1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
.\" -*- mode: nroff; coding: UTF-8 -*-
.TH ctmg 1 "April 2017" "User Commands"
.SH NAME
ctmg \- Simple wrapper around cryptsetup for encrypted containers.
.SH SYNOPSIS
.B ctmg
[ \fI\,new\/\fR | \fI\,del\/\fR | \fI\,open\/\fR | \fI\,close\/\fR |
\fI\,list\/\fR | \fI\,help\/\fR ] [\fI\,arguments...\/\fR]
.SH DESCRIPTION
.PP
ctmg is an encrypted container manager for GNU/Linux using cryptsetup and
various standard file system utilities. Containers have the extension
\[char46]ct and are mounted at a directory of the same name, but without the
extension. Superuser permissions are required to run this command.
.TP
.B n | new | create \fI\,filename size\/\fR
creates a new container file. Both parameters are mandatory.
.TP
.B d | del | delete \fI\,filename\/\fR
deletes a container file as well as the mounted directory.
.TP
.B o | open \fI\,filename\/\fR
opens a container file and mounts it temporarily in a new directory of the same
name.
.TP
.B c | close \fI\,filename\/\fR
deletes the temporary directory. Its contents are stored in the container file.
.TP
.B l | list
list all existing mounting directories.
.TP
.B h | help | -h | --help
displays a brief summary of how to use this script.
.SH PARAMETERS
.TP
\fIfilename\fR
sets the path and file name for the container.
.TP
\fIsize\fR
.br
sets the maximum size for the container, the size value must be indicated in the
form 'units_suffix'.
.SH EXAMPLES
.PP
Create a 100MiB encrypted container called 'foo':
.IP
$ ctmg new foo 100MiB
.PP
or:
.IP
$ ctmg create foo 100MiB
.PP
Open a container:
.IP
$ ctmg open foo
.PP
Close a container:
.IP
$ ctmg close foo
.PP
Delete a container:
.IP
$ ctmg del foo
.PP
or:
.IP
$ ctmg delete foo
.SH SECURITY CONSIDERATIONS
.PP
This script runs as root. As such, you shouldn't run this on paths you don't
trust or paths that could be controlled by malicious users.
.PP
Since ctmg uses cryptsetup and the LUKS infrastructure, it uses the Linux block
device encryption APIs. The state of the art in block device encryption, as of
writing, is XTS mode, which is what ctmg uses. But do note that this does not
guarantee, entirely, the integrity of data, just the secrecy. As such, if a
malicious user is able to modify the encrypted content, it is possible this
could result in differing decrypted content without you noticing. So, ctmg is
useful for keeping things secret, but not for guaranteeing the authenticity of
the data. If your laptop gets stolen, sleep safely knowing that your
ctmg-secured data is safe, but if an attacker is actively modifying the .ct file
while you're using it in one way or another, you've got trouble.
.PP
In order to conserve space, ctmg uses truncate to make sparse files. This means
that the file grows as it's used. An attacker can therefore see how much of the
container is utilized. If you care about this, it's easy enough to replace the
single call to truncate with a single call to dd if=/dev/urandom to make a
completely full file containing only random data.
.SH AUTHOR
Written by Iván Ruvalcaba.
.SH COPYRIGHT
Copyright \(co 2015, Jason A. Donenfeld <Jason@zx2c4.com>
.PP
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright notice
and this permission notice appear in all copies.
|