
Re: [Xen-users] use of encrypted filesystem



> I was wondering if there is a way to use an encrypted filesystem inside a domU?
> I tried to look around and whatever guides I found required me to patch
> the kernel.

You should be able to use cryptoloop or dm-crypt. The latter device-mapper based solution is the recommended alternative these days. These both give you an encrypted block device on which to run your filesystem.

eCryptfs isn't available in the XenLinux we currently have. However, it's being merged into future releases of the mainline kernel, so it'll filter down to XenLinux at some stage. eCryptfs allows you to encrypt files on an individual basis, so is rather different to use than the above solutions - it may be more or less useful, depending on your objectives.

Anyhow, we'll talk about cryptoloop and dm-crypt for now, since these are the ones that are going to be most straightforward to use.

> I also found out about cryptoloop; however, when I try to use it inside domU, it
> gives me an error
>
> losetup -e cryptoloop /dev/loop0 /dev/sda2
> Password:
> ioctl: LOOP_SET_STATUS: Invalid argument
>
> I also tried various combinations
>
> losetup -e des /dev/loop0 /dev/sda2
> losetup -e aes128 /dev/loop0 /dev/sda2
> losetup -e aes-256 /dev/loop0 /dev/sda2
>
> However, all the above result in the same error.
>
> How should I set up the encrypted fs? Any help would be appreciated.

You don't need to patch your XenLinux kernel if you want to use Cryptoloop or dm-crypt. However, you'll need to recompile it.

Reconfigure your kernel to include support for cryptoloop (you can find this in make menuconfig under the menu: Device Drivers / Block devices / Loopback device support / Cryptoloop support) or dm-crypt (you can find this in make menuconfig under the menu: Device Drivers / Multi Device Support (RAID and LVM) / Device Mapper Support / Crypt target support).

You might as well enable both; then you can play around with them. You may find that once you've compiled support in, the howtos you were following will Just Work(TM). You may need to install packages for your distro in order to use dm-crypt.

Note that cryptoloop does have known security vulnerabilities, which is why dm-crypt is now recommended.

If you have any problems, follow up to this e-mail.

Cheers,
Mark

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
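
Added example, not part of the original e-mail: a shell check that reads a kernel `.config` and reports which of the two block-encryption options named in the reply is enabled, preferring dm-crypt. The function names and the sample config are constructed for illustration; the `CONFIG_*` symbols are the kernel's names for the menuconfig entries mentioned above.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample config is constructed.

# kconfig_state FILE SYMBOL
# Prints y (built in), m (module) or n (unset, "is not set", or absent).
kconfig_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${state:-n}"
}

# blockcrypt_backend FILE
# Prints dm-crypt, cryptoloop or none. Each backend needs its parent
# driver as well: device-mapper for dm-crypt, loop for cryptoloop.
blockcrypt_backend() {
    cfg=$1
    if [ "$(kconfig_state "$cfg" CONFIG_BLK_DEV_DM)" != n ] &&
       [ "$(kconfig_state "$cfg" CONFIG_DM_CRYPT)" != n ]; then
        echo dm-crypt
    elif [ "$(kconfig_state "$cfg" CONFIG_BLK_DEV_LOOP)" != n ] &&
         [ "$(kconfig_state "$cfg" CONFIG_BLK_DEV_CRYPTOLOOP)" != n ]; then
        echo cryptoloop
    else
        echo none
    fi
}

# Constructed sample: a guest kernel config with loop and device-mapper
# present but neither crypt option compiled in.
sample_config() {
    cat <<'EOF'
CONFIG_BLK_DEV_LOOP=y
# CONFIG_BLK_DEV_CRYPTOLOOP is not set
CONFIG_BLK_DEV_DM=m
# CONFIG_DM_CRYPT is not set
EOF
}

tmpcfg=$(mktemp)
sample_config > "$tmpcfg"
echo "encrypted block device backend: $(blockcrypt_backend "$tmpcfg")"
rm -f "$tmpcfg"
```

Point `blockcrypt_backend` at the `.config` the domU kernel was built from; on a running guest this is often `/boot/config-$(uname -r)`, or `/proc/config.gz` where the kernel exposes it.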


 

