Creating user-mountable encrypted devices

There are already several ways to create securely encrypted devices with the Linux kernel (described in LaptopSicherEinrichten [German]). But the mount command itself only supports the old loop device method (the encryption= option of losetup, i.e. cryptoloop), which is considered obsolete and does not work with packet writing to DVD-RW and similar media.

Here is a script which implements a dmcrypt filesystem type for mount and makes these things possible.

I say fsck!

Mount helpers are run with the privileges of the calling user, not as root, which is good in itself, but the operations we need here (setting up the dm-crypt mapping and mounting a block device) require root privileges, so the helper relies on sudo. The good side is that sudo lets us define much finer access rules (mount by group membership, etc.); the bad side is that a NOPASSWD rule hands root to every listed member for whatever arguments they pass to the helper, so the script should be much more careful about validating its arguments than it currently is:

Add the following to your /etc/sudoers file:

# users and %groups who might use dmcrypt mount helpers
User_Alias DMCRYPT = %disk, %fuse, %floppy

# rule: these users may run both helpers as root without supplying a password
DMCRYPT ALL=NOPASSWD: /sbin/mount.dmcrypt, /sbin/umount.dmcrypt

Example /etc/fstab entry

The important point is that the mount device is the mapped block device (/dev/mapper/NAME), and you must supply a dm=blockdevice option telling the helper which real (encrypted) device to use.

#MAPPED_DEVICE    MOUNTPOINT        FS      OPTIONS
/dev/mapper/dvdrw /media/cryptdvdrw dmcrypt dm=/dev/pktcdvd/dvdrw,rw,user,noauto,noatime 0 0

Mount helper script

Store this as /sbin/mount.dmcrypt and hardlink it as /sbin/umount.dmcrypt too. Make sure the file is owned by root:root and not writable by users: anyone who can edit it gets root through the sudoers rule above. The script re-executes itself via sudo, so no setuid bit is needed.

inline:mount.dmcrypt

If you're using the [http://luks.endorphin.org/ LUKS] extension of cryptsetup, you have to use a slightly different helper script:

inline:mount.dmcrypt-luks

Please note that I changed the path of cryptsetup to where it resides in my installation.
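For comparison, here is a complete helper written as an added example; it is not the mount.dmcrypt or mount.dmcrypt-luks attached to this page. It is one POSIX sh script that serves as both mount.dmcrypt and umount.dmcrypt (hardlinked, as described above), handles plain dm-crypt and LUKS through a constant set at the top, and adds the check that the NOPASSWD sudoers rule makes necessary: it refuses any (mapped device, mount point, dm= device) combination that root has not put into /etc/fstab with type dmcrypt, so a DMCRYPT group member cannot use the rule to map and mount arbitrary devices. Everything configurable is a constant in the file rather than an environment variable or argument, because the script runs as root. The cryptsetup path /sbin/cryptsetup, the /sbin install location, the MODE and PLAIN_OPTS settings, and the sample fstab used to exercise it are assumptions of this example.

```shell
#!/bin/sh
# Added example of a "dmcrypt" mount helper, not one of the page's attached scripts.
# mount(8) runs:  mount.dmcrypt SPEC DIR [-sfnv] [-o OPTS]   (SPEC = /dev/mapper/NAME)
# umount(8) runs: umount.dmcrypt DIR [-flnrv]
CRYPTSETUP=/sbin/cryptsetup   # assumption: adjust to your installation
HELPER_DIR=/sbin              # must be the path named in /etc/sudoers
MODE=plain                    # plain: cryptsetup create/remove; luks: luksOpen/luksClose
PLAIN_OPTS=""                 # -c/-h/-s of the volume: plain mode has no header, defaults changed
FSTAB=/etc/fstab
die() { echo "${0##*/}: $*" >&2; exit 32; }   # 32 = "mount failure" in mount(8)

# dm_device OPTS: print the value of the dm= option; fail if there is none.
dm_device() (
    set -f; IFS=,
    for o in $1; do
        case "$o" in dm=?*) printf '%s\n' "${o#dm=}"; exit 0 ;; esac
    done
    exit 1
)

# mount_opts OPTS: options for the real mount(8) call, minus dm= and the fstab-only words.
mount_opts() (
    set -f; IFS=,; rest=""
    for o in $1; do
        case "$o" in ""|dm=*|user|users|noauto) ;; *) rest="${rest:+$rest,}$o" ;; esac
    done
    printf '%s\n' "$rest"
)

# mapper_name SPEC: SPEC must be /dev/mapper/NAME with a harmless NAME; print NAME.
mapper_name() {
    case "$1" in /dev/mapper/*) ;; *) return 1 ;; esac
    n=${1#/dev/mapper/}
    case "$n" in ""|.*|*/*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    printf '%s\n' "$n"
}

# fstab_entry KEY: print "SPEC DIR DMDEV" of the dmcrypt line whose spec or mount point is KEY.
fstab_entry() {
    while read -r f_spec f_dir f_type f_opts f_rest; do
        case "$f_spec" in ""|"#"*) continue ;; esac
        if [ "$f_type" = dmcrypt ] && { [ "$f_spec" = "$1" ] || [ "$f_dir" = "$1" ]; }; then
            printf '%s %s %s\n' "$f_spec" "$f_dir" "$(dm_device "$f_opts")"
            return 0
        fi
    done < "$FSTAB"
    return 1
}

# fstab_allows SPEC DIR DMDEV: true only if root put exactly this triple in fstab. sudoers runs
# this helper as root for any DMCRYPT member with ANY arguments; this check is what stops a
# member from mapping and mounting arbitrary block devices.
fstab_allows() { [ "$(fstab_entry "$1")" = "$1 $2 $3" ]; }

# crypt_open NAME DEV / crypt_close NAME; cryptsetup prompts for the passphrase on the tty.
crypt_open()  { case "$MODE" in luks) "$CRYPTSETUP" luksOpen "$2" "$1" ;; *) "$CRYPTSETUP" create $PLAIN_OPTS "$1" "$2" ;; esac; }
crypt_close() { case "$MODE" in luks) "$CRYPTSETUP" luksClose "$1" ;;    *) "$CRYPTSETUP" remove "$1" ;; esac; }

do_mount() {     # SPEC DIR OPTS
    [ -n "$2" ] || die "usage: mount.dmcrypt /dev/mapper/NAME DIR -o dm=DEVICE[,opts]"
    dev=$(dm_device "$3") || die "no dm=DEVICE option given"
    name=$(mapper_name "$1") || die "$1 is not /dev/mapper/NAME"
    fstab_allows "$1" "$2" "$dev" || die "$1 on $2 with dm=$dev is not listed in $FSTAB"
    [ -b "$dev" ] || die "$dev is not a block device"
    crypt_open "$name" "$dev" || die "cryptsetup failed"
    opts=$(mount_opts "$3")
    mount -t auto ${opts:+-o "$opts"} "$1" "$2" || { crypt_close "$name"; die "mount failed"; }
}

do_umount() {    # DIR (umount(8) hands the helper the mount point; the mapped device also works)
    entry=$(fstab_entry "$1") || die "$1 is not a dmcrypt entry in $FSTAB"
    spec=${entry%% *}; rest=${entry#* }; dir=${rest%% *}
    name=$(mapper_name "$spec") || die "$spec is not /dev/mapper/NAME"
    umount "$dir" || die "umount failed"
    crypt_close "$name"
}

main() {
    # Not root yet: re-run through sudo, using exactly the path the sudoers rule names.
    [ "$(id -u)" -eq 0 ] || exec sudo -n "$HELPER_DIR/${0##*/}" "$@"
    spec=""; dir=""; opts=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -o) opts=$2; shift ;;
            -*) ;;                     # -n -v -s -f -l -r: accepted and ignored
            *)  if [ -z "$spec" ]; then spec=$1; else dir=$1; fi ;;
        esac
        shift
    done
    case "${0##*/}" in
        mount.dmcrypt)  do_mount "$spec" "$dir" "$opts" ;;
        umount.dmcrypt) do_umount "$spec" ;;
    esac
}

# Act only under one of the installed names; sourcing the file just defines the functions.
case "${0##*/}" in mount.dmcrypt|umount.dmcrypt) main "$@" ;; esac
```

The option parsing and the fstab check can be exercised as an ordinary user by sourcing the file (. ./mount.dmcrypt) and calling dm_device, mount_opts, mapper_name and fstab_allows directly with FSTAB pointed at a copy of your fstab; the privileged path only runs when the script is invoked under one of its two installed names, and it exits 32 on every failure as mount(8) expects from a helper.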

mountdmcrypt (last edited 2008-10-11 14:56:22 by Ichthyostega)