cmtab.5.in

来自「Cryptmount是对Linux系统下的文件系统以及用户设备、文档等进行加密的」· IN 代码 · 共 282 行

.\" cmtab (cryptmount) manual page
.\" $Revision: 117 $, $Date: 2006-07-30 10:20:45 +0100 (Sun, 30 Jul 2006) $
.\" Copyright (c) 2005,2006 RW Penney
.\"
.TH CMTAB 5 "2006-07-17" "@PACKAGE_VERSION@" "User commands"
.SH NAME
cmtab \- static information about filesystems managed by cryptmount


.\" --------------------------------
.SH DESCRIPTION

Information about the encrypted filing systems managed by
.B cryptmount
is contained in the file @etcdir@/cmtab.
Each filesystem is labelled by a target name which can be used as an argument to
.B cryptmount
and which appears in @etcdir@/cmtab in front of a list of parameters describing where that filesystem is stored, and how it is encrypted.

The format of the cmtab is flexible, with the description of each target being delimited by braces, parameters being specified by KEY=VALUE pairs, and white-space being freely usable.
Comments are prefixed by a '#' character, and can start at any point in a line, lasting to the end of the line.
The backslash character '\\' can be used to ignore any special significance of the following character, for example to include a space in a filename.

@etcdir@/cmtab contains entries of the following form:

.nf
    TARGET_NAME {
        dev=DEVICE
        flags=FLAG,FLAG,...
        startsector=STARTSECTOR
        numsectors=NUMSECTORS
        loop=LOOPDEV
        dir=MOUNT_POINT
        fstype=TYPE
        fsoptions=OPT,OPT,...
        cipher=CIPHER
        ivoffset=IVOFFSET
        keyformat=KEYFORMAT
        keyfile=KEYFILE
        keyhash=KEYHASH
        keycipher=KEYCIPHER
        keymaxlen=KEYMAXLEN
    }
.fi

wherein the fields 'flags', 'startsector', 'numsectors', 'loop', 'ivoffset' are optional.

The fields in this structure have the following meaning:

.TP
.BI TARGET_NAME
is the name that cryptmount uses to refer to a particular filing system.
.TP
.BI DEVICE
is the name of the raw device (e.g. /dev/hdb63) or ordinary file (e.g. /home/secretiveuser/private.fs) that contains the encrypted filing system.
.TP
.BI FLAG
is a configuration switch, such as
"user" (any user can mount),
"nouser" (only root can mount),
"fsck" (automatically check filesystem before mounting),
"nofsck" (don't check filesystem before mounting),
"mkswap" (format swap partition before use),
"nomkswap" (don't format swap partition).
This parameter is optional and defaults to "user,fsck,nomkswap".
.TP
.BI STARTSECTOR
is the number of sectors (blocks) into
.B DEVICE
at which the filing system is to start. This parameter is optional, and defaults to zero.
.TP
.BI NUMSECTORS
gives the total length of the filing system in sectors (blocks).
This parameter is optional, and defaults to \-1 which is shorthand for the total available length of
.B DEVICE.
.TP
.BI LOOPDEV
can be used to specify a particular loopback device (e.g. /dev/loop0) used when DEVICE is an ordinary file. This parameter is optional and defaults to "auto".
.TP
.BI MOUNT_POINT
is the directory onto which the encrypted filing system will be mounted.
.TP
.BI TYPE
is the filing system type (as used by
.B mount
(8)).
This must be set to "swap" if the device is to be used as an encrypted swap partition.
.TP
.BI OPT
is a filesystem mounting option, as used by
.B mount
(8). OPT can typically be "default", "noatime", "noexec", "nosuid", "ro", "sync" etc.
.TP
.BI CIPHER
is the encryption algorithm used on the
.B DEVICE.
The available algorithms are determined by the system kernel.
This parameter is optional and defaults to "@DFLT_CIPHER@".
.TP
.BI KEYFORMAT
specifies which encryption engine is used to manage the
.B KEYFILE.
The available engines are determined when
.B cryptmount
is built, but may include "openssl", "libgcrypt", or "raw".
This parameter is optional, and if absent the first available encryption engine is used.
.TP
.BI KEYFILE
is an ordinary file that contains the key used by the
.B CIPHER
algorithm to decrypt the filing system. This key is itself encrypted in a way specified by the
.B KEYHASH
and
.B KEYCIPHER
\.
.TP
.BI IVOFFSET
is the offset added to the sector-number used in constructing the cipher algorithm's initialization vector.
This parameter is optional, and defaults to 0.
.TP
.BI KEYHASH
is the hashing algorithm used to turn the user's password into the decryption key used by the
.B KEYCIPHER
algorithm.
The available hashing algorithms are determined by the installed version of the
.B ssl
(3) library.
This parameter is optional and the default depends on the value of
.B KEYFORMAT.
.TP
.BI KEYCIPHER
is the encryption algorithm used to secure the decryption key of the filing system itself.
The available key-encryption algorithms are determined by the installed version of the
.B ssl
(3) library.
This parameter is optional and the default depends on the value of
.B KEYFORMAT.
In addition, a value of "none" can be used for a
.B KEYFILE
that contains an unprotected filesystem decryption key.
In this case, it is recommended that the
.B KEYFILE
is stored with access permissions no less restrictive than 0600, or on a removable device such as a USB flash-disk.
.TP
.BI KEYMAXLEN
is the maximum number of bytes of the decryption key that will be read from
.B KEYFILE .
This parameter is optional, and defaults to 0, indicating that the full length of
.B KEYFILE
should be read.


.\" --------------------------------
.SH SECURITY

Because
.B cryptmount
needs to operate with setuid privileges, it is very important that
its configuration file is kept secure.
Ideally @etcdir@/cmtab should be managed only by the system administrator, and all key-files should be readable only by their owner.

.B
cryptmount
makes basic checks on the security of @etcdir@/cmtab each time it runs,
and will refuse to operate unless the following conditions are met:
.nf
  * cmtab must be owned by root
  * cmtab must be a regular file
  * cmtab must not be globally writable
  * the directory containing cmtab must be owned by root
  * the directory containing cmtab must not be globally writable
.fi
In addition, for each target within @etcdir@/cmtab, all paths must be absolute (i.e. starting with '/').


.\" --------------------------------
.SH EXAMPLE FILE

The following example of @etcdir@/cmtab consists of three targets, using a variety of encryption algorithms and storing their filesystems in different ways, and fourth target representing an encrypted swap partition:

.nf

    # @etcdir@/cmtab
    # example file \- please modify before use
    
    basic {
        dev=/home/secretiveuser/crypt.fs
        dir=/home/secretiveuser/crypt           # where to mount
        loop=auto                               # find free loop\-device
        fstype=ext3     fsoptions=default
        cipher=aes                              # filesystem encryption
        keyfile=/home/secretiveuser/crypt.key
        keyhash=md5                             # password hashing
        keycipher=bf\-cbc                        # access\-key encryption
    }

    partition {
        dev=/dev/hdb62                      # use whole disk partition
        dir=/mnt/crypt62
        fstype=ext3     fsoptions=nosuid,noexec
        cipher=serpent

        # information about file used to store decryption key:
        keyfile=@etcdir@/crypt_hdb62.key
        keyhash=md5 keycipher=bf\-cbc        # encryption of key file
    }
        
    subset {
        dev=/dev/hdb63
        startsector=512 numsectors=16384    # use subset of partition
        dir=/mnt/encrypted\\ subset\\ of\\ hdb
        fstype=reiserfs     fsoptions=defaults
        cipher=twofish                      # filesystem encryption

        # information about file used to store decryption key:
        keyfile=@etcdir@/crypt_hdb63.key
        keyhash=md5 keycipher=bf\-cbc        # encryption of key file
    }

    encswap {                               # encrypted swap partition
        dev=/dev/hdb63
        startsector=16896 numsectors=1024   # use subset of partition
        fstype=swap        flags=mkswap       cipher=twofish

        # read fresh 32-byte key from /dev/random whenever used:
        keyfile=/dev/random        keymaxlen=32     keycipher=none
    }

    # end of cmtab
.fi

The 'basic' target uses an ordinary file "/home/secretiveuser/crypt.fs"
to store the encrypted filesystem,
perhaps within a normal user's home directory.
A loopback device will be automatically allocated
(because of the "loop=auto") by
.B cryptmount
to turn this into a block-special device, before mounting.
The decryption key for the filesystem is also stored in this user's home directory, making it easier for them to change the password protecting the key.

The 'partition' target uses a whole disk partition to store the encrypted filing system, with the decryption key stored in the main
.B cryptmount
configuration directory.

The 'subset' target is similar to the 'partition' target except that it does not use a whole disk partition.
This would allow other groups of blocks within that partition to be used for other filesystems managed via
.B cryptmount
or
.B dmsetup.

The 'encswap' target uses a subset of blocks within a disk partition
to form an encrypted swap device.
A new encryption key is read from the system random-number generator
/dev/random every time the target is used.
___DELETE_CSWAP_1
Note that the current installation of
.B cryptmount
does not appear to have support for crypto-swap enabled.
____END_CSWAP_1


.\" --------------------------------
.SH FILES
.I @etcdir@/cmtab
- main configuration file


.SH "SEE ALSO"
.BR cryptmount (8),
.BR dmsetup (8),
.BR openssl (1)


.\" --------------------------------
.SH COPYRIGHT NOTICE
.B cryptmount
is Copyright 2005-2006 RW Penney
.br
and is supplied with NO WARRANTY. 
Licencing terms are as described in the file "COPYING" 
within the cryptmount source distribution.