Multi-Platform Encrypted Disk Image Formats?

LockedDisk asks: I'm looking at an application that will use USB flash devices to distribute information that, while not "top-secret", is sensitive enough that I'd prefer not to distribute it in plaintext. It'll be accessed from multiple platforms by the users who get them. What I'm hoping to find is a tool to build encrypted disk images that can be mounted on Windows, MacOS X, and hopefully Linux as well. What I'd do in distributing these is put the encrypted image on the device, with mounters already on the thumb drive. Users would be able to simply use the right mounter for their platform. For instance, I know PGPdisk would support the multi-platform part, but the mounter doesn't look like it's very well-suited to what I'm looking for. Mac .DMG files can be encrypted, but I know of no way to mount them on any other platform. Any ideas, folks?"

why an encrypted filesystem?

[displague]

why not just use a standard filesystem (msdos/vfat) and leave an encrypted zip or gpg encrypted tar file in the root directory? How is this any less secure? As an added bonus it is very simple to implement and will be supported under any platform (that is dos friendly).

Re:why an encrypted filesystem?

[phyxeld]

why not just use a standard filesystem (msdos/vfat) and leave an encrypted zip or gpg encrypted tar file in the root directory? How is this any less secure?

Because modifying and re-encrypting your data that way isn't automatic. I can't speak for the person who submitted the question, but I can tell you why I use encrypted disks in Mac OS X: My home directory is filled with symlinks. .ssh, .gnupg, .fetchmailrc, etc... All of these things are links to a given directory. Like so:

.ssh -> .encrypted/.ssh
.gnupg -> .encrypted/.gnupg
.encrypted -> /Volumes/EncryptedDisk

Since all the symlinks are pointing to another symlink which itself points to the actual mount point of the encrypted volume, I can easily swap in a different volume there, to use the encrypted dmg on my usb thumb drive, or on a remote webdav volume, or whatever. And I have a lot more than just ssh and gnupg stored on there, stuff like bookmarks and cookies for various browsers, my actual apple Keychain files, mail, etc... All of this can my symlinked to an encrypted volume. It's much more convienent than encrypting your whole home directory (as has been discussed on slashdot previously) because you don't need another account to mount and unmount the image. And without the dmg mounted, you still have access to the unencrypted parts of your user account (ie I don't keep my mailing list directories on there, but I do keep my inbox and personal mail there).

Using .tgz.gpg files, something I've also played with, simply cannot provide this kind of functionality.

At first, I was regularly copying the entire .dmg file onto my slow-as-all-fuck thumbdrive, but then I got wise and made a second image there of the same size and use a script to mount both images, rsync, and unmount (so I run my script, insert the usb thumb drive, wait, and remove it. Rsync makes the backup quite fast, compared with copying the entire dmg every time). Beause of all this, creating an account on a new mac and getting my personal settings is as simple as plugging in the thumbdrive and running a (different) script to create the symlinks. On machines that aren't mine, the ~/.encrypted symlink just points to the mount point of the dmg on the usb key drive though, instead of a local copy.

FWIW, I'm planning on writing a howto describing how I use crypto in OS X, covering topics from ssh (keys, tunnels, socks proxy, scp) to gpg to Apple's AES dmg files (and my backup script). Hopefully I'll find the time soon, and post it on my website. If anyone has any input on this subject, I'm available on aim and would be interested in hearing pre-feedback. I'd really like to hear an answer to the Multi-Platform part of the submitters question, as currently my aes dmg encrypted data is only available in mac os x.

CDROM iso

[Visaris]

Why not use CDROM ios images? It's standard, supported on every platform, and the software should be free. For windows, try Deamon Tools (read only). If you need read and write access, you may have to find some special software to make the .iso files to work, but I know It's possible.

BestCrypt

[BalkanBoy]

has the ability to create encrypted images with any given cipher and mount them. They've made a version for both, Windows and Linux (not sure if they have a Mac though). It creates a .jbc file that you can copy and manipulate to your heart's content. Here's their site.

One way

[zobo]

I've wished for something similar in the past. One solution that occurred to me would be to create an encrypted loopback filesystem under Linux (details here). For those not familiar with this scheme, it essentially encapsulates a filesystem in a regular file and [en|de]crypts it at the kernel level.

One potential way to access this from Windows would be using Namespace Extensions. I believe this is the way that "special folders" such as Control Panel and Scheduled Tasks are integrated into the Explorer. It would seem to be straightforward for someone knowledgable in the area to create a Namespace Extension that could mount an encrypted loopback filesystem created in Linux.

Samba VFS

[lkaos]

If you're adventurous, you could use Samba as the front end (since it compiles and runs on Windows, Mac, and Linux) and write a custom VFS module to read whatever kind of image you want. The easiest thing to do would be to take something like ramfs from Linux and port it to userspace/samba. That would provide a portable way to share front-ends (keeping in mind three copies of Samba isn't exactly tiny)....

And for platforms that don't support CIFS natively (are there any of this now a days?) you can use jCIFS :)

Issues

[Zaffle]

The biggest issue with this idea is cross-platform. So far a few suggestions have been raised, and I like the idea of a samba frontend, though it seems a little extreme.

BestCrypt is the only cross-platfrom encrypted drive/volume software I know of, its only free for Linux though. :(

Scramdisk/ e4m are options. Though Scramdisk doesn't run on w2k or XP, nor Linux. E4M doesn't run on linux either. The source for Scramdisk and E4M is available, but I've forgotten what the license is. I *think* its GPL, but don't count on it.

DriveCrypt is made by the same people as ScramDisk, but DC is closed source. Though they are promising a Linux release (as well as the current XP/2K/etc clients).

You may also like to try The Linux crypto mailing list to search for answers there.

Developing On-The-Fly encrypted drives for linux isn't all that hard, afterall, its been done before a few times. Doing so for Windows 95 though to XP is a lot harder.

As for the Mac side, I have no idea. I think the most portable option would be the Samba idea mentioned before. It shows the most promise, you are esentially piggybacking off a known and support product.