Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Security

Multi-Platform Encrypted Disk Image Formats? 29

Posted by Cliff from the secure-and-portable-data-transportation dept.
LockedDisk asks: I'm looking at an application that will use USB flash devices to distribute information that, while not "top-secret", is sensitive enough that I'd prefer not to distribute it in plaintext. It'll be accessed from multiple platforms by the users who get them. What I'm hoping to find is a tool to build encrypted disk images that can be mounted on Windows, MacOS X, and hopefully Linux as well. What I'd do in distributing these is put the encrypted image on the device, with mounters already on the thumb drive. Users would be able to simply use the right mounter for their platform. For instance, I know PGPdisk would support the multi-platform part, but the mounter doesn't look like it's very well-suited to what I'm looking for. Mac .DMG files can be encrypted, but I know of no way to mount them on any other platform. Any ideas, folks?"
This discussion has been archived. No new comments can be posted.

Multi-Platform Encrypted Disk Image Formats? More

Multi-Platform Encrypted Disk Image Formats?

Comments Filter:

  • why an encrypted filesystem? (Score:4, Insightful)

    by displague ( 4438 ) <slashdot@@@displague...com> on Thursday March 06, 2003 @06:07PM (#5452958) Homepage Journal
    why not just use a standard filesystem (msdos/vfat) and leave an encrypted zip or gpg encrypted tar file in the root directory? How is this any less secure? As an added bonus it is very simple to implement and will be supported under any platform (that is dos friendly).
    • Why is there only two comments, and one is exactly what I was going to say.

      Think in layers.
    • why does everyone feel the need to over-engineer? vfat is understood ubiquitously and so are many encrypted file formats. awesome first post.

    • Re:why an encrypted filesystem? (Score:5, Informative)

      by phyxeld ( 558628 ) <phyx@lo s t i n t h e n o i se.net> on Thursday March 06, 2003 @07:11PM (#5453662) Journal
      why not just use a standard filesystem (msdos/vfat) and leave an encrypted zip or gpg encrypted tar file in the root directory? How is this any less secure?

      Because modifying and re-encrypting your data that way isn't automatic. I can't speak for the person who submitted the question, but I can tell you why I use encrypted disks in Mac OS X: My home directory is filled with symlinks. .ssh, .gnupg, .fetchmailrc, etc... All of these things are links to a given directory. Like so:
      .ssh -> .encrypted/.ssh
      .gnupg -> .encrypted/.gnupg
      .encrypted -> /Volumes/EncryptedDisk
      Since all the symlinks are pointing to another symlink which itself points to the actual mount point of the encrypted volume, I can easily swap in a different volume there, to use the encrypted dmg on my usb thumb drive, or on a remote webdav volume, or whatever. And I have a lot more than just ssh and gnupg stored on there, stuff like bookmarks and cookies for various browsers, my actual apple Keychain files, mail, etc... All of this can my symlinked to an encrypted volume. It's much more convienent than encrypting your whole home directory (as has been discussed on slashdot previously) because you don't need another account to mount and unmount the image. And without the dmg mounted, you still have access to the unencrypted parts of your user account (ie I don't keep my mailing list directories on there, but I do keep my inbox and personal mail there).

      Using .tgz.gpg files, something I've also played with, simply cannot provide this kind of functionality.

      At first, I was regularly copying the entire .dmg file onto my slow-as-all-fuck thumbdrive, but then I got wise and made a second image there of the same size and use a script to mount both images, rsync, and unmount (so I run my script, insert the usb thumb drive, wait, and remove it. Rsync makes the backup quite fast, compared with copying the entire dmg every time). Beause of all this, creating an account on a new mac and getting my personal settings is as simple as plugging in the thumbdrive and running a (different) script to create the symlinks. On machines that aren't mine, the ~/.encrypted symlink just points to the mount point of the dmg on the usb key drive though, instead of a local copy.

      FWIW, I'm planning on writing a howto describing how I use crypto in OS X, covering topics from ssh (keys, tunnels, socks proxy, scp) to gpg to Apple's AES dmg files (and my backup script). Hopefully I'll find the time soon, and post it on my website. If anyone has any input on this subject, I'm available on aim and would be interested in hearing pre-feedback. I'd really like to hear an answer to the Multi-Platform part of the submitters question, as currently my aes dmg encrypted data is only available in mac os x.
      1. Because PKZIP encryption is extremely weak and can be broken easily
      2. Because GPG isn't a standard on OS X or Windows
    • Built in Zip encryption is very very flawed. GPG/PGP encrypted zip files are fine, OTOH. Just so people know, Zip encryption is much much weaker than DES or 40-bit RC4.
  • Well, if you're felling ambitious, you could allways try porting the hdiutil command line utility from the Darwin source to whatever platforms you need. Then you could use UIFS images (mac .dmg files) on multiple platforms. Actually someone probably ought to do that anyway, from what I understand it's a pretty nifty flexible device image format. If you're not looking to do quite so much work, it would be pretty trivial to just use a plain old .iso image encrypted by GPG, and include a script to decrypt the image then mount it for each platform.

  • CDROM iso (Score:2, Interesting)

    by Visaris ( 553352 )
    Why not use CDROM ios images? It's standard, supported on every platform, and the software should be free. For windows, try Deamon Tools (read only). If you need read and write access, you may have to find some special software to make the .iso files to work, but I know It's possible.

  • BestCrypt (Score:3, Informative)

    by BalkanBoy ( 201243 ) on Thursday March 06, 2003 @07:04PM (#5453601)
    has the ability to create encrypted images with any given cipher and mount them. They've made a version for both, Windows and Linux (not sure if they have a Mac though). It creates a .jbc file that you can copy and manipulate to your heart's content. Here's their site [jetico.com].

  • One way (Score:4, Interesting)

    by zobo ( 60591 ) on Thursday March 06, 2003 @07:13PM (#5453683)

    I've wished for something similar in the past. One solution that occurred to me would be to create an encrypted loopback filesystem under Linux (details here [linux.org]). For those not familiar with this scheme, it essentially encapsulates a filesystem in a regular file and [en|de]crypts it at the kernel level.

    One potential way to access this from Windows would be using Namespace Extensions [microsoft.com]. I believe this is the way that "special folders" such as Control Panel and Scheduled Tasks are integrated into the Explorer. It would seem to be straightforward for someone knowledgable in the area to create a Namespace Extension that could mount an encrypted loopback filesystem created in Linux.

    • The Linux encrypted loopback device (loop-AES) is great. You can use a regular file or a raw block device/partition to store the data.

      I really wish there was a cross-platform standard for volume encryption. My understanding is that with AES-256, loop-AES takes my passphrase and generates two 256-bit keys with SHA-512. The block number is encrypted using the first key to generate the initialization vector for the block, then the initialization vector and the secon key are used with AES in CBC mode to enc

  • Samba VFS (Score:3, Interesting)

    by lkaos ( 187507 ) <anthony@codemonk ... s minus math_god> on Thursday March 06, 2003 @07:24PM (#5453766) Homepage Journal
    If you're adventurous, you could use Samba as the front end (since it compiles and runs on Windows, Mac, and Linux) and write a custom VFS module to read whatever kind of image you want. The easiest thing to do would be to take something like ramfs from Linux and port it to userspace/samba. That would provide a portable way to share front-ends (keeping in mind three copies of Samba isn't exactly tiny)....

    And for platforms that don't support CIFS natively (are there any of this now a days?) you can use jCIFS :)
    • From what I can gather, this is how OpenAFS provides seamless filesystem access on platforms (Windows) that no-one wants to write drivers for. The scheme is basically:

      FAT formatted USB drive->encrypted file->SMB/CIFS server->SMB/CIFS client on OS
  • You might take a look at BestCrypt from Jetico. I used to use it when I was using both Windows and Linux. It supports a number of ciphers including Rijndel (AES), IDEA, Blowfish, Blowfish-448, Blowfish-128, DES, 3DES, CAST andTwofish. There is also an availible development kit if you are interested. I don't recall the details of the license but all the products are availible for free download and evaluation.
  • I'm sure you could hack up some BSD/Linux utility to transparently mount encrypted filesystems and include a minimal Cygwin installation for the Windows folks. IIRC, Cygwin accesses the Windows filesystem(s) directly, so mounting an encrypted file loopback and accessing it's contents directly from Windows should be possible. Getting Cygwin onto a USB pen drive might be a chore, though. Sounds like a fun project.
  • Your best bet is to encrypt individual files on a VFAT file system with an encryption program that exists on all platforms. That way, you can at least get at the files when you need to.

    The second part is to get transparent encryption/decryption. That's a matter of convenience. There is no single good solution for all platforms. Some programs (editors like vi and emacs) can automate this for you. You can write scripts or batch files to do this for you as needed.

    On Linux, you can get transparent encrypt/decryption for almost all programs using LD_PRELOAD. Look at the "Plastic File System" (some assembly required). Similar DLL hacks are possible on Windows, though harder and less reliable.

  • I think this might be a good application for a simple Java application. Just put your encrypted data file(s) and Java binaries in a ".jar" file. Use something command line oriented or using pre-Swing (AWT?) APIs that'd work on a 1.1.x JVM and you'll have everything you need (aside from a JVM) with you. Maybe whip up a simple Applet so all you need is a Java capable Browser.

  • Issues (Score:3, Informative)

    by Zaffle ( 13798 ) on Friday March 07, 2003 @12:29AM (#5455941) Homepage Journal

    The biggest issue with this idea is cross-platform. So far a few suggestions have been raised, and I like the idea of a samba frontend, though it seems a little extreme.

    BestCrypt [jetico.com] is the only cross-platfrom encrypted drive/volume software I know of, its only free for Linux though. :(

    Scramdisk [clara.net]/ e4m [samsimpson.com] are options. Though Scramdisk doesn't run on w2k or XP, nor Linux. E4M doesn't run on linux either. The source for Scramdisk and E4M is available, but I've forgotten what the license is. I *think* its GPL, but don't count on it.

    DriveCrypt [samsimpson.com] is made by the same people as ScramDisk, but DC is closed source. Though they are promising a Linux release (as well as the current XP/2K/etc clients).

    You may also like to try The Linux crypto mailing list [linux.org] to search for answers there.

    Developing On-The-Fly encrypted drives for linux isn't all that hard, afterall, its been done before a few times. Doing so for Windows 95 though to XP is a lot harder.

    As for the Mac side, I have no idea. I think the most portable option would be the Samba idea mentioned before. It shows the most promise, you are esentially piggybacking off a known and support product.

  • I'm afraid that there might not be much of these around that works perfectly and transparently. One of the reasons is probably that Windows doesnt have a standard and well working loopback device mount function that is modular (can add own read/write-modules) like for instance OS X and Linux has. Finding or making some of these existing work on OS X and Linux is probably feasible (not sure if they exist) but Windows is a problem. It's not like Microsoft lets people know how to code filesystems to Windows - otherwise im sure we'd see atleast ext2fs support in Windows.

    But for a temporary solution i present BCrypt [sourceforge.net] - powerful multiplatform file encryption tool. Its also small and light but uses a 448bit Blowfish-encryption. You can carry the different version of the binary on your pendrive and encrypt/decrypt on virtually any platform. Of course it just encrypts files so you need to add zip or something for multiple files - yes its a bitch if there is alot of them but its the best suggestion i have.
  • I don't see why the "mounter" in PGPdisk doesn't seem like what you're looking for. It sounds like exactly what you're looking for. Please explain what PGPdisk lacks that you need.
  • If so, you could use WebDNA and give it any extension you want so no one would know WebDNA was serving up the info.
    You can also use the [protect admin] tag to require username and password.
    It is cross platform and the Developer Edition is FREE.
    You can download it at Click Here [smithmicro.com]
    Here is the sample encrypt tag
    [Encrypt seed=abcdefg]Some Text that is private[/Encrypt]
    [Decrypt seed=abcdefg][Encrypt seed=abcdefg]Some Text that is private[/Encrypt][/Decrypt]
    In the example above, the first line of displayed text will be unintelligible, as seen below.
    The second line decrypts the text and displays it as it was before:
    ;)(*&#$KLJFLKjkhegdlksdfg09814
    Some Text that is private
    Good Luck!!

Slashdot Top Deals

Two can Live as Cheaply as One for Half as Long. -- Howard Kandel

Close