Like many people that have multiple locations, I sometimes have to get in my car and sneaker-net a hard drive to another facility. Sometimes I ship them via FedEx. In any event, whenever I take a hard drive out of my business, I run the risk of becoming another statistic. These days, it seems that a month doesn't pass where some high profile data has been breached. It happens frequently enough that there's a blog devoted to it.
Anyway, I've been looking for ways to encrypt the drives I transport. It looks like the "best" way is to use TrueCrypt for encrypting the entire device. It's cross platform (Windows, MacOS, and Linux) and has a great interface and is pretty easy to script.
My problem is that it is a comparative pain in the butt to get running on my platform of choice (CentOS/RHEL5). If you look, the only supported Linux versions are Ubuntu and SLES. Yes, I can compile from the source, and I have to test things, but I don't want to have to manually recompile things on production servers. I suppose I could compile it once and package an RPM if I had the time and knowledge (and the time to acquire the knowledge). Instead, I decided that it wasn't the solution for me, unless it was the only solution available. So I kept searching.
Today I chanced upon what I think is a great solution. Using the dm-crypt software along with built in loop devices, it's possible to encrypt a device without using any non-native software.
In the (hopefully) unlikely event that the link I pointed to goes away, here is the (much abridged) process:
If you're using a file, rather than a device (to have an encrypted volume sitting on an otherwise unencrypted filesystem), create the file, here using 'dd':
dd of=/path/to/secretfs bs=1G count=0 seek=8
Setup the loop to point to your file/device:
losetup /dev/loop0 /path/to/secretfs
Create the encrypted volume with cryptsetup:
cryptsetup -y create secretfs /dev/loop0
Create the filesystem on the device:
mkfs.ext3 /dev/mapper/secretfs
Mount the encrypted filesystem:
mount /dev/mapper/secretfs /mnt/cryptofs/secretfs
And now you have access.
To remove the filesyste, perform the last few steps in reverse:
umount /mnt/cryptofs/secretfs
cryptsetup remove secretfs
losetup -d /dev/loop0
Whenever you want to remount the device, just follow all the steps above that don't use dd or create filesystems.
There you go, an easy way to have encrypted volumes on your CentOS/RHEL machines.
skip to main |
skip to sidebar
A blog for IT Admins who do everything by an IT Admin who does everything
Blogs I frequently don't have time to read
Posts
Blog Archive
-
▼
2008
(184)
-
▼
November
(29)
- Gift ideas for you and the other sysadmins in your...
- More LVM information
- Quality Assurance vs Quality Control
- Doing sysadminy things with Windows PreInstalled E...
- Happy Thanksgiving!
- The case of the 500-mile email
- Infrastructure Switchover
- Interesting bug in fresh CentOS install (or why I'...
- Imagine a beowu...wait, I mean RAID array of these...
- Configuring the Netgear SSL VPN Concentrators (SSL...
- Default vsftpd on CentOS is dumb
- Unix Rosetta Stone
- Wacky SSH Authorized Keys Tricks
- Great tool for network diagramming
- Building and designing systems: Is the cart pullin...
- Host to host security with SSH Keys
- Datacenter that could belong to S.P.E.C.T.R.E.
- Tips for an initial buildout
- Sysadmin Extorts company for better severance package
- Where to put your system monitoring
- Encrypted Filesystems out of the box on CentOS
- Best. Bug. Ever.
- Justify the extistance of IT (from Slashdot)
- The Creative Admin
- WPA TKIP Cracked
- Stupid Unix Tricks (from Slashdot)
- The balance of security and usability
- Scalability in the face of the incoming onslaught
- Sysadmin Mobile Devices
-
▼
November
(29)
People following this blog
Other affiliations / blog groups
I have a monthly column at
My blog is a part of
I'm a member of
My blog is a part of
I'm a member of
Calling all guest bloggers
Do you have an idea for a blog entry that you want to write? Do you have a blog entry that you've already written, but don't have a place to publish it? I'm definitely interested!
As I don't make any money on this site, I can't offer to pay you for it, but I will happily link to whatever web presence you'd like. My current subscriber count is right around 500 people, so your article would be viewed by a lot of people.
To get in touch, email me at
standalone.sysadmin@gmail.com
As I don't make any money on this site, I can't offer to pay you for it, but I will happily link to whatever web presence you'd like. My current subscriber count is right around 500 people, so your article would be viewed by a lot of people.
To get in touch, email me at
Twitter / standaloneSA
Automatically Generated Amazon Ads
Labels
- security (14)
- networking (13)
- storage (12)
- vacation (9)
- administrivia (8)
- advice (7)
- guest blog (7)
- server room (6)
- virtualization (6)
- backup (5)
- learning (5)
- monitoring (4)
- nagios (4)
- whining (4)
- asking questions (3)
- blog (3)
- cat5 (3)
- fail (3)
- fiber (3)
- physical infrastructure (3)
- remote management (3)
- troubleshooting (3)
- windows (3)
- CLI (2)
- LVM (2)
- archive (2)
- colocation (2)
- debian (2)
- debugging (2)
- dns (2)
- esxi (2)
- giveaway (2)
- hardware (2)
- howto (2)
- laptop (2)
- lisa (2)
- policy (2)
- preblog (2)
- racks (2)
- redundancy (2)
- tech support (2)
- telecom (2)
- training (2)
- vmware (2)
- vpn (2)
- AoE (1)
- IPv6 (1)
- Level3 (1)
- Linux (1)
- NAS (1)
- QA (1)
- QC (1)
- T1 (1)
- active directory (1)
- article (1)
- automation (1)
- bandwidth (1)
- benchmark (1)
- bgp (1)
- blackberry (1)
- blogiversary (1)
- books (1)
- burnout (1)
- business (1)
- centos redhat ldap bugzilla (1)
- checklists (1)
- cisco (1)
- clusters (1)
- competition (1)
- conference (1)
- convention (1)
- cooling (1)
- database (1)
- documentation (1)
- education (1)
- encryption (1)
- ethernet (1)
- ethics (1)
- fibre channel (1)
- filesystems (1)
- fire (1)
- freebies (1)
- heroics (1)
- high availability (1)
- imaging (1)
- incident response (1)
- installation (1)
- international (1)
- iscsi (1)
- kvm (1)
- ldap (1)
- leasing (1)
- licenses (1)
- link (1)
- load balancing (1)
- marketing (1)
- mobile (1)
- money (1)
- openbsd (1)
- oracle (1)
- osx (1)
- passwords (1)
- patching (1)
- project management (1)
- rack unit (1)
- raid (1)
- recycling (1)
- remote desktop (1)
- resources (1)
- routing (1)
- rss (1)
- safari (1)
- sage (1)
- san (1)
- shortcuts (1)
- slashdot (1)
- small infrastructure (1)
- social networking (1)
- soho (1)
- ssl (1)
- stress (1)
- switches (1)
- systems administration (1)
- technology (1)
- terminal server (1)
- time management (1)
- top list (1)
- toplist (1)
- twitter (1)
- uptime (1)
- usenix (1)
- wireless (1)
- xen (1)