Difference between revisions of "Encrypted Filespace with EncFS"

From NAS-Central Buffalo - The Linkstation Wiki
(Bonnie++ I/O Speeds)
m (Remount)
Line 44: Line 44:
 
===Remount===
 
===Remount===
 
* And remount it when you need it the same way you created it, this time you will just be prompted for the password you used when you created it.
 
* And remount it when you need it the same way you created it, this time you will just be prompted for the password you used when you created it.
  encfs --public /mnt/locked /mnt/share/locked
+
  encfs /mnt/locked /mnt/share/locked -- -o allow_other
  
 
== What's the point? ==
 
== What's the point? ==
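Review bot: the new Remount command no longer matches the rest of the page. The replacement line uses "encfs /mnt/locked /mnt/share/locked -- -o allow_other", while the "Create an encrypted partition" step and mountcrypt.sh still call "encfs --public /mnt/locked /mnt/share/locked", and the unchanged bullet above it still says to remount "the same way you created it". Either update those places in the same edit or add a sentence to the Remount text saying why the remount needs different options; the edit summary "m (Remount)" does not explain it.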

Revision as of 02:22, 3 October 2006

This article is based on work done by Ramuk and Andre on Linkstationwiki.org

PowerPC Only : This method only works for the powerpc-hdhlan and powerpc-hdhglan LinkStations.

Abstract

This article is for people who want to add an encrypted filespace to their LinkStation[1]. We will use the powerpc-hdhglan LinkStation for our example. EncFS[2] is used to do this. This will probably work on any PPC LinkStation. It may work on a MIPS LinkStation, but you'll have to compile the FUSE[3] module yourself somehow.

Encryption Type : EncFS was chosen because of its relative ease and speed of use. Loop-AES could be used as well[4]. A client-side encryption system like TrueCrypt[5] could be used from a Windows client. The TeraStation people have a nice tutorial on using TrueCrypt[6].

Prerequisites

This article assumes that you have installed FreeLink or OpenLink. You will also need to upgrade to a 2.6 kernel. Use these instructions: Upgrade to the 2.6-kernel (ppc only)

Method

Install the FUSE module

  • I used the binaries from André's site[7]:
wget http://hvkls.dyndns.org/downloads/fuse_2.5.3-binaries-ppc.tar.gz
tar -C / -xvzf fuse_2.5.3-binaries-ppc.tar.gz

Install EncFS

FreeLink

apt-get install encfs

OpenLink

wget http://downloads.linkstationwiki.net/packages/ppc/rlog-1.3.7_ppc.tar.gz
tar -C / -xzvf rlog-1.3.7_ppc.tar.gz
wget http://downloads.linkstationwiki.net/packages/ppc/encfs-1.3.1_ppc.tar.gz
tar -C / -xzvf encfs-1.3.1_ppc.tar.gz

Create an encrypted partition

  • Place it in a shared directory if you want to access it as a file share using Samba.
encfs --public /mnt/locked /mnt/share/locked

/mnt/share here is a shared directory. /mnt/locked is where the encrypted bits will be stored and /mnt/share/locked is where the (de)crypted space will be mounted to. You will be prompted for the type of encryption that you want and for password creation. Look here for more details on using EncFS.

Access Permissions

  • You will have to chmod the created directory so everyone can access it
chmod og+rwx /mnt/share/locked/

Be aware that it takes a long time for files to be encrypted when you copy or move them into this directory. Apart from that, you can use this directory like any other shared space with Samba. After files are placed in there, they can be accessed pretty fast.

Unmount

  • You can unmount the partition at any time in which case the encrypted directory will end up appearing blank.
fusermount -u /mnt/share/locked

Remount

  • Remount it when you need it the same way you created it. This time you will just be prompted for the password you used when you created it.
encfs /mnt/locked /mnt/share/locked -- -o allow_other

What's the point?

Slow to Write
I've been using this solution for a while now; it's slow to ENcode data but faster to DEcode data, so saving (ENcoding) a file over 50MB to an encrypted share over Samba can be somewhat buggy. So I save files to an unencrypted share and then move them over to the encrypted filespace from the command line. Reading (DEcoding) the files works fine for me for files that are even 1-2GB in size - Ramuk 22:44, 15 August 2006 (EDT)


What's the point of all this? You can create an encrypted file space that, once mounted, functions completely transparently as a shared directory. Once it is unmounted, either manually or automatically (when the system is shut down), the data exists only in encrypted form in the encrypted directory you specified, in this example /mnt/locked. If your LinkStation is stolen or lost, the data is no longer accessible without the password as soon as the device is unplugged. Even if someone cracks open the device and takes the hard drive out, all they will be able to get is encrypted gibberish in that directory. However, they would be able to figure out how MANY files you had in that directory and the SIZE of each file, because EncFS encrypts each file individually, not the block device.
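What that last point looks like in practice, as an added example that is not part of the original article: the two functions below report the file count, directory count and file sizes that can be read from the encrypted directory without the password. The function names are made up for this example; /mnt/locked is the article's path.

```shell
#!/bin/sh
# Added example (not from the original article): report what the encrypted
# directory reveals to someone who has the disk but not the password.
# Usage: sh encfs_leak.sh /mnt/locked

# Print "<files> <directories> <total bytes> <largest file bytes>".
# EncFS control files such as .encfs5 are not counted as user data.
encfs_leak_summary() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Subtract 1 so the top-level directory itself is not counted.
    dirs=$(( $(find "$dir" -type d | wc -l) - 1 ))
    find "$dir" -type f ! -name '.encfs*' -exec sh -c \
        'for f; do wc -c < "$f"; done' sh {} + |
    awk -v d="$dirs" '{ n++; t += $1; if ($1 > m) m = $1 }
        END { printf "%d %d %.0f %.0f\n", n, d, t, m }'
}

# List the N largest encrypted files as "<bytes> <path>" (default N = 10).
# The contents are unreadable, but the sizes follow the original files.
encfs_leak_largest() {
    dir=$1
    n=${2:-10}
    find "$dir" -type f ! -name '.encfs*' -exec sh -c \
        'for f; do printf "%s %s\n" "$(wc -c < "$f")" "$f"; done' sh {} + |
    sort -rn | head -n "$n"
}

# When called with a directory argument, print the summary for it.
[ "$#" -eq 0 ] || encfs_leak_summary "$1"
```
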

Keyfile and Security

The keyfile is stored in the encrypted directory as /mnt/locked/.encfs5. If you want even more security, you could store it externally (on a USB key drive, for example) and move it to the proper location.
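One way to handle the external keyfile, as an added example (not from the original article): copy the keyfile to the USB stick once, stage it before mounting, and remove the on-disk copy after unmounting only when the USB copy is byte-identical. The function names and the /mnt/usbkey mount point are assumptions; /mnt/locked/.encfs5 is the article's path.

```shell
#!/bin/sh
# Added example, not from the original article.
# LOCKED is the article's encrypted directory; USBKEY is an assumed mount
# point for the USB key drive. Override either from the environment.
LOCKED=${LOCKED:-/mnt/locked}
USBKEY=${USBKEY:-/mnt/usbkey}

# One-time step: copy the keyfile to the USB stick and verify the copy.
export_keyfile() {
    [ -f "$LOCKED/.encfs5" ] || { echo "no keyfile in $LOCKED" >&2; return 1; }
    cp "$LOCKED/.encfs5" "$USBKEY/.encfs5" || return 1
    cmp -s "$LOCKED/.encfs5" "$USBKEY/.encfs5"
}

# Before mounting: put the keyfile back where encfs looks for it.
stage_keyfile() {
    [ -f "$USBKEY/.encfs5" ] || { echo "no keyfile on $USBKEY" >&2; return 1; }
    cp "$USBKEY/.encfs5" "$LOCKED/.encfs5" && chmod 600 "$LOCKED/.encfs5"
}

# After unmounting: remove the on-disk keyfile, but only if the USB copy is
# byte-identical. Deleting the last good copy makes the data unrecoverable.
unstage_keyfile() {
    [ -f "$LOCKED/.encfs5" ] || return 0
    if ! cmp -s "$LOCKED/.encfs5" "$USBKEY/.encfs5" 2>/dev/null; then
        echo "USB copy missing or different; keeping $LOCKED/.encfs5" >&2
        return 1
    fi
    rm -f "$LOCKED/.encfs5"
}

# Typical session, using the commands from the article:
#   stage_keyfile && encfs --public /mnt/locked /mnt/share/locked
#   fusermount -u /mnt/share/locked && unstage_keyfile
```

Deleting the file does not wipe the disk blocks it occupied, so a keyfile that has lived in /mnt/locked may remain recoverable from free space on that disk.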


Shell Scripts

#!/bin/bash
# mountcrypt.sh
# You can change these lines to reflect the locations on your system
# or add whatever user comments you want

usage() {
    echo "mountcrypt [m|mount|u|unmount]"
    echo " either mounts or unmounts our encrypted shared file space to /mnt/share/locked"
}

# Quote $1 so an empty or multi-word argument is tested correctly
if [ -z "$1" ]
then
    usage
    exit 1
fi

# You will have to change the directories to reflect what is on your
# system here

case "$1" in
    "m" | "mount" )
        # Report success only if encfs actually mounted the filesystem
        /usr/bin/encfs --public /mnt/locked /mnt/share/locked \
            && echo "Encrypted filesystem now mounted"
        ;;
    "u" | "unmount" )
        # Report success only if the unmount actually worked
        /usr/bin/fusermount -u /mnt/share/locked \
            && echo "Encrypted filesystem has been unmounted"
        ;;
    * )
        usage
        exit 1
        ;;
esac

Bonnie++ I/O Speeds

Here is a speed comparison using Bonnie++[8] as a diagnostic tool. Fifilein is trying to use AES/DMCrypt, and his numbers are in the speed comparison too[9]. All numbers are from an HG-LS.

Sequential output, sequential input and random seeks:

                          Sequential Output                   Sequential Input        Random
                          Per Chr     Block       Rewrite     Per Chr     Block       Seeks
Name                Size  K/sec  %CP  K/sec  %CP  K/sec  %CP  K/sec  %CP  K/sec  %CP  /sec   %CP
FifNAS.XFS          300M  2142   99   27711  90   15149  63   2246   99   40324  53   208.8  4
FifNAS.ext3         300M  1663   84   10052  80   11256  55   2222   98   22079  29   192.5  4
Ramuk.ext3          300M  1946   95   18425  85   14093  63   2166   98   37001  57   154.2  3
FifNAS AES256.XFS   300M  1506   69   4292   13   2114   9    1483   65   4046   5    184.9  4
FifNAS AES256.ext3  300M  1259   63   2699   20   1766   9    941    78   4021   4    168.4  4
Ramuk encFS.ext3    300M  1042   49   2088   5    1430   5    1388   63   3619   5    74.0   1

Sequential create and random create:

                           Sequential Create                   Random Create
                           Create      Read        Delete      Create      Read        Delete
Name                Files  /sec   %CP  /sec   %CP  /sec   %CP  /sec   %CP  /sec   %CP  /sec   %CP
FifNAS.XFS          16     290    22   XXXXX  XXX  279    18   294    22   XXXXX  XXX  163    10
FifNAS.ext3         16     134    99   XXXXX  XXX  7785   95   135    99   XXXXX  XXX  492    97
Ramuk.ext3          16     163    97   XXXXX  XXX  7736   97   165    97   XXXXX  XXX  850    96
FifNAS AES256.XFS   16     338    95   XXXXX  XXX  312    94   338    95   XXXXX  XXX  223    66
FifNAS AES256.ext3  16     132    98   XXXXX  XXX  6279   77   133    98   XXXXX  XXX  448    88
Ramuk encFS.ext3    16     112    2    1311   9    704    8    112    2    1568   11   355    4

References

  1. The Linkstation Community Forum / Linkstation HG (ppc) / Encrypted Partitions, and Installing modules (FUSE)
  2. The EncFS Wiki: http://arg0.net/wiki/encfs
  3. The FUSE Wikipedia Page: FUSE:Wikipedia
  4. Comparison of various Encryption Schemes: Encrypt filesystems with EncFS and Loop-AES
  5. Truecrypt - Free open-source disk encryption software for Windows XP/2000/2003 and Linux - http://www.truecrypt.org
  6. terastationwiki:Encryption, NTFS Support, and Windows Share Management
  7. André's site with 2.6 kernel and compiled FUSE binary: http://hvkls.dyndns.org/
  8. Bonnie++ disk benchmark: http://www.coker.com.au/bonnie++/
  9. The Linkstation Community Forum / Everything else / JBOD with ENCFS, Key on USB Stick