Cryptmount - user-mode management of Linux encrypted filesystems

cryptmount allows any user to access encrypted filing systems on demand under GNU/Linux systems running at least a 2.6-series kernel. It also assists the system administrator in creating and managing encrypted filesystems based on the kernel's dm-crypt device-mapper target.

After initial configuration by the superuser, an ordinary user can mount or unmount filesystems managed by cryptmount solely by providing the decryption password, with any system devices needed to access the filing system being configured automatically. A wide variety of encryption schemes (provided by the kernel and the libgcrypt library) can be used to protect both the filing system and the access key. The protected filing systems can reside in either ordinary files, or raw disk partitions.

Installation

To build cryptmount from source, please follow the instructions in the INSTALL.md file in the top directory of the source package.

cryptmount has been tested on a wide variety of GNU/Linux platforms including: ArchLinux, CentOS, Debian, Fedora, Gentoo, Mageia, Ubuntu etc.

For the most recent source-bundles of cryptmount, please see GitHub, where the latest developer versions can also be found.

An encrypted filing system must initially be created by the superuser. A basic setup can be created interactively by running the cryptmount-setup program, which is typically installed in /usr/local/sbin/, and will use the LUKS encryption format by default.

More elaborate situations can be handled by manual editing of the filesystem definition, typically in /etc/cryptmount/cmtab. For example, an entry of the form:

    crypt {
        dev=/home/crypt.fs dir=/mnt/crypt
        fstype=ext4 mountoptions=defaults
        keyformat=luks
    }

describes a LUKS-encrypted filesystem held in an ordinary file (/home/crypt.fs), which will be mounted at /mnt/crypt. The entry name (here "crypt") is the target name passed to cryptmount on the command line, and the device-mapper node it creates appears as /dev/disk/by-id/dm-name-crypt.

Such a filesystem could be initialized as follows:

    # all of these steps are performed by the superuser
    test -e /home/crypt.fs || dd if=/dev/zero of=/home/crypt.fs bs=1M count=128   # 128 MiB container file
    mkdir /mnt/crypt                               # mount-point named in cmtab
    cryptmount --generate-key 32 crypt             # write LUKS header with a 32-byte key; prompts for a passphrase
    cryptmount --prepare crypt                     # set up the dm-crypt target (prompts for the passphrase)
    mke2fs -t ext4 /dev/disk/by-id/dm-name-crypt   # format the plaintext side of the mapping
    cryptmount --release crypt                     # tear the mapping down again

Further details are available in the installed manual pages.
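The following script is an added example and is not part of cryptmount itself; it wraps the cmtab entry and the initialisation sequence above into one root-run procedure with the checks a careful administrator would add: refusing to clobber an existing cmtab target, creating the container and any key material with an owner-only umask, and filling a new container with random data rather than zeros so that the ciphertext does not reveal which blocks have been written. The cmtab path, the container size and the function names (`cmtab_entry`, `cmtab_has_target`, `is_private_file`, `init_container`) are this example's own assumptions; the cryptmount invocations and the dm-name path are the ones documented above.

```shell
#!/bin/sh
# Added example (not cryptmount's own code): create a LUKS container in a
# file, register it in cmtab and format it, following the README sequence.
# Assumes cryptmount is installed and cmtab lives at /etc/cryptmount/cmtab.
set -eu

CMTAB=${CMTAB:-/etc/cryptmount/cmtab}   # assumed location of the definition file

# Print a cmtab entry in the same form as the README example.
# Arguments: name container-file mount-point fstype
cmtab_entry() {
    printf '%s {\n    dev=%s dir=%s\n    fstype=%s mountoptions=defaults\n    keyformat=luks\n}\n' \
        "$1" "$2" "$3" "$4"
}

# Return 0 if a target of the given name is already defined in a cmtab file.
# Arguments: cmtab-file name
cmtab_has_target() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*\{" "$1"
}

# Return 0 if a file is readable only by its owner (no group/other bits).
# Uses GNU stat's octal mode output (Linux).
is_private_file() {
    mode=$(stat -c %a -- "$1") || return 1
    case "$mode" in
        0|*00) return 0 ;;     # e.g. 600, 700, 4600: group and other are zero
        *)     return 1 ;;
    esac
}

# Privileged part: append the cmtab entry, create the container, write the
# LUKS header, format the plaintext device and release it again.
# Arguments: name container-file mount-point size-in-MiB
init_container() {
    name=$1; dev=$2; dir=$3; size_mb=$4
    [ "$(id -u)" -eq 0 ] || { echo "init_container: must run as root" >&2; return 1; }
    if cmtab_has_target "$CMTAB" "$name"; then
        echo "init_container: target '$name' already defined in $CMTAB" >&2
        return 1
    fi
    umask 077                      # container file stays owner-only
    cmtab_entry "$name" "$dev" "$dir" ext4 >> "$CMTAB"
    if [ ! -e "$dev" ]; then
        # Random fill instead of the README's /dev/zero: with a zero-filled
        # container, written blocks are distinguishable from unused ones.
        dd if=/dev/urandom of="$dev" bs=1M count="$size_mb" status=none
    fi
    is_private_file "$dev" || { echo "init_container: $dev is group/world readable" >&2; return 1; }
    mkdir -p "$dir"
    cryptmount --generate-key 32 "$name"              # prompts for the LUKS passphrase
    cryptmount --prepare "$name"
    mke2fs -q -t ext4 "/dev/disk/by-id/dm-name-$name"
    cryptmount --release "$name"
    echo "target '$name' ready; mount it with: cryptmount $name"
}

# Usage (as root): sh init-crypt.sh --run crypt /home/crypt.fs /mnt/crypt 128
if [ "${1:-}" = "--run" ]; then
    shift
    init_container "$@"
fi
```

The helper functions are kept separate from `init_container` so the non-privileged parts (rendering the entry, detecting a duplicate target, checking file permissions) can be exercised without root or a real container; only `init_container` calls cryptmount and mke2fs.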

Thereafter, the following command, executed by an ordinary user, will make the filing system accessible below /mnt/crypt:

    cryptmount crypt

and the following will unmount it:

    cryptmount -u crypt

If using a separate keyfile (keyformats other than luks, where the key material is instead held in the LUKS header at the start of the container), please take great care that you do not delete that file, as this will make access to your filesystem (essentially) impossible. You are strongly advised to keep a backup copy of the key-file, stored separately from the container and protected at least as well as the original.

Signing keys

The current GPG signature used for cryptmount releases has fingerprint 7A09 0051 9745 19A3 ED1B D4CB A6CF D54C 4405 160E. (The previous key, 78BC 1A99 61DC 2DAA 7BF8 99DB A6D8 2C65 B8CE F5E7, expired in May 2023.)