Encrypting SD Card

BlinkingArrow

I encrypted an SD card using the following command: "cryptsetup -y --cipher aes-xts-essiv:sha256 --key-size 512 luksFormat /dev/PARTITION" The encryption worked fine. So I proceeded to test by moving some data to it (although I can only do this as root for some reason). I then unmounted the drive and switched on the hardware lock to prevent any changes. The problem is that for some reason I can't unencrypt the drive if the hardware switch is on.

Any tips on how to encrypt the drive in such a way that I'm able to unencrypt with the hardware switch on? Anyone know why only root can write to the encrypted volume?

teodorescup

Only root can write to the encrypted volume, probably because only root
has write permissions to the drive/mountpoint.

ls -l /media/SDcardMountPoint

Personally I like to keep root the owner of the device and create
folders with appropriate permissions for users.

I don't know how to bypass the apparent hardware switch limitation.

--
I use: trisquel.info | fsf.org | eff.org | torproject.org | flattr.com
| duckduckgo.com | h-node.com | skepdic.com | riseup.net |

BlinkingArrow

Okay, thanks for the explanation teodorescup. So I'll just change the permissions of the folders.

I searched around a bit and found the disk encryption wiki for Arch GNU/Linux. https://wiki.archlinux.org/index.php/Disk_encryption#Comparison_table indicates that dm-crypt + LUKS stores "cryptographic metadata" in the LUKS header. I assume the header is saved on the device so maybe this explains why I can't open it when the switch is on. What is cryptographic metadata? Is it absolutely necessary? If not, is there a way to turn it off?

teodorescup

I don't know what that switch actually does but I can tell you that you
should be able to mount a read-only LUKS volume.

You can also try formatting the SD card with xfs and then create a LUKS
volume inside as such:

dd if=/dev/zero of=disk.img bs=1M count=2000 && \
losetup /dev/loop0 disk.img && \
cryptsetup -c aes-xts-essiv:sha256 -y -s 512 luksFormat /dev/loop0 && \
cryptsetup luksOpen /dev/loop0 crypt && \
cryptsetup status crypt && \
mkfs.xfs /dev/mapper/crypt && \
mount -t xfs /dev/mapper/crypt /mnt && \
chmod o=rwx /mnt

Note that count is the size in MiB.

To mount you'll do something like:

losetup /dev/loop0 disk.img && \
cryptsetup luksOpen /dev/loop0 crypt && \
mount -t xfs /dev/mapper/crypt /mnt

For unmount you'll use something like:

umount /mnt && cryptsetup luksClose crypt && losetup -d /dev/loop0

--
I use: trisquel.info | ceata.org | fsf.org | riseup.net | duckduckgo.com | eff.org | h-node.com | torproject.org | flattr.com | skepdic.com |
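
An added example, not part of any post in this thread: one way to open the container from the commands above read-only at every layer (loop device, dm-crypt mapping, filesystem) when the card's lock switch is on. It assumes the card reader reports the switch to the kernel, so that /sys/class/block/DEV/ro reads 1; the function names and the SYSFS, DRY_RUN and LOOPDEV variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, SYSFS, DRY_RUN and
# LOOPDEV are assumptions of this sketch; device names follow the posts above.

SYSFS=${SYSFS:-/sys}    # overridable so the logic can be exercised without a card

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Print 1 if the kernel sees block device $1 (e.g. mmcblk0p1) as write-protected.
dev_is_ro() {
    cat "$SYSFS/class/block/$1/ro" 2>/dev/null || echo 0
}

# open_container IMG SDDEV NAME MNT
#   IMG   LUKS container file on the card   SDDEV  card partition holding it
#   NAME  device-mapper name                MNT    mount point
open_container() {
    img=$1 sddev=$2 name=$3 mnt=$4 loop=${LOOPDEV:-/dev/loop0}
    if [ "$(dev_is_ro "$sddev")" = 1 ]; then
        # Card is locked: request read-only explicitly at each layer.
        run losetup --read-only "$loop" "$img"
        run cryptsetup --readonly luksOpen "$loop" "$name"
        # If the XFS log is dirty, mount replays it, which needs write access
        # even with -o ro; norecovery skips the replay (the view may be
        # inconsistent after an unclean unmount).
        run mount -t xfs -o ro,norecovery "/dev/mapper/$name" "$mnt"
    else
        run losetup "$loop" "$img"
        run cryptsetup luksOpen "$loop" "$name"
        run mount -t xfs "/dev/mapper/$name" "$mnt"
    fi
}

# close_container NAME MNT: tear the layers down in reverse order.
close_container() {
    run umount "$2"
    run cryptsetup luksClose "$1"
    run losetup -d "${LOOPDEV:-/dev/loop0}"
}

# Called with four arguments, the script opens the container directly.
if [ $# -eq 4 ]; then open_container "$@"; fi
```

With DRY_RUN=1 set, the script prints the commands it would run instead of executing them.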

BlinkingArrow

The hardware switch that I'm talking about can be seen here: https://upload.wikimedia.org/wikipedia/commons/6/67/SD_Cards.svg When the little plastic piece is pulled down (kinda hard to see 'cause it is white, but it's next to the text that says "Lock"), it is locked. The user can't write to the device. What I want to be able to do is to have it locked most of the time (in case that my system were to have something the files on it can't be changed). I'd unlock it when I need to change the files on it.

Unless I misunderstood, the commands you gave me would make the device read-only all the time. Is there a way that I can mount the device read-only some of the time?

teodorescup

The commands I gave you are for creating a LUKS container inside a
normal partition so that the LUKS header wouldn't be on the edge of the
card. I would try this if I were in your place.

BlinkingArrow

Okay, I tried it but it doesn't work. I copied the disk.img file to the SD card and then followed all the steps. Unmounted, and set the lock. Once I follow the instructions to mount it, the last command "mount -t xfs /dev/mapper/crypt /mnt" gives the error "mount: /dev/mapper/crypt: can't read superblock."