Using encrypted usb stick with remote

General question before I start. I want to use an encrypted USB stick. I have the options of using proprietary sticks such as a Kingston device or Nitrokey, or I can use encryption software such as zulucrypt. Does anybody have advice, recommendations or cautions before I start, and how do I enter keys with only a remote? Will the key entry option open automatically when I plug it in?

Of course I shall be experimenting but any hints would be appreciated.
Thanks.

@retroresolution may be the user with the most experience using encrypted disks, but I can’t advise on if he feels well enough to issue you a timely response.


Ok thanks. While waiting I think I shall try the Nitrokey route first as I have a spare and it has all the software built in. My first question therefore is where in the Vero 4 should I save the public key and do I need GnuPG installed in Vero? I believe I only need the public key as all the clever stuff is done on the NitroKey so I hope I can just copy the key file across but to where in Vero system?

Those questions should probably be asked on the Nitrokey forums as they will have much more experience with it than anyone here.

I can’t answer the specifics of the NitroKey but gnupg should already be installed by default on OSMC.

It is.

I’d love to help, but currently, I’ve unexpectedly and disturbingly been admitted to a Hospice, hence I’m without my PCs, Raspberry Pis, Vero4k, encrypted drives, or notes.
If I get home before the next chemotherapy starts and can at least grab my notes I’ll do my best to help.
RR

I’m a bit late to this thread, since I needed physical access to a device before I could see if the following worked on OSMC – which it does, at least on my Pi3. (Yes, I know this is a Vero4K thread!)

The default in Linux systems is generally dm-crypt, which is built into the kernel, together with LUKS. There’s a useful package, cryptsetup, that makes it all pretty easy to use, and which I use in the example below. You should find a lot of articles on the Internet about suitable ciphers, etc, so I’ve kept the example simple and used the defaults. The steps are simple: Format, Open and Close your device:

osmc@osmc:~$ sudo cryptsetup --verify-passphrase --verbose luksFormat /dev/sda

WARNING!
========
This will overwrite data on /dev/sda irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
Command successful.
osmc@osmc:~$ sudo cryptsetup --verbose luksOpen /dev/sda pendrive1
Enter passphrase for /dev/sda: 
Key slot 0 unlocked.
Command successful.
osmc@osmc:~$ ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 Jun 10 11:46 control
lrwxrwxrwx 1 root root       7 Jun 10 11:46 pendrive1 -> ../dm-0
osmc@osmc:~$ sudo mkfs.ext4 /dev/mapper/pendrive1 
mke2fs 1.43.4 (31-Jan-2017)
Creating filesystem with 7577088 4k blocks and 1896832 inodes
Filesystem UUID: 9df98869-aa7e-453e-93c0-96a79a4e2a14
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done   

osmc@osmc:~$ sudo mkdir /mnt/luks
osmc@osmc:~$ sudo mount /dev/mapper/pendrive1 /mnt/luks
osmc@osmc:~$ ls -la /mnt/luks
total 24
drwxr-xr-x 3 root root  4096 Jun 10 11:46 .
drwxr-xr-x 3 root root  4096 Jun 10 11:48 ..
drwx------ 2 root root 16384 Jun 10 11:46 lost+found
osmc@osmc:~$ sudo cp /boot/vmlinuz-4.14.78-4-osmc /mnt/luks
osmc@osmc:~$ ls -la /mnt/luks
total 8172
drwxr-xr-x 3 root root    4096 Jun 10 11:49 .
drwxr-xr-x 3 root root    4096 Jun 10 11:48 ..
drwx------ 2 root root   16384 Jun 10 11:46 lost+found
-rwxr-xr-x 1 root root 8341128 Jun 10 11:49 vmlinuz-4.14.78-4-osmc
osmc@osmc:~$ sudo umount /mnt/luks
osmc@osmc:~$ sudo cryptsetup --verbose luksClose pendrive1
Command successful.
osmc@osmc:~$ ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 Jun 10 11:46 control
<reboot>
osmc@osmc:~$ ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 Jun 10 11:52 control
osmc@osmc:~$ sudo cryptsetup luksOpen /dev/sda pendrive
Enter passphrase for /dev/sda: 
osmc@osmc:~$ sudo mount /dev/mapper/pendrive /mnt/luks
osmc@osmc:~$ ls -l /mnt/luks
total 8164
drwx------ 2 root root   16384 Jun 10 11:46 lost+found
-rwxr-xr-x 1 root root 8341128 Jun 10 11:49 vmlinuz-4.14.78-4-osmc

Success. It is remountable across a reboot.

So the three main cryptsetup steps are:
luksFormat (only once),
luksOpen and
luksClose,
together with the usual mount/umount steps.
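
The open/mount and umount/close steps from the session above, wrapped as a small helper with the checks one would want before typing a passphrase. This is an added example, not part of the original post; the device, mapping name and mount point default to the values used in the session, the function names are made up for illustration, and it has to run as root.

```shell
#!/bin/sh
# Added example: guard rails around luksOpen/mount and umount/luksClose.
# Defaults mirror the session above; override via the environment.
DEVICE="${DEVICE:-/dev/sda}"      # sdX names can change between boots
NAME="${NAME:-pendrive1}"         # name that appears under /dev/mapper
MNT="${MNT:-/mnt/luks}"

stick_open() {
    # Refuse to prompt for a passphrase on a device without a LUKS header.
    if ! cryptsetup isLuks "$DEVICE"; then
        echo "$DEVICE has no LUKS header" >&2
        return 2
    fi
    # Do not stack a second mapping on top of an existing one.
    if [ -e "/dev/mapper/$NAME" ]; then
        echo "/dev/mapper/$NAME is already open" >&2
        return 3
    fi
    cryptsetup luksOpen "$DEVICE" "$NAME" || return 4
    mkdir -p "$MNT"
    if ! mount "/dev/mapper/$NAME" "$MNT"; then
        # Mount failed: close again so the volume is not left unlocked.
        cryptsetup luksClose "$NAME"
        return 5
    fi
}

stick_close() {
    # Unmount first; luksClose fails while the filesystem is in use.
    if mountpoint -q "$MNT"; then
        umount "$MNT" || return 6
    fi
    # Nothing to close if the mapping is already gone.
    [ -e "/dev/mapper/$NAME" ] || return 0
    cryptsetup luksClose "$NAME"
}

case "${1:-}" in
    open)  stick_open ;;
    close) stick_close ;;
    *)     echo "usage: $0 open|close" >&2 ;;
esac
```
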

Hi and thanks for the reply and kind offer of help. I am not sure you will have time or inclination to get involved with my dumb questions at the moment. I am having to re-read all the stuff I used to use when I was on OS/2. Memory not so good these days. The issue is not urgent. I shall however post info on my progress when made. Meanwhile I hope it all goes well with treatment.

Hi and many thanks for the suggestion. Will let you know how I get on but will try NitroKey first as I am now well down this road. Just hope it is the right road.
Thanks again,
Budge

All well with NitroKey Storage usb stick up to the point when I plug into the vero 4K. At this point I can navigate to the usb drive but how do I get the pop up for entering the PIN number?

If I plug into a laptop I get the pop up and can proceed (both laptop and Vero 4K have the required key installed).
Am I missing something?

Seems the functionality for prompting for PIN may not be there. Unless you know differently it seems I need this ability to be written into OSMC and that is beyond me. The folk at Nitrokey had the following advice when I asked them;

Regarding our team - we are occupied for now, sorry!
I can give tips though to whoever would like to make it. As far as I see Kodi add-ons are written in Python. Our communication backend - libnitrokey - is in C++, and we use Python for testing, so that would be already solved, and it would be just a matter of adding proper Kodi GUI.
In case though it would not be possible to build the C++ part using Kodi’s distribution system on the target machine, it is possible to write pure Python library only for unlocking/locking the Encrypted Volume, which would solve this.


That’s beyond our scope here. The only addon we supply that was written by the team is MyOSMC. All other addons are from other projects or from Kodi. You may ask on the Kodi forums to see if any developer there is interested in trying.

If you don’t need to have your drive usable in Windows, I was playing around the other day with @dillthedog’s idea to use LUKS to encrypt a drive. I have it so I can take an external drive and plug it into any of my linux systems and have it automount. No user interaction is required after the initial setup.

You’re probably missing X11 windowing. It is possible to install X11 on OSMC, though it does seem to be a bit overkill for such a limited requirement.

Of course, if you can disable the need for a PIN then all this becomes unnecessary, though in doing so you will be reducing the level of security.

In the short term I suppose to disable the PIN would be the best option but being ignorant can you explain a bit about what starts this PIN entry process.

If you are asking why you get a pop-up window on your laptop but not on OSMC, it is because OSMC doesn’t run a windowing system – but the NitroKey software requires one to be there. As to the specifics of how the NitroKey software works, I’m afraid I have no idea.

Hi and thanks for this which makes sense to me. Clearly I don’t want to install X11 system on my Vero 4K but I wonder how this PIN entry should be handled if I was not using X system. Will have to change to runlevel 3 on laptop and find out!
Thanks for the advice.
Regards
Budge

Just to confirm this all worked exactly as it should. Of course all this done in terminal. Still not clear how it will work with OSMC when all I have is remote controller for the device and no command line access.

In fact I have a related problem with the Nitrokey device when used in server running runlevel 3.

Will keep experimenting but meanwhile very many thanks for your clear and helpful advice on encrypting a usb stick without fuss. Excellent.

That would be another question for the NitroKey team. If you can get that working, then maybe you could come up with a Kodi addon to prompt you in the Kodi GUI.

Could you be a bit more specific? Does it work the same way on OSMC via the command line?

As above.