Task: on a CentOS 6.x system, set up and automatically mount an encrypted filesystem that resides within a regular file, using a one-time (random) key.

/etc/crypttab in CentOS 6.* doesn't allow using a plain file as the block device to map and mount automatically.

So an /etc/crypttab line like this

cfs   /var/file-with-encrypted-filesystem    some-password-source

gets ignored in CentOS.

The following sequence of commands can be used to do the task in CentOS:

losetup /dev/loop0 /var/tmpfile                        # attach the container file to a loop device
dd if=/dev/urandom of=/dev/shm/tmppass bs=512 count=1  # one-time 512-byte key, kept only in tmpfs
cryptsetup luksFormat /dev/loop0 --use-urandom --batch-mode --key-file /dev/shm/tmppass
cryptsetup luksOpen /dev/loop0 ctmp --batch-mode --key-file /dev/shm/tmppass
mkfs.ext2 /dev/mapper/ctmp
mount -t ext2 /dev/mapper/ctmp /mountpoint
shred -n 1 /dev/shm/tmppass                            # overwrite the key file, then remove it
rm -f /dev/shm/tmppass

assuming the file that holds the filesystem is /var/tmpfile.

Is there a less cumbersome way to achieve the same in the Debian-like way (specifying the relevant entries in /etc/crypttab and /etc/fstab)?

Konstantin Boyandin

1 Answer


The following /etc/crypttab entry is how you'd do it in Ubuntu:

# <target name>  <source device>                      <key file>    <options>
cfs              /var/file-with-encrypted-filesystem  /dev/urandom  tmp=ext4

Very similar to how crypted swap is handled - see the crypttab manpage example below:

# Encrypted swap device
cswap /dev/sda6 /dev/urandom cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,swap

Does the manpage on CentOS for crypttab provide any guidance on doing this? Don't have a CentOS machine around at the moment, but on a RHEL 6 machine the same options are supported.


OK fine, I was curious. This works and it's a little nicer. Put it somewhere like /etc/rc.local. Tested on RH 6:

LODEV=$(losetup -f)                                  # first free loop device
losetup "$LODEV" /path/to/existing/cryptfile         # attach the container file to it
cryptsetup create cfs "$LODEV" --key-file /dev/urandom   # plain dm-crypt mapping with a one-time random key
mkfs.ext2 /dev/mapper/cfs
mount /dev/mapper/cfs /wherever
MikeyB
  • Tested, thanks. Your script works fine in CentOS 6.x. I posted this question just because I didn't find (in CentOS man pages related to LUKS/cryptsetup) any hint to do what I need. Looks like I still have the only choice, mount/umount such a filesystem via initscript. Thanks! – Konstantin Boyandin Sep 11 '13 at 07:39
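The two procedures on this page, the question's LUKS-plus-temporary-key-file sequence and the answer's rc.local script, can be folded into one boot-time helper. The script below is an added example written for this page, not code from the question or the answer. It uses the answer's plain dm-crypt mapping with a one-time key read straight from /dev/urandom, so no key file has to be written and shredded, and it tears the loop device down again if a later step fails. The script name cryptfs.sh, the mapper name cfs, and the paths and size in the usage comments are assumptions; that `losetup -f --show`, `install -m` and `truncate` behave as used here on CentOS 6 is also an assumption to verify against that system's man pages.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: an
# rc.local-style helper built on the answer's plain dm-crypt approach.
# The backing file, size, mapper name "cfs" and mount point are assumed
# values passed on the command line; adjust them for your own system.
# Needs root, losetup, cryptsetup and mkfs.ext2 for a real run.
set -u

# With DRY_RUN=1 the privileged commands are printed instead of executed,
# so the sequence can be reviewed (and tested) on a machine without root.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# cryptfs_up BACKING_FILE SIZE_MB MAPNAME MOUNTPOINT
# Creates the container file if missing, attaches it to a free loop device,
# maps it with a one-time key read directly from /dev/urandom (no key file
# ever touches disk or tmpfs), formats it and mounts it.  Because the key
# is never stored, the contents are unrecoverable once the mapping is gone.
cryptfs_up() {
    file="$1"; size_mb="$2"; name="$3"; mnt="$4"

    if [ -e "/dev/mapper/$name" ]; then
        echo "cryptfs_up: $name is already mapped" >&2
        return 1
    fi
    if [ ! -f "$file" ]; then
        # mode 0600 so unprivileged users cannot read the ciphertext;
        # truncate makes a sparse file, so unused space costs nothing
        run install -m 0600 /dev/null "$file" || return 1
        run truncate -s "${size_mb}M" "$file" || return 1
    fi
    if [ "$DRY_RUN" = "1" ]; then
        lodev=/dev/loopN    # placeholder; a real run gets it from losetup
        printf 'would run: losetup -f --show %s\n' "$file"
    else
        # -f --show attaches to the first free loop device and prints its
        # name in one step, avoiding the race in "losetup -f; losetup $DEV"
        lodev=$(losetup -f --show "$file") || return 1
    fi
    # Cipher and key size are spelled out instead of relying on cryptsetup's
    # defaults; they match the crypttab manpage swap example on this page.
    run cryptsetup --batch-mode --cipher aes-cbc-essiv:sha256 --key-size 256 \
        --key-file /dev/urandom create "$name" "$lodev" \
        || { run losetup -d "$lodev"; return 1; }
    run mkfs.ext2 -q "/dev/mapper/$name" && run mount "/dev/mapper/$name" "$mnt" \
        || { cryptfs_down "$name" "$lodev"; return 1; }
    echo "$lodev"   # report the loop device so the caller can tear it down later
}

# cryptfs_down MAPNAME LOOPDEV
# Reverse of cryptfs_up: unmount, drop the mapping (the random key dies with
# it) and detach the loop device.
cryptfs_down() {
    name="$1"; lodev="$2"
    run umount "/dev/mapper/$name" || true    # may not be mounted yet
    run cryptsetup remove "$name" || return 1
    run losetup -d "$lodev"
}

# Command-line entry point, e.g. from /etc/rc.local (assumed script name):
#   /usr/local/sbin/cryptfs.sh up /var/tmpfile 64 cfs /mnt/tmp
# and from a shutdown script:
#   /usr/local/sbin/cryptfs.sh down cfs /dev/loop0
case "${1:-}" in
    up)   shift; cryptfs_up "$@" ;;
    down) shift; cryptfs_down "$@" ;;
esac
```

Since CentOS 6's crypttab ignores a plain file as the source device, this script stands in for both the /etc/crypttab and the /etc/fstab entry that the Debian-style approach would use; the up call belongs in /etc/rc.local (or an initscript) and the down call in whatever runs before the container file is reused. The one-time key makes the filesystem scratch space only: anything left in it is gone after a reboot by design. On newer cryptsetup releases aes-xts-plain64 is the default for plain mode and the better choice; aes-cbc-essiv:sha256 is used here only to stay consistent with the manpage example quoted in the answer.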