptor?

thanks!

----------

## Chris W

 *Quote:*   

>  2. Fill the device with random bits -- I'm not sure if this is necessary, but the cryptoapi how-to suggests it. (it takes a long time)
> 
> dd if=/dev/urandom of=/dev/hdd1 bs=1M

 

It isn't necessary for function, but it is for security.  This makes the bits of the device containing your encrypted data look essentially the same as the bits that don't.  Much harder to decrypt if you can't find the data amongst the noise.

----------

## FishNiX

 *Chris W wrote:*   

>  *Quote:*    2. Fill the device with random bits -- I'm not sure if this is necessary, but the cryptoapi how-to suggests it. (it takes a long time)
> 
> dd if=/dev/urandom of=/dev/hdd1 bs=1M 
> 
> It isn't necessary for function, but it is for security.  This makes the bits of the device containing your encrypted data look essentially the same as the bits that don't.  Much harder to decrypt if you can't find the data amongst the noise 

 

Thanks for the info!

----------

## FishNiX

Okay -- so the problem with my mounting script is that the STDIN file descriptor (0) doesn't seem to work in local.start.

Does anyone know why this is, or a good way to get around it?

----------
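Added example, not code from this thread: the first post's steps 5 to 9 and the local.start problem raised in the later posts, as one POSIX shell script. It keeps the thread's devices, paths and cryptoapi flags (`-p 0 -e rc6 -k 256` for losetup, `-o loop,encryption=rc6,keybits=256 --pass-fd 0` for mount), but reads the passphrase itself from /dev/console and hands it to gpg on a file descriptor (`--passphrase-fd 0`, GnuPG 1.x syntax) instead of letting gpg open /dev/tty. Assumptions of mine: that /dev/console can be read and written when the script runs from init, `base64(1)` in place of `uuencode -m` (same encoding of the same 45 bytes), an explicit `-r` recipient for the encryption step, and the `GPG`/`LOSETUP`/`MOUNT`/`UMOUNT`/`MKE2FS` variables so the privileged tools can be swapped for stubs when exercising the script without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Two verbs: "init" (steps 5-8:
# make the key, losetup, mke2fs, detach) and "mount" (step 9, the job of
# the Perl script). The passphrase is read from /dev/console rather than
# left to gpg's /dev/tty prompt, which is what fails under local.start.
# Devices, paths and the rc6/256 flags are the thread's; CONSOLE, KEY_BYTES,
# the -r recipient and the tool variables are assumptions of this example.
set -u

KEY_DEV="${KEY_DEV:-/dev/sda1}"          # removable device carrying the gpg-encrypted key
KEY_DIR="${KEY_DIR:-/mnt/hd}"
KEY_FILE="${KEY_FILE:-masterkey-secret1.gpg}"
ENCR_DEV="${ENCR_DEV:-/dev/hdd1}"        # block device holding the encrypted filesystem
ENCR_DIR="${ENCR_DIR:-/backups}"
ENCR="${ENCR:-rc6}"                      # cryptoapi cipher, as in the thread
BITS="${BITS:-256}"                      # key length, as in the thread
KEY_BYTES=45                             # 45 random bytes -> one 60-char base64 line
CONSOLE="${CONSOLE:-/dev/console}"       # assumed usable when /dev/tty is not (init time)
GPG="${GPG:-/usr/bin/gpg}"               # tools as variables so stubs can replace them
LOSETUP="${LOSETUP:-/sbin/losetup}"
MOUNT="${MOUNT:-/bin/mount}"
UMOUNT="${UMOUNT:-/bin/umount}"
MKE2FS="${MKE2FS:-/sbin/mke2fs}"

# gen_key: same shape as the thread's dd | uuencode -m | head | tail pipe, via base64(1)
gen_key() {
    head -c "$KEY_BYTES" /dev/urandom | base64 | tr -d '\n'
    echo
}

# read_passphrase: prompt on the console with echo off; one line to stdout
read_passphrase() {
    printf 'Passphrase for %s: ' "$KEY_FILE" > "$CONSOLE"
    stty -echo < "$CONSOLE" 2>/dev/null
    IFS= read -r pass < "$CONSOLE"
    stty echo < "$CONSOLE" 2>/dev/null
    echo > "$CONSOLE"
    printf '%s\n' "$pass"
}

# decrypt_key: passphrase on fd 0, ciphertext as a file argument, key on stdout.
# GnuPG 1.x syntax; GnuPG 2.1+ additionally needs --pinentry-mode loopback.
decrypt_key() {
    "$GPG" --batch --no-tty --quiet --passphrase-fd 0 --decrypt "$KEY_DIR/$KEY_FILE"
}

# get_key: the decrypted key line, or failure if gpg failed or produced nothing
get_key() {
    k=$(read_passphrase | decrypt_key) && [ -n "$k" ] || return 1
    printf '%s\n' "$k"
}

mount_key_dev()  { "$MOUNT" "$KEY_DEV" "$KEY_DIR"; }
umount_key_dev() { "$UMOUNT" "$KEY_DIR"; }

# init_encrypted RECIPIENT: create the key, encrypt it to RECIPIENT on the key
# device, set up the loop device with the plaintext key, format it, detach.
init_encrypted() {
    key=$(gen_key) || return 1
    printf '%s\n' "$key" | "$GPG" -e -a -r "$1" > "$KEY_DIR/$KEY_FILE" || return 1
    printf '%s\n' "$key" | "$LOSETUP" -p 0 -e "$ENCR" -k "$BITS" /dev/loop0 "$ENCR_DEV" || return 1
    "$MKE2FS" /dev/loop0 || { "$LOSETUP" -d /dev/loop0; return 1; }
    "$LOSETUP" -d /dev/loop0
}

# mount_encrypted: mount the key device, decrypt the key, feed it to mount on
# fd 0 (the thread's --pass-fd 0), then release the key device either way.
mount_encrypted() {
    mount_key_dev || { echo "$KEY_DEV failed to mount on $KEY_DIR" >&2; return 1; }
    rc=1
    if ! key=$(get_key); then
        echo "could not decrypt $KEY_DIR/$KEY_FILE" >&2
    elif printf '%s\n' "$key" | "$MOUNT" "$ENCR_DEV" "$ENCR_DIR" -t ext2 \
            -o "loop,encryption=$ENCR,keybits=$BITS" --pass-fd 0; then
        rc=0
    else
        echo "mount of $ENCR_DEV on $ENCR_DIR failed" >&2
    fi
    umount_key_dev                       # the key device need not stay plugged in
    return "$rc"
}

case "${1:-}" in
    init)  init_encrypted "${2:?usage: $0 init GPG-RECIPIENT}" ;;
    mount) mount_encrypted ;;
    *)     : ;;                          # no verb: only define the functions
esac
```

Run `init <gpg recipient>` once as root with the key device mounted, then `mount` from local.start. The decrypted key passes through a shell variable rather than a temporary file; on GnuPG 2.1 or later the decrypt call also needs `--pinentry-mode loopback`, otherwise `--passphrase-fd` is not honoured.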

