This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • New note by bobjonkman 23 October 2018
      If you get the chance, come to #Kitchener to hear Sailesh Rao, one of the original proponents of #ClimateVegan speak: http://kwpeace.ca/event/faith-and-climate-transformation-a-presentation-with-dr-sailesh-rao/?instance_id=6408 /cc @me @avolkov
    • New note by bobjonkman 18 October 2018
      I have no idea what I'm looking at or listening to. #LudditesAreWe
    • bobjonkman repeated a notice by bobjonkmangreen 15 October 2018
      RT @bobjonkmangreen I'm going out to our MPP's office this afternoon to protest the cut of the $15/hr legislation, and all the other rollbacks such as paid sick days, equal pay rules and laws to make it easier to join a union. https://bobjonkman.ca/event/waterloo-action-to-defend-15-min-wage-decent-work-laws/?instance_id=402 #ONpoli #Ontario
    • New note by bobjonkman 15 October 2018
      That's pretty much what's happening in #Ontario right now... #ONpoli
    • bobjonkman repeated a notice by inkslinger 15 October 2018
      RT @inkslinger The UCP is just blatantly admitting they don't care about public opinion and that they'll deliberately try to move legislation at a pace that's too quick for people to organize and oppose. Disgusting.https://edmontonjournal.com/news/local-news/quick-laws-and-freezing-wages-jason-kenney-outlines-plans-for-power#alberta #canada #politics #cdnpoli
    • Favorite 14 October 2018
      bobjonkman favorited something by modernindustrial: @ink_slinger I'm not sure liberalism has necessarily failed, but our governmental structures have.Proportional representation would go a long way to fixing it, but I still haven't figured out how to stop the corrosive effects of concentrated capital over long timespans.
    • Favorite 14 October 2018
      bobjonkman favorited something by modernindustrial: @ink_slinger I lean toward basic income, high marginal tax rates on large incomes, and strict white collar crime enforcement. Capitalism is really good at finding clever ways to do things in ways central planning isnt - the question for me is how to maintain sufficient containment so that the power […]
    • bobjonkman repeated a notice by gwmngilfen 13 October 2018
      RT @gwmngilfen OK, I can kinda put a bit of weight on it now. Probably will be fine by morning...While I was sitting around with little yo do, I decided to make a small thing. Definitely not rigorous, but maybe interesting? You tell me :)https://gwmngilfen.shinyapps.io/ScotlandClimate/#rstats #climate #weather #shiny
    • Favorite 13 October 2018
      bobjonkman favorited something by gwmngilfen: OK, I can kinda put a bit of weight on it now. Probably will be fine by morning...While I was sitting around with little yo do, I decided to make a small thing. Definitely not rigorous, but maybe interesting? You tell me :)https://gwmngilfen.shinyapps.io/ScotlandClimate/#rstats #climate #weather #shiny
    • New note by bobjonkman 13 October 2018
      And, of course, you'll need @pixley's explanation of how it all works: https://knzk.me/users/Pixley/statuses/100883510935121910

How To Create an Encrypted Drive in a File Container

Posted by Bob Jonkman on 9th October 2017

Inspired by The Linux Experiment, I want to create an encrypted drive in a file container using only the command line.

Creating an encrypted file container

Create the container file. We’ll call it containerfile.img:


laptop:~/temp$ fallocate -l 250MB containerfile.img

laptop:~/temp$ ls -l
total 244148
-rw-rw-r-- 1 bjonkman bjonkman 250000000 Oct  8 22:45 containerfile.img

laptop:~/temp$

Create the encrypted LUKS volume. Note that creating volumes and file systems requires elevated privileges, so we use the sudo command:


laptop:~/temp$ sudo cryptsetup luksFormat containerfile.img 
[sudo] password for bjonkman: 

WARNING!
========
This will overwrite data on containerfile.img irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
Command successful.

laptop:~/temp$

Of course, the passphrase doesn’t show on the screen, not even as asterisks. That would give a shouldersurfer an idea of how long the passphrase is. It is a long passphrase, right?

Open the encrypted LUKS volume, which we’ll call cryptvolume:


laptop:~/temp$ sudo cryptsetup luksOpen containerfile.img cryptvolume
Enter passphrase for containerfile.img: 

laptop:~/temp$

Let’s see if the encrypted LUKS volume exists:


laptop:~/temp$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0 465.8G  0 disk  
├─sda1                                          8:1    0   243M  0 part  
├─sda2                                          8:2    0    14G  0 part  /
└─sda3                                          8:3    0     1K  0 part  
loop4                                           7:4    0 238.4M  0 loop  
└─cryptvolume                                 252:11   0 236.4M  0 crypt 

laptop:~/temp$

Yay!

Now we create a filesystem inside the encrypted LUKS volume. We’ll give it the label cryptdrive:


laptop:~/temp$ sudo mkfs -L cryptdrive -t ext4 /dev/mapper/cryptvolume 
mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 253952 1k blocks and 63488 inodes
Filesystem UUID: 040765be-eddb-4ea6-b8d8-594b81233465
Superblock backups stored on blocks: 
	8193, 24577, 40961, 57345, 73729, 204801, 221185

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done 

laptop:~/temp$

Create a mount point, which we’ll call mountpoint, then mount the encrypted drive:


laptop:~/temp$ mkdir mountpoint

laptop:~/temp$ sudo mount /dev/mapper/cryptvolume mountpoint

laptop:~/temp$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0 465.8G  0 disk  
├─sda1                                          8:1    0   243M  0 part  
├─sda2                                          8:2    0    14G  0 part  /
└─sda3                                          8:3    0     1K  0 part  
loop4                                           7:4    0 238.4M  0 loop  
└─cryptvolume                                 252:11   0 236.4M  0 crypt /home/bjonkman/temp/mountpoint

laptop:~/temp$ ls -l
total 244149
-rw-rw-r-- 1 bjonkman bjonkman 250000000 Oct  8 23:19 containerfile.img
drwxr-xr-x 3 root     root          1024 Oct  8 23:14 mountpoint

laptop:~/temp$

Note that the encrypted file system still belongs to root:root because we used the sudo command.

Change file ownership to bjonkman:bjonkman so I can read/write to it without elevated permissions:


laptop:~/temp$ sudo chown bjonkman: mountpoint/

laptop:~/temp$ ls -l
total 244149
-rw-rw-r-- 1 bjonkman bjonkman 250000000 Oct  8 23:19 containerfile.img
drwxr-xr-x 3 bjonkman bjonkman      1024 Oct  8 23:14 mountpoint

laptop:~/temp$

Since an encrypted container file is probably secret, it shouldn’t be visible to groups or others, so remove those file permissions:


laptop:~/temp$ chmod go-rwx containerfile.img 

laptop:~/temp$ ls -l
total 244149
-rw------- 1 bjonkman bjonkman 250000000 Oct  8 23:34 containerfile.img
drwxr-xr-x 3 bjonkman bjonkman      1024 Oct  8 23:14 mountpoint

laptop:~/temp$

Do some work in the encrypted drive:


laptop:~/temp$ echo "Hello World" > mountpoint/hello.txt

laptop:~/temp$ ls -l mountpoint/
total 13
-rw-rw-r-- 1 bjonkman bjonkman    12 Oct  8 23:53 hello.txt
drwx------ 2 root     root     12288 Oct  8 23:14 lost+found

laptop:~/temp$

And finally, unmount the encrypted filesystem and close the encrypted volume:


laptop:~/temp$ sudo umount mountpoint/

laptop:~/temp$ sudo cryptsetup luksClose cryptvolume 

laptop:~/temp$

Using an encrypted file container

Next time you want to do some work:


laptop:~/temp$ sudo cryptsetup luksOpen containerfile.img cryptvolume
Enter passphrase for containerfile.img: 

laptop:~/temp$ sudo mount /dev/mapper/cryptvolume mountpoint

laptop:~/temp$ echo "Hello again" > mountpoint/again.txt

laptop:~/temp$ ls -l mountpoint/
total 14
-rw-rw-r-- 1 bjonkman bjonkman    12 Oct  9 00:12 again.txt
-rw-rw-r-- 1 bjonkman bjonkman    12 Oct  8 23:53 hello.txt
drwx------ 2 root     root     12288 Oct  8 23:14 lost+found

laptop:~/temp$ sudo umount mountpoint/

laptop:~/temp$ sudo cryptsetup luksClose cryptvolume 

laptop:~/temp$

Using an encrypted file container from the GUI

Once the encrypted file container has been created you can open it from the graphical file manager just by double-clicking:
File manager window

Enter the passphrase to unlock the volume:
A file manager window and a password prompt window

A file manager window for the encrypted volume opens:
Two file manager windows

Note that the mountpoint is /media/bjonkman/cryptdrive/, chosen by the Gnome Disk Mounter application that runs when you doubleclick the container:


laptop:~/temp$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0 465.8G  0 disk  
├─sda1                                          8:1    0   243M  0 part  
├─sda2                                          8:2    0    14G  0 part  /
└─sda3                                          8:3    0     1K  0 part  
loop5                                           7:5    0 238.4M  1 loop  
└─luks-54f8e41b-73bf-4adf-aa29-a147733c5202   252:11   0 236.4M  1 crypt /media/bjonkman/cryptdrive

laptop:~/temp$

Also, note that the encrypted drive is mounted read-only:


laptop:~/temp$ mount | grep cryptdrive
/dev/mapper/luks-54f8e41b-73bf-4adf-aa29-a147733c5202 on /media/bjonkman/cryptdrive type ext4 (ro,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)

laptop:~/temp$

Gnome Disk Mounter can be launched from the command line with a --writeable or -w parameter:
Command line window and Enter Passphrase window

Happily, this all works without elevated privileges; no sudo required. I don’t know how to open an encrypted file container using only command line tools without using sudo, nor how to launch Gnome Disk Manager in writeable mode just by doubleclicking — if you know, leave a comment or send me e-mail!

TL;DR:


fallocate -l 250MB containerfile.img

sudo cryptsetup luksFormat containerfile.img

sudo cryptsetup luksOpen containerfile.img cryptvolume

sudo mkfs -L cryptdrive -t ext4 /dev/mapper/cryptvolume

mkdir mountpoint

sudo mount /dev/mapper/cryptvolume mountpoint

sudo chown bjonkman: mountpoint/

chmod go-rwx containerfile.img

(do some work)

sudo umount mountpoint/

sudo cryptsetup luksClose cryptvolume

-----

sudo cryptsetup luksOpen containerfile.img cryptvolume
sudo mount /dev/mapper/cryptvolume mountpoint
(do some work)
sudo umount mountpoint/
sudo cryptsetup luksClose cryptvolume

Tags: , , ,
Posted in Crypto, GNU/Linux | 1 Comment »

Preparing for the Keysigning Cryptoparty, 2 Dec 2013

Posted by Bob Jonkman on 24th November 2013

Key Pair

Cryptoparty like it’s 31 December 1983!

At the next KWLUG meeting on Monday, 2 December 2013 I’ll be demonstrating how to do e-mail encryption with Thunderbird and Enigmail. If you’ve never used e-mail encryption before then bring a laptop, and we’ll create keys and learn how to use them. We’ll save the lesson with pointy sticks for another day.

For those people who already have GnuPG/PGP keys I’m also hosting a Formal Keysigning. Participants will introduce themselves, read their GnuPG key fingerprint, then anyone else is invited to vouch for that person:

Bob: “I’m Bob Jonkman, and my GnuPG fingerprint is 04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA”

Andrew: “I’ve known Bob since the early days, and that’s really him”

This is a great way to expand your Web Of Trust to include people whose keys you might not otherwise sign (because you don’t know them very well, or they only have ID issued by an authority you don’t like). With all these introductions and vouchings the chance of someone misrepresenting their identity is vanishingly small, so you can trust that the key fingerprint they read is really associated with that person.

To make this process go smoothly I’d like to have a printout of all the participants’ keyIDs, UserIDs, and key fingerprints, which I’ll distribute at the keysigning. That way you can just check off each name/keyID/fingerprint as people read them, and then sign their keys later at your leisure. But to get that printout I’ll need the public key of anyone who would like to participate in the keysigning.

If you’re using Thunderbird and Enigmail then open the Key Management window, right-click on your key and select “Send Public Keys by E-mail”, and send it to me ( bjonkman@sobac.com )

If you’re a command-line weenie then use

gpg --export 0xYOURKEYID > 0xYOURKEYID-public-key-for-YOURNAME.pgp

and send that file 0xYOURKEYID-public-key-for-YOURNAME.pgp to me (substitute your actual keyID and actual name as needed).

Of course, I’d prefer signed, encrypted e-mail, but public keys are public (so encryption isn’t necessary), and public keys should already be self-signed anyway.

Unfortunately, if you’re creating your keys for the first time at the meeting you won’t be able to send me anything now. You can still participate in the vouching process, and we’ll have an informal keysigning after the formal keysigning, where all you need to do is read your fingerprint straight from your computer and those people who already know you can sign your key.

I’m still working on the procedures for the formal keysigning; you can see the work in progress (and contribute!) on the Formal Keysigning page on the Wiki.

Thanx, and hope to see you on Monday, 2 December 2013!

–Bob, who is the Keymaster. Who will be the Gatekeeper?

The Cryptoparty keypair logo from the Cryptoparty Artwork repository on GitHub is available in the CC0Public Domain.

Tags: , , , , , , , , , , , , , , , , , ,
Posted in Crypto, email, KWLUG, PGP/GPG, privacy | Comments Off on Preparing for the Keysigning Cryptoparty, 2 Dec 2013

 
Better Tag Cloud