diff --git a/.gitignore b/.gitignore index bb769eb..670d56f 100644 --- a/.gitignore +++ b/.gitignore @@ -18,6 +18,7 @@ cm-*.so config.h config.log config.status +debian/*-debtx debian/patches/docfiles-pathnames.patch delegates.h doxygen.conf diff --git a/INSTALL b/INSTALL.md similarity index 77% rename from INSTALL rename to INSTALL.md index 98c1c8e..fff513f 100644 --- a/INSTALL +++ b/INSTALL.md @@ -20,7 +20,7 @@ and these can be installed using normal package-management tools. In general, this is by far the easiest method of installing cryptmount. For example, on Debian or Ubuntu systems, one can simply run - # sudo apt-get install cryptmount + sudo apt-get install cryptmount Manual compilation @@ -31,10 +31,10 @@ you want to customize some of its features, then this may require additional packages to be available, and should be driven by the "configure" script. If the configure script is missing, for example if working with a clone of -cryptmount's GitHub repository (https://github.com/rwpenney/cryptmount), +cryptmount's [GitHub repository](https://github.com/rwpenney/cryptmount), then you may need to set up autoconf (version 2.61 or later), and run - # aclocal; autoconf; automake -a -c -i + aclocal; autoconf; automake -a -c -i Dependencies @@ -59,7 +59,7 @@ You will also need to ensure that your system has support for the loopback and device-mapper devices, which may require loading of kernel modules when you first use cryptmount, e.g. - # sudo modprobe -a loop dm-crypt + sudo modprobe -a loop dm-crypt This is automatically performed on system reboot by setup scripts supplied with cryptmount. 
@@ -73,47 +73,47 @@ key libraries and header files needed by cryptmount, and allow customization of the directory locations where cryptmount will be installed. Typically, one can simply run: - # ./configure + ./configure although additional command-line options can also be supplied, such as: - --prefix=/usr + --prefix=/usr # To install beneath /usr rather than /usr/local - --sysconfdir=/etc/cryptmount + --sysconfdir=/etc/cryptmount # To specify the directory where the "cmtab" will be stored - --disable-luks + --disable-luks # Turn-off support for LUKS encrypted containers - --with-systemd + --with-systemd # Use systemd boot-up configuration, rather than sysvinit A full list of options can be obtained by running - # ./configure --help + ./configure --help Compilation and installation ---------------------------- -If "configure" has run successfully (generating a "config.h" file), +If "configure" has run successfully (generating a `config.h` file), it should now be sufficient to run: - # make - # sudo make install + make + sudo make install -This should install both the cryptmount and cryptmount-setup executables, +This should install both the `cryptmount` and `cryptmount-setup` executables, together with manual pages and an empty filesystem configuration file. Running - # sudo cryptmount-setup + sudo cryptmount-setup will allow interactive creation of a basic encrypted filesystem (using LUKS, if available). More sophisticated scenarios can be handled -by manual editing of the "cmtab", following the guidance in the manual pages: +by manual editing of the `cmtab`, following the guidance in the manual pages: - # man cryptmount - # man 5 cmtab + man cryptmount + man 5 cmtab In outline, if not using the cryptmount-setup script, one can add an entry to /etc/cryptmount/cmtab that describes the encrypted filesystem 
@@ -127,12 +127,12 @@ that we want to create: Thereafter, one can prepare the key-file and filing system as follows: - # sudo cryptmount --generate-key 32 crypt - # test -e /home/crypt.fs || sudo dd if=/dev/zero of=/home/crypt.fs bs=1M count=128 - # sudo mkdir /mnt/crypt - # sudo cryptmount --prepare crypt - # sudo mke2fs -t ext4 /dev/mapper/crypt - # sudo cryptmount --release crypt + test -e /home/crypt.fs || sudo dd if=/dev/zero of=/home/crypt.fs bs=1M count=128 + sudo mkdir /mnt/crypt + sudo cryptmount --generate-key 32 crypt + sudo cryptmount --prepare crypt + sudo mke2fs -t ext4 /dev/mapper/crypt + sudo cryptmount --release crypt Configuring filesystems at system bootup @@ -141,15 +141,15 @@ Configuring filesystems at system bootup If you want to have encrypted filesystems setup at system boot-up, this can be achieved using either 'systemd' or the supplied 'initscript' program which is normally automatically installed as /etc/init.d/cryptmount . -Both of these mechanisms use the 'bootaction' parameter within -/etc/cryptmount/cmtab to adjust how each filesystem is +Both of these mechanisms use the `bootaction` parameter within +`/etc/cryptmount/cmtab` to adjust how each filesystem is handled on system bootup. -If using the 'initscript' program, you may need to create symbolic links -from /etc/rc?.d to /etc/init.d/cryptmount (in a way that depends +If using the `initscript` program, you may need to create symbolic links +from /etc/rc?.d to `/etc/init.d/cryptmount` (in a way that depends on the precise details of your distribution), with something like - # sudo update-rc.d cryptmount defaults 28 + sudo update-rc.d cryptmount defaults 28 being suitable under Debian systems. 
@@ -159,7 +159,7 @@ Common problems When configuring the system devices needed to support an encrypted filesystem, cryptmount will issue various requests through the device-mapper library. -Unfortunately, many of the error messages issued by that library +Unfortunately, some of the error messages issued by that library (as of version 1.02) are not easy to interpret. In situations where the device-mapper is compiled as a kernel module, @@ -172,26 +172,26 @@ an error of the form then this may indicate that the dm-mod kernel-module is not loaded. This can be (temporarily) solved by issuing the command: - # sudo modprobe -a dm-mod dm-crypt + sudo modprobe -a dm-mod dm-crypt In order to ensure that this happens automatically when you reboot, you can add a line containing -"dm-mod" to /etc/modules, or add a line of the form +`dm-mod` to `/etc/modules`, or add a line of the form modprobe -q -a dm-mod dm-crypt || true -to /etc/rc.local, or ensure that the cryptmount-startup scripts installed +to `/etc/rc.local`, or ensure that the cryptmount-startup scripts installed in /etc/init.d are run on system startup (e.g. by installing suitable -symbolic-links from /etc/rc*.d). +symbolic-links from /etc/rc\*.d). When setting up a new encrypted filing system, typically when issuing a -'cryptmount --prepare' command, you may receive an error message of the form +`cryptmount --prepare` command, you may receive an error message of the form device-mapper ioctl cmd 9 failed: Invalid argument which may mean that you have chosen a key-size that isn't supported by your chosen cipher algorithm. You can get some information about suitable key-sizes -by checking the output from 'more /proc/crypto', and looking at the +by checking the output from `more /proc/crypto`, and looking at the 'min keysize' and 'max keysize' fields.) diff --git a/Makefile.am b/Makefile.am index c1409d1..cbd5072 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -24,7 +24,7 @@ endif localedir=$(datadir)/locale AM_CPPFLAGS += -DLOCALEDIR=\"$(localedir)\" EXTRA_DIST = config.rpath mkinstalldirs cmtab.example \ - README.md README.sshfs RELNOTES cryptmount.spec \ + INSTALL.md README.md README.sshfs RELNOTES cryptmount.spec \ debian/changelog debian/control \ debian/copyright debian/docs \ debian/rules debian/cryptmount.lintian-overrides \ diff --git a/README.md b/README.md index ce0fd48..2f83774 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ or raw disk partitions. ## Installation To build cryptmount from source, please follow the instructions in -the file 'INSTALL' in the same directory as this file. +the file 'INSTALL.md' in the same directory as this file. cryptmount has been tested (using the ["mudslinger"](testing/mudslinger.in) script on a variety of GNU/Linux platforms including: @@ -48,9 +48,9 @@ and which will be mounted beneath `/mnt/crypt`. Such a filesystem could be initialized as follows: ``` - cryptmount --generate-key 32 crypt test -e /home/crypt.fs || dd if=/dev/zero of=/home/crypt.fs bs=1M count=128 mkdir /mnt/crypt + cryptmount --generate-key 32 crypt cryptmount --prepare crypt mke2fs -t ext4 /dev/mapper/crypt cryptmount --release crypt diff --git a/armour-luks.c b/armour-luks.c index 628d85e..e022ebe 100644 --- a/armour-luks.c +++ b/armour-luks.c @@ -214,7 +214,7 @@ static uid_t luks_patch_uid(const bound_tgtdefn_t* boundtgt) if (stat(filename, &sbuff) == 0 && S_ISREG(sbuff.st_mode)) { if (setuid(geteuid()) != 0) { - fprintf(stderr, _("Failed to acquire privileges for LUKS container")); + fprintf(stderr, _("Failed to acquire privileges for LUKS container\n")); } } diff --git a/debian/control b/debian/control index 307c52d..0912069 100644 --- a/debian/control +++ b/debian/control 
@@ -12,7 +12,7 @@ Package: cryptmount Architecture: linux-any Depends: ${shlibs:Depends}, ${misc:Depends} Recommends: e2fsprogs (>= 1.42.12), udev -Suggests: openssl, dmsetup +Suggests: dmsetup Description: Management of encrypted file systems cryptmount is a utility for creating encrypted filesystems & swap partitions and which allows an ordinary user to mount/unmount filesystems @@ -31,4 +31,3 @@ Description: Management of encrypted file systems * temporary filesystems can be setup via command-line, for use in shell-scripts; * transparent configuration of dm-crypt & loopback devices during mounting; - * access keys can optionally be made compatible with OpenSSL. diff --git a/debian/docs b/debian/docs index 9102d86..0aaaac6 100644 --- a/debian/docs +++ b/debian/docs @@ -1,3 +1,4 @@ +INSTALL.md README.md README.sshfs RELNOTES diff --git a/debian/mkDebPkg b/debian/mkDebPkg new file mode 100755 index 0000000..d9736f6 --- /dev/null +++ b/debian/mkDebPkg 
@@ -0,0 +1,96 @@ +#!/bin/sh +# Construct debianized package for cryptmount +# RW Penney, June 2010 + +PACKAGE=cryptmount +VERSION=`sed -n 's/^AC_INIT[^,]*, *\([^,)]*\).*/\1/p' ../configure.ac` +PSEUDO_VERSION="" +UPSDIR=.. + +# $VERSION refers to the true version number associated with a *.tar.gz file +# $PSEUDO_VERSION is the stable release number for which a .deb should be generated + +while [ $# -gt 0 ]; do + case "$1" in + -d|--upstream-dir) + UPSDIR="$2" + shift ;; + --pseudo-version) + PSEUDO_VERSION="$2" + shift ;; + -u|--upstream-version) + VERSION="$2" + shift ;; + -*) + echo "Unrecognized option \"$1\"" ;; + esac + shift +done + +if [ -z "${PSEUDO_VERSION}" ]; then + PSEUDO_VERSION="${VERSION}" +fi + +SRCPKG="${UPSDIR}/${PACKAGE}-${VERSION}.tar.gz" +if [ ! -r "${SRCPKG}" ]; then + echo "Upstream package ${SRCPKG} is not readable" + exit 1 +fi + +echo "Building Debian version ${PSEUDO_VERSION} from ${SRCPKG} ..." + + +DEBFILES="changelog control copyright \ + docs cryptmount.lintian-overrides \ + rules preinst postinst postrm watch \ + patches/ source/ upstream/" + +debtransform="s,/usr/local/etc/,/etc/,g; \ + s,/usr/local/bin/,/usr/bin/,g; \ + s,/usr/local/sbin/,/usr/sbin/,g" +TXFILES="INSTALL.md README.md README.sshfs cmtab.example" + +TMPDIR=/tmp/cm-deb-${VERSION} +CURDIR=`pwd` +PKGDIR="${TMPDIR}/${PACKAGE}-${PSEUDO_VERSION}" + + +export QUILT_PATCHES=debian/patches +export QUILT_PATCH_OPTS="--reject-format=unified" +export QUILT_DIFF_ARGS="-p ab --no-timestamps --no-index --color=auto" +export QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index" + + +test -d "${TMPDIR}" || mkdir "${TMPDIR}" +tar -C "${TMPDIR}" -zxf ${SRCPKG} +if [ "${PSEUDO_VERSION}" != "${VERSION}" ]; then + mv "${TMPDIR}/${PACKAGE}-${VERSION}" "${PKGDIR}" +fi + +test -d patches || mkdir patches +(cd "${PKGDIR}"; test -d debian || mkdir debian) +if [ -n "${DEBFILES}" ]; then + tar -cf - ${DEBFILES} | \ + tar -C "${PKGDIR}/debian" -xpf - +fi + +cd "${PKGDIR}" +quilt new 
docfiles-pathnames.patch +for fl in ${TXFILES}; do + quilt add "${fl}" + sed "${debtransform}" ${fl} > ${fl}-debtx && mv ${fl}-debtx ${fl} + echo "Correct installation pathnames in documentation" | quilt header -r +done +quilt refresh + + +cd "${TMPDIR}" +cp ${SRCPKG} ${TMPDIR}/${PACKAGE}_${PSEUDO_VERSION}.orig.tar.gz +test -e ${SRCPKG}.sig && cp ${SRCPKG}.sig ${TMPDIR}/${PACKAGE}_${PSEUDO_VERSION}.orig.tar.gz.sig +dpkg-source -b ${TMPDIR}/${PACKAGE}-${PSEUDO_VERSION} + +cd "${CURDIR}" +mv ${TMPDIR}/${PACKAGE}_* ./ +rm -rf ${TMPDIR} + +# vim: set ts=4 sw=4 et: diff --git a/debian/patches/install-example-cmtab.patch b/debian/patches/install-example-cmtab.patch index 097ecab..cf3cca3 100644 --- a/debian/patches/install-example-cmtab.patch +++ b/debian/patches/install-example-cmtab.patch @@ -8,7 +8,7 @@ Move installation path of example configuration file to beneath /usr/share/doc - ${INSTALL_PROGRAM_ENV} ${INSTALL_DATA} cmtab.example "${DESTDIR}${CM_SYSCONF_DIR}" ; \ fi if test ! -f "${DESTDIR}${CM_SYSCONF_DIR}/cmtab" ; then \ - echo -e "# ${CM_SYSCONF_DIR}/cmtab - encrypted filesystem information for cryptmount\n# try 'man 8 cryptmount' or 'man 5 cmtab' for more details\n" >> "${DESTDIR}${CM_SYSCONF_DIR}/cmtab"; \ + echo -e "# ${CM_SYSCONF_DIR}/cmtab - encrypted filesystem information for cryptmount\n# try 'man 8 cryptmount' or 'man 5 cmtab' for more details\n# or refer to ${CM_SYSCONF_DIR}/cmtab.example\n" >> "${DESTDIR}${CM_SYSCONF_DIR}/cmtab"; \ fi + ${mkdir_p} "${DESTDIR}/usr/share/doc/cryptmount/examples" + ${INSTALL_PROGRAM_ENV} ${INSTALL_DATA} cmtab.example "${DESTDIR}/usr/share/doc/cryptmount/examples/cmtab" diff --git a/man/cmtab.5.in b/man/cmtab.5.in index 80e0c13..fcf8e6c 100644 --- a/man/cmtab.5.in +++ b/man/cmtab.5.in @@ -38,7 +38,7 @@ of the following character, for example to include a space in a filename. @CM_SYSCONF_DIR@/cmtab contains entries of the following form: -.nf +.EX TARGET_NAME { dev=DEVICE # REQUIRED flags=FLAG,FLAG,... 
@@ -60,7 +60,7 @@ of the following character, for example to include a space in a filename. keymaxlen=KEYMAXLEN passwdretries=NUMATTEMPTS } -.fi +.EE Some fields, such as \(aqdev' and \(aqfstype' are mandatory, although many fields have sensible default values. @@ -73,13 +73,13 @@ can contain references to environmental variables of the form $(HOME). The following variables are recognized, all based on the characteristics of the user currently running .B cryptmount : -.nf +.NF * $(HOME) - the home directory, as obtained from /etc/passwd * $(UID) - the numerical identifier of the user * $(USERNAME) - the printable name of the user * $(GID) - the numerical identifier of the user's current group * $(GROUPNAME) - the printable name of the user's current group -.fi +.FI .\" -------------------------------- @@ -100,7 +100,7 @@ i.e. this pseudo-target does not operate incrementally. .\" ---- .TP .B dev=DEVICE\t(required) -sets the name of the raw device (e.g. /dev/hdb63) +sets the name of the raw device (e.g. /dev/sdb63) or ordinary file (e.g. /home/secretiveuser/private.fs) that contains the encrypted filesystem. Note that it may be useful to use a symbolic name based on @@ -111,7 +111,7 @@ are added to the system, etc. .TP .B flags=FLAG,FLAG,... sets configuration switches, such as -.nf +.NF * "user" (any user can mount), * "nouser" (only root can mount), * "fsck" (automatically check filesystem before mounting), @@ -120,7 +120,7 @@ sets configuration switches, such as * "nomkswap" (don't format swap partition) * "trim" (enable TRIM/discard support on solid-state disks), * "notrim" (disable SSD TRIM/discard support) -.fi +.FI This parameter is optional and defaults to "user,fsck,nomkswap,notrim". .\" ---- .TP 
@@ -348,13 +348,13 @@ Ideally @CM_SYSCONF_DIR@/cmtab should be managed only by the system administrato makes basic checks on the security of @CM_SYSCONF_DIR@/cmtab each time it runs, and will refuse to operate unless the following conditions are met: -.nf +.NF * cmtab must be owned by root * cmtab must be a regular file * cmtab must not be globally writable * the directory containing cmtab must be owned by root * the directory containing cmtab must not be globally writable -.fi +.FI In addition, for each target within @CM_SYSCONF_DIR@/cmtab, all paths must be absolute (i.e. starting with '/'). @@ -414,8 +414,7 @@ using a variety of encryption algorithms and storing their filesystems in different ways, including a target representing an encrypted swap partition: -.nf - +.EX # @CM_SYSCONF_DIR@/cmtab # example file \- please modify before use @@ -423,6 +422,13 @@ including a target representing an encrypted swap partition: passwdretries=3 # allow 3 password attempts by default } + luks { # partition created by cryptsetup-luks + dev=/dev/sdb63 + dir=/mnt/luks-partition-$(USERNAME) + keyformat=luks + fstype=ext3 + } + basic { dev=/home/secretiveuser/crypt.fs dir=/home/secretiveuser/crypt # where to mount 
@@ -435,26 +441,26 @@ including a target representing an encrypted swap partition: } partition { - dev=/dev/hdb62 # use whole disk partition + dev=/dev/sdb62 # use whole disk partition dir=/mnt/crypt62 fstype=ext3 mountoptions=nosuid,noexec cipher=serpent-cbc-plain # information about file used to store decryption key: - keyfile=@CM_SYSCONF_DIR@/crypt_hdb62.key + keyfile=@CM_SYSCONF_DIR@/crypt_sdb62.key keyformat=openssl # use OpenSSL key-encryption keyhash=md5 keycipher=bf\-cbc # encryption of key file } subset { - dev=/dev/hdb63 + dev=/dev/sdb63 startsector=512 numsectors=16384 # use subset of partition - dir=/mnt/encrypted\\ subset\\ of\\ hdb + dir=/mnt/encrypted\\ subset\\ of\\ sdb fstype=reiserfs mountoptions=defaults cipher=twofish-cbc-plain # filesystem encryption # information about file used to store decryption key: - keyfile=@CM_SYSCONF_DIR@/crypt_hdb63.key + keyfile=@CM_SYSCONF_DIR@/crypt_sdb63.key keyformat=libgcrypt keyhash=md5 keycipher=blowfish\-cbc # encryption of key file } @@ -469,16 +475,8 @@ including a target representing an encrypted swap partition: keyfile=/dev/random keymaxlen=16 keyformat=raw } - luks { # partition created by cryptsetup-luks - dev=/dev/hdb63 - dir=/mnt/luks-partition-$(USERNAME) - keyformat=luks - keyfile=/dev/hdb63 - fstype=ext3 - } - # end of cmtab -.fi +.EE The 'basic' target uses an ordinary file "/home/secretiveuser/crypt.fs" to store the encrypted filesystem, diff --git a/man/cryptmount.8.in b/man/cryptmount.8.in index 86a1f1b..a10e490 100644 --- a/man/cryptmount.8.in +++ b/man/cryptmount.8.in 
@@ -176,19 +176,19 @@ which can be used by the superuser to interactively configure a basic setup. Alternatively, a manual setup allows more control of configuration settings. Before doing so, one should ensure that kernel support for /dev/loop and /dev/mapper is available, e.g. via -.nf +.EX modprobe \-a loop dm\-crypt -.fi +.EE Now suppose that we wish to setup a new encrypted filesystem, that will have a target-name of "opaque". -If we have a free disk partition available, say /dev/hdb63, then we can use this directly to store the encrypted filesystem. +If we have a free disk partition available, say /dev/sdb63, then we can use this directly to store the encrypted filesystem. Alternatively, if we want to store the encrypted filesystem within an ordinary file, we need to create space using a recipe such as: -.nf +.EX dd if=/dev/zero of=/home/opaque.fs bs=1M count=512 -.fi +.EE -and then replace all occurrences of '/dev/hdb63' in the following +and then replace all occurrences of '/dev/sdb63' in the following with '/home/opaque.fs'. (/dev/urandom can be used in place of /dev/zero, debatably for extra security, but is rather slower.) @@ -197,14 +197,14 @@ First, we need to add an entry in @CM_SYSCONF_DIR@/cmtab, which describes the encryption that will be used to protect the filesystem itself and the access key, as follows: -.nf +.EX opaque { - dev=/dev/hdb63 dir=/home/crypt + dev=/dev/sdb63 dir=/home/crypt fstype=ext2 mountoptions=defaults cipher=twofish keyfile=@CM_SYSCONF_DIR@/opaque.key keyformat=builtin } -.fi +.EE Here, we will be using the "twofish" algorithm to encrypt the filesystem itself, @@ -215,9 +215,9 @@ In order to generate a secret decryption key (in @CM_SYSCONF_DIR@/opaque.key) that will be used to encrypt the filesystem itself, we can execute, as root: -.nf +.EX cryptmount \-\-generate\-key 32 opaque -.fi +.EE This will generate a 32-byte (256-bit) key, which is known to be supported by the Twofish cipher algorithm, 
@@ -226,9 +226,9 @@ after asking the system administrator for a password. If we now execute, as root: -.nf +.EX cryptmount \-\-prepare opaque -.fi +.EE we will then be asked for the password that we used when setting up @CM_SYSCONF_DIR@/opaque.key, which will enable @@ -245,9 +245,9 @@ by checking the output from "more /proc/crypto", and looking at the We can now use standard tools to create the actual filesystem on /dev/mapper/opaque: -.nf +.EX mke2fs /dev/mapper/opaque -.fi +.EE (It may be advisable, after the filesystem is first mounted, to check that the permissions of the top-level directory @@ -255,29 +255,29 @@ created by mke2fs are appropriate for your needs.) After executing -.nf +.EX cryptmount \-\-release opaque mkdir /home/crypt -.fi +.EE the encrypted filesystem is ready for use. Ordinary users can mount it by typing -.nf +.EX cryptmount \-m opaque -.fi +.EE or -.nf +.EX cryptmount opaque -.fi +.EE and unmount it using -.nf +.EX cryptmount \-u opaque -.fi +.EE .B cryptmount keeps a record of which user mounted each filesystem @@ -292,9 +292,9 @@ After a filesystem has been in use for a while, one may want to change the access password. For an example target called "opaque", this can be performed by executing: -.nf +.EX cryptmount \-\-change\-password opaque -.fi +.EE After successfully supplying the old password, one can then choose a new password which will be used to re-encrypt the access key for the 
@@ -313,34 +313,34 @@ application. In order to access an existing LUKS partition, an entry needs to be created within @CM_SYSCONF_DIR@/cmtab. -For example, if the hard-disk partition /dev/hdb62 +For example, if the hard-disk partition /dev/sdb62 is used to contain a LUKS encrypted ext3 filesystem, an entry of the form: -.nf +.EX LUKS { keyformat=luks - dev=/dev/hdb62 keyfile=/dev/hdb62 + dev=/dev/sdb62 keyfile=/dev/sdb62 dir=/home/luks-dir fstype=ext3 } -.fi +.EE would allow this to be mounted via .B cryptmount beneath /home/luks-dir by executing -.nf +.EX cryptmount LUKS -.fi +.EE .B cryptmount will also allow any user that knows one of the access-passwords to change their password via -.nf +.EX cryptmount \-\-change-password LUKS -.fi +.EE .B cryptmount also provides basic support for creating new LUKS encrypted filesystems, @@ -379,21 +379,21 @@ Suppose that we wish to check the filesystem associated with .B cryptmount target 'opaque', we first need to prepare the decryption devices: -.nf +.EX cryptmount \-\-prepare opaque -.fi +.EE this will create a device-mapper target accessible via '/dev/mapper/opaque', on which we can then run standard checking utilities: -.nf +.EX fsck \-t auto /dev/mapper/opaque -.fi +.EE After these tests have been completed, we can then release the devices: -.nf +.EX cryptmount \-\-release opaque -.fi +.EE and continue using the filesystem as before. ___END_FSCK_1 @@ -422,7 +422,7 @@ ___END_FSCK_1 .SH BUGS The author would be grateful for any .B constructive -suggestions and bug-reports, via +suggestions and bug-reports, via https://github.com/rwpenney/cryptmount/issues .\" -------------------------------- diff --git a/man/fr/cmtab.5.in b/man/fr/cmtab.5.in index 5dbf113..02378f8 100644 --- a/man/fr/cmtab.5.in +++ b/man/fr/cmtab.5.in 
@@ -42,7 +42,7 @@ comme par exemple si on veut incorporer un espace dans le nom d'un fichier. @CM_SYSCONF_DIR@/cmtab contient des inscriptions de la forme suivante: -.nf +.EX NOM_CIBLE { dev=PERIPHERIQUE flags=DRAPEAU,DRAPEAU,... @@ -63,7 +63,7 @@ comme par exemple si on veut incorporer un espace dans le nom d'un fichier. keymaxlen=MAX_CLEF passwdretries=NUMESSAYES } -.fi +.EE Ici, les param\[`e]tres \(aqflags', \(aqstartsector', \(aqnumsectors', \(aqloop', \(aqivoffset', \(aqkeyformat', \(aqkeymaxlen' @@ -86,7 +86,7 @@ qui range le syst\[`e]me de fichiers chiffr\['e]. .TP .BI DRAPEAU est un bouton de configuration, comme par exemple -.nf +.NF * "user" (n'importe quel utilisateur peut monter), * "nouser" (seulement le super-utilisateur peut monter), * "fsck" (v\['e]rifier automatiquement le syst\[`e]me de fichiers avant de monter), @@ -95,7 +95,7 @@ est un bouton de configuration, comme par exemple * "nomkswap" (ne formater pas la cible), * "trim" (activer SSD TRIM/discard), * "notrim" (d\['e]sactiver SSD TRIM/discard). -.fi +.FI Ce param\[`e]tre est optionnel, et le d\['e]faut est "user,fsck,nomkswap,notrim". .\" ---- @@ -280,13 +280,13 @@ devraient \[^e]tre seulement lisibles par leurs utilisateurs propres. cryptmount v\['e]rifie la s\['e]curit\['e] du @CM_SYSCONF_DIR@/cmtab chaque fois qu'il est execut\['e], et se terminera \[`a] moins que: -.nf +.NF * cmtab ne soit poss\['e]d\['e] par le super-utilisateur * cmtab ne soit un fichier r\['e]gulier * les permissions de cmtab ne contiennent pas d'\['e]criture universelle * le r\['e]pertoire, qui contient cmtab, ne soit poss\['e]d\['e] par le super-utilisateur * les permissions du r\['e]pertoire, qui contient cmtab, ne contiennent pas d'\['e]criture universelle. -.fi +.FI De plus, pour toutes les cibles dans @CM_SYSCONF_DIR@/cmtab, tous les fichiers doivent avoir des nom absolus (c'est\-\[`a]\-dire commencent avec '/'). 
@@ -340,8 +340,7 @@ qui utilisent un m\['e]lange d'algorithmes de chiffrage et qui rangent leurs syst\[`e]mes de fichiers de mani\[`e]res differentes. Il y en a aussi un cible qui represent une partition de pagination. -.nf - +.EX # @CM_SYSCONF_DIR@/cmtab # fichier exemplaire \- modifiez avant d'utiliser SVP @@ -349,6 +348,14 @@ Il y en a aussi un cible qui represent une partition de pagination. passwdretries=3 # permet 3 essayes de mot de passe par d\['e]faut } + luks { # partition cre\['e] avec cryptsetup-luks + dev=/dev/hdb63 + dir=/mnt/partition-luks + keyformat=luks + keyfile=/dev/hdb63 + fstype=ext3 + } + basic { dev=/home/secretiveuser/crypt.fs dir=/home/secretiveuser/crypt # o\[`u] on va monter @@ -394,16 +401,8 @@ Il y en a aussi un cible qui represent une partition de pagination. keyfile=/dev/random keymaxlen=16 keyformat=raw } - luks { # partition cre\['e] avec cryptsetup-luks - dev=/dev/hdb63 - dir=/mnt/partition-luks - keyformat=luks - keyfile=/dev/hdb63 - fstype=ext3 - } - # fin de cmtab -.fi +.EE La cible \(aqbasic' utilise le fichier ordinaire "/home/secretiveuser/crypt.fs" pour ranger le syst\[`e]me de fichiers chiffr\['e]. diff --git a/man/fr/cryptmount.8.in b/man/fr/cryptmount.8.in index 23c4be1..8bcc798 100644 --- a/man/fr/cryptmount.8.in +++ b/man/fr/cryptmount.8.in @@ -158,9 +158,9 @@ Sinon, on peut conserver le syst\[`e]me de fichiers chiffr\['e] dans un fichier ordinaire, si on reserve de l'espace-disque avec par exemple la commande suivante: -.nf +.EX dd if=/dev/zero of=/home/opaque.fs bs=1M count=512 -.fi +.EE et ensuite, on doit remplacer toutes les instances de \[Fo]/dev/hdb63\[Fc] dans ce qui suit par \[Fo]/home/opaque.fs\[Fc]. 
@@ -169,14 +169,14 @@ D'abord, on doit cr\['e]er un inscription dans @CM_SYSCONF_DIR@/cmtab, qui d\['e]crit le chiffrage qui sera utilis\['e] pour prot\[`e]ger le syst\[`e]me de fichiers, ainsi: -.nf +.EX opaque { dev=/dev/hdb63 dir=/home/crypt fstype=ext2 mountoptions=defaults cipher=twofish keyfile=@CM_SYSCONF_DIR@/opaque.key keyformat=builtin } -.fi +.EE Ici, on utilisera l'algorithme "twofish" pour chiffrer le syst\[`e]me de fichiers lui-m\[^e]me, @@ -187,18 +187,18 @@ va conserver le securit\['e] de la clef de d\['e]chiffrage dans Pour g\['e]n\['e]rer une clef de d\['e]chiffrage secr\[`e]te (dans @CM_SYSCONF_DIR@/opaque.key), on peut ex\['e]cuter, en tant que super-utilisateur: -.nf +.EX cryptmount \-\-generate\-key 32 opaque -.fi +.EE Cette commande produit une clef de 32 octets (256 bits), et on sait que le chiffre Twofish accepte les clefs de 256 bits. Si on ex\['e]cute la commande suivante, en tant que super-utilisateur: -.nf +.EX cryptmount \-\-prepare opaque -.fi +.EE on doit produire le mot de passe qu'on a donn\['e] lors de l'\['e]criture du @CM_SYSCONF_DIR@/opaque.key. @@ -209,36 +209,36 @@ de pr\['e]parer une cible device-mapper (/dev/mapper/opaque). Maintenant, les outils standards sont disponibles pour mettre un syst\[`e]me de fichiers sur /dev/mapper/opaque: -.nf +.EX mke2fs /dev/mapper/opaque -.fi +.EE Apr\[`e]s avoir ex\['e]cut\['e] -.nf +.EX cryptmount \-\-release opaque mkdir /home/crypt -.fi +.EE le syst\[`e]me de fichiers chiffr\['e] est pr\[^e]t. Les utilisateurs ordinaires pouvent monter le syst\[`e]me de fichiers en tapant -.nf +.EX cryptmount \-m opaque -.fi +.EE ou -.nf +.EX cryptmount opaque -.fi +.EE et pouvent d\['e]monter avec -.nf +.EX cryptmount \-u opaque -.fi +.EE .B cryptmount maintenit un rapport sur lequel utilisateur a mont\['e] chaque cible 
@@ -254,9 +254,9 @@ Apr\[`e]s avoir utilis\['e] un syst\[`e]me de fichiers pendant un certain temps, on peut vouloir changer le mot de passe. Par exemple, si on a une cible appel\['e]e "opaque", on peut ex\['e]cuter: -.nf +.EX cryptmount \-\-change\-password opaque -.fi +.EE On doit donner l'ancien mot de passe, et ensuite choisir un nouveau mot de passe @@ -279,20 +279,20 @@ Par example, si le partition /dev/hdb62 sur le disque dur contient un syst\[`e]me de fichiers du type `ext3', chiffr\['e]e avec LUKS, on peut ecrire: -.nf +.EX LUKS { keyformat=luks dev=/dev/hdb62 keyfile=/dev/hdb62 dir=/home/luks-dir fstype=ext3 } -.fi +.EE Apr\[`e]s avoir faire \[,c]a, c'est possible de monter cette syst\[`e]me de fichiers sous /home/luks-dir avec -.nf +.EX cryptmount LUKS -.fi +.EE .\" -------------------------------- @@ -315,13 +315,13 @@ sous /home/luks-dir avec .SH BOGUES L'auteur accueille les suggestions .B constructives -\[`a] +\[`a] https://github.com/rwpenney/cryptmount/issues .\" -------------------------------- .SH COPYRIGHT NOTICE .B cryptmount -est Copyright 2005-2018 RW Penney +est Copyright 2005-2022 RW Penney .br et il n'y a point de garantie. Les termes de sa licence sont d\['e]crits dans le fichier "COPYING" diff --git a/po/cryptmount.pot b/po/cryptmount.pot index c1abdb1..c109e3a 100644 --- a/po/cryptmount.pot +++ b/po/cryptmount.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: rwpenney@users.sourceforge.net\n" -"POT-Creation-Date: 2022-09-03 09:39+0100\n" +"POT-Creation-Date: 2022-09-17 09:43+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -94,7 +94,7 @@ msgstr "" #: armour-luks.c:217 #, c-format -msgid "Failed to acquire privileges for LUKS container" +msgid "Failed to acquire privileges for LUKS container\n" msgstr "" #: armour-luks.c:310 armour-luks.c:394 diff --git a/po/de.po b/po/de.po index 72be883..81cddf8 100644 --- a/po/de.po 
+++ b/po/de.po @@ -96,8 +96,8 @@ msgstr "" #: armour-luks.c:217 #, c-format -msgid "Failed to acquire privileges for LUKS container" -msgstr "Erlangen von Privilegien für LUKS-Container schlug fehl." +msgid "Failed to acquire privileges for LUKS container\n" +msgstr "Erlangen von Privilegien für LUKS-Container schlug fehl.\n" #: armour-luks.c:310 armour-luks.c:394 #, c-format diff --git a/po/fr.po b/po/fr.po index 20fe097..467f272 100644 --- a/po/fr.po +++ b/po/fr.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: cryptmount 4.0-1\n" "Report-Msgid-Bugs-To: rwpenney@users.sourceforge.net\n" -"POT-Creation-Date: 2022-09-03 09:39+0100\n" +"POT-Creation-Date: 2022-09-17 09:43+0100\n" "PO-Revision-Date: 2006-04-21 07:51+0100\n" "Last-Translator: RW Penney \n" "Language-Team: French \n" @@ -62,9 +62,9 @@ msgid "Couldn't find libgcrypt cipher \"%s\"\n" msgstr "Chiffre \"%s\" n'est pas reconnu dans libgcrypt\n" #: armour-gcry.c:184 -#, fuzzy, c-format +#, c-format msgid "Couldn't find libgcrypt cipher mode \"%s\" - using fallback\n" -msgstr "Chiffre \"%s\" n'est pas reconnu dans libgcrypt\n" +msgstr "Mode de chiffrage \"%s\" n'est pas reconnu dans libgcrypt\n" #: armour-gcry.c:190 #, c-format 
@@ -92,14 +92,14 @@ msgid "Checksum mismatch in keyfile (openssl-compat, ofs=%u,idx=%u)\n" msgstr "Mauvais fichier-clef (openssl-compat, ofs=%u,idx=%u)\n" #: armour-luks.c:217 -#, fuzzy, c-format -msgid "Failed to acquire privileges for LUKS container" -msgstr "Création du périphérique-loop pour le fichier-clef LUKS a echouée\n" +#, c-format +msgid "Failed to acquire privileges for LUKS container\n" +msgstr "Échec de l'acquisition des privilèges pour le fichier-clef LUKS\n" #: armour-luks.c:310 armour-luks.c:394 -#, fuzzy, c-format +#, c-format msgid "Failed to initialize device for LUKS keyfile\n" -msgstr "Création du périphérique-loop pour le fichier-clef LUKS a echouée\n" +msgstr "Échec de l'initialisation des appareils pour le fichier-clef LUKS\n" #: armour-luks.c:320 #, c-format @@ -127,7 +127,6 @@ msgid "Setting password on LUKS keyslot-%u\n" msgstr "" #: cryptmount.c:126 -#, fuzzy msgid "" "usage: cryptmount [OPTION [target ...]]\n" "\n" @@ -157,10 +156,12 @@ msgstr "" "\n" " les options disponible sont les suivants:\n" "\n" +" -h | --help\n" " -a | --all\n" " -c | --change-password \n" " -k | --key-managers\n" " -l | --list\n" +" -S | --status\n" " -m | --mount \n" " -u | --unmount \n" " --generate-key \n" @@ -248,9 +249,9 @@ msgid "Only user-%lu can unmount \"%s\"\n" msgstr "Seulement utilisateur-%lu peut démonter \"%s\"\n" #: cryptmount.c:662 -#, fuzzy, c-format +#, c-format msgid "Target \"%s\" is already configured\n" -msgstr "La cible \"%s\" est déjà montée\n" +msgstr "La cible \"%s\" est déjà configurée\n" #: cryptmount.c:685 cryptmount.c:741 #, c-format
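Review bot: In armour-luks.c, luks_patch_uid(), the branch taken when setuid(geteuid()) != 0 still does nothing except print to stderr; within the visible lines nothing returns an error or stops the LUKS operation, so the added "\n" tidies the message but the caller still cannot tell that privilege acquisition failed. Consider returning a distinguishable value from this branch, or otherwise signalling failure, so that the caller can abort instead of carrying on with credentials it did not expect.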
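Review bot: debian/control drops openssl from Suggests and removes the description line "access keys can optionally be made compatible with OpenSSL", but the 'partition' target in the man/cmtab.5.in example touched by this same patch still reads "keyformat=openssl # use OpenSSL key-encryption" with keyhash=md5. If OpenSSL-compatible key files are still supported without the openssl package, the description line should probably stay; if they are not, the man-page example should move to a supported keyformat so the two do not contradict each other.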
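Review bot: debian/mkDebPkg builds in TMPDIR=/tmp/cm-deb-${VERSION}, a predictable name in a world-writable directory that is reused when it already exists (test -d "${TMPDIR}" || mkdir "${TMPDIR}") and is later removed with an unquoted rm -rf ${TMPDIR}; another local user can pre-create that directory or place symlinks in it before the build runs. Create the work area with mktemp -d and quote every expansion of it. Two further points in the same script: SRCPKG is relative by default (UPSDIR=..), so the "cp ${SRCPKG} ..." and "test -e ${SRCPKG}.sig" lines that run after cd "${TMPDIR}" resolve against /tmp rather than the starting directory, and should use a path made absolute before the first cd; and the option loop only echoes on an unrecognized option and there is no set -e, so a failed cd, tar or quilt step still falls through to dpkg-source and the final rm -rf.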
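Review bot: In debian/patches/install-example-cmtab.patch, the updated echo line now writes "or refer to ${CM_SYSCONF_DIR}/cmtab.example" into a freshly created cmtab, yet the same patch removes the install of cmtab.example into ${CM_SYSCONF_DIR} and installs it as /usr/share/doc/cryptmount/examples/cmtab instead, so on a Debian build the generated comment points at a file that is not there. The patch should rewrite that comment to name the /usr/share/doc path. Separately, echo -e is not portable across /bin/sh implementations; printf would produce the same header regardless of which shell make invokes.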
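Review bot: In man/cmtab.5.in and man/fr/cmtab.5.in, the bullet lists (the $(HOME)/$(UID)/$(USERNAME) variables, the "user"/"nouser"/"fsck" flags, and the cmtab ownership and permission conditions) have had .nf/.fi replaced by .NF/.FI, while the example blocks were moved to .EX/.EE. roff request names are case-sensitive and .NF/.FI are neither requests nor man macros, so they are ignored and the "* ..." lines will be filled into one running paragraph. Keep .nf/.fi around these lists, or use .EX/.EE as in the other hunks, or convert the items to .IP \(bu entries.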
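Review bot: The /dev/hdb to /dev/sdb rename and the removal of keyfile= from the LUKS example are applied only in part. man/cmtab.5.in drops "keyfile=/dev/hdb63" from the relocated luks block, but man/cryptmount.8.in still shows "dev=/dev/sdb62 keyfile=/dev/sdb62" in its LUKS entry, and man/fr/cmtab.5.in and man/fr/cryptmount.8.in keep /dev/hdb62 and /dev/hdb63 throughout, including "keyfile=/dev/hdb63" in the moved French luks block. If keyfile is no longer needed with keyformat=luks, remove it from all four pages, and carry the device rename into the French pages so the translations do not drift from the English text.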
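Review bot: In po/fr.po, the msgstr added for "Failed to acquire privileges for LUKS container\n" says "fichier-clef LUKS" (key file) where the msgid says container, and the msgstr for "Failed to initialize device for LUKS keyfile\n" uses the plural "des appareils" for the singular "device". Both entries have had their fuzzy flag removed, so these will now be shown to users as final text. Suggest "conteneur LUKS" in the first, and "du périphérique" in the second to match the term used in the strings being replaced.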