cryptmount - a utility for accessing Linux encrypted filesystems
Overview
cryptmount is a utility for GNU/Linux operating systems
which allows an ordinary user to mount an encrypted filing system
without requiring superuser privileges. It can operate on
LUKS volumes
created by cryptsetup.
Technical background
The device-mapper technologies offered by the Linux kernel
provide many options for creating encrypted filesystems,
but require a number of steps before an encrypted filing system
can actually be mounted and made available in user-space.
These steps are typically not supported directly
by the 'mount' or 'pmount' commands,
nor does the syntax of /etc/fstab lend itself to describing
all the necessary filesystem parameters.
This is especially so if the filesystem is stored in an ordinary file,
which would require separate configuration of a loopback device
and a devmapper target before the filesystem could be accessed.
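The manual sequence described above for a LUKS volume held in an ordinary file, as an added example (it is not part of cryptmount or of the original page). The image path, mapping name and mount point are constructed placeholders, and with DRY_RUN=1 the privileged commands are printed rather than executed.

```shell
#!/bin/sh
# Added example: the manual, root-only steps for a LUKS volume kept in an
# ordinary file. All paths and names are constructed placeholders.
# With DRY_RUN=1 (the default) privileged commands are printed, not executed.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# attach_volume IMAGE MAPNAME MOUNTPOINT
attach_volume() {
    image=$1; mapname=$2; mountpoint=$3
    # Step 1: bind the container file to a free loopback device.
    if [ "$DRY_RUN" = 1 ]; then
        echo "losetup --find --show $image"
        loopdev=/dev/loopN      # placeholder; losetup prints the real name
    else
        loopdev=$(losetup --find --show "$image") || return 1
    fi
    # Step 2: create the dm-crypt target (cryptsetup prompts for the passphrase).
    if ! run cryptsetup open --type luks "$loopdev" "$mapname"; then
        run losetup --detach "$loopdev"     # do not leak the loop device
        return 1
    fi
    # Step 3: mount the decrypted block device.
    if ! run mount "/dev/mapper/$mapname" "$mountpoint"; then
        run cryptsetup close "$mapname"     # unwind in reverse order
        run losetup --detach "$loopdev"
        return 1
    fi
}

# detach_volume LOOPDEV MAPNAME MOUNTPOINT: tear down in reverse order.
detach_volume() {
    run umount "$3" && run cryptsetup close "$2" && run losetup --detach "$1"
}
```

Every step here needs root, and a failure part-way through has to be unwound by hand so that no loop device or dm-crypt mapping is left behind.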
cryptmount was created to make it as easy for ordinary users
to access encrypted filesystems on-demand
using the modern devmapper mechanism as it was to use the older,
now deprecated, cryptoloop methods.
As well as acting as a front-end to LUKS (cryptsetup) encrypted containers,
it offers the following options:
- transparent support for filesystems stored on either
raw disk partitions or loopback files
- optional separate encryption of filesystem access keys,
allowing access passwords to be changed without re-encrypting
the entire filesystem
- storing multiple encrypted filesystems within a single disk partition,
using a designated subset of blocks for each
- rarely used filesystems do not need to be mounted at system startup
- un-mounting of each filesystem is locked so that this can
only be performed by the user that mounted it, or the superuser
- encrypted access-keys can be chosen to be compatible with OpenSSL,
managed via libgcrypt, or use built-in SHA1/Blowfish ciphers
- support for encrypted swap partitions (superuser only)
- support for setting up encrypted filesystems
or crypto-swap at system boot-up
Alternatives
There are a number of different ways of accessing encrypted filesystems
under Linux, each with its own strengths and weaknesses.
Some of the closest alternatives to cryptmount are as follows:
- dmsetup
(part of the libdevmapper package)
is a powerful tool for performing very low-level configuration
of device-mapper targets, but requires root privileges
and is not straightforward to use interactively
for setting up dm-crypt targets.
- cryptsetup
is a powerful tool for performing lower-level configuration
of the 'dm-crypt'
target through libdevmapper.
cryptsetup is supplied with scripts that can set up and mount
encrypted filesystems at system startup,
but this does not give ordinary users control over
their own encrypted filesystems.
- sudo + dmsetup/cryptsetup:
neither dmsetup nor cryptsetup is suitable for unrestricted use
by ordinary users.
'sudo' would only appear to help get round
the problem of needing root privileges
if one had a script that performed the necessary calls
to dmsetup/cryptsetup/losetup before mounting the filesystem.
Such a script would probably have to perform many of the tasks
that cryptmount already handles.
- PAM-mount
allows filing systems to be automatically mounted when a user logs in,
but this makes it more difficult to decouple
normal logins & passwords from occasional access
to encrypted data having a separate password.
Downloading
cryptmount is currently available
within a variety
of Linux distributions, including:
The development history is hosted on
GitHub,
and source packages can also be found on
Sourceforge.
The manual pages of cryptmount-6.2.0
for the executable
and its configuration file
are also available online.
Feedback
The author would welcome constructive feedback
on this webpage or on cryptmount itself.
These can be sent to
rwpenney«AT»users«DOT»sourceforge«DOT»net.
Last updated 21 January 2023
© Copyright RW Penney, 2006-2023