please help!

Please, can someone help me!?! I’ve wasted days of digging through jargon of encrypted root and home partitions - I have crypt files with formatted filesystems in them with the right privileges, but I need my users (not root) to be able to mount and unmount them. (and not asking for passwords at boot-time) Can someone help me find the (users) command line syntax?

Please help!!!

fstab
/dev/mapper/cr_00Patti.001 /home/patti/MyShares/flames ext3 acl,user_xattr,noauto 0 0
/dev/mapper/cr_00Paul.001 /home/paul/MyShares/flames ext3 acl,user_xattr,noauto 0 0
crypttab
cr_00Patti.001 /SCRATCH-RAID10/Dirs/00Patti.001 none none
cr_00Paul.001 /SCRATCH-RAID10/Dirs/00Paul.001 none none

It might be one of these examples when using an encrypted file -

cryptsetup create mycryptfile /path/to/myfile.crypt - where “mycryptfile” is just a name you give that becomes the devicename, and the last part is your filename and path.

-or-

cryptsetup luksOpen path/to/myfile.crypt mycryptfile - same as above but with the arguments in reverse order.

…maybe try the 2nd one first just in case “create” tries to overwrite the file!! I’m sure it simply creates the device name in /dev/mapper/, but I’m not 100% sure and cryptsetup --help is not much help!

Then mount it:

mount /dev/mapper/mycryptfile /wherever/youwantit/mounted

I used to use encrypted files a few years ago but I seem to have lost my instructions on how to do it exactly. I hope that helps.

oh yes, and once you’ve got the files mounting properly, make a script with all that lot in for each user and put it in their ~/home/bin/ folder, then simply create an icon and shortcut in their menu or on their desktop that runs the script.

I did one to mount it, and another to unmount it. But if you’re better with bash scripting, then you could programme it to toggle. A much nicer solution.

These commands only seem to work for root - how can my users mount and unmount their cryptfiles?

patti@TYAN2-Linux:~> cryptsetup luksopen /SCRATCH-RAID10/Dirs/00Patti.001

Program ‘cryptsetup’ is present in package ‘cryptsetup’, which is installed on your system.

Absolute path to ‘cryptsetup’ is ‘/sbin/cryptsetup’, so it might be intended to be run only by user with superuser privileges (eg. root).

bash: cryptsetup: command not found
patti@TYAN2-Linux:~>

This is TOTALLY confusing, and it doesn’t need to be. I’ve got my crypt files setup - I just need to be able to mount and unmount them as non-root.

HELP!!!

OK, I tried it as root. I noticed during boot that it asks for the passwords for my two users’ crypt volumes. If I don’t give them, then there are no entries made in /dev/mapper and I don’t know if that is as-it-should-be.

TYAN2-Linux:/home/patti # cryptsetup luksOpen /SCRATCH-RAID10/Dirs/00Patti.001 /home/patti/MyShares/flames
Command failed: Can’t get device information.

TYAN2-Linux:/home/patti #
TYAN2-Linux:/home/patti # cryptsetup luksOpen loop0 /SCRATCH-RAID10/Dirs/00Patti.001
Command failed: Can not access device
TYAN2-Linux:/home/patti # cryptsetup luksOpen loop1 /SCRATCH-RAID10/Dirs/00Patti.001
Command failed: Can not access device
TYAN2-Linux:/home/patti # cryptsetup create /SCRATCH-RAID10/Dirs/00Patti.001 loop1
Command failed: dm_task_set_name: Device /SCRATCH-RAID10/Dirs/00Patti.001 not found
TYAN2-Linux:/home/patti # cryptsetup create loop2 /SCRATCH-RAID10/Dirs/00Patti.001
Command failed: BLKROGET failed on device: Inappropriate ioctl for device
TYAN2-Linux:/home/patti # cryptsetup create /dev/mapper/cr_00Patti.001 /SCRATCH-RAID10/Dirs/00Patti.001
Command failed: dm_task_set_name: Device /dev/mapper/cr_00Patti.001 not found
TYAN2-Linux:/home/patti # cryptsetup create cr_00Patti.001 /SCRATCH-RAID10/Dirs/00Patti.001
Command failed: BLKROGET failed on device: Inappropriate ioctl for device
TYAN2-Linux:/home/patti #
TYAN2-Linux:/home/patti #

The crypt file and directory-to-which-to-mount are in bold above.

OK, after spending MANY hours getting instructions from a Linux veteran friend of mine, I managed to get an example working.

The only problem is that in my example I use sudo.

The thing is that sadly openSUSE doesn’t use the sudo command to its fullest potential, ie it asks for the root password instead of the user’s password (who is allowed to run apps as the root user).

This can be changed by modifying /etc/sudoers, but be warned that it is quite a dangerous thing to do, and you really should ask for advice from someone who is much wiser than I am before you attempt it!

So anyway, using the sudo command, this is how I created, formatted, mounted, and unmounted an encrypted file -

------------------------------------------------------------------------
How to create an encrypted file and get it mounted into a folder - 

1. Create the file - dd if=/dev/zero of=/home/growbag/test.crypt count=3000 bs=1024 (3gig-ish)
2. losetup - sudo losetup /dev/loop0 /home/growbag/test.crypt
3. cryptsetup create - sudo cryptsetup create growbagstest /dev/loop0 (enter passphrase)
4. cryptsetup luksformat - sudo cryptsetup luksFormat /dev/mapper/growbagstest
5. Format - sudo mkreiserfs --format=3.6 --label=growbagstest /dev/mapper/growbagstest
6. Mount - sudo mount -t auto /dev/mapper/growbagstest /home/growbag/zzz/

To unmount it again - 

1. unmount - sudo umount /dev/mapper/growbagstest
2. cryptsetup remove - sudo cryptsetup remove growbagstest
3. losetup - sudo losetup -d /dev/loop0
4. Done :)
------------------------------------------------------------------------

Of course you don’t need to create or format the file, so just ignore those extra steps. I decided to post them here just in case I lost the instructions I just spent nearly 4 hours creating!

Now, if you can’t get sudo working properly, an alternative is to tell it to allow certain users to run certain commands without asking for a password!

It’s something like adding the relevant lines into /etc/sudoers (through visudo obviously!).

You would need a line something like the following for each user -

patti   ALL = (ALL) /sbin/cryptsetup, /bin/mount, /bin/umount
user2   ALL = (ALL) /sbin/cryptsetup, /bin/mount, /bin/umount
etc.....

I am not 100% sure of those lines, and playing with visudo or /etc/sudoers is VERY dangerous, so please research it further before attempting it.

Plus doing the above will also allow those users to potentially do nasty things to the system and create a rather large security hole.

If you have got that working, that should allow the selected users to create the mapping devices, and mount their encrypted files.

BUT it could also allow those users to mount and unmount ANY device on the entire system and possibly read/write to it or do other horrid things!!!

I would then put the following into /etc/boot.local so that the encrypted files get assigned to loop devices on boot without it asking for a password -

losetup /dev/loop0 /SCRATCH-RAID10/Dirs/00Patti.001
and so on for each user....

The next step is to make 2 shell scripts, one to mount the encrypted file, and another to unmount it. Put them in ~/bin/ and then they can simply be linked to a menu or desktop icon so the user simply has to click to mount their file, and click another to unmount it again when finished -

#!/bin/sh
# ~/bin/mount-encrypted.sh
# It should ask for both the user's (sudo) password
# and also the encrypted file's password
# (full path to cryptsetup, since sudo's PATH does not include /sbin)
sudo /sbin/cryptsetup create patti /dev/loop0
sudo mount /dev/mapper/patti /home/patti/MyShares/flames/

#!/bin/sh
# ~/bin/unmount-encrypted.sh
# unmounts an encrypted file
#
sudo umount /dev/mapper/patti
sudo /sbin/cryptsetup remove patti

Give those a try and see how it goes.
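As an added example (not code from this thread or from openSUSE), here is the "toggle" variant mentioned earlier: one script that mounts the container when its mapping does not exist yet and unmounts it otherwise. It uses absolute /sbin paths because sudo runs with a restricted PATH for ordinary users. The container file, loop device, mapping name and mount point are the ones quoted in this thread and are assumed to match your setup; the SUDO and MAPPER_DIR overrides are my own dry-run knobs, not sudo or cryptsetup options.

```shell
#!/bin/sh
# crypt-toggle.sh (added example): mount or unmount one user's encrypted
# container through sudo. Settings below come from this thread; override them
# in the environment. SUDO=echo turns every privileged step into a dry run.
set -eu

CRYPT_FILE=${CRYPT_FILE:-/SCRATCH-RAID10/Dirs/00Patti.001}
LOOP_DEV=${LOOP_DEV:-/dev/loop0}
MAP_NAME=${MAP_NAME:-patticrypt}
MOUNT_POINT=${MOUNT_POINT:-/home/patti/MyShares/flames}
SUDO=${SUDO:-sudo}
MAPPER_DIR=${MAPPER_DIR:-/dev/mapper}   # overridable so the check is testable

# Absolute paths: the user's PATH (and sudo's secure_path) need not include
# /sbin, which is why plain "sudo cryptsetup" failed earlier in this thread.
# These locations are taken from the thread and are assumptions.
LOSETUP=/sbin/losetup
CRYPTSETUP=/sbin/cryptsetup
MOUNT=/bin/mount
UMOUNT=/bin/umount

# True when the device-mapper node for this container already exists.
is_mapped() { [ -e "$MAPPER_DIR/$MAP_NAME" ]; }

mount_crypt() {
    $SUDO $LOSETUP "$LOOP_DEV" "$CRYPT_FILE"
    $SUDO $CRYPTSETUP create "$MAP_NAME" "$LOOP_DEV"   # asks for the container passphrase
    $SUDO $MOUNT -t auto "$MAPPER_DIR/$MAP_NAME" "$MOUNT_POINT"
}

unmount_crypt() {
    # Exact reverse of mount_crypt; the loop device is released last.
    $SUDO $UMOUNT "$MAPPER_DIR/$MAP_NAME"
    $SUDO $CRYPTSETUP remove "$MAP_NAME"
    $SUDO $LOSETUP -d "$LOOP_DEV"
}

# Decide the direction from the current state; prints "mount" or "unmount".
toggle_action() {
    if is_mapped; then echo unmount; else echo mount; fi
}

case "${1:-}" in
    mount)   mount_crypt ;;
    unmount) unmount_crypt ;;
    toggle)  "$(toggle_action)_crypt" ;;
    "")      ;;   # no argument: define the functions only
    *)       echo "usage: $0 mount|unmount|toggle" >&2; exit 2 ;;
esac
```

Link `~/bin/crypt-toggle.sh toggle` to a desktop icon and one click does either job. Running it once with `SUDO=echo` prints the exact command lines; that is the list you want to mirror word for word in the user's sudoers entry, so that nothing broader than these six invocations is permitted.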

Wow - thank you! I’m baking brownies this weekend - what’s your snailmail and I’ll send you some.

My efforts so far:
patti@TYAN2-Linux:~> dd if=/dev/zero of=/home/patti/test.crypt count=3000 bs=1024
3000+0 records in
3000+0 records out
3072000 bytes (3.1 MB) copied, 0.0315739 s, 97.3 MB/s
patti@TYAN2-Linux:~> sudo losetup /dev/loop0 /home/patti/test.crypt
root’s password:
sudo: losetup: command not found
patti@TYAN2-Linux:~>

I never learned vi, so I tried editing /etc/sudoers as root with Kate - I uncommented a “sample” line it contained and added cryptsetup, etc.:

Samples

%users ALL=/sbin/mount, /sbin/losetup, /sbin/cryptsetup, /cdrom, /sbin/umount, /cdrom

Then rebooted and…
patti@TYAN2-Linux:~> losetup /dev/loop0 /SCRATCH-RAID10/Dirs/00Patti.001
Program ‘losetup’ is present in package ‘util-linux’, which is installed on your system.
Absolute path to ‘losetup’ is ‘/sbin/losetup’, so it might be intended to be run only by user with superuser privileges (eg. root).
bash: losetup: command not found
patti@TYAN2-Linux:~>

…So the changes to sudoers didn’t “take”. Strange!

Then I went into YaST and said patti could run losetup as root and tried it again:

patti@TYAN2-Linux:~> losetup /dev/loop0 /home/patti/test.crypt
Program ‘losetup’ is present in package ‘util-linux’, which is installed on your system.
Absolute path to ‘losetup’ is ‘/sbin/losetup’, so it might be intended to be run only by user with superuser privileges (eg. root).
bash: losetup: command not found
patti@TYAN2-Linux:~> su losetup /dev/loop0 /home/patti/test.crypt
su: user losetup does not exist
patti@TYAN2-Linux:~>

Aggggh!!!

More Fun - NOT!!! :’(

patti@TYAN2-Linux:~> dd if=/dev/zero of=/home/patti/test.crypt count=100000 bs=1024
100000+0 records in
100000+0 records out
102400000 bytes (102 MB) copied, 0.598009 s, 171 MB/s
patti@TYAN2-Linux:~> su losetup /dev/loop0 /home/patti/test.crypt
su: user losetup does not exist
patti@TYAN2-Linux:~> sudo cryptsetup create testfile /dev/loop0
root’s password:
sudo: cryptsetup: command not found
patti@TYAN2-Linux:~>
patti@TYAN2-Linux:~> su
Password:
TYAN2-Linux:/home/patti # dd if=/dev/zero of=/home/patti/test.crypt count=100000 bs=1024
100000+0 records in
100000+0 records out
102400000 bytes (102 MB) copied, 0.579562 s, 177 MB/s
TYAN2-Linux:/home/patti # losetup /dev/loop0 /home/patti/test.crypt
TYAN2-Linux:/home/patti # sudo cryptsetup create testfile /dev/loop0
Enter passphrase:
TYAN2-Linux:/home/patti #

Try the whole path, as in sudo /sbin/cryptsetup; iirc sudo uses the user’s path, which won’t include /sbin.

OK, I’ll give that a try - here’s what works so far, but only as su:

patti@TYAN2-Linux:~> su
Password:
TYAN2-Linux:/home/patti # dd if=/dev/zero of=/SCRATCH-RAID10/Dirs/00Paul.001 count=10000000 bs=1024
10000000+0 records in
10000000+0 records out
10240000000 bytes (10 GB) copied, 63.8181 s, 160 MB/s
TYAN2-Linux:/home/patti # losetup /dev/loop1 /SCRATCH-RAID10/Dirs/00Paul.001
TYAN2-Linux:/home/patti # cryptsetup create paulcrypt /dev/loop1
Enter passphrase:
TYAN2-Linux:/home/patti # cryptsetup luksFormat /dev/mapper/paulcrypt

WARNING!

This will overwrite data on /dev/mapper/paulcrypt irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
TYAN2-Linux:/home/patti # mkfs -t ext3 /dev/mapper/paulcrypt
mke2fs 1.41.1 (01-Sep-2008)
Filesystem label=

<snip!>

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 20 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
TYAN2-Linux:/home/patti # mount -t auto /dev/mapper/paulcrypt /home/paul/MyShares/flames
TYAN2-Linux:/home/patti # umount /dev/mapper/paulcrypt
TYAN2-Linux:/home/patti # cryptsetup remove paulcrypt
TYAN2-Linux:/home/patti # losetup -d /dev/loop1
TYAN2-Linux:/home/patti #

I have a question - the Luks passphrase I understand in the luksFormat command - but what is the other passphrase being asked for and why there? (in bold above)

Almost there…

Patti@TYAN2-Linux:~> su
Password:
TYAN2-Linux:/home/patti # losetup /dev/loop1 /SCRATCH-RAID10/Dirs/00Paul.001
TYAN2-Linux:/home/patti # cryptsetup create paulcrypt /dev/loop1
Enter passphrase:
TYAN2-Linux:/home/patti # mount -t auto /dev/mapper/paulcrypt /home/paul/MyShares/flames
TYAN2-Linux:/home/patti # umount /dev/mapper/paulcrypt
TYAN2-Linux:/home/patti # cryptsetup remove paulcrypt
TYAN2-Linux:/home/patti # losetup -d /dev/loop1
TYAN2-Linux:/home/patti # losetup /dev/loop1 /SCRATCH-RAID10/Dirs/00Paul.001
TYAN2-Linux:/home/patti # cryptsetup create paulcrypt /dev/loop1
Enter passphrase:
TYAN2-Linux:/home/patti # mount -t auto /dev/mapper/paulcrypt /home/paul/MyShares/flames
TYAN2-Linux:/home/patti # umount /dev/mapper/paulcrypt
TYAN2-Linux:/home/patti # cryptsetup remove paulcrypt
TYAN2-Linux:/home/patti # losetup -d /dev/loop1
TYAN2-Linux:/home/patti # exit
exit
patti@TYAN2-Linux:~> sudo /sbin/losetup /dev/loop1 /SCRATCH-RAID10/Dirs/00Paul.001
root’s password:
patti@TYAN2-Linux:~> sudo /sbin/cryptsetup create paulcrypt /dev/loop1
Enter passphrase:
patti@TYAN2-Linux:~> sudo mount -t auto /dev/mapper/paulcrypt /home/patti/MyShares/flames
patti@TYAN2-Linux:~>

OK! Wow, that was tough - so many concepts going on. Here’s what worked for me: (outputs deleted)

TYAN2-Linux:/home/patti # dd if=/dev/zero of=/SCRATCH-RAID10/Dirs/00Patti.001 count=10000000 bs=1024
TYAN2-Linux:/home/patti # losetup /dev/loop1 /SCRATCH-RAID10/Dirs/00Patti.001
TYAN2-Linux:/home/patti # cryptsetup create patticrypt /dev/loop1
TYAN2-Linux:/home/patti # cryptsetup luksFormat /dev/mapper/patticrypt
TYAN2-Linux:/home/patti # mount -t auto /dev/mapper/patticrypt /home/paul/MyShares/flames
TYAN2-Linux:/home/patti # umount /dev/mapper/patticrypt
TYAN2-Linux:/home/patti # cryptsetup remove patticrypt
TYAN2-Linux:/home/patti # losetup -d /dev/loop1
TYAN2-Linux:/home/patti #

To mount I have a script file containing:

sudo /sbin/losetup /dev/loop0 /SCRATCH-RAID10/Dirs/00Patti.001
sudo /sbin/cryptsetup create patticrypt /dev/loop0
sudo mount -t auto /dev/mapper/patticrypt /home/patti/MyShares/flames

And to unmount:

sudo umount /dev/mapper/patticrypt
sudo /sbin/cryptsetup remove patticrypt
sudo /sbin/losetup -d /dev/loop0

So, hopefully, I can get this set up for other users. I didn’t seem to have any joy with the sudoers file, but maybe I’ll try that again. These commands should probably go into one of the OpenSuSE Howtos since they’re of general use and much less complex than trying to encrypt root/swap/home partitions.

It seems strange to me that there is sort of a “user hole” here in that you have to give dangerous access to users in order to make this work - users have to have the root password! Anyone have a way to get around that?
I guess we need a “localmount”, etc., set of commands so users can do things with their own devices?

;) Patti lol!

To force the users to use their password, open /etc/sudoers; you’ll have a line

Defaults targetpw

Comment it out; now it’ll ask for the user’s password. I guarantee nothing and have done no further testing; you may need to look further into the security implications. Whilst I don’t think there are any on a default, I suspect it may be possible to punch holes inadvertently.

I would look into the parameters part of the command in the sudo GUI module; I suspect this may actually force even tighter controls on the command that can be used.

Edit
One side effect is sudo will no longer behave as you expect.

From my brief testing it would seem you need to further tweak the sudoers file, as, if I’ve got this correct, they will be able to append sudo to any command. I suspect one of the defaults in the sudoers file needs changing or removing.

Glad to hear you got it working - sort of :).

Yes, it’s a real mind twister. I used to use this method a few years ago when I used Ubuntu Linux, as they didn’t have the option to create an encrypted partition on install.

On a side note, Ubuntu now has a really nice implementation of “file” encryption, whereby the individual files in a given folder (ie the user’s home folder) are encrypted, not the whole folder as a big chunk. It also uses the user password for the decryption so it’s invisible to the end user!

The thing with /etc/sudoers is that you need to edit it by running the command sudo visudo, or by being root first with simply visudo.

Visudo is a protection layer against the user making mistakes which can lock you totally and irrevocably out of your machine; that’s why editing the /etc/sudoers file directly doesn’t do anything.

You can change the editor that visudo uses by doing an export command with the preferred editor, sorry I don’t know that command :(. I’m a fan of vi so I never bothered to learn anything else. You will find the solution if you search ubuntuforums.org for visudo though.

But if there is a way of doing the modifications through yast, then I would do it that way instead.

Please keep us informed of your progress, I’m sure it could help other users in the future.

Regards and good luck, Growbag ;).

Thanks again for all your help. It’s too bad OpenSuSE cannot pick up file-level encryption - though I think directory-level encryption would be more useful. I haven’t yet fully implemented this because I don’t think I want to give my users my root password, and even if I could get the sudoers file going correctly, I’m not sure I want to give them that access either.

I was thinking of maybe making the mount/unmount script files in the root directory, and setting properties so others could execute them, but since they’re in root, they can’t read them. Maybe I could put my root password in those files?

I did tell you how to make it so you don’t have to give out the root password but sudo will be either limited or inclusive.

comment out
Defaults targetpw
and also
ALL ALL=(ALL) ALL

Now after that you need to give the $user the commands they can use, i.e.
user ALL=/bin/mount
(Though I used YaST to add this command, and chose commenting the others out, as undoing would be easier if needed.)

Now the user can only use /bin/mount; if you don’t do the second one, then they can sudo anything.
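To go with the sudoers discussion in this thread, an added example (not from the thread, openSUSE or the sudo project) that contrasts the broad entry quoted earlier (`patti ALL = (ALL) /sbin/cryptsetup, /bin/mount, /bin/umount`, which lets the user mount or unmount anything) with an entry whose commands carry pinned arguments, so sudo permits exactly the six invocations the mount/unmount scripts run and nothing else. The tool paths are the ones used in this thread and are assumptions; `restricted_entry`, `check_entry` and `write_and_validate` are names I made up for this example. It does not change `Defaults targetpw`, which only decides whose password is asked.

```shell
#!/bin/sh
# sudoers-check.sh (added example): print a least-privilege sudoers entry for
# one user's encrypted container and flag entries that grant more than that.
set -eu

# sudo matches listed arguments literally, so every command below is pinned to
# one loop device, one container file, one mapping name and one mount point.
# Usage: restricted_entry USER LOOPDEV CRYPTFILE MAPNAME MOUNTPOINT
restricted_entry() {
    printf '%s ALL = (root) /sbin/losetup %s %s, /sbin/losetup -d %s, /sbin/cryptsetup create %s %s, /sbin/cryptsetup remove %s, /bin/mount -t auto /dev/mapper/%s %s, /bin/umount /dev/mapper/%s\n' \
        "$1" "$2" "$3" "$2" "$4" "$2" "$4" "$4" "$5" "$4"
}

# Inspect one sudoers user specification. Returns 0 when every command in it
# carries pinned arguments, 1 otherwise; each finding is printed on stdout.
check_entry() {
    spec=${1#*=}                                         # drop "user HOSTS ="
    case "$spec" in *')'*) spec=${spec#*')'} ;; esac     # drop "(runas)"
    spec=${spec#"${spec%%[! ]*}"}                        # trim leading spaces
    spec=${spec#NOPASSWD:}                               # tag is not our concern here
    rc=0
    rest=$spec,                                          # sentinel comma ends the loop
    while [ -n "$rest" ]; do
        cmd=${rest%%,*}; rest=${rest#*,}
        cmd=${cmd#"${cmd%%[! ]*}"}; cmd=${cmd%"${cmd##*[! ]}"}   # trim both ends
        case "$cmd" in
            "")     ;;                                            # stray comma
            ALL)    echo "ALL: grants every command"; rc=1 ;;
            *" "*)  ;;                                            # arguments pinned
            *)      echo "$cmd: bare command, any arguments allowed"; rc=1 ;;
        esac
    done
    return $rc
}

# Write an entry to a fragment file and parse it with "visudo -c -f FILE",
# which syntax-checks a file without touching the live /etc/sudoers (the step
# a plain editor skips). visudo also insists on mode 0440, hence the chmod.
write_and_validate() {
    printf '%s\n' "$1" > "$2"
    chmod 0440 "$2"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$2"
    else
        echo "visudo not found; $2 written but not syntax-checked" >&2
    fi
}

if [ "${1:-}" = demo ]; then
    weak='patti   ALL = (ALL) /sbin/cryptsetup, /bin/mount, /bin/umount'
    echo "broad entry from the thread:"; check_entry "$weak" || true
    good=$(restricted_entry patti /dev/loop0 /SCRATCH-RAID10/Dirs/00Patti.001 patticrypt /home/patti/MyShares/flames)
    echo "pinned entry:"; echo "$good"; check_entry "$good" && echo "ok"
fi
```

Drop the pinned line into a file under /etc/sudoers.d (or paste it via visudo) once `visudo -c -f` accepts it. Because the arguments are fixed, a user who changes the loop device or mount point in their script simply gets "not allowed" from sudo rather than a way to mount other people's containers.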