
Paranoia without borders, or encrypting an LVM volume built from files

After reading today's post on a BSD blog about data encryption, I had the idea of building an LVM volume out of ordinary files and encrypting it.
I won't beat around the bush; here is how I did it.



In this example the container files all sit on one hard disk in one partition (/tmp), but nothing stops you from placing them anywhere. Let's get started!
Create 5 files of 50 MB each to serve as containers (dd prints the same three lines for each file):

/tmp # for i in `seq 1 5`; do dd if=/dev/zero of=safe.$i bs=1M count=50; done
50+0 records in
50+0 records out
52428800 bytes (52 MB) copied, 0.235608 s, 223 MB/s


Check:
/tmp # ls -l safe.*
-rw-r--r-- 1 root root 50M 2009-11-28 03:02 safe.1
-rw-r--r-- 1 root root 50M 2009-11-28 03:02 safe.2
-rw-r--r-- 1 root root 50M 2009-11-28 03:02 safe.3
-rw-r--r-- 1 root root 50M 2009-11-28 03:02 safe.4
-rw-r--r-- 1 root root 50M 2009-11-28 03:02 safe.5


Now turn our safes into block devices using losetup (here the loop device numbers are hard-coded; `losetup -f --show FILE` picks the next free one for you):
/tmp # for i in `seq 1 5`; do losetup /dev/loop$i /tmp/safe.$i; done

Now we have 5 block devices of 50 MB each. Next we combine them into one Logical Volume so that they appear as a single, larger device.

If the pvcreate utility is not available, install the lvm2 package:
apt-get install lvm2 (on Ubuntu)

/tmp # pvcreate /dev/loop{1,2,3,4,5}
Physical volume "/dev/loop1" successfully created
/tmp # vgcreate vg0 /dev/loop{1,2,3,4,5}
Volume group "vg0" successfully created
/tmp # vgscan
Reading all physical volumes. This may take a while...
Found volume group "vg0" using metadata type lvm2
/tmp # lvcreate --size 200M --name lvopt vg0
Logical volume "lvopt" created


Now we have a 200 MB LV at /dev/vg0/lvopt.
We encrypt it with plain-mode dm-crypt. The command below names no cipher, so cryptsetup's default is used; to use twofish instead, add `-c twofish-cbc-essiv:sha256`. Be aware that plain mode has no on-disk header: the passphrase is never verified, so a mistyped passphrase simply opens the device as garbage, and the cipher and hash options must be given identically every time. For anything beyond an experiment, `cryptsetup luksFormat` is the safer choice.
/tmp # cryptsetup -y create datasafe /dev/vg0/lvopt
Enter passphrase:
Verify passphrase:


That's all; now let's check what we got. First, format the new device as ext4 (the tool was called mkfs.ext4dev while ext4 was still in development; on current systems it is mkfs.ext4):
mkfs.ext4dev /dev/mapper/datasafe
mke2fs 1.41.9 (22-Aug-2009)

Then mount it:
mkdir -p /media/safe
mount -t ext4 /dev/mapper/datasafe /media/safe/



Fill our safe with data to make sure it works. The data comes from /dev/zero, which is a deliberately convenient test input: if the encryption were not in effect, the raw LV would contain obvious long runs of zero bytes.
cat /dev/zero >> /media/safe/test
cat: write error: No space left on device


The LV now holds a test file occupying all the available space; let's check:
df -h
Filesystem Size Used Avail Use% Mounted on
[....]
/dev/mapper/datasafe 194M 193M 0 100% /media/safe


Now unmount the filesystem and remove the dm-crypt mapping (`cryptsetup close datasafe` on current versions; `remove` is the old spelling):
umount /media/safe/
cryptsetup remove datasafe


And try to read the raw contents of the LV now:

less -f /dev/vg0/lvopt

You should see only random-looking bytes, not the zeros we wrote into the test file. That is the check that the device really is encrypted; a visible run of zero bytes would mean the data went to disk in the clear.

Container files can be of different sizes and can live on different hard drives, which makes them somewhat harder to spot and harder to reassemble into one device. They are not hidden, though: in this layout LVM sits below the encryption, so each container file starts with LVM's plaintext physical-volume label ("LABELONE" at byte 512) and metadata naming the volume group "vg0". A simple `grep -a LABELONE /tmp/safe.*` finds them. To remove that marker, swap the layers: encrypt each loop device first and build the volume group on top of the opened /dev/mapper devices.
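The whole procedure above, condensed into one script, as an added example rather than the post's own commands. It keeps the post's layout (files, loop devices, PV/VG/LV) but formats the LV as LUKS instead of opening it in plain mode, and it adds two root-free checks: one for the plaintext LVM label that stays visible on every container file, and one that counts non-zero bytes so you can confirm that the zeros written through dm-crypt come back as ciphertext. The paths, volume names, sizes and the `.safe.loops` bookkeeping file are assumptions.

```sh
#!/bin/sh
# Added example, not the post's own commands.  Same layout as the post
# (files -> loop devices -> PV/VG/LV), but the LV is formatted as LUKS
# instead of opened with plain-mode "cryptsetup create".  All names, paths
# and sizes below are assumptions; change them to taste.
set -eu

SAFE_DIR=${SAFE_DIR:-/tmp}       # assumed location of the container files
N_FILES=5                        # five containers, as in the post
FILE_MB=50                       # 50 MB each, as in the post
VG=vg0; LV=lvopt; LV_SIZE=200M   # names from the post
MAPPER=datasafe; MNT=/media/safe
LOOP_LIST=$SAFE_DIR/.safe.loops  # assumed: records the loop devices we attached

need_root() {
    [ "$(id -u)" -eq 0 ] || { echo "$1 must run as root" >&2; exit 1; }
}

# Build everything: containers, loop devices, LVM, LUKS, filesystem, mount.
# (Overwrites existing safe.N files, exactly like the post's dd loop.)
build_safe() {
    need_root build_safe
    : > "$LOOP_LIST"
    i=1
    while [ "$i" -le "$N_FILES" ]; do
        f=$SAFE_DIR/safe.$i
        dd if=/dev/zero of="$f" bs=1M count="$FILE_MB" 2>/dev/null
        # -f takes the next free loop device instead of hard-coding /dev/loopN
        losetup -f --show "$f" >> "$LOOP_LIST"
        i=$((i + 1))
    done
    set -- $(cat "$LOOP_LIST")          # one argument per loop device
    pvcreate "$@"
    vgcreate "$VG" "$@"
    lvcreate -L "$LV_SIZE" -n "$LV" "$VG"
    # LUKS gives a header that verifies the passphrase, real key derivation,
    # and a recorded cipher spec; plain "cryptsetup create" has none of that.
    cryptsetup luksFormat "/dev/$VG/$LV"      # prompts for YES + passphrase
    cryptsetup open "/dev/$VG/$LV" "$MAPPER"  # prompts for the passphrase
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    mkdir -p "$MNT"
    mount "/dev/mapper/$MAPPER" "$MNT"
}

# Undo build_safe in reverse order so nothing keeps the container files busy.
teardown_safe() {
    need_root teardown_safe
    umount "$MNT" 2>/dev/null || true
    cryptsetup close "$MAPPER" 2>/dev/null || true
    vgchange -an "$VG" 2>/dev/null || true
    while read -r dev; do losetup -d "$dev"; done < "$LOOP_LIST"
}

# --- checks that need no root and no loop devices ---------------------------

# LVM writes its label in the clear at byte 512 of every PV, so a container
# built this way carries the string "LABELONE" even though the LV inside is
# encrypted.  Exit status 0 means the label is present.
has_lvm_label() {
    [ "$(dd if="$1" bs=1 skip=512 count=8 2>/dev/null | tr -d '\000')" = "LABELONE" ]
}

# Count the non-NUL bytes among the first $2 bytes of $1.  The zeros the post
# writes through dm-crypt come back as ciphertext, so almost every byte is
# non-zero; a zero-filled region that was not encrypted reports 0.
nonzero_bytes() {
    echo $(( $(dd if="$1" bs=1 count="$2" 2>/dev/null | tr -d '\000' | wc -c) ))
}

case "${1:-}" in
    build)    build_safe ;;
    teardown) teardown_safe ;;
esac
```

Run `sh safe.sh build` as root to set everything up and `sh safe.sh teardown` to take it apart again. After a teardown, `has_lvm_label /tmp/safe.1 && echo "plaintext LVM label present"` shows the marker that this layout leaves on every container, while `nonzero_bytes /dev/vg0/lvopt 1048576` (with the volume group active and the mapping closed) should report close to one million non-zero bytes for the region the test file occupied. To lose the plaintext label, swap the layers: `luksFormat` and `open` each loop device first, then run `pvcreate` on the resulting /dev/mapper devices.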

Source: https://habr.com/ru/post/76699/

