partoneoftwo/luksus
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
__ __ __ __ __ _____ __ __ _____ / / / / / / / //_/ / ___/ / / / / / ___/ / / / / / / / ,< \__ \ / / / / \__ \ / /___ / /_/ / / /| | ___/ / / /_/ / ___/ / /_____/ \____/ /_/ |_| /____/ \____/ /____/ # SYNOPSIS LUKSUS is a text-based menu driven program, for Linux and BSD which runs in a terminal window or console. LUKSUS lets you encrypt your files, hardrives, usb sticks and virtual container using your operating system's internal encryption mechanism and acts as the frontend to the internal encryption mechanism. It can use the following encryption facilities: LUKS, Truecrypt, GELI and GNUPGP. It works on Linux, DragonflyBSD and FreeBSD. LUKSUS also supports GNU Privacy Guard and OpenSSL to encrypt single files. # BACKGROUND The purpose of this script is to provide to myself, an easy way to encrypt storage media in Linux, FreeBSD and DragonflyBSD, such as hardrives, usb sticks, sd cards or external hardrives. It uses the LUKS and cryptsetup crypto subsystem internal to the Linux Kernel. It can also use Truecrypt encryption with the tcplay command, and FreeBSD's geli encryption. LUKSUS is a wrapper script for cryptsetup/tcplay/geli, shred and mkfs. Instead of having to read up on the documentation for these tools, I wrote this wrapper script to handle the proverbial heavy lifting. Being opinionated and pragmatic this program assumes the following dependencies: dialog, gnutools / coretools , and a supported encryption engine installed. On Linux this is either found in the cryptsetup package for LUKS support and tcplay for Truecrypt support. LUKSUS also supports GNU Privacy Guard (OpenPGP) and OpenSSL. Dependencies - packages you need in order for LUKSUS to run: On Linux - The following packages are required: bash dialog cryptsetup - If you want to use LUKS tcplay - If you want to encrypt using truecrypt, note: tcplay and not TrueCrypt.com's package coreutils (depending on your distro) gnutools (depending on your distro) On *BSD: bash coreutils (we need gtail and ghead, we rely on the same parameters as the Linux tools) dialog DragonFlyBSD does not ship with bash, dialog and GNU coreutils by default, so you have to install it from the repositories. DragonFlyBSD: pkg_radd bash dialog coreutils tcplay FreeBSD : pkg_add -r bash dialog coreutils NetBSD : pkg_add -v bash dialog coreutils an empty hardrive or storage media knowledge about which device the hardrive or storage (blkid or dmesg will provide this) # USAGE ./LUKSUS (No command line options needed, anymore) # FREQUENTLY ASKED QUESTIONS: Q: Why should I use this script? A: I wrote this script because I wanted to have a way to easily and casually create encrypted volumes. Because doing all these tasks manually is time consuming and can be a little tricky. I wanted to have a simple way of creating encrypted volumes instead of having to consult documentation each and every time I wanted to do it. Also, writing this has been a great learning experience. Q: What's in the secret sauce of LUKSUS? This is the gist of the encryption process is these commands (different for every engine of course): LUKS cryptsetup --batch-mode --verbose --key-size=512 --cipher=aes-xts-plain64 luksFormat $device $keyfile Truecrypt (tcplay) tcplay --create --device=$device --cipher=AES-256-XTS Geli (FreeBSD) geli init -s 4096 $device Q: What are some alternatives to LUKSUS? (LUKSUS seeks to be different than other tools) The QT-based zulucrypt is a graphical option for when you want to use X It's a fine tool and a good competitor :) http://code.google.com/p/zulucrypt/ Tomb is interesting, and uses LUKSUS http://www.dyne.org/software/tomb/ Q: Why is the AES-256 cipher used to encrypt files in LUKSUS? A: LUKSUS uses AES-256 because it presents itself as the safest cipher available. It has been thoroughly vetted and impossible to crack unless Quantum Computers become a reality. Take a look at this for more information: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html Q: I really want to learn more about crypto in Linux. Where should I start? A: Tom Ryder wrote a series of excellent blog posts covering Linux crypto software and usage of these. I highly recommend reading them through: http://blog.sanctum.geek.nz/series/linux-crypto/ Thanks a lot Tom Ryder, for these very thorough and awesome posts. Q: Should I trust TrueCrypt? A: I have stopped using Truecrypt altogether, the license is obscure, and the open source code doesn't compile. Thus the binaries distributed by TrueCrypt are possibly compiled by different codebase. A two part code audit og TrueCrypt has been propsed, and as of this writing, part one is complete. They found no irregularities. Here is the website of the Truecrypt Audit project: http://istruecryptauditedyet.com/ Q: What is the license of LUKSUS? A: LUKSUS is free libre open source software, released under the GPLv2 license. Please let me know if the GPLv2 makes it hard for you to use it, and I will consider adding an extra license or changing it. Perhaps changing to MIT license. Q: Why should I encrypt? A: It is beyond the scope of this README to go indepth. Please google/duckduckgo for more info. Read some of Bruce Schneier's excellent articles and essays. Encrypting your date gives you the power to decide who gets access to your data. Q: Where have you learned from? What have is LUKSUS based on? A: Generally LUKSUS is based on the guides provided in the LUKS FAQ, Truecrypt/Tcplay FAQ, and FreeBSD documentation: Cryptsetup / LUKS FAQ: https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions Truecrypt documentation: http://www.truecrypt.org/docs/ FreeBSD disk encryption documentation: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html BSDTutorial: http://bsdtutorial.org/freebsd/encrypt-filesystem NetBSD disk encryption documentation: http://www.netbsd.org/docs/guide/en/chap-cgd.html OpenBSD crypto documentation: http://www.openbsd.org/crypto.html Stackexchange: http://unix.stackexchange.com/questions/9527/how-should-one-set-up-full-disk-encryption-on-openbsd OpenBSD 16 systems tips: http://www.16s.us/OpenBSD/vnconfig.txt (dead link :( ) NetBSD disk encryption guide: http://julipedia.meroh.net/2012/02/encrypted-disk-images-in-netbsd.html NetBSD disk encryption guide: http://gilbert.fernandes.pagesperso-orange.fr/fullcgd.txt NetBSD disk encryption description: http://www.imrryr.org/~elric/cgd/cgd.pdf NetBSD cgd author interview: http://www.onlamp.com/pub/a/bsd/2005/12/21/netbsd_cgd.html Colin Barschel, Sleepyhead.de: http://sleepyhead.de/howto/?href=crypt Bash and sh guides: Michael Potter, Advanced Shell Scripting, http://uniforum.chi.il.us/slides/bash1.pdf Steve Parker, Bourne Shell Programming Tutorial, http://steve-parker.org/sh/sh.shtml Cooper, Advanced Bash Guide, http://www.tldp.org/LDP/abs/html/ Greg's Wiki, BashFAQ, http://mywiki.wooledge.org/BashFAQ Robert Muth, Better BASH in 15 minutes, http://robertmuth.blogspot.dk/2012/08/better-bash-scripting-in-15-minutes.html All various Bash submissions on Hackernews: https://hn.algolia.com/?q=bash#!/story/forever/0/bash Google's shell script manual of style Q: How is the script designed? A: The script reuses code wherever possible and is heavily built around reusable variables and functions. The main() function is the entire LUKSUS file. The script works like this: all existing data will be brutally removed beyond reconstruction (forensically) then it writes random data to the drive then creates a keyfile then encrypts the drive using the keyfile stored in /keys a LUKS header backup will also be placed in /keys please remember to take care of your /keys if you loose your /keys, the keyfile to your encrypted drive, then the data will be impossible to retrieve. (rewrite of this part scheduled) Q: Is there a Disclaimer? A: Yes: As with all security measures: Use with caution. There is no such thing as 100% guaranteed security. Also: I, the author, take no responsibility if a black hole appears, and implodes your house, your town and the entire planet earth as an effect of using this script. Understand that the author takes no responsibility, and cannot be held liable if you, the user, use the script to destroy the files/contents of your storage media. As a consequence it is the sole responsibility of the user to use this software correctly. The author cannot be held liable for any damages, as of this disclaimer. Furthermore you are responsible for the content you encrypt. END DISCLAIMER Q: I lost the key or the password, is there a way to restore the key if I forgot it? A: No. Really. No. Q: LUKSUS is only a bash script, or a set of bash scripts. Is it robust? A: Recent versions of LUKSUS features several failsafe mechanisms to protect the user against its own mistakes, as well as faulty operating conditions like broken binaries and faulty command procedures (race errors). ERRTRAP has been set to 1 for instance. Q: ON KEYFILES - ARE THEY BETTER THAN PASSWORDS? A short: Depends. Keyfiles creates a flexible situation.fs A long: Good question, some crypto wizards gave me this answer: - (Passphrase-protected) Keyfiles are two-factor (something you have, something you know) and passphrases are one-factor (something you know). It should be obvious that (passphrase-protected) keyfiles are at least as secure as passphrases because you need a passphrase to use them. Considering you also need access to the appropriate filesystem, they'd be more secure, if just by a little bit. If you're talking about plaintext keyfiles, they're one-factor secure (something you have). It's not so obvious whether a plaintext is more or less secure than a passphrase. It would depend on the context, I guess. - Keyfiles are possession factors (something you have). Possession factors are threatened by theft and duplication. Since a keyfile is just a file, it's relatively easy to duplicate it, so it's not a very strong factor. In theory, a possession factor can be destroyed -- but not if it's been duplicated or stolen! Passphrases are knowledge factors (something you know). Knowledge factors are threatened by guessing and discovery. A strong passphrase that's not stored anywhere but your head is still weak against compulsive discovery (the cyrpto wrench attack, legal compulsion, etc.). - Source: Reddit discussion http://www.reddit.com/r/crypto/comments/1gnezg/keyfile_or_passphrase/ So let's take the case of David Miranda, for him it was very useful not to have the keys: http://www.theatlantic.com/international/archive/2013/08/the-real-terrifying-reason-why-british-authorities-detained-david-miranda/278952/ Also the web is closing in even on longer passwords nowadays: http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/ Q: On what platforms and distributions has LUKSUS been tested? A: LUKSUS works on Linux, FreeBSD and DragonFlyBSD. Tested on the distros: Debian, Ubuntu, ArchLinux, DragonFlyBSD and FreeBSD. Very possibly all derivatives of FreeBSD also. Q: What license is LUKSUS released under? A: Luksus is released under GNU GPLv2 License located here: http://www.gnu.org/licenses/gpl-2.0.html Q: I have found a bug or have another issue, how can I report it? A: Any issues can be reported to the Github issue tracker for this project, located here: https://github.com/partoneoftwo/luksus/issues I really want to hear from you, feedback, the ways you use it, suggestions, tips and so on. Q: What is the LUKSUS homepage? A: LUKSUS is maintained in a Github repository. The latest version can always be downloaded from the GITHUB page, see the TAGS to download latest release http://github.com/thomasfrivold/luksus or just go to the shiny fancy page: http://thomasfrivold.github.io/luksus ################## ##### Notes ###### ################## DRAGONFLYBSD NOTES: There are a few things to note about running this on DragonflyBSD... # NO EXT4, UFS IS USED EXT4 support is currently not available in a workable state in DFlyBSD; The mkfs.ext4 tool shipped in e2fsprogs does not like the Dfly loopback device, and I have not yet managed to get it to work. Therefore the user will get a UFS filesystem instead. TRUECRYPT NOTES: Truecrypt defaults to using passphrase for volume security. A keyfile can be added by using the commandline argument: usekey This will add a key to the keychain in the volume, but TrueCrypt will also ask for a password. TrueCrypt volume creation on loopback devices takes a lot of time, regardless of size. Just hang in there, it will complete eventually. Applies to both on Linux and DragonflyBSD Truecrypt / tcplay is slow when it is creating encrypted filecontainers on Linux. Once the volume has been created speeds are nominal. This has at least been the case in my testing on Virtualbox instances of various Linux distributions. Comments on feedback: * There are factions who have voiced that they think this project unnecessary. I tell these people they can either fork my project, submit code via github or choose to walk away. In fact this reminds me of when I built an outdoor balcony for family house. Every carpenter in the neighbourhood came by our house, that sunny weekend, and chimed in on building techniques, pitfalls and whatnot. Without exception they all condemmed my project saying it would fail and that with my building technique the balcony would only last for one season. 10 years on, the balcony is still there, the ice and tundra hasn't twisted the wood foundation, and it helped raise the value of the appartment by 10%. I see the same kind of sentiments from uber-coders about my project here, and really I don't care since they are not giving constructive feedback such as real suggestions with code suggestions. * Whiptail seems to have unstable commandline options, and it seems to break randomly. I am considering eliminating whiptail support after all the pain involved in seeing where it isn't transparently compatible with dialog. ######################################################## ################### TODO ############################### ######################################################## [wishlist / target for next version] v2.0 Use steganography on keys - eg. allowing a key to inserted into an image second idea is to put a key into the metadata of a media-file such as the ID3V2 section of an mp3 file, FLAC og meta-data of a JPEG or PNG Different background colours v1.7.0 Add: +NetBSD Support +OpenBSD Support OpenSSL directory support GNUPG PGP key support Code improvements: Complete OpenSSL Complete implementing the NetBSD specific logic missing Write a fool proof dependency check routine Complete implementing OpenBSD bioctl code Clear out the temp files properly, every time Let CANCEL actually work everywhere Consider running CHECKS after menu is done Implement robustness advice from bash-guides Improve menus from examples here: - http://bash.cyberciti.biz/guide/A_menu_box Attempt to follow the Google shell script manual of style: Consider which variables need to be set to readonly Set variables local Make all variable names lowercase Make all function names lowercase Improve conditional statements, get rid of redundant echo "" lines * Some engines do not support keyfiles, and yet I let the user specify keyfile usage with these engines. This needs to be fixed, just so that the user experience is smoother. Could be part of the autodetector. Project government, community feedback: Write a proper Markdown webpage on the GitHub readme file Engines todo: Create an autodetector on OS and present available engines based on OS Add OpenBSD , bioctl support Add ecryptfs container support (maybe, if feasible) wishlist / for future releases: Consider changing wizard out with form based menu as seen here http://bash.cyberciti.biz/guide/The_form_dialog_for_input # User interaction things Improve LUKSUS output in Dialog window: remove keyfile information if the user is not using a keyfile. # bad idea, this will probably not happen Consider using GNOME GDIALOG OR ZENITY OR YAD. This would make the script graphical. Consider how to ask the user about this. ** Must be tested thoroughly. ** [still considering, zenity and yad wasn't that good. Maybe this will lead to bloat] Add a discussion to this readme file - Key vault: [this shouldn't become a feature, but rather part of the documentation: Keyfile management] Add strongbox/keyvault option+Debate whether to call it strongbox or keyvault (this might not be necessary since the user can simply use LUKSUS to create a stronbox, this should rather become a part of the README file. And it should become a suggestion) ######################################################## ################### CHANGELOG ######################## ######################################################## v1.6 +Added OpenSSL support LUKSUS can now encrypt files using OpenSSL v1.5 + Added GNUPGP support with a filemanager to pick files. 07.05.2014 v1.4 07.05.2014 01:52 GMT+1 +Finally got around to removing silly regressions on FreeBSD. These bugs slowed down development of the rest of LUKSUS by half a year or maybe more. Well. Solved now! +Fully tested on FreeBSD. All features ok. All bugs fragged. v1.3.3 +Introduced nice dependency checks. v1.3.2 Code improvements v1.3.1 21:30 27.10.2013 Whiptail options are unstable and troublesome. Support removed until later notice, relying on dialog. v1.3 00:45 25.10.2013 +The menu system is now complete. +Code improvements V1.2.9 14:50 23.10.2013 Great strides has been taken to improve the code. Added a debug mode, can be enabled in the VARIABLES section. Devs only. v1.2.8 19:25 17.10.2013 +Very nice looking menu created Got some ideas from here: a complete menusystem I borrowed some ideas from: http://www.bashguru.com/2011/01/menu-driven-shell-script-using-dialog.html v1.2.7 +Preliminary menu system works It is not pretty enough yet, but the idea is that from now on, the user will not have to use commandline options. Dialog og whiptail is required. +Added whiptail support, which will not require dialog on Debian based systems. Thanks Stackexchange! http://unix.stackexchange.com/questions/64627/whiptail-or-dialog +Command line arguments are now optional, a dialog/whiptail will ask the user for options. v1.2.5 Preliminary menu system is almost a reality v1.2.3 +Attempts were made to add crude NetBSD support v1.2.2 Create a label to newly created filesystem, based on $name (Linux only) Better usability of the information file of each volume. Improvements to output v1.2.1 Fixed a tiny mistake. v1.2 Fixes some regressions v1.1 Adds FreeBSD support v1.0 LUKSUS is stable and mature enough to be called 1.0 Tested on Linux and DragonFlyBSD v1.0RC9 03.08.2013 The testing phase of LUKSUS has really forced a lot of improvements all over. The code is now completely modular, and adding further encryption engines and operating systems should be a walk in the park. Now executes flawlessly in all operating modes on Linux and DragonFlyBSD v1.0RC8 02.08.2013 + added nodialog option and FreeBSD support + Dialog use is not enforced anymore. If package is not installed, + then the script will skip fancy dialog use. Dialog is not shipped + with all distros by default. Less headache for the user. v1.0RC7 30.07.2013 +Cleanup v1.0RC5 29.07.2013 12:30 +LUKSUS now defaults to passphrase. Using a keyfile is optional. User feedback suggested that many users preferred to use passphrase instead of keys. Therefore the default has been set to passphrase, with using keyfiles being optional. +The dawn of modularization of the encryption engine code. I am hoping to be able to add support for FreeBSDs GBDE and GELI, NetBSD's CGD and OpenBSDs BIOCTL. This would bump the number of supported platforms to 5. v1.0RC4 22.07.2013 15:09 +Removed some extra integrity checks. They were redundant and broke Truecrypt support Feature freeze, and all that is required now is more testing. Fixed some regressions. Testing is a good idea. v1.0RC3 22.07.2013 12:00 +Better dialog - yesno now works I like where this is going v1.0RC2 18.07.2013 19:00 +Improved logging and reporting further +Cleaner OS Detection v0.99 Truecrypt command line option added Usage cleanup Readme testing v0.95 06.03.2013 15:13 +Truecrypt support v0.8.91 05.03.2013 20:00 Small bugfixes v0.8.9 05.03.2013 13:28 +DragonFlyBSD support is now fully supported. Cryptsetup / dm-luks spends a lot of time with its operation, 10-15 minutes, but apart from that, LUKSUS runs on DragonFlyBSD. Functions need more attention and cleanup, but everything is working quite well now. v0.8.5 26.02.2013 12:00 Cleanup before public release on Freecode.com! Hello World v0.8.4 26.02.2013 10:00 Added a routine to check the screensize, and display a logo according to which screensize the user has. Cleaned up a little bit here and there v0.8.3 25.02.2013 20:00 Tweaks v0.8.2 25.02.2013 15:00 Added a welcome sequence Added a logo! (yay) v0.8.1 25.02.2013 14:30 Added missing apostrophe v0.8 24.02.2013 10:15 + Improved code quality, implemented simple modularization. v0.7 02.01.2013 13:20 + Added support for loopback devices creating an encrypted container is now possible with LUKSUS + Began work on implementing functions throughout + Added some conditional checks with regex v0.6 02.01.2013 01:35 + improved documentation (README file) + Added some nice sanity checks + Further cleaned up the code + Added a definite CTRL+C to cancel now + Added dependency checks v0.5 25.04.2012 12:30 + initial public release live on github here: https://github.com/thomasfrivold/luksus (yay) + massive cleanup + added a conditional check to verify that user is root + added a conditional check in the middle of the procedure to verify that a LUKS container has been created on the device good for integrity + added a routine to hackup the luks header with a conditional check as suggested by the luks FAQ here: http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#6._Backup_and_Data_Recovery + fixed mounting procedure changed name of the script from cryptcreate to luksus the luksus name is more a pun than a functional name luksus means luxury in Norwegian and coincidentally it includes the main technology used to encrypt hardrives in Linux since the 2.6 kernels - Linux Unified Key Setup on a celebratory note, the script can now be considered stable. Even though it lacks some niceties such as a fully fledged ncurses dialog menu system which is aimed at version v1.0 - Thomas Frivold v0.4 + cleaned up script + added required runtime arguments v0.3 + added command line input v0.2 + cosmetic fixes + did some nice thinking about dialog v0.1 16.04.2012 GMT+1 1320 + initial release ############################################### Developer documentation (notes to self mainly) ############################################### Q: How do I add another encryption engine? A: After having made the script more or less modular, this is the steps necessary to add another engine to LUKSUS: ADD OS UNAME TO OSTEST() Add loopbackdevice to LOOPBACKTEST() Write HOUSEKEEPING() function for the new OS if necessary Create engine() enginekeyfile() and engineopen() functions put these new engine* functions into the main LUKSUS file TEST TEST TEST! It is easy to break things, so it is very important to test a lot. Q: What are the release preparations for LUKSUS? A: Release preparation stuff to do: *** Complete the extensive LUKSUS test procedure *** Critical test: Must pass all testing, not a single mistake in regards to user experience: * Create volume on a physical drive (Virtualbox is fine) using keyfile with every supported encryption engine. * Create volume on a physical drive (Virtualbox is fine) using passphrase with every supported encryption engine. Create volume on a virtual file container (if supported by os) using keyfile with every supported encryption engine. Create volume on a virtual file container (if supported by os) using passphrase with every supported encryption engine. Do this for all supported systems, and make a note in Changelog about testing after each OS has passed test. +Extensive testing on supported platforms ++Tested and verified on all in testing spreadsheet: Linux> Debian, Ubuntu, Mint, Gentoo, Arch, Fedora, FreeBSD> FreeBSD, PCBSD DragonFlyBSD> DragonflyBSD. NetBSD OpenBSD: OpenBSD, BitRig Add a pager which will let the user read the README from within the program On the following systems - Test in virtualbox: 6 different Linux distributions: Debian, CentOS, Arch, Ubuntu, Fedora, Gentoo. FreeBSD distros: FreeBSD, PCBSD DragonFlyBSD NetBSD Frag any typos and silly formulations. Frag any error messages. Release it into the wild: Bump version number in LUKSUS.variables Update README Changelog and TODO Push a new tag to Github Update jekyll homepage at thomasfrivold.github.io/luksus Post to Freshmeat Consider posting elsewhere, if release is awesome enough. ### LEGACY README INFORMATION FOR THOSE NOSTALGIC PEOPLE OUT THERE ### Legacy documentation for those who really wish to use command line options (not necessary anymore): The usage of LUKSUS can take two different forms, mainly whether you are using LUKSUS on a physical device or a virtual file. These two requires somewhat different commandline arguments. Volumename simply means nickname for the encrypted drive/media. Optional parameters are: truecrypt - which enables truecrypt instead of using LUKS (Linux and DragonFlyBSD only) usekey - which uses a keyfile instead of a passphrase, which will be placed in /keys (LUKS only, works on truecrypt as well, but it will ask for a passphrase anyhow so this will add a keyfile to the volume) EXAMPLES: ENCRYPT PHYSICAL MEDIA: Using password ./LUKSUS /dev/sdb1 rambo1 ENCRYPT PHYSICAL MEDIA: Using keyfile ./LUKSUS /dev/sdb1 rambo1 usekey CREATING AN ENCRYPTED FILECONTAINER (LUKS on Linux and DragonFlyBSD) ./LUKSUS /dev/loop0 ENCRYPTEDVOLUME /encryptedvolume.encrypted 300M ./LUKSUS /dev/vn0 ENCRYPTEDVOLUME /encryptedvolume.encrypted 300M ./LUKSUS /dev/md0 ENCRYPTEDVOLUME /encryptedvolume.encrypted 300M To enable the use of TrueCrypt instead of LUKS append the option: truecrypt ./LUKSUS /dev/sdc1 library truecrypt ./LUKSUS /dev/loop0 ENCRYPTEDVOLUME /encryptedvolume.encrypted 300M truecrypt This last example is a corner case. This would create an encrypted filecontainer using truecrypt with a passphrase as well as with a keyfile. That keyfile would then work as a backdoor or an extra way into the archive, in case the password gets lost. ./LUKSUS /dev/loop0 ENCRYPTEDVOLUME /encryptedvolume.encrypted 300M truecrypt usekey As of version 1.0, LUKSUS defaults to passphrase for securing the volume. Using a keyfile is optional and can be activated by using the commandline option: usekey as mentioned earlier. optional commandline arguments are: usekey nodialog usekey - will enable the use of a keyfile instead of a passphrase nodialog - will disable dialog prompts. Some people wants this. ENCRYPTED FILECONTAINER It is possible to create an encrypted file container The usage then changes a little as the script then needs to know which loopbackdevice you wish to use, where the encrypted filecontainer should be located, and how large it should be. Please note that the size must have M for megabytes or G for gigabyte appended to the size. The following will use loop0, and place the encrypted container in /usr and will have 1000MiB as space. ./LUKSUS /dev/loop0 mysecretlibrary /usr/thelibrary.encrypted 1000M For creating an encrypted filecontainer on DragonFlyBSD ./LUKSUS /dev/vn0 mysecretlibrary /usr/thelibrary.encrypted 1000M ################################################### #### PRELIMINARY WORK ON VARIOUS FEATURES ######### #### SIMPLY KEPT HERE... TO KEEP THINGS SIMPLE #### ################################################### *** PRELIMINARY WORK ON GPG SUPPORT **** gpg -o myfile.gpg --cipher-algo AES256 --symmetric myfile will require a filemanager *** PRELIMINARY WORK ON THE NETBSD IMPLEMENTATION BELOW *** *** KEPT HERE TO KEEP EVERYTHING IN ONE PLACE *** Improve this script to make it working (NetBSD cgdconfig) # The below lines almost make cgdconfig work... still have to work it out #!/usr/pkg/bin/bash -x #### The netbsd CGD drive encryption method is really arcane. # create cgd partition disklabel -i sd1 # scrub partition with random data cgdconfig -s cgd0 /dev/sd1a aes-cbc 128 < /dev/urandom # scrub partition with zero ... however it will be converted into random # data using aes-cbc with a random key and cbc mode for XORing with previous # sectors. dd if=/dev/zero of=/dev/rcgd0a bs=32k # destroying the random key cgdconfig -u cgd0 # build the cgd config file # skip the -V if you want data to be destroyed at first attempt of access with wrong key. For the truly paranoid. cgdconfig -g -V disklabel -o /etc/cgd/sd1a aes-cbc 256 # specify the password cgdconfig -V re-enter cgd0 /dev/sd1a # create a disklabel (I don't really understand why we do this at this particular point in the process) disklabel -I -i /dev/cgd0 # create filesystem newfs /dev/rcgd0a # configure cgdconfig - is this necessary??? echo "cgd0 /dev/sd1a" >> /etc/cgd/cgd.conf --- some pragmatic snippets of code, that probably will be implemented for dialog handling: #!/bin/bash device=$(dialog --inputbox "Enter the device to create volume on. E.g. /dev/sdd1 or /dev/loop0" 10 30 3>&1 1>&2 2>&3) name=$(dialog --inputbox "Enter the volume name (nickname of the volume). E.g. Mystuff. Note no special characters or spaces" 10 30 3>&1 1>&2 2>&3) luksfile=$(dialog --inputbox "Full path of encrypted volume" 10 30 3>&1 1>&2 2>&3) luksfilesize=$(dialog --inputbox "What is the desired size of the container. E.g. 100M or 25G" 10 30 3>&1 1>&2 2>&3) echo $device echo $name echo $luksfile echo $luksfilesize some code for improvement of the menu system #!/usr/bin/env bash t(){ type "$1"&>/dev/null;} function Menu.Show { local DIA DIA_ESC; while :; do t whiptail && DIA=whiptail && break t dialog && DIA=dialog && DIA_ESC=-- && break exec date +s"No dialog program found" done; declare -A o="$1"; shift $DIA --backtitle "${o[backtitle]}" --title "${o[title]}" \ --menu "${o[text]}" 0 0 0 $DIA_ESC "$@"; } Menu.Show '([backtitle]="Backtitle" [title]="Title" [question]="Please choose encryption ENGINE:")' \ \ "LUKS" "LINUX NATIVE" \ "TRUECRYPT" "TRUECRYPT (TCPLAY)" \ "GELI" "FREEBSD NATIVE" \ "CGD" "NETBSD NATIVE" source: http://unix.stackexchange.com/questions/64627/whiptail-or-dialog whiptail implementation foobar=$(whiptail --inputbox "Enter some text" 10 30 3>&1 1>&2 2>&3) http://stackoverflow.com/questions/1970180/whiptail-how-to-redirect-output-to-environment-variable whiptail tutorial whiptail --menu "Choose encryption engine" 10 40 4 \ LUKS "" off \ TRUECRYPT "Popular Ubuntu" on \ GELI "Hackish Fedora" off \ CGD "Stable Centos" off \ PGP "Rising Star Mint" off 2>ENCRYPTION source: http://www.techrepublic.com/blog/linux-and-open-source/how-to-use-whiptail-to-write-interactive-shell-scripts/