More encryption in Ubuntu

For those who found my post about encryption of USB devices interesting yesterday… you might wanna keep an eye on this one, which I stumbled upon today. A feature request for the next Ubuntu release, Feisty Fawn:

Transparent encryption of homedir

Update: The link was moved. I have now updated the URL. Thanks Steffen.

Encrypted USB drive in Ubuntu

Today I went to the Linuxforum BOF day where I attended a session about encrypting your personal files. This made me remember a post I read some time ago (check out the screencast). I guessed that this functionality would be in Ubuntu Edgy by now so I just went ahead and tried to make my USB pen drive encrypted.

This is how I did it:

  1. First install the needed software

    sudo apt-get install cryptsetup
    
  2. Make sure your USB disk isn’t mounted. Then partition the USB pendrive the way you want it, if it isn’t already partitioned (I made one big partition on mine, /dev/sda1). Note: Don’t mount the disk afterwards!
  3. If you haven’t rebooted your computer since you installed the cryptsetup package, you might have to load the device mapper crypt module manually:

    sudo modprobe dm-crypt
    
  4. Now make the partition encrypted:

    $ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sda1
    
    WARNING!
    ========
    This will overwrite data on /dev/sda1 irrevocably.
    
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase:
    Verify passphrase:
    Command successful.
    

    If you get the error:

    Failed to setup dm-crypt key mapping.
    Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda1 contains at least 133 sectors.
    

    Make sure that the disk isn’t mounted, and make sure you are using the right device. You can use dmesg to check which device the disk has been assigned. You might also wanna check that the module dm-crypt is loaded (lsmod | grep dm).

  5. Now attach the encrypted partition:

    $ sudo cryptsetup luksOpen /dev/sda1 sda1
    Enter LUKS passphrase:
    key slot 0 unlocked
    Command successful.
    
  6. Now create a filesystem on the new encrypted device:

    sudo mkfs.ext3 /dev/mapper/sda1
    
  7. Remove the temporary device mapped to the encrypted partition:

    sudo cryptsetup luksClose sda1
    
  8. Now remove your USB disk from the USB plug and reinsert it; Ubuntu should find it and ask for the passphrase.
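
A read-only check for step 4, added here as an example (not part of the original post): it parses the LUKS1 header that luksFormat writes and reports the cipher spec and the number of enabled key slots. The function names are hypothetical, the sample header is constructed, and the field offsets follow the LUKS1 on-disk format specification; newer cryptsetup versions default to LUKS2, which this parser rejects.

```sh
#!/bin/sh
# Added example: read-only parser for the LUKS1 on-disk header.
# Function names are hypothetical; offsets follow the LUKS1 format spec.

# Print LEN bytes at OFFSET of FILE as lowercase hex without separators.
hex_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'; }

# Print a NUL-padded text field (cipher name, mode) as a plain string.
str_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }

# Succeed only if FILE starts with the LUKS magic: "LUKS" 0xBA 0xBE.
is_luks() { [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]; }

# Header version: big-endian 16-bit integer at offset 6.
luks_version() { v=$(hex_at "$1" 6 2); echo $((0x${v:-0})); }

# Print "<cipher-name>-<cipher-mode>", e.g. aes-cbc-essiv:sha256.
luks_cipher_spec() {
    is_luks "$1" || { echo "not a LUKS header" >&2; return 1; }
    [ "$(luks_version "$1")" -eq 1 ] || { echo "not LUKS1" >&2; return 2; }
    echo "$(str_at "$1" 8 32)-$(str_at "$1" 40 32)"
}

# Count enabled key slots: 8 slots of 48 bytes starting at offset 208, each
# led by a state word (0x00AC71F3 = enabled, 0x0000DEAD = disabled).
luks_active_slots() {
    n=0; i=0
    while [ "$i" -lt 8 ]; do
        if [ "$(hex_at "$1" $((208 + 48 * i)) 4)" = "00ac71f3" ]; then n=$((n + 1)); fi
        i=$((i + 1))
    done
    echo "$n"
}

# Build a constructed 592-byte LUKS1-style header (sample data, no real keys).
pad() { printf '%s' "$1"; dd if=/dev/zero bs=1 count=$(( $2 - ${#1} )) 2>/dev/null; }
make_sample() {
    {
        printf 'LUKS\272\276\000\001'                 # magic + version 1
        pad aes 32; pad cbc-essiv:sha256 32; pad sha1 32
        pad "" 104                                    # offsets 104..207 zeroed
        printf '\000\254\161\363'; pad "" 44          # slot 0 enabled
        i=1; while [ "$i" -lt 8 ]; do printf '\000\000\336\255'; pad "" 44; i=$((i + 1)); done
    } > "$1"
}

sample=${TMPDIR:-/tmp}/luks1-sample.$$
make_sample "$sample"
echo "cipher spec: $(luks_cipher_spec "$sample"), active key slots: $(luks_active_slots "$sample")"
rm -f "$sample"
```

On a real device, `sudo cryptsetup luksDump /dev/sda1` prints the same fields straight from the header.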

Update: I tried to insert my USB pen into an Ubuntu Dapper (which this guide would also work on, I guess). I just thought it was cool that it actually told me which package it needed for it to work:

Playing around with software raid

And you don’t even need any physical disks for it….

I don’t use the Linux software raid tool mdadm that often, so I quickly forget how it works. This is something I have used on several occasions when trying to refresh my memory. The cool thing is that you don’t need physical disks or a lot of space for it to work. The following might vary a bit depending on your system (mine is Ubuntu Edgy Eft on an IBM x40).

First create a few “disks”… by creating some empty files and making them into block devices:

dd if=/dev/zero of=disk1 bs=1M count=1 seek=30
dd if=/dev/zero of=disk2 bs=1M count=1 seek=30
dd if=/dev/zero of=disk3 bs=1M count=1 seek=30
losetup /dev/loop0 disk1
losetup /dev/loop1 disk2
losetup /dev/loop2 disk3

This creates 3 files (disk1, disk2 and disk3) with the size of 1MB in the current directory and makes them into block devices (just like normal disks are).

Now create your raid, example:

mdadm --create /dev/md0 --level=5 --raid-devices=2 --spare-devices=1 /dev/loop0 /dev/loop1 /dev/loop2

If you get the error:

mdadm: error opening /dev/md0: No such file or directory

Add the parameter --auto=md to the raid create command.

Now you can see your raid status with:

cat /proc/mdstat

Now play around with it all you want

Cleanup

When you are done you stop the raid and remove it with the following:

mdadm --stop /dev/md0
mdadm --remove /dev/md0

Perhaps you want to remove the md0 device again with (only if you needed the --auto=md parameter):

rm /dev/md0

Cleanup the “disks”:

losetup -d /dev/loop2
losetup -d /dev/loop1
losetup -d /dev/loop0
rm disk3
rm disk2
rm disk1

Now your computer won’t have a trace of your software raid disks… besides your shell history :)

Using ath0 as bridge in VMware... or almost

Well I couldn’t make my Atheros (ath0) work as a bridged network with VMware… but I made a workaround which I want to share with you guys. Anyways I’ll have it documented if I can’t remember what I did later on. I have installed VMware on my Ubuntu laptop and an edgy-alternative (server) as a guest OS within VMware. The way I did this was making my laptop into a router between the “VMware host only” net and my wireless net.

You need to have configured a host only network for your VMware machines, mine is called vmnet1 and is using the network:

192.168.154.0/24

My laptop has the following IPs:

wireless:    ath0     192.168.20.197 (provided by DHCP)
wired:       eth0     * (not used in this example)
VMware net:  vmnet1   192.168.154.1 (static)
gateway:     default  192.168.20.1

My Ubuntu edgy server has the following IPs:

wired:       eth0     192.168.154.2 (static)

On my laptop I have made a script that does the following:

INTERNAL=vmnet1
EXTERNAL=ath0

# Enable router functionality
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enabling SNAT (MASQUERADE) functionality on $EXTERNAL
iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE

All my rules are set to accept as default, if yours are not you might want to add something like this:

iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNAL -o $EXTERNAL -j ACCEPT

On my VMware guest I have configured eth0 to have the static IP address 192.168.154.2 and to use 192.168.154.1 as default gateway. The way you set this up depends on your guest OS, but you can also do this manually with:

INTERNAL=eth0

ip a add dev $INTERNAL 192.168.154.2/24
ip link set $INTERNAL up
route add default gw 192.168.154.1

Now test by pinging your host’s gateway (my laptop):

ping 192.168.20.1

Note: You probably want to set your guest OS to be able to use a DNS server.

Random disconnects with CoovaAP

Through the last week I have played around with CoovaAP on my Linksys WRT54GL… I was just too curious to try it out after my colleague Tomas told me about it :D CoovaAP is a slightly customized version of OpenWRT to make it easy to set up a wireless HotSpot like the ones you can connect to at cafés, hotels and such.

CoovaAP comes with pretty much everything out of the box except the FreeRADIUS server. There are some free RADIUS servers around the net, which it seems to be Coova’s intention that people should use. It seems like a really nice piece of software, but for me it was a NO GO.

After installing Coova on my access point I would get randomly kicked off World of Warcraft, even though I was using a wired connection on that machine. Teamspeak and other things seem to be unaffected. I haven’t been digging into what caused this problem; I don’t really have the experience or the time to do anything about it.