Readers often ask us a common question: how do you implement file system encryption on Linux? Before exploring this topic further, I want to clarify two points:
First, it is difficult to find enough information on this subject on the Internet, so I will point you to some really good resources that are easy to find (actually a few tutorials).
Second, understanding the technical details of this problem is very important. That is what I want to explore in this article; I will then describe how to implement the encryption, and after that introduce the other resources.
People often say they want to encrypt their data, but they frequently overlook a fundamental question: what exactly do they want to encrypt? Do they want the application to encrypt the data inside a single file and then store that file on the hard drive? For example, when they create a word-processing document in LibreOffice (an .odt file), do they want LibreOffice to encrypt it and write the encrypted result to the file system as a single file? Or do they want Linux to handle the encryption at the file system level on its own?
So there are two approaches: the application encrypts the data inside a single file and then stores it on the drive, or Linux handles the encryption itself at the file system level.
Take the case where Linux handles the encryption. LibreOffice does nothing beyond reading and writing files, exactly as it does today. Linux encrypts the file before it is actually written to disk and decrypts it again when the file is read back. This is the approach I take here, but it raises a number of additional questions. To ask the right questions, you have to understand how block storage works, so let us look at block storage.
When the operating system handles a local drive, it uses filesystem software to format the drive and then reads and writes individual sectors. When you save a file, the filesystem software has to decide which sectors to write it to. When you read a file, the filesystem software determines which sectors hold the data, reads those sectors, and reconstructs the file. To manage files, the filesystem software uses various kinds of indexes, which are also stored on the disk. Different filesystem software organizes data in different ways, including different security mechanisms; the end result is the different file systems such as ext4 and NTFS.
The gory details
Now that we understand how block-level devices work, consider this: the operating system uses its filesystem software to write data to the drive in sectors. The filesystem software decides which sectors the data is written to and how it is organized, including creating the metadata that describes file names, organization, and other information. But for the filesystem software to actually read and write the drive, it needs a device driver to do the real work of controlling the device itself (the driver is represented in the file system hierarchy under the /dev directory).
The filesystem software could encrypt the data before writing it. Alternatively, a piece of software sitting between the filesystem software and the device driver could do the encryption.
So here we have a choice about where the encryption happens: do we want the filesystem software to encrypt the data and then write it? Or do we embed some kind of software between the filesystem software and the device driver? In the latter case the filesystem operates as usual, but when it tries to access the device, its calls are redirected to the encryption software, which handles them, as shown in the figure. In this article we use this second method. But first I want to discuss several other issues.
(By the way, if you want to see how device drivers appear in the /dev directory on a Linux system, take a look at this article: http://www.linuxdevcenter.com/pub/a/linux/2007/07/05/devhelloworld-a-simple-introduction-to-device-drivers-under-linux.html?page=1. It involves programming, but if you are not a programmer, click through to page 2, scroll down to the section labeled "Hello, World! Using /dev/hello_world", and read the first paragraph above it, which gives a specific and detailed explanation.)
If you want to encrypt an entire partition, consider encrypting the entire drive. But there is a small problem here. If the computer boots from the drive, the drive needs a small partition dedicated to storing the boot code. The boot code is machine code that the computer reads and executes in order to start up. If the entire hard drive is encrypted, including this part, the computer needs some way to interpret that data. But the computer has not yet mounted the file system, so it cannot decrypt the code in order to read it. See the problem? The decryption code would have to live in the BIOS itself, and most computers do not have such code. This means that the boot record, in practice, cannot be encrypted. People have discussed various ways around this (see: http://www.linuxquestions.org/questions/linux-security-4/full-disk-encryption-on-boot-partition-626270/), such as keeping the boot code on a removable USB drive.
If your drive is a remote drive, there are several ways to access the data, and it is very important to understand which type you have, because it determines what kind of encryption you can use. The two methods are:
• Block-level storage: this works like a local drive, so your filesystem software can read and write individual sectors of the remote disk directly.
• File-level storage: your operating system sends whole files to a remote server; the remote server has its own operating system and filesystem software, and it writes the files to its own disk.
With file-level storage you do not have much choice in terms of encryption. If you want the data encrypted, you need to encrypt it in your application and then send the encrypted data to be stored on the remote server.
With block-level remote storage, however, there are indeed several options. For example, if you use a cloud hosting service that lets you attach volumes to different servers, you can usually use block-level storage. The volumes may not be physically connected to your hosting server; nevertheless, the server accesses them as if they were local volumes, formatting the volume and reading and writing individual sectors just as if the drive were locally attached. This means that with block-level remote storage you can perform encryption at the file system level, just as you would on a local computer with a local drive.
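For the file-level case, the only place encryption can happen is in your own application before the file leaves the machine. The following script is an added example, not code from the article; it uses the real openssl command-line tool (openssl enc with AES-256-CBC and PBKDF2), reads the passphrase from an environment variable whose name is given by PASS_VAR (an assumption of this example), and checks that a constructed sample document survives the encrypt/decrypt round trip. The remote server never sees anything but the ciphertext file.

```shell
#!/bin/sh
# Added example (not from the article): encrypt a file in the application
# layer before handing it to file-level remote storage.  Uses the real
# `openssl enc` CLI; the passphrase comes from the environment variable named
# in PASS_VAR (assumed name, default UPLOAD_PASSPHRASE) so it never appears
# on the command line or in shell history.

set -eu

PASS_VAR=${PASS_VAR:-UPLOAD_PASSPHRASE}

# encrypt_for_upload <plaintext-file> <ciphertext-file>
# AES-256-CBC, random salt, PBKDF2 key derivation with 200000 iterations.
encrypt_for_upload() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "env:$PASS_VAR"
}

# decrypt_after_download <ciphertext-file> <plaintext-file>
# Same parameters as above, so the derived key matches.
decrypt_after_download() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "env:$PASS_VAR"
}

# roundtrip_ok <plaintext-file>
# Encrypts into a temp dir, decrypts again, compares byte for byte.
# Prints "ok" (exit 0) on a match, "mismatch" (exit 1) otherwise.
roundtrip_ok() {
    tmp=$(mktemp -d)
    encrypt_for_upload "$1" "$tmp/payload.enc"
    decrypt_after_download "$tmp/payload.enc" "$tmp/payload.dec"
    if cmp -s "$1" "$tmp/payload.dec"; then
        rm -rf "$tmp"; echo ok; return 0
    fi
    rm -rf "$tmp"; echo mismatch; return 1
}

# Demo on a constructed sample document, run only when a passphrase is set:
#   UPLOAD_PASSPHRASE='...' sh encrypt_upload.sh
if [ -n "$(eval "printf '%s' \"\${$PASS_VAR:-}\"")" ]; then
    sample=$(mktemp)
    printf 'Quarterly report: constructed sample text, not a real document.\n' > "$sample"
    roundtrip_ok "$sample"
    rm -f "$sample"
fi
```

The ciphertext file starts with the 8-byte marker "Salted__" followed by the salt, which is what lets the decrypt side re-derive the same key; losing the passphrase makes the stored copy unrecoverable, so the passphrase needs to be managed as carefully as the data.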
Now that we know what we want to accomplish, the question is how to achieve it. Linux in fact has a built-in software package that works the way I described earlier: software embedded between the filesystem software and the device driver. That software is called dm-crypt. dm-crypt encrypts the data and then writes it to the storage device (through the device driver) using a storage format called LUKS.
LUKS (Linux Unified Key Setup) is the format used on the drive itself; in that sense it takes the place that a file system like ext4 would otherwise occupy. dm-crypt sits between the filesystem software and the device driver: the filesystem software reads and writes ext4, the ext4 data is pushed through dm-crypt, and dm-crypt stores it on the drive in the LUKS format. So a file system such as ext4 or NTFS effectively sits "above" the LUKS-encrypted format.
Note: dm-crypt is the name of the subsystem, and you can use many tools to work with it. There is no single command called dm-crypt. Some of the programs you can use to manage dm-crypt are:
• cryptsetup: this command-line program gives you low-level access for creating and managing dm-crypt devices.
• cryptmount: this program offers more features and is a little easier to use; you can read about it in this article from a few years ago: http://www.enterprisenetworkingplanet.com/netsecur/article.php/3742191/Create-Encrypted-Volumes-With-Cryptmount-and-Linux.htm.
One advantage of the dm-crypt system is that it does not have to deal with disk drivers directly. Instead of using LUKS on a whole disk partition, it can store all the data in a single file. This means you can have dm-crypt create a single file, then create an entire file system inside that file. After that, you can mount the file as if it were a separate drive and access it from any software, just as you would any other drive.
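The layering just described (file system above, dm-crypt in the middle, the raw device below) is exactly what a Linux system records in /etc/crypttab and /etc/fstab, and those two files also show the boot-partition constraint from earlier: /boot is mounted straight from a plain partition while the root file system is mounted from a /dev/mapper/ name that dm-crypt provides. The script below is an added example, not code from the article. It writes constructed sample copies of the two files (device names such as /dev/sda2 and mapping names such as cryptroot are placeholders) and prints, for every mount, which file system sits on which mapping and which backing device is underneath it.

```shell
#!/bin/sh
# Added example (not from the article): read a crypttab and an fstab and
# report, for every mount, what sits above dm-crypt (the file system) and
# what sits below it (the backing device), or that the mount is on plain
# storage.  The config files are constructed samples written to a temp dir;
# device and mapping names are placeholders.

set -eu

# write_sample_configs <dir>: constructed crypttab + fstab for the demo
write_sample_configs() {
    cat > "$1/crypttab" <<'EOF'
# <name>     <device>   <keyfile>        <options>
cryptroot    /dev/sda2  none             luks
cryptdata    /dev/sdb1  /root/data.key   luks
EOF
    cat > "$1/fstab" <<'EOF'
# <device>              <mount>  <fstype>  <options>          <dump> <pass>
/dev/sda1               /boot    ext4      defaults           0 2
/dev/mapper/cryptroot   /        ext4      errors=remount-ro  0 1
/dev/mapper/cryptdata   /data    ext4      defaults           0 2
EOF
}

# stack_report <crypttab> <fstab>
# One line per fstab entry:
#   MOUNT FSTYPE on DEVICE plain
#   MOUNT FSTYPE on /dev/mapper/NAME via dm-crypt over BACKING
stack_report() {
    awk '
        FNR == NR {                         # first file: crypttab
            if (NF == 0 || $1 ~ /^#/) next
            backing[$1] = $2; next
        }
        NF == 0 || $1 ~ /^#/ { next }       # second file: fstab
        {
            dev = $1; mnt = $2; fs = $3
            if (dev ~ /^\/dev\/mapper\//) {
                name = dev; sub(/^\/dev\/mapper\//, "", name)
                if (name in backing)
                    printf "%s %s on %s via dm-crypt over %s\n", mnt, fs, dev, backing[name]
                else
                    printf "%s %s on %s via dm-crypt over UNKNOWN (not in crypttab)\n", mnt, fs, dev
            } else {
                printf "%s %s on %s plain\n", mnt, fs, dev
            }
        }' "$1" "$2"
}

# boot_is_plain <crypttab> <fstab>
# Prints "yes" when /boot is mounted from a non-dm-crypt device (the
# arrangement the boot loader needs), "no" if it is under dm-crypt, or
# "no-boot-entry" if fstab has no /boot line.
boot_is_plain() {
    stack_report "$1" "$2" | awk '
        $1 == "/boot" { print ($NF == "plain") ? "yes" : "no"; found = 1 }
        END { if (!found) print "no-boot-entry" }'
}

# Demo on the constructed files.
dir=$(mktemp -d)
write_sample_configs "$dir"
stack_report "$dir/crypttab" "$dir/fstab"
echo "/boot on plain storage: $(boot_is_plain "$dir/crypttab" "$dir/fstab")"
rm -rf "$dir"
```

Running it on the sample files prints one line per mount, e.g. "/ ext4 on /dev/mapper/cryptroot via dm-crypt over /dev/sda2", and "/boot on plain storage: yes". Pointing the two functions at the real /etc/crypttab and /etc/fstab of a machine gives the same report for that machine; a mapping referenced in fstab but missing from crypttab is flagged, since such a mount would fail at boot.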
Because some cloud providers (such as Amazon Web Services) give you full root access and let you reach the block devices attached to your server, you can take advantage of dm-crypt there: format the block device with LUKS so that it is ready for your dm-crypt system, and after that format it with the ext4 file system. The end result is a fully encrypted drive that lives in the cloud and that you manage as your own drive. Want to try? This tutorial walks through the process of encrypting with cryptsetup: http://silvexis.com/2011/11/26/encrypting-your-data-on-amazon-ec2/.
Not every cloud provider gives you direct access to block devices the way AWS does. For example, Digital Ocean does not; however, you can still create a file, set up dm-crypt to use that file, and then create a so-called "container" inside the file that holds the file system. In fact, this process is exactly the same as creating an encrypted container file on your local machine. There is a tutorial on the Digital Ocean website, https://www.digitalocean.com/community/tutorials/how-to-use-dm-crypt-to-create-an-encrypted-volume-on-an-ubuntu-vps, describing how to create a dm-crypt LUKS container file. Note in this tutorial that, just as with a block device, you can create an entire file system (for example ext4) in it, but here the file system resides inside the container file.
And that brings us to how to do all of this locally. The tutorials just mentioned cover creating encrypted drives on Amazon and creating an encrypted container on your own local drive. Another tutorial (https://www.howtoforge.com/tutorial/how-to-encrypt-a-linux-partition-with-dm-crypt-luks/) gives step-by-step instructions for encrypting a partition on your local hard drive; it also uses cryptsetup.
If you want to create a local container file holding an entire encrypted file system, simply follow the steps of the Digital Ocean tutorial above.
Or, if you want to use the other program, cryptmount, to encrypt an entire partition or create a container file, see this tutorial: http://www.enterprisenetworkingplanet.com/netsecur/article.php/3742191/Create-Encrypted-Volumes-With-Cryptmount-and-Linux.htm. Its author, Carla Schroder, gives a few clear steps.
That's it. If you want to know how to encrypt, it is important first to understand exactly what you are actually trying to accomplish: should the application encrypt and decrypt the data, or should the operating system handle the encryption; do you want to encrypt an entire partition or just individual files; or do you want to create a container that holds an encrypted file system. After that, you can follow the steps in the tutorials I have linked in this article and complete the encryption successfully.
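The container-file case described in the last few paragraphs (a single file, LUKS inside it, ext4 on top, mounted like a separate drive) comes down to a short, fixed sequence of cryptsetup, mkfs and mount commands, and the close sequence is the same stack torn down in reverse. The script below is an added example, not the article's or any tutorial's own code. The real commands need root, the cryptsetup package and loop-device support; with DRY_RUN=1 the script prints each command instead of running it, so the sequence can be reviewed on any machine. The file path, size, mapping name cryptvol and mountpoint are placeholders, and the random pre-fill of the file is the commonly recommended practice rather than something the article states.

```shell
#!/bin/sh
# Added example (not from the article): create, open and close a LUKS
# container held in an ordinary file with cryptsetup.  Stack, top to bottom:
# ext4 -> /dev/mapper/<name> (dm-crypt) -> LUKS-formatted file on disk.
# Real execution needs root, cryptsetup and loop-device support; DRY_RUN=1
# prints each command instead.  All names and sizes are placeholders.

set -eu
DRY_RUN=${DRY_RUN:-0}

run() {                         # execute the command, or echo it when DRY_RUN=1
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# container_create <file> <size-MiB> <mapping-name> <mountpoint>
container_create() {
    file=$1; size_mib=$2; name=$3; mnt=$4
    # 1. Reserve the file, filled from /dev/urandom (commonly recommended so
    #    that used and unused space look alike); restrict it to the owner.
    run dd if=/dev/urandom of="$file" bs=1M count="$size_mib" status=none
    run chmod 600 "$file"
    # 2. Write a LUKS header into the file (cryptsetup prompts for a passphrase).
    run cryptsetup luksFormat "$file"
    # 3. Open it: dm-crypt now exposes the plaintext view at /dev/mapper/<name>.
    run cryptsetup open "$file" "$name"
    # 4. Create ext4 ABOVE dm-crypt and mount it; applications see a normal drive.
    run mkfs.ext4 -q "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
}

# container_open <file> <mapping-name> <mountpoint>: reuse an existing container
container_open() {
    run cryptsetup open "$1" "$2"
    run mount "/dev/mapper/$2" "$3"
}

# container_close <mapping-name> <mountpoint>: tear the stack down in reverse,
# unmounting the file system before removing the dm-crypt mapping.
container_close() {
    run umount "$2"
    run cryptsetup close "$1"
}

# Demo (placeholder paths):  DRY_RUN=1 CONTAINER_DEMO=1 sh luks_container.sh
if [ "${CONTAINER_DEMO:-0}" = 1 ]; then
    container_create /srv/vault.img 256 cryptvol /mnt/vault
    container_close cryptvol /mnt/vault
    container_open /srv/vault.img cryptvol /mnt/vault
fi
```

After the mapping is closed, the only thing left on disk is the random-looking vault.img; the passphrase entered at luksFormat (or a key added later with cryptsetup luksAddKey) is what stands between the file and its contents, so back it up separately from the container. The dd status=none flag is GNU-specific; drop it on other dd implementations.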