====== Linux Encryption ======

===== Secure erase =====

  * scrub
  * shred
  * srm (works on Mac)
  * wipe

===== ecryptfs (not supported on RH 7) =====

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/filesysnew-efs.html

Create and mount:

<code bash>
yum install ecryptfs-utils-gui
dd if=/dev/zero of=ecrypttest bs=1M count=100
mkfs.ext3 ecrypttest
mount -o loop ecrypttest /mnt/crypt/
mount -t ecryptfs /mnt/crypt/ /mnt/crypt/
df -h
</code>

Remove:

<code bash>
umount /mnt/crypt/
umount /mnt/crypt/    # do this two times: once for the ecryptfs layer, once for the loop mount
shred ecrypttest -u -z
</code>

clipper backup drive:

<code>
[root@clipper ~]# mount -t ecryptfs /backup /backup -o ecryptfs_unlink_sigs,ecryptfs_fnek_sig=4295f161eb1fa6b7,ecryptfs_key_bytes=24,ecryptfs_cipher=aes,ecryptfs_sig=4295f161eb1fa6b7
Select key type to use for newly created files:
 1) passphrase
 2) openssl
 3) tspi
Selection: 1
Passphrase: NEUcfdITAR
Enable plaintext passthrough (y/n) [n]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=4295f161eb1fa6b7
  ecryptfs_key_bytes=24
  ecryptfs_cipher=aes
  ecryptfs_sig=4295f161eb1fa6b7
Mounted eCryptfs
</code>

===== encfs =====

http://www.howtoforge.com/encrypt-your-data-with-encfs-debian-squeeze-ubuntu-11.10

http://www.howtoforge.com/encrypt-your-data-with-encfs-ubuntu-13.04

===== LUKS =====

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions.html

http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions

http://www.linuxuser.co.uk/reviews/the-best-file-encryption-software-in-open-source/

To create a 100M encrypted container:

<code bash>
dd if=/dev/urandom of=crypttest bs=1M count=100
man losetup
losetup -a
losetup /dev/loop0 crypttest
cryptsetup --verbose --verify-passphrase luksFormat /dev/loop0
mkdir -p /mnt/crypt
</code>

To open the container:

<code bash>
cryptsetup luksOpen /dev/loop0 crypttest_1
ls -l /dev/mapper/
</code>

To format and mount it:

<code bash>
mkfs.ext3 /dev/mapper/crypttest_1
mount /dev/mapper/crypttest_1 /mnt/crypt/
df -h | grep cry
</code>

To show the key for the mounted device:

<code bash>
dmsetup table --target crypt --showkey /dev/mapper/crypttest_1
</code>

To remove the device:

<code bash>
umount /mnt/crypt/
cryptsetup status /dev/mapper/crypttest_1
cryptsetup remove /dev/mapper/crypttest_1
</code>

To quickly remove the key by overwriting the LUKS header and key slots (1052672 bytes = 2056 sectors, the LUKS1 header plus eight key slots for 256-bit keys; larger keys and LUKS2 use a bigger header, so take the payload/data offset from cryptsetup luksDump before relying on this count):

<code bash>
head -c 1052672 /dev/zero > /dev/loop0; sync
</code>

To remove the device file:

<code bash>
losetup -d /dev/loop0
rm crypttest
</code>

===== LUKS on SL 7 =====

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html

<code>
# parted /dev/sdb    ??
# shred -v --iterations=1 /dev/sdb1
# cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1
# mkdir /backup
# cryptsetup luksOpen /dev/sdb1 backup
# ls -l /dev/mapper/
# mkfs.xfs /dev/mapper/backup
# mount /dev/mapper/backup /backup/
# df -h /backup/
# vim /etc/crypttab
backup /dev/sdb1 /root/keyfile-backup luks
# vim /etc/fstab
# restorecon -v -R /backup/
# dd if=/dev/urandom of=keyfile-backup bs=1024 count=4
# chmod 0400 keyfile-backup
# cryptsetup luksAddKey /dev/sdb1 /root/keyfile-backup
# vim /etc/fstab
/dev/mapper/backup /backup xfs defaults 0 2
# mount
# mount -a
# reboot
# ls /backup
</code>

==== Do not automount ====

Add noauto to /etc/fstab and /etc/crypttab:

/etc/fstab:
<code>
/dev/mapper/backup /backup xfs defaults,noauto 0 0
</code>

/etc/crypttab:
<code>
backup /dev/sdb1 /root/keyfile-backup luks,noauto
</code>

Then, to manually mount and unmount:

<code bash>
cryptsetup luksOpen /dev/sdb1 backup
mount /backup
cryptsetup status backup
umount /backup
cryptsetup close backup
</code>

===== GPG =====

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Encryption-Using_GPG.html

To create an encrypted compressed tar archive with GnuPG:

<code bash>
$ tar czvpf - doc.pdf doc2.pdf doc3.pdf | gpg --symmetric --cipher-algo aes256 -o secure.tar.gz.gpg
</code>

To decrypt and extract an archive encrypted with GnuPG:

<code bash>
$ gpg -d secure.tar.gz.gpg | tar xzvf -
</code>

===== encfs on ubuntu =====
http://www.howtoforge.com/encrypt-your-data-with-encfs-ubuntu-13.04

===== clipper backup =====

/backup/local.sh (run daily from cron):

<code bash>
#!/bin/bash
#echo local backup skipped
#exit
# This file should be located on the backup volume and therefore indicates to cron that the backup disk is mounted.
#
# Do Not Delete or move from /backup !
#
date
#
# Crontab command: @daily /backup/local.sh
#
namedate=$(date +%Y-%m-%d-%H%M)

# Remove folders older than 10 days if the if conditions are met
# Development code
#if [ `date |cut -d ' ' -f 3` != 1 -a -e /backup/local ]
# then find /backup/local/ -maxdepth 1 -mindepth 1 -type d -mtime +10 -ls -exec echo rm -rf {} \;
#fi

# grab the newest completed backup set (data_*) to link against;
# the glob deliberately skips _data_local.incomplete
#prev_backup=$( ls -1dtr /backup/local/incremental_backup/* 2> /dev/null || echo no directories found...continuing. 1>&2 |tail -1 )
prev_backup=$( ls -1dtr /backup/local/incremental_backup/data_* 2> /dev/null | tail -1 )
# { echo "command failed, but that's okay. Continuing..."; echo exit 1; }
echo $prev_backup

# use directory if it exists, otherwise, just leave the variable blank so rsync does not get the option.
if [[ -d $prev_backup ]]
then
    echo the prior backup exists. Setting location variable.
    link_dest=--link-dest=$prev_backup
    echo $link_dest
else
    echo the prior backup does not exist. Unsetting variable.
    unset link_dest
fi
echo $link_dest

# error_status collects the rsync results; it is set non-zero whenever a
# backup was not taken, so an incomplete tree is never renamed to a finished set
error_status=1
if [ -e /backup/local ]
then
    touch /backup/local/incremental_backup/_data_local.incomplete/ 2> /dev/null || echo no previous incomplete directory found...continuing.
    if [ $( id -u ) -ne 0 ]
    then
        # User Backup the local home directory
        echo sorry, must be root.
    else
        echo backup with root privileges
        error_status=0
        # These require root
        # Backup /etc
        rsync -v --archive --one-file-system --hard-links \
            --human-readable --inplace --numeric-ids --delete \
            --delete-excluded --exclude-from=/backup/excludes.txt \
            $link_dest \
            /etc /backup/local/incremental_backup/_data_local.incomplete || error_status=$?
        # Backup /l
        rsync -v --exclude='.Trash*' --archive --one-file-system --hard-links \
            --human-readable --inplace --numeric-ids --delete \
            --delete-excluded --exclude-from=/backup/excludes.txt \
            $link_dest \
            /l /backup/local/incremental_backup/_data_local.incomplete || error_status=$?
    fi
else
    echo Backup drive not mounted for rsync.
fi

if [ $error_status -eq 0 ]
then
    if [ -e /backup/local ]
    then
        if [ -e /backup/local/incremental_backup/_data_local.incomplete ]
        then
            mv /backup/local/incremental_backup/_data_local.incomplete /backup/local/incremental_backup/data_$namedate
            echo moved completed _data_local.incomplete backup to /backup/local/incremental_backup/data_$namedate
            touch /backup/local/incremental_backup/data_$namedate
        else
            echo Intermediate Backup Directory does not exist.
        fi
    else
        echo Backup drive not mounted.
    fi
else
    echo rsync had errors.
fi
date
</code>

Rotation script to remove old backup sets (keeps the newest 30, deletes at most 3 per run):

<code bash>
#!/bin/bash
#remove old backup sets
date
num_to_keep=30
dir_location="/backup/local/incremental_backup/"
# only completed sets (data_*) count; _data_local.incomplete is never a deletion candidate
num=$(( $( find "$dir_location" -mindepth 1 -maxdepth 1 -type d -name 'data_*' | wc -l ) - num_to_keep ))
if [ 0 -gt $num ]
then
    num=0
fi
echo found $num old backup sets
if [ $num -gt 3 ]
then
    echo limiting delete to oldest 3
    num=3
fi
# data_YYYY-mm-dd-HHMM names sort chronologically, so the first lines are the oldest
found=$( find "$dir_location" -mindepth 1 -maxdepth 1 -type d -name 'data_*' | sort | head -n "$num" )
if [ -z "$found" ]; then
    foundcnt=0
else
    foundcnt=$( echo "$found" | wc -l )
fi
echo removing these oldest $foundcnt backup sets:
echo "$found"
if [ $foundcnt -gt 0 ]
then
    echo "$found" | while IFS= read -r set; do rm -rf -- "$set"; done
fi
date
</code>

==== Setup drive (assumed commands) ====

Create a partition on the external drive with fdisk:

<code bash>
fdisk /dev/sdx
</code>

or with parted (Linux, create a 3TB partition). To create a partition start GNU parted as follows:

<code>
# parted /dev/sdb
</code>

Output:

<code>
GNU Parted 2.3
Using /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted)
</code>

Create a new GPT disklabel, i.e. partition table:

<code>
(parted) mklabel gpt
</code>

Sample output:

<code>
Warning: The existing disk label on /dev/sdb will be destroyed and all data on this disk will be lost. Do you want to continue?
Yes/No? yes
(parted)
</code>

Next, set the default unit to TB:

<code>
(parted) unit TB
</code>

To create a 3TB partition, enter:

<code>
(parted) mkpart primary 0 0
</code>

OR

<code>
(parted) mkpart primary 0.00TB 3.00TB
</code>

To print the current partitions, enter:

<code>
(parted) print
</code>

Sample output:

<code>
Model: ATA ST33000651AS (scsi)
Disk /dev/sdb: 3.00TB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start   End     Size    File system  Name     Flags
 1      0.00TB  3.00TB  3.00TB  ext4         primary
</code>

Quit and save the changes:

<code>
(parted) quit
</code>

Sample output:

<code>
Information: You may need to update /etc/fstab.
</code>
Obfuscate the empty parts of the drive, then create the LUKS container:

<code bash>
shred -v --iterations=1 /dev/sdx1
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdx1
</code>

~/mountbackupluks:

<code bash>
#!/bin/bash
# NEUcfdITAR
cryptsetup luksOpen /dev/sdb1 encryptexternal
# one time only, before the first mount: mkfs.xfs /dev/mapper/encryptexternal
mount /dev/mapper/encryptexternal /backup/
umount /backup
cryptsetup remove /dev/mapper/encryptexternal
</code>

==== fstab automount ====

Create the password file and add it as a key:

<code bash>
dd if=/dev/urandom of=/root/encryptexternalpassword bs=1024 count=4
chmod 0400 /root/encryptexternalpassword
cryptsetup luksAddKey /dev/sdb1 /root/encryptexternalpassword
blkid
</code>

Add to /etc/crypttab:

<code>
encryptexternal UUID="0e6a3959-3da4-4112-b669-9c2d282380a6" /root/encryptexternalpassword luks
</code>

Add to /etc/fstab:

<code>
#LUKS encrypted external drive
/dev/mapper/encryptexternal /backup xfs defaults 0 2
</code>
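The following is an added example, not part of this wiki page: a small audit of /etc/crypttab entries such as the ones above. For each entry it checks that the backing device carries a LUKS header (the 8-byte magic plus version that the "quickly remove the key" step in the LUKS section overwrites, so the same check confirms that step worked) and that a key file is not readable by group or other, and it flags entries that unlock automatically at boot without noauto. It assumes GNU coreutils (stat -c, od), a POSIX sh, and skips device fields written as UUID=, PARTUUID= or LABEL=, which only the init system can resolve. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not the wiki's code): audit a crypttab file.

# Print the LUKS header version found at the start of a file or block
# device: "1", "2" or "none". The header begins with "LUKS\xba\xbe"
# followed by a big-endian 16-bit version number.
luks_header_version() {
  hdr=$(dd if="$1" bs=1 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case "$hdr" in
    4c554b53babe0001) echo 1 ;;
    4c554b53babe0002) echo 2 ;;
    *) echo none ;;
  esac
}

# Return 0 if the key file exists, is a regular file and carries no
# group/other permission bits (0400 or 0600 as the wiki uses), else 1.
keyfile_is_private() {
  [ -f "$1" ] || return 1
  mode=$(stat -c %a "$1") || return 1
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Audit a crypttab file: prints one line per finding, returns 1 if any
# entry has a problem. Fields: name device keyfile options; a keyfile of
# "none" or "-" means a passphrase prompt and is not checked.
audit_crypttab() {
  problems=0
  while read -r name dev key opts; do
    case "$name" in ''|\#*) continue ;; esac
    case "$dev" in
      UUID=*|PARTUUID=*|LABEL=*) ;;   # resolved by the init system, not checked here
      *)
        if [ -e "$dev" ]; then
          [ "$(luks_header_version "$dev")" != none ] ||
            { echo "$name: $dev has no LUKS header"; problems=$((problems + 1)); }
        else
          echo "$name: device $dev not found"; problems=$((problems + 1))
        fi ;;
    esac
    case "$key" in
      ''|none|-) ;;
      *) keyfile_is_private "$key" ||
           { echo "$name: key file $key missing or readable by group/other"; problems=$((problems + 1)); } ;;
    esac
    # informational: a key file without noauto unlocks the volume at every boot
    case ",$opts," in
      *,noauto,*) ;;
      *) case "$key" in ''|none|-) ;; *) echo "$name: note: unlocked automatically at boot with $key" ;; esac ;;
    esac
  done < "$1"
  [ "$problems" -eq 0 ]
}
```

Run it as root against the real file with `audit_crypttab /etc/crypttab`; for a container file, `luks_header_version crypttest` before and after the header wipe shows "1" (or "2") and then "none".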
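Also added here, and not the wiki's own script: the pruning logic of the rotation script in the clipper backup section, rewritten as functions that can be dry-run and tested on a throwaway directory. It keeps the wiki's rule (retain the newest sets, delete at most a few per run), assumes the wiki's data_YYYY-mm-dd-HHMM naming, which sorts chronologically in the C locale, and only ever selects data_* directories, so an in-progress _data_local.incomplete is never a deletion candidate. Function names and the DRY_RUN variable are my own.

```shell
#!/bin/sh
# Added example (not the wiki's code): backup set rotation as functions.

# Print the oldest completed backup sets beyond $keep, at most $cap per
# run, one per line, oldest first. Prints nothing when there is nothing
# to prune. Usage: select_old_backup_sets DIR [KEEP] [CAP]
select_old_backup_sets() {
  dir=$1; keep=${2:-30}; cap=${3:-3}
  total=$(find "$dir" -mindepth 1 -maxdepth 1 -type d -name 'data_*' | wc -l)
  num=$((total - keep))
  [ "$num" -gt 0 ] || return 0
  [ "$num" -le "$cap" ] || num=$cap
  find "$dir" -mindepth 1 -maxdepth 1 -type d -name 'data_*' | LC_ALL=C sort | head -n "$num"
}

# Remove the selected sets, one path per line (names with spaces are safe).
# With DRY_RUN=1 it only reports what would be removed.
prune_old_backup_sets() {
  select_old_backup_sets "$@" | while IFS= read -r set; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "would remove $set"
    else
      echo "removing $set"
      rm -rf -- "$set"
    fi
  done
}
```

A cron job would call `prune_old_backup_sets /backup/local/incremental_backup 30 3`; run it once with `DRY_RUN=1` first to see which sets would go.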