Tropenhitze

Can you feel it?

Archive for the ‘encryption’ Category

Creating CRYPTO_LUKS partitions on openSuSE that can be accessed both from Windows and Linux


This tutorial helps you create an encrypted partition on your fixed or portable hard drive that can only be accessed by unlocking it with the password that you entered at the time of creation. You might not need a tutorial for this, but if you want to access the encrypted CRYPTO_LUKS partition both from Windows and from Linux, this tutorial can help you.

For the purposes of this tutorial, I assume the following:

  1. You have a new 500 GB (just for example) external hard drive, on which you’d like to have two partitions of 250 GB each, one normal and the other one encrypted with CRYPTO_LUKS. This is not an absolute requirement. You can apply this same tutorial to fixed drives, portable drives, thumb drives and so on.
  2. You have some version of openSuSE installed on your machine. (You don’t actually need it to be openSuSE. You can use the KDE Partition Manager on any Linux platform, or you can even do it from a bootable version of KDE Partition Manager available on sourceforge.net.)

Steps:

  1. Open the YaST Control Center and open Partitioner.
  2. In the Partitioner, you will see the list of hard drives found on your machine. If you have an external hard drive, connect it before opening the Partitioner.
  3. Point to your external hard drive and, if there are already partitions on it, delete them. (Before deleting them, back up any data that might be present, as the data will be permanently erased.)
  4. Now right-click on the hard disk and select “add partition”. Let’s say you want this partition to be a normal NTFS partition that can be accessed both from Windows and from Linux.
  5. Select primary partition and click on next.
  6. Select custom size and enter 250 GB.
  7. On the next screen, select “Do not format partition” and under the check box “File System ID” select “0x07 NTFS” and click on finish. You may later need to log on to Windows and format this partition with Windows without enabling compression (or you’ll not be able to access it from Linux).
  8. Now in the partition manager, right-click on the external hard disk once again, select “add partition”, select “primary partition” on the next screen and click “next”.
  9. Now select “Maximum size” in the “new partition size” and click “next”.
  10. Choose the option “Format partition”, select “Ext4” under “File System”, tick the check box Encrypt device, click “Next” and enter a password. (Do not forget this password.)
  11. After you have entered a password you’ll be back in the partition manager. Now click on “Next” and you’ll get a summary of the changes. Confirm the changes if you agree by clicking Finish. (Warning: This action cannot be undone.)
  12. Wait for some time while the Partition Manager performs the requested tasks.
  13. Now if you are using openSuSE, you’ll be able to access both partitions from Dolphin. But wait, in order to make the encrypted partition accessible both from Windows and Linux you need to follow the steps below.
  14. To make it accessible from Windows, log on to Windows and connect the external hard drive.
  15. On Windows you’ll be shown only the non-encrypted partition. Format it once using NTFS but don’t enable compression (or you won’t be able to access it from Linux).
  16. Now in order to access the encrypted CRYPTO_LUKS partition on Windows you need an open source tool called FreeOTFE, which can be downloaded from here.
  17. After you have installed FreeOTFE on Windows, open it and select Mount. There you’ll see all the disks on your system. Find out which is your external hard drive and there you’ll be able to see the encrypted partition.
  18. Click on it, enter the same password that you entered in Step 10 and mount it.
  19. You’ll get the notification that “your partition has been mounted as drive <some drive letter here>”. Acknowledge this message box and only then will you be shown the partition in Windows Explorer.
  20. Now open Windows Explorer and double-click on the encrypted partition you just mounted using FreeOTFE.
  21. You will be asked to format it. Format it using NTFS, just this once, without enabling compression.
  22. Hereafter you can mount the partition using FreeOTFE and access it from Windows. Don’t forget to unmount it in FreeOTFE before you shut down or before you remove your disk. This is essential.
  23. Now log on to Linux and click on the encrypted partition, enter the password and you’ll be able to access it from there. If you copied some files to the encrypted partition while you were on Windows, you’ll be able to access them from Linux.

I hope this long tutorial helps.

You can also use the steps mentioned here to create a single encrypted partition on thumb drives that can be accessed both from Linux and from Windows using FreeOTFE. Please drop your comments if my tutorial was very confusing or if you find it useful.

Thank you!


Disable auto mount of encrypted LUKS (CRYPTO_LUKS) partition on openSuSE 11.2 while booting


If you have set up an encrypted partition on your openSuSE 11.2, it will prompt you during boot to enter the LUKS password before proceeding to the login screen. Even though it continues booting if no input has been entered for more than 3 minutes, you may find this annoying, or you may want the encrypted partition to be mounted only on the fly whenever you wish. This workaround enables you to do so.

Open Terminal and type

cat /etc/crypttab

which should result in something like

cr_sdb4 /dev/disk/by-id/ata-ST31AS_5LS2T3NW-part4 none none

Open the file with the command-line vi editor and change the none in the last column to noauto, as shown below

sudo vi /etc/crypttab

and replace

cr_sdb4 /dev/disk/by-id/ata-ST31AS_5LS2T3NW-part4 none none

with

cr_sdb4 /dev/disk/by-id/ata-ST31AS_5LS2T3NW-part4 none noauto

and save the file and exit.

Make a note of the device ID. In this example it’s ata-ST31AS_5LS2T3NW-part4
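The same crypttab change done non-interactively, as an added example that is not part of the original post. set_noauto is a hypothetical helper name; the second sample entry and its timeout=30 option are constructed to show that existing options are kept.

```shell
#!/bin/sh
# Added example (not from the original post): put "noauto" into the options
# column of one crypttab entry. It prints the rewritten file on stdout, so it
# can be tried on a copy before /etc/crypttab itself is touched.

# set_noauto FILE NAME
# crypttab fields: <name> <device> <key file> <options>
set_noauto() {
    awk -v name="$2" '
        /^[ \t]*(#|$)/ { print; next }   # keep comments and blank lines
        $1 != name     { print; next }   # leave other volumes untouched
        {
            key  = (NF >= 3) ? $3 : "none"
            opts = (NF >= 4) ? $4 : "none"
            if (opts == "none")
                opts = "noauto"                     # the edit shown in the post
            else if (("," opts ",") !~ /,noauto,/)
                opts = opts ",noauto"               # keep options already set
            print $1, $2, key, opts
        }
    ' "$1"
}

# Constructed sample: the first entry is the post's example line, the second
# entry (name, device and option) is made up for illustration.
sample_crypttab() {
    cat <<'EOF'
# <name> <device> <key file> <options>
cr_sdb4 /dev/disk/by-id/ata-ST31AS_5LS2T3NW-part4 none none
cr_sdc1 /dev/disk/by-id/ata-EXAMPLE-part1 none timeout=30
EOF
}

# Show the rewritten sample without touching any system file.
demo() {
    tmp=$(mktemp) || return 1
    sample_crypttab > "$tmp"
    set_noauto "$tmp" cr_sdb4
    rm -f "$tmp"
}
```

Run it against a copy of /etc/crypttab, compare the result with diff, and only then replace the real file as root.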

Now if you reboot the system, you’ll notice that you are no longer prompted to enter the password of the encrypted partition. But wait. How do you mount it manually later when you need it? Read ahead!

To mount the encrypted partition manually, open Terminal and type

/etc/init.d/boot.crypto start /dev/disk/by-id/<Device ID here>

In this example, the device ID is ata-ST31AS_5LS2T3NW-part4. Therefore, the command would look like

/etc/init.d/boot.crypto start /dev/disk/by-id/ata-ST31AS_5LS2T3NW-part4

After you press Enter, you will be prompted to enter the encrypted partition’s password. Now if you open Dolphin (File Manager), you can see that the encrypted LUKS partition is unlocked and appears in the left sidebar.

If you click on it you’ll be prompted to enter the root password in order to mount it, so that you can access it.

But wait! That’s not the end of the story.

Just as you unlocked and mounted the encrypted partition, you must do the reverse before shutting down. First unmount the partition through Dolphin by right-clicking on the volume and choosing unmount (or as explained below), then lock the encrypted partition again before shutting down. Read ahead.

First of all you have to determine in which location the partition gets mounted after you’ve unlocked it and mounted it using Dolphin. To find out the mount point, type

mount

If you have already mounted the partition using Dolphin you can find something like the one shown below, in the last lines of the output of the above command.

/dev/dm-0 on /media/disk type ext4 (rw,nosuid,nodev)

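In this example, /dev/dm-0 is the unlocked volume and /media/disk is the directory it is mounted on; /dev/dm-0 is the value used as the mount point in the commands below.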

Note:

You have to unmount it either manually (using Dolphin or using umount as discussed below) or let Linux do it automatically (discussed below), and lock the crypto partition (discussed below), before shutting down.

After you have identified the mount point (shown above), use the following commands, in this order, to unmount and lock the crypto partition again.

umount /dev/<mount point here>
/etc/init.d/boot.crypto stop /dev/disk/by-id/<device id here>

In this example, the command would look like

umount /dev/dm-0
/etc/init.d/boot.crypto stop /dev/disk/by-id/ata-ST31AS_5LS2T3NW-part4

It’s unlikely that you would want to do this manually. To let Linux take care of it at the time of shutting down, you have to add these commands to the file /etc/init.d/halt.local (discussed below).

To do that, open Terminal and type

sudo vi /etc/init.d/halt.local

and, as shown below, add the last two lines of the listing (lines 15 and 16) to the end of the file halt.local (with the device ID and mount point corresponding to your drive)

#! /bin/sh
#
# Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany.  All rights reserved.
#
# Author: Werner Fink <werner@suse.de>, 1998
#         Burchard Steinbild, 1998
#
# /etc/init.d/halt.local
#
# script with local commands to be executed from init on system shutdown
#
# Here you should add things, that should happen directly before shuting
# down.
#
umount /dev/dm-0 #note that dm-0 indicates the mount point which is determined as discussed previously
/etc/init.d/boot.crypto stop /dev/disk/by-id/ata-ST31AS_5LS2T3NW-part4 #replace this device ID with yours which is determined as discussed above

Save and exit the vi editor. After you have done this you can safely shut down openSuSE without having to worry about unmounting the LUKS partitions.

If you have multiple LUKS partitions, follow the same procedure. Now the files will have multiple entries instead of one. It makes no difference.
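A variant of the two halt.local lines that looks the mount point up at shutdown time instead of hard-coding it, so the same call also works when the volume was never mounted in that session. This is an added example, not part of the original post or of openSUSE's halt.local; lock_luks, mounted_at, MOUNTS and RUN are hypothetical names, and the mount table is constructed from the post's example output.

```shell
#!/bin/sh
# Added example (not from the original post): unmount, then lock, one LUKS
# volume, in the order the post requires.
#
# Assumptions: MOUNTS names a file in /proc/mounts format (default
# /proc/mounts); RUN is a command prefix, empty on a real system and "echo"
# to preview what would be executed.

# mounted_at DEVICE -> prints the directory DEVICE is mounted on, if any.
mounted_at() {
    awk -v dev="$1" '$1 == dev { print $2; exit }' "${MOUNTS:-/proc/mounts}"
}

# lock_luks DEVICE BY_ID_PATH
lock_luks() {
    dir=$(mounted_at "$1")
    if [ -n "$dir" ]; then
        # Unmount first and stop here if that fails, so the volume is never
        # locked underneath a filesystem that is still mounted.
        $RUN umount "$dir" || return 1
    fi
    $RUN /etc/init.d/boot.crypto stop "$2"
}

# Constructed mount table; the dm-0 line mirrors the post's mount output.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw 0 0
/dev/dm-0 /media/disk ext4 rw,nosuid,nodev 0 0
EOF
}
```

In halt.local, call lock_luks once per encrypted volume with its device and /dev/disk/by-id path.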

Please leave a comment if this tutorial was useful to you or if you have any suggestions for improving this article.