I was wondering if there is a way to use an encrypted filesystem inside a domU? I tried to look around and whatever guides I found required me to patch the kernel.

I also found out about cryptoloop, however when I try to use it inside domU, it gives me an error:

losetup -e cryptoloop /dev/loop0 /dev/sda2
Password:
ioctl: LOOP_SET_STATUS: Invalid argument

I also tried various combinations:

losetup -e des /dev/loop0 /dev/sda2
losetup -e aes128 /dev/loop0 /dev/sda2
losetup -e aes-256 /dev/loop0 /dev/sda2

However all the above result in the same error.

How should I set up the encrypted fs? Any help would be appreciated.

--
regards,

Anand Gupta

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
> I was wondering if there is a way to use encrypted filesystem inside a domU
> ? I tried to look around and whatever guides i found required me to patch
> the kernel.

You should be able to use cryptoloop or dm-crypt. The latter, device-mapper based solution is the recommended alternative these days. These both give you an encrypted block device on which to run your filesystem.

eCryptfs isn't available in the XenLinux we currently have. However, it's being merged into future releases of the mainline kernel, so it'll filter down to XenLinux at some stage. eCryptfs allows you to encrypt files on an individual basis, so is rather different to use than the above solutions - it may be more or less useful, depending on your objectives.

Anyhow, we'll talk about cryptoloop and dm-crypt for now, since these are the ones that are going to be most straightforward to use.

> I also found about cryptoloop, however when i try to use it inside domU, it
> gives me an error
>
> losetup -e cryptoloop /dev/loop0 /dev/sda2
> Password:
> ioctl: LOOP_SET_STATUS: Invalid argument
>
> I also tried various combinations
>
> losetup -e des /dev/loop0 /dev/sda2
> losetup -e aes128 /dev/loop0 /dev/sda2
> losetup -e aes-256 /dev/loop0 /dev/sda2
>
> However all the above result in the same error.
>
> How should i setup the encrypted fs ? Any help would be appreciated.

You don't need to patch your XenLinux kernel if you want to use Cryptoloop or dm-crypt. However, you'll need to recompile it.

Reconfigure your kernel to include support for cryptoloop (you can find this in make menuconfig under the menu: Device Drivers / Block devices / Loopback device support / Cryptoloop support) or dm-crypt (you can find this in make menuconfig under the menu: Device Drivers / Multi Device Support (RAID and LVM) / Device Mapper Support / Crypt target support).

You might as well enable both, then you can play around with them. You may find that once you've compiled support in, the howtos you were following will Just Work(TM). You may need to install packages for your distro in order to use dm-crypt.

Note that cryptoloop does have known security vulnerabilities, which is why dm-crypt is now recommended.

If you have any problems, follow up to this e-mail.

Cheers,
Mark
> From: "Anand Gupta" <xen.mails@gmail.com>
> Date: December 27, 2006 3:52:28 PM EST (CA)
> To: "Xen Users" <Xen-users@lists.xensource.com>
> Subject: [Xen-users] use of encrypted filesystem
>
>
> I was wondering if there is a way to use encrypted filesystem
> inside a domU ? I tried to look around and whatever guides i found
> required me to patch the kernel.
>
> I also found about cryptoloop, however when i try to use it inside
> domU, it gives me an error
>
> losetup -e cryptoloop /dev/loop0 /dev/sda2
> Password:
> ioctl: LOOP_SET_STATUS: Invalid argument
>
> I also tried various combinations
>
> losetup -e des /dev/loop0 /dev/sda2
> losetup -e aes128 /dev/loop0 /dev/sda2
> losetup -e aes-256 /dev/loop0 /dev/sda2

The use of loop-aes requires the kernel module loop.o and the AES key to be fed using standard input and uuencoded. The loop-AES.README is at http://loop-aes.sourceforge.net/loop-AES.README

An example from that document to fill an encrypted partition with random data is as follows:

head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 \
| losetup -p 0 -e AES128 /dev/loop3 /dev/hda666
dd if=/dev/zero of=/dev/loop3 bs=4k conv=notrunc 2>/dev/null
losetup -d /dev/loop3

This example uses a random key with loop-aes, then a dd fill of zeros is converted to random ciphertext. Note the uuencoding of /dev/urandom output and it being piped into losetup.

Hope this helps,
Mike.

> However all the above result in the same error.
>
> How should i setup the encrypted fs ? Any help would be appreciated.
>
> --
> regards,
>
> Anand Gupta
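The loop-aes pipeline Mike quotes feeds losetup its key on stdin, and the `head -n 2 | tail -n 1` part is easy to misread. The script below is an added example, not code from the thread or from loop-AES.README: it builds the same key line with base64(1) instead of uuencode (uuencode -m writes a "begin-base64" header on line 1, the encoded data on line 2 and a "====" trailer, so line 2 is the key), checks that the line has the shape losetup expects before anything is attached, and wraps the privileged losetup call in a function that is not run automatically. The loop and backing device names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from loop-AES.README. It isolates
# the key-feeding step of the loop-aes pipeline quoted above. The README uses
#   head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1
# because "uuencode -m" prints a "begin-base64 644 -" header on line 1, the
# base64 data on line 2 and a "====" trailer on line 3, so line 2 is the key.
# base64(1) from coreutils prints only the data line, which is what we take
# here; the resulting 20-character line is identical. Device names below are
# placeholders.

# Print the key line: $1 random bytes from the kernel, base64-encoded.
# 15 bytes encode to exactly 20 characters with no "=" padding, which is
# why the README's line is always a single fixed-width token.
keyline_from_bytes() {
    head -c "$1" /dev/urandom | base64 | head -n 1
}

# Check a key line before handing it to losetup: exactly 20 characters and
# nothing outside the base64 alphabet (a shell prompt or a "begin-base64"
# header captured by mistake both fail here).
validate_keyline() {
    key=$1
    [ "${#key}" -eq 20 ] || return 1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# Attach $2 through loop-aes on loop device $1 with a throwaway random key,
# reading the key from fd 0 as "losetup -p 0" requires. Root only, and the
# key is never stored: once detached, whatever was written through the loop
# device is unrecoverable ciphertext, which is the README's wipe use case.
attach_loop_aes_random() {
    loopdev=$1   # e.g. /dev/loop3 (placeholder)
    backing=$2   # e.g. /dev/sda2 (placeholder)
    key=$(keyline_from_bytes 15)
    validate_keyline "$key" || return 1
    printf '%s\n' "$key" | losetup -p 0 -e AES128 "$loopdev" "$backing"
}

# Wipe use, as root, mirroring the README sequence; not run automatically:
#   attach_loop_aes_random /dev/loop3 /dev/sda2 &&
#   dd if=/dev/zero of=/dev/loop3 bs=4k conv=notrunc 2>/dev/null &&
#   losetup -d /dev/loop3
```

Because the key is 15 bytes of /dev/urandom that are never written anywhere, a device attached this way is readable only until `losetup -d` detaches it; that is fine for filling a partition with ciphertext, but a filesystem you intend to mount again needs a passphrase or key file that you keep.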
Dear Mark,

Thanks for the response and detailed explanation.

I checked in the kernel and I have dm-crypt compiled as a module. I can load the module using modprobe dm-crypt and it shows up in lsmod.

Now when I try to use losetup again, here is what I get:

losetup -e dm-crypt /dev/loop0 /dev/sda2
Password:
ioctl: LOOP_SET_STATUS: Invalid argument

The error "Invalid argument" is what is causing the problem and I can't seem to find why it's doing so.

Here is the list of modules loaded:

lsmod

Module                  Size  Used by
dm_crypt               14480  0
des                    20992  0
aes                    31808  0
twofish                43136  0
ipv6                  260096  14
binfmt_misc            13708  1
dm_mod                 53328  1 dm_crypt
ide_generic             5504  0 [permanent]
aacraid                58880  0
ext3                  122256  1
jbd                    58664  1 ext3
raid1                  22400  0
ide_disk               17280  0
ata_piix               14852  0
libata                 61720  1 ata_piix
sd_mod                 19712  0
scsi_mod              140816  3 aacraid,libata,sd_mod

I am sure there would be some stupid mistake because of which this is not working.

I will appreciate it if you can help me sort this.

On 28 Dec 2006 02:17:13 +0000, M.A. Williamson <maw48@cam.ac.uk> wrote:
>
>
> You should be able to use cryptoloop or dm-crypt. The latter device-mapper
> based solution is the recommended alternative these days. These both give
> you an encrypted block device on which to run your filesystem.
>
> eCryptfs isn't available in the XenLinux we currently have. However, it's
> being merged into future releases of the mainline kernel, so it'll filter
> down to XenLinux at some stage. eCryptfs allows you to encrypt files on an
> individual basis, so is rather different to use than the above solutions -
> it may be more or less useful, depending on your objectives.
>
> anyhow, we'll talk about cryptoloop and dm-crypt for now, since these are
> the ones that are going to be most straightforward to use.
>
> > I also found about cryptoloop, however when i try to use it inside domU,
> it
> > gives me an error
> >
> > losetup -e cryptoloop /dev/loop0 /dev/sda2
> > Password:
> > ioctl: LOOP_SET_STATUS: Invalid argument
> >
> > I also tried various combinations
> >
> > losetup -e des /dev/loop0 /dev/sda2
> > losetup -e aes128 /dev/loop0 /dev/sda2
> > losetup -e aes-256 /dev/loop0 /dev/sda2
> >
> > However all the above result in the same error.
> >
> > How should i setup the encrypted fs ? Any help would be appreciated.
>
> You don't need to patch your XenLinux kernel if you want to use Cryptoloop
> or dm-crypt. However, you'll need to recompile it.
>
> Reconfigure your kernel to include support for cryptoloop (you can find
> this in make menuconfig under the menu: Device Drivers / Block devices /
> Loopback device support / Cryptoloop support) or dm-crypt (you can find
> this in make menuconfig under the menu: Device Drivers / Multi Device
> Support (RAID and LVM) / Device Mapper Support / Crypt target support).
>
> You might as well enable both then you can play around with them. You may
> find that once you've compiled support in, the howtos you were following
> will Just Work(TM). You may need to install packages for your distro in
> order to use dm-crypt.
>
> Note that cryptoloop does have known security vulnerabilities, which is
> why
> dm-crypt is now recommended.
>
> If you have any problems, follow up to this e-mail.
>
> Cheers,
> Mark
>

--
regards,

Anand Gupta
Dear Michael,

Thanks for the response.

On 12/28/06, Michael Froh <michael.froh@rogers.com> wrote:
>
> The use of loop-aes requires the kernel module loop.o and the aes key to
> be fed
> using standard input and uuencoded. The loop-AES.README is at
> http://loop-aes.sourceforge.net/loop-AES.README
>
> An example from that document to fill an encrypted partition with random
> data is as follows:
> head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 \
> | losetup -p 0 -e AES128 /dev/loop3 /dev/hda666
> dd if=/dev/zero of=/dev/loop3 bs=4k conv=notrunc 2>/dev/null
> losetup -d /dev/loop3
>
> This example uses a random key with loop-aes, then a dd fill of zeros is
> converted
> to random ciphertext. Note the uuencoding of /dev/urandom output and it
> being
> piped into losetup.
>

I have checked the modules and I am able to load them using modprobe.

--
regards,

Anand Gupta
> Thanks for the response and detailed explanation.

No problem!

> I checked in the kernel and i have the dm-crypt compiled as a module. I can
> load the module using modprobe dm-crypt and it shows up in lsmod.

Cool.

> Now when i try to use losetup again, here is what i get
>
> losetup -e dm-crypt /dev/loop0 /dev/sda2
> Password:
> ioctl: LOOP_SET_STATUS: Invalid argument

That's ok - dm-crypt isn't a drop-in replacement for cryptoloop, so this command isn't needed. dm-crypt uses the device mapper framework.

This page seems to have some useful details on dm-crypt, although I'm not sure how current it is: http://www.saout.de/misc/dm-crypt/

Take a look at your distro packages, see if you can find something called "cryptsetup" and see if that does what you want. I've not used dm-crypt, so I don't know if there is any better tool for the job. Please exercise caution until you know it does what you want!

If you still have problems, please let us know and we can try to figure something else out...

Cheers,
Mark

> The error "Invalid argument" is what is causing the problem and i can't
> seem to find why its doing so.
>
> Here is the list of modules loaded
>
> lsmod
>
> Module Size Used by
> dm_crypt 14480 0
> des 20992 0
> aes 31808 0
> twofish 43136 0
> ipv6 260096 14
> binfmt_misc 13708 1
> dm_mod 53328 1 dm_crypt
> ide_generic 5504 0 [permanent]
> aacraid 58880 0
> ext3 122256 1
> jbd 58664 1 ext3
> raid1 22400 0
> ide_disk 17280 0
> ata_piix 14852 0
> libata 61720 1 ata_piix
> sd_mod 19712 0
> scsi_mod 140816 3 aacraid,libata,sd_mod
>
> I am sure there would be some stupid mistake because of which this is not
> working.
>
> I will appreciate if you can help me sort this.
>
> On 28 Dec 2006 02:17:13 +0000, M.A. Williamson <maw48@cam.ac.uk> wrote:
> >
> >
> > You should be able to use cryptoloop or dm-crypt. The latter
> > device-mapper based solution is the recommended alternative these days.
> > These both give you an encrypted block device on which to run your
> > filesystem.
> >
> > eCryptfs isn't available in the XenLinux we currently have. However,
> > it's being merged into future releases of the mainline kernel, so it'll
> > filter down to XenLinux at some stage. eCryptfs allows you to encrypt
> > files on an individual basis, so is rather different to use than the
> > above solutions - it may be more or less useful, depending on your
> > objectives.
> >
> > anyhow, we'll talk about cryptoloop and dm-crypt for now, since these are
> > the ones that are going to be most straightforward to use.
> >
> > > I also found about cryptoloop, however when i try to use it inside domU,
> > it
> > > gives me an error
> > >
> > > losetup -e cryptoloop /dev/loop0 /dev/sda2
> > > Password:
> > > ioctl: LOOP_SET_STATUS: Invalid argument
> > >
> > > I also tried various combinations
> > >
> > > losetup -e des /dev/loop0 /dev/sda2
> > > losetup -e aes128 /dev/loop0 /dev/sda2
> > > losetup -e aes-256 /dev/loop0 /dev/sda2
> > >
> > > However all the above result in the same error.
> > >
> > > How should i setup the encrypted fs ? Any help would be appreciated.
> >
> > You don't need to patch your XenLinux kernel if you want to use
> > Cryptoloop or dm-crypt. However, you'll need to recompile it.
> >
> > Reconfigure your kernel to include support for cryptoloop (you can find
> > this in make menuconfig under the menu: Device Drivers / Block devices /
> > Loopback device support / Cryptoloop support) or dm-crypt (you can find
> > this in make menuconfig under the menu: Device Drivers / Multi Device
> > Support (RAID and LVM) / Device Mapper Support / Crypt target support).
> >
> > You might as well enable both then you can play around with them. You may
> > find that once you've compiled support in, the howtos you were following
> > will Just Work(TM). You may need to install packages for your distro in
> > order to use dm-crypt.
> >
> > Note that cryptoloop does have known security vulnerabilities, which is
> > why
> > dm-crypt is now recommended.
> >
> > If you have any problems, follow up to this e-mail.
> >
> > Cheers,
> > Mark
> >
>
>
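Mark's point is that dm-crypt is a device-mapper target, not a loop-device transfer function, so `losetup -e dm-crypt` has nothing to hand the loop driver and fails as shown, while cryptsetup is what actually creates the mapping. The script below is an added example, not from the thread or from the cryptsetup project: it first checks lsmod output (Anand's own module list, embedded as a constructed sample) for dm_crypt, dm_mod and a cipher module, then shows the cryptsetup sequence that formats a partition as a LUKS volume, maps it under /dev/mapper and puts ext3 on it. The cryptsetup part needs root and a kernel with the Crypt target enabled; /dev/sda2 and the mapping name are placeholders, and nothing privileged runs until you call setup_dmcrypt yourself.

```shell
#!/bin/sh
# Added example, not code from the thread or from cryptsetup. dm-crypt is a
# device-mapper target: cryptsetup builds the mapping, and losetup plays no
# part in it. Device paths and the mapping name below are placeholders.

# Constructed sample: the lsmod(8) lines Anand posted, in lsmod's own layout.
SAMPLE_LSMOD='Module                  Size  Used by
dm_crypt               14480  0
des                    20992  0
aes                    31808  0
twofish                43136  0
dm_mod                 53328  1 dm_crypt
ext3                  122256  1
jbd                    58664  1 ext3'

# Succeed if module $2 is listed in lsmod output $1 (exact match on column 1;
# the header line is skipped so "Module" itself never matches).
has_module() {
    printf '%s\n' "$1" | awk -v m="$2" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# Succeed when everything a dm-crypt AES mapping needs is loaded: the crypt
# target, the device-mapper core and the cipher. Built-in (non-modular)
# support does not show up in lsmod, so a failure here means "check .config".
dmcrypt_ready() {
    has_module "$1" dm_crypt && has_module "$1" dm_mod && has_module "$1" aes
}

# Root only; wipes $1. Formats the partition as a LUKS volume, opens it as
# /dev/mapper/$2 and puts an ext3 filesystem on the mapped device. LUKS keeps
# the cipher parameters and a salted passphrase slot in an on-disk header, so
# the volume can be reopened later with the passphrase.
setup_dmcrypt() {
    dev=$1    # e.g. /dev/sda2 (placeholder)
    name=$2   # e.g. cryptdata (placeholder)
    cryptsetup luksFormat "$dev"            # prompts for confirmation and passphrase
    cryptsetup luksOpen "$dev" "$name"      # dm-crypt mapping appears as /dev/mapper/$name
    mkfs.ext3 "/dev/mapper/$name"
    mkdir -p "/mnt/$name"
    mount "/dev/mapper/$name" "/mnt/$name"
}

# Unmount and remove the mapping again; only ciphertext remains on the partition.
teardown_dmcrypt() {
    name=$1
    umount "/mnt/$name"
    cryptsetup luksClose "$name"
}

# Typical use on the domU (as root); nothing runs until you call it:
#   dmcrypt_ready "$(lsmod)" && setup_dmcrypt /dev/sda2 cryptdata
```

The module check mirrors what Anand did by hand and is the only part the test exercises; the cryptsetup sequence is the replacement for the failing losetup command and is deliberately left as functions so the script can be sourced without touching any device.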