xen-users
Re: [Xen-users] use of encrypted filesystem
> I was wondering if there is a way to use encrypted filesystem inside a domU?
> I tried to look around and whatever guides I found required me to patch
> the kernel.

You should be able to use cryptoloop or dm-crypt. The latter device-mapper
based solution is the recommended alternative these days. These both give
you an encrypted block device on which to run your filesystem.
eCryptfs isn't available in the XenLinux we currently have. However, it's
being merged into future releases of the mainline kernel, so it'll filter
down to XenLinux at some stage. eCryptfs allows you to encrypt files on an
individual basis, so is rather different to use than the above solutions -
it may be more or less useful, depending on your objectives.
Anyhow, we'll talk about cryptoloop and dm-crypt for now, since these are
the ones that are going to be most straightforward to use.

> I also found out about cryptoloop, however when I try to use it inside domU, it
> gives me an error
> losetup -e cryptoloop /dev/loop0 /dev/sda2
> Password:
> ioctl: LOOP_SET_STATUS: Invalid argument
> I also tried various combinations
> losetup -e des /dev/loop0 /dev/sda2
> losetup -e aes128 /dev/loop0 /dev/sda2
> losetup -e aes-256 /dev/loop0 /dev/sda2
> However all the above result in the same error.
> How should I set up the encrypted fs? Any help would be appreciated.

You don't need to patch your XenLinux kernel if you want to use Cryptoloop
or dm-crypt. However, you'll need to recompile it.
Reconfigure your kernel to include support for cryptoloop (you can find
this in make menuconfig under the menu: Device Drivers / Block devices /
Loopback device support / Cryptoloop support) or dm-crypt (you can find
this in make menuconfig under the menu: Device Drivers / Multi Device
Support (RAID and LVM) / Device Mapper Support / Crypt target support).
You might as well enable both, then you can play around with them. You may
find that once you've compiled support in, the howtos you were following
will Just Work(TM). You may need to install packages for your distro in
order to use dm-crypt.
Note that cryptoloop does have known security vulnerabilities, which is why
dm-crypt is now recommended.
If you have any problems, follow up to this e-mail.
Cheers,
Mark
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
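
The following is an added example, not part of the original e-mail: a shell check that reads a kernel `.config` and reports whether the two menuconfig entries named in the reply (Cryptoloop support, Crypt target support) and their parent options are enabled. The function names and the sample config are constructed for illustration; the mapping of menu entries to `CONFIG_` symbols is noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original e-mail): check a kernel .config for
# the options behind the two menuconfig entries named in the reply.

# opt_state FILE SYMBOL: print y (built in), m (module) or n (not enabled).
opt_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${state:-n}"
}

# check_crypto_blockdev FILE: print one status line per backend.
# Returns 0 only when dm-crypt (the recommended option) is available.
check_crypto_blockdev() {
    loop=$(opt_state "$1" CONFIG_BLK_DEV_LOOP)         # Loopback device support
    cloop=$(opt_state "$1" CONFIG_BLK_DEV_CRYPTOLOOP)  # Cryptoloop support
    dm=$(opt_state "$1" CONFIG_BLK_DEV_DM)             # Device Mapper Support
    dmcrypt=$(opt_state "$1" CONFIG_DM_CRYPT)          # Crypt target support
    if [ "$loop" != n ] && [ "$cloop" != n ]; then
        echo "cryptoloop: available ($cloop)"
    else
        echo "cryptoloop: missing"
    fi
    if [ "$dm" != n ] && [ "$dmcrypt" != n ]; then
        echo "dm-crypt: available ($dmcrypt)"
        return 0
    fi
    echo "dm-crypt: missing"
    return 1
}

# Constructed sample .config fragment: loop driver built in, Cryptoloop not
# selected, dm-crypt built as a module.
sample_config() {
    cat <<'EOF'
CONFIG_BLK_DEV_LOOP=y
# CONFIG_BLK_DEV_CRYPTOLOOP is not set
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
EOF
}

# Usage: sh check.sh /path/to/.config  (with no argument, the sample is used)
cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp) && sample_config > "$cfg"
fi
check_crypto_blockdev "$cfg" || echo "rebuild with Crypt target support enabled"
```

The check covers only the block-device options; the cipher modules a given setup needs are selected separately in the kernel's cryptographic options.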