cryptmount - a utility for accessing encrypted filesystems

cryptmount is a utility for GNU/Linux operating systems which allows an ordinary user to mount an encrypted filing system without requiring superuser privileges. It is aimed at recent Linux systems using the 2.6 kernel series.

There are currently two main approaches to using encrypted filesystems within the linux kernel:

the cryptoloop device driver;
the device-mapper system, using the dm-crypt target.

The (older) cryptoloop system has grown in parallel with the loopback device-driver of 2.4 kernel series, but has now been superseded by the device-mapper capabilities of the 2.6 kernel series. The newer devmapper system offers a cleaner organization of encryption and device-access, and superior performance has been noted. Alternative user-space tools which allow individual files to be encrypted are also widely available, but allow some information about file sizes & organization to be exposed.

With the older cryptoloop system, it was possible to describe all the details of an encrypted filesystem within /etc/fstab so that it could be configured completely by 'mount'. This meant that it was particularly easy to give any user permission to mount those encrypted filesystems simply by providing the 'user' option within /etc/fstab.

With the newer device-mapper infrastructure, there are more stages involved in mounting an encrypted filing system, and neither does 'mount' currently allow this nor does the syntax of /etc/fstab lend itself to describing all the necessary filesystem parameters. This is especially so if the filesystem is stored in an ordinary file, which would require separate configuration of a loopback device and a devmapper target before the filesystem could be accessed.

cryptmount was written to make it as easy for ordinary users to access encrypted filesystems on-demand using the newer devmapper mechansism as it was to use the older, now deprecated, cryptoloop methods. This offers the following advantages:

access to improved functionality in the kernel
transparent support for filesystems stored on either raw disk partitions or loopback files
separate encryption of filesystem access keys, allowing access passwords to be changed without re-encrypting the entire filesystem
storing multiple encrypted filesystems within a single disk partition, using a designated subset of blocks for each
rarely used filesystems do not need to be mounted at system startup
un-mounting of each filesystem is locked so that this can only be performed by the user that mounted it, or the superuser
encrypted filesystems compatible with cryptsetup
encrypted access-keys can be chosen to be compatible with openssl, or managed via libgcrypt, or (for 2.0 release-series) built-in SHA1/Blowfish ciphers
support for encrypted swap partitions (superuser only)
support for setting up encrypted filesystems or crypto-swap at system boot-up

There are a number of different ways of accessing encrypted filesystems under linux, each with their own strengths and weaknesses. Some of the closest alternatives to cryptmount are as follows:

dmsetup (part of the libdevmapper package) is a powerful tool for performing very low-level configuration of device-mapper targets, but requires root privileges and is not straightforward to use interactively for setting up dm-crypt targets.
cryptsetup (and the extended cryptsetup-luks) are valuable tools for performing lower-level configuration of the 'dm-crypt' target through libdevmapper. As yet, these are only directed at raw block devices, and would require separate configuration of loopback devices to handle filesystems stored in ordinary files. cryptsetup is supplied with scripts that can setup and mount encrypted filesystems at system startup, but this does not give ordinary users control over their own encrypted filesystems.
sudo + dmsetup/cryptsetup - neither dmsetup nor cryptsetup is suitable for unrestricted use by ordinary users. 'sudo' would only appear to help get round the problem of needing root privileges if one had a script that performed the necessary calls to dmsetup/cryptset/losetup before mounting the filesystem. Such a script would probably have to perform many of the tasks that cryptmount already handles.
PAM-mount allows filing systems to be automatically mounted when a user logs in, but this makes it more difficult to decouple normal logins & passwords from occasional access to encrypted data having a separate password.

cryptmount is hosted on Sourceforge, where you can download the latest release, and is also listed on FreshMeat. cryptmount is also currently available as a Debian package (within release 4.0, "Etch"), as an Ubuntu package (within the "Hardy" release), as a Slackware alien build and as a Gentoo Sunrise overlay.

The manual pages of cryptmount-3.0 for the executable and its configuration file are also available online.

The author would welcome constructive feedback on this webpage or on cryptmount itself. These can be sent to rwpenney«AT»users«DOT»sourceforge«DOT»net .