Install and Use a Cryptographic File System

Working with encryption can be onerous if it requires the constant encryption and decryption of files in an archive that you use on a regular basis. In these circumstances, you may want to consider the use of disk encryption. One of the easiest ways to do it is with the CFS package. This is a program originally written by Matt Blaze that has since promulgated into many variations and flavors. There is TCFS, which is an Italian variety, as well as others. Unfortunately, however, the Linux Crypto API documentation has been taken offline in protest over software patents in Europe by the people responsible for hosting it. Due to the endless nature of the protest, the Crypto API and many of the efforts to create Linux-specific cryptographic functionality have since grown moribund. For the following examples, the archive at http:// sourceforge .net/projects/cfsnfs/ was used. Google will provide other possible archives of interest if you search with keywords of cryptographic filesystem linux.

To install the package found on the site, run the following command:

 rpm -vv -i cfs-1.4.1-5.i386.rpm 

This will install a complete package for CFS. It is recommended that you take this approach, as it simplifies the creation of the various script files. Afterward, however, you will have to fix broken symbolic links if you are running SUSE. The package is installed in /etc/init.d and /etc/rc.d, and installs directories called rc0.d through rc5.d, with scripts in them that are named appropriately, but linked to ../init.d/cfsd, which will not work under SUSE. The broken links in SUSE are easy to spot, and this is not a problem for Red Hat. Do the following to correct them if you are running SUSE; skip these steps if you are using Red Hat:

1. Change to the first rc directory where there is an error:

    cd /etc/init.d/rc0.d 

2. Remove the old file:

    rm K15cfsd 

3. Then use the following command to relink to the script to files to shut the program down cleanly:

    ln -s ../cfsd K15cfsd 

4. Repeat the above steps for /etc/init.d/rc1.d and /etc/init.d/rc2.d.

5. In /etc/init.d/rc3.d and /etc/init.d/rc5.d, use the following command to create the links to start the program:

    "rm S65cfsd ; ln -s ../cfsd S65cfsd" 

6. Edit the /etc/init.d/cfsd script to make your mount points appropriate to your needs if you are changing from the default.

You can now restart the system and CFS will run normally. If you wish, you may change the mount points by modifying the /etc/exports file, and modifying the /etc/init.d/cfsd script to reflect the locations you prefer.

Since it is all too likely that you will have to build and install CFS for yourself, the steps to do so will be laid out for you here. There may be some differences among the flavors of CFS out there, but many of the essential elements will be the same. There are more steps in this method, but if you want to tweak things, this will get you started. If you have installed the RPM binary package, you can skip this section.

The following command will install the necessary sources in the /usr/src/packages/SOURCES directory:

 rpm -install cfs-1.4.1-5.src.rpm 

From there it is a matter of unpacking the files and building the source trees. This version of CFS needs the RSAref2 package, which is included as a part of the RPM. Since it needs to be installed first, the following steps should be taken:

1. Set your umask to 022, and cd to the /usr/src/packages/SOURCES/ directory.

2. Unpack the gzipped tar file like this:

    gzip -dc rsaref2.tar.gztar -xvf - 

3. cd into the resulting rsaref2 directory.

4. cd further into the install directory, then the unix directory.

5. Type make to build the software with default options. This will result in two programs and one library file. The programs are dhdemo and rdemo, demonstration programs for Diffie-Hellman extensions to the RSA reference package, and for the RSA cryptographic functions. The library file is named rsaref.a, and contains functions needed to compile CFS.

6. Copy dhdemo and rdemo into /usr/local/bin.

7. Copy rsaref.a into /usr/local/lib, then run ranlib on it to reset the libraries contents manually, by executing the following command:

    ranlib /usr/local/lib/rsaref.a 

8. Copy the header files from the rsaref2/sources directory into /usr/local/include. You may want to specify the -i switch to avoid possibly overwriting similar header files if they exist. The command with full pathnames would look like this:

    # cp -i /usr/src/packages/SOURCES/rsaref2/sources/*.h /usr/local/include 

9. These locations will later be used in the CFS makefile to tell it where to look for the files.

That s all there is to that step. There is no install option in the makefile, so installation needs to be done by hand. In the next steps, building and installing CFS will be done:

1. Unpack the CFS software from the gzipped tar file with the following command:

    gzip -dc cfs-1.4.1.tar.gztar -xvf - 

2. cd into the cfs-1.4.1 directory, and open the makefile in an editor of your choice.

3. On line 78, change the COPT=-O2 -DPROTOTYPES=1 line to say COPT=-O2 -DPROTOTYPES=0 .

4. On line 87, change the RSALIB= variable to say /usr/local/lib/rsaref.a instead of the default of /usr/mab/rsaref/install/rsaref.a, which will not exist on your system.

5. On line 88, change the RSAINCLUDES= line to read /usr/local/include instead of the original /usr/mab/rsaref/source.

6. Uncomment lines 128 to 131, and remove the -traditional flag from line 128 so that your text looks something like this:

    CFLAGS=$(COPT) -U__OPTIMIZE__ -Dd_fileno=d_ino -I$(RINCLUDES) LIBS= COMPAT= RPCOPTS= -k -b 

7. Put a comment at the beginning of line 232 to make it look like this:

    #CC=you_forgot_to_edit_the_makefile 

8. Save the file and exit.

Following that, you will be ready to build CFS. This is straightforward; in the source directory, typing make alone will give you the potential targets:

 make cfs, esm, install_cfs or install_esm 

The first step is to make CFS, so to do so just type make cfs . Next type make esm to make the esm program. Once these builds have completed without errors, you can install the software by typing make install_cfs and make install_esm . You will then have to install the man pages by hand. You will do this from the CFS source directory as follows :

 cp *.1 /usr/local/man/man1 cp *.8 /usr/local/man/man8 

That is the last step to installing the software. Next you need to configure it for use. CFS has some uncommon requirements because it operates over the loopback network interface, and functions much like a normal NFS mount would.

To configure it for use, take the following steps:

1. Pick a bootstrap mount point. This will not get used for anything, but is necessary for everything to run. It s easiest to make a directory called /null to do this. Create the directory and remove unnecessary permissions as follows:

    mkdir /null;chmod 0 /null 

2. Add a line to your /etc/exports file that contains the words /null localhost on a single line.

3. Make a directory where you want your encrypted file system to be mounted. For example, mkdir /crypt will put it in the root directory on /.

4. Create an rc startup script that should be run by the system after the mount command is run. This should be put in /etc/init.d/rc2.d under SUSE, and /etc/rc2.d under Red Hat. The contents of the script should be something like this:

    if [ -x /usr/local/etc/cfsd ]; then     /usr/local/etc/cfsd && \         /etc/mount -o port=3049,intr localhost:/null /crypt fi 

   This contains the mount points that we specified earlier. If you want them located in different places, the file systems containing them must be mounted before cfsd starts in order for it to function correctly.

5. At this point you may either reboot or start CFS manually. To do so you will have to export the null mount that you created before, by executing exportfs -a . You may also have to start /usr/sbin/rpc. mountd . Once you have done that, you can run the following command to fire up the CFS daemon:

    /usr/local/etc/cfsd & 

6. Run the following command to set up the mount over the loopback:

    mount -o port=3049,intr localhost:/null /crypt 

7. If everything has happened correctly, you should be able to run an ls of the /crypt directory, and see the mount using df . It should look something like this:

    #df -a Filesystem           1K-blocks      Used Available Use% Mounted on /dev/sda7              8385636   2020300   6365336  25% / proc                         0         0         0   -  /proc devpts                       0         0         0   -  /dev/pts /dev/sda5                15522      5734      8987  39% /boot shmfs                   144144         0    144144   0% /dev/shm usbdevfs                     0         0         0   -  /proc/bus/usb localhost:/null              0         0         0   -  /crypt 

Notice that the mount over the loopback device is visible as localhost:/null for a source export, and the subsequent mount is on /crypt.

To test and use CFS, the first command you will run will be cmkdir exampledir to create an encrypted directory. The command is straightforward, and will create a directory in the place of your choosing that is an empty CFS file system. In this example,

 werewolf:/home/budcobackup/testcfs # cmkdir cfstest Key: Again: 

you can see that cmkdir prompts twice for a password. Thereafter, this is the password you want to use to attach the encrypted directory for use.

This created a directory called cfstest relative to the location in which it was run. In this case it is a directory inside our home directory. Listing the contents of this directory yields output that looks like this:

 werewolf:/home/budcobackup/testcfs/cfstest # ls -al total 16 drwxr-xr-x    2 root     root          144 2004-05-24 18:21 . drwxr-xr-x    4 root     root           96 2004-05-24 18:21 .. -rw-r--r--    1 root     root            8 2004-05-24 18:21 ... -rw-r--r--    1 root     root            1 2004-05-24 18:21 ..c -rw-r--r--    1 root     root           32 2004-05-24 18:21 ..k -rw-r--r--    1 root     root            7 2004-05-24 18:21 ..s 

Next you want to run the cattach program to mount your encrypted directory and be able to use it like you would a normal file system. Use the following syntax,

 cattach  your-cmkdir-name  

where the argument is the directory name you used when you ran the cmkdir command. In the following example, you can see that cattach prompted for your password and then exited:

 werewolf:/home/budcobackup/testcfs # cattach cfstest Key: 

Now, however, looking in /crypt we can see a new directory,

 # ls -l /crypt total 1 drwxrwxrwx    4 root     root         8192 2004-05-24 18:23 . drwxr-xr-x   24 root     root          552 2004-05-24 17:27 .. drwx------    2 root     root          144 2004-05-24 18:21 cfstest 

which shows that there is a new directory cfstest available for use. If you copy files into that /crypt/cfstest directory, you will be able to work with them as though they were in a normal directory. However, if the encrypted directory is not mounted or attached, you will not be able to see them. To unmount the CFS file system, use the cdetach command. The argument to it is the name of the encrypted directory that you want to detach from the /crypt mount point. In the following example, you can see that the cfstest directory is no longer visible:

 werewolf:/ # cdetach cfstest werewolf:/ # ls -l /crypt total 1 drwxrwxrwx    4 root     root         8192 2004-05-24 18:39 . drwxr-xr-x   24 root     root          552 2004-05-24 17:27 .. 

The files are there, just encrypted and stored under the directory that was made when you ran the cmkdir command earlier.

With a little creativity, it is very easy to customize locations that are suitable for use with CFS. Care must be taken with mounting file systems, as the cleartext space inside the directories that you have attached are visible to anyone who has permissions to look at your files, and are otherwise unprotected as long as you have the crypto file system attached.