Openchill.org

Kicktoo-0.2.7 – livecd & new stable funtoo profiles

by erick on Feb.16, 2010, under Exherbo, Funtoo, Gentoo, Kicktoo

kicktoo-0.2.7-x86.iso 84Mb sha1sum: 9cdb12c7f3ec6dbb01cb3467b47975fa7b8d7353
kicktoo-0.2.7.tar.bz2 18Kb (source) sha1sum: 908ab6008410149c2c620b919a8e0972af11e5ab

What’s new:
- a fast and light livecd featuring tools for all profiles,
- improved sanity checks,
- improved installation steps,
- Funtoo stable profiles.

Stages supported

Gentoo builds (stable).
Funtoo builds (stable) and its stable git’d portage
Funtoo builds (unstable) and its unstable git’d portage version
Exherbo builds (as standard as the doc says )
Stage4 builds (highly customizable).

Profiles supported

doc/gentoo.profile
doc/gentoo-noboot.profile
doc/gentoo-lvm.profile
doc/gentoo-luks.profile
doc/gentoo-luks-noswap.profile
doc/funtoo.profile
doc/funtoo-noboot.profile
doc/funtoo-luks.profile
doc/funtoo-luks-noswap.profile
doc/~funtoo-noboot.profile
doc/~funtoo-luks.profile
doc/~funtoo-luks-noswap.profile
doc/exherbo-noboot.profile
doc/stage4.profile

1 Comment more...

Kicktoo-0.2.6 – improved flexibility & stage4 profile

by erick on Jan.07, 2010, under Exherbo, Funtoo, Gentoo, Kicktoo

kicktoo-0.2.6.tar.bz2 18Kb (source) sha1sum: b305352f2af3e7f62f74cf8d719c591ea42d2710

What’s new:
- removed some error checking to give more freedom on a profile level (you can skip setting the $rootpw variable – handy when deploying stage4 – and you can skip the $part variable in case of dual boot – assumes your partition design is already done)
- new $stage_path variable for profile (use with caution due to size issue on a livecd)
- new .tar.gz stage support (for the $stage_uri profile variable)
- new .tar.lzma stage support (for the $stage_uri profile variable)
- new .tar.xz stage support (for the $stage_uri profile variable)
- stage4 support
- removed $logger variable from profile along with the install_logging_daemon routine (use $extra_packages to set syslog-ng for example)
- removed the $cron variable from profile along with the install_cron_daemon routine (use $extra_packages to set vixie-cron for example)
- removed the call to sanity_check_config() before starting the installation. Use ‘kicktoo -s ‘ to check the profile.
- ‘kicktoo-rescue’ now properly mounts /proc when chrooting.
- ‘kicktoo’ default password behavior uses Gentoo settings. In Gentoo you can still use ‘chpasswd –md5′ as no options are provided for chpasswd in Funtoo but rather uses SHA512 by default. Hence the extra password configuration in every Funtoo profile.

You can now install Gentoo/Funtoo stage4 tarballs (why not Exherbo too? not tested)
New default profiles have been updated.

Stages supported

Gentoo builds (stable).
Funtoo builds (stable) and its stable git’d portage
Funtoo builds (unstable) and its unstable git’d portage version
Exherbo builds (as standard as the doc says )
Stage4 builds (highly customizable).

Profiles supported

doc/gentoo.profile
doc/gentoo-lvm.profile
doc/gentoo-luks.profile
doc/gentoo-luks-noswap.profile
doc/~funtoo.profile
doc/~funtoo-luks.profile
doc/~funtoo-luks-noswap.profile
doc/exherbo.profile
doc/stage4.profile

2 Comments more...

Back online – new server/bandwidth

by erick on Nov.15, 2009, under Chill

2 weeks offline and now we’re back online! Yiiihaaa

I was hosting all my vhosts on the same server behind a router. The real problem was that I had to go through 2 different carriers.
First wireless from the wifi router to my own room (in France) and another link going through a PLC (powerline coms). Sometimes the PLC link goes down which makes me debug by phone with my ol’ man and sometimes the wifi has just too much interference.

Now a friend is hosting me in exchange of maintenance: fair enough

DenyFS-0.2.2 – dfstouch progress bar bugfix

by erick on Sep.29, 2009, under DenyFS

denyfs-0.2.2.tar.bz2 41Kb (source) sha1sum: 80a1bd509224597e36f731eb427e6a5d136ed673
denyfs-0.2.2.ebuild 1Kb (gentoo/funtoo)

What’s fixed:
- dfstouch progress bar bugfix (passing 1024K->1M 1024M->1G 1024G->1T resets to 0%, not anymore)

1 Comment more...

DenyFS-0.2.1 – dfstest released & bugfixes

by erick on Sep.13, 2009, under DenyFS

denyfs-0.2.1.tar.bz2 41Kb (source) sha1sum: c213f6b3e4d82d4b5b26704d5f6b8d248f9670bb
denyfs-0.2.1.ebuild 1Kb (gentoo/funtoo)
denyfs_0.2.1-1_i386.deb 15Kb (debian) sha1sum: 46cf176b8772427af1d2834d27faaf553f4d05b4

What’s new:
- dfstest released
- dfstouch –size option accepts M/G/T bytes
- dfstouch now displays a percent progress bar
- dfsopen –password prefix

aspire ~ # dfstest -h Usage: /usr/sbin/dfstest [options]

Options: -f, --file [/path/fs] Path to your container -l, --loop [loopback dev] Loopback device (typically /dev/loop0) -s, --size [int]M/G/T Size of filesystem -i, --hidden [int] Number of hidden devices -b, --blocks [int] Number of blocks per hidden device -p, --password [prefix] Provide an iterative password prefix -h, --help This -v, --version Version

Exampe: /usr/sbin/dfstest -f /tmp/fs -l loop0 -s 400M -i 3
aspire ~ #

‘dfstest’ is now shipped within the denyfs project. It aims at running automatic create/open/inject data/close/reopen/compare data/reclose processes. You can provide parameters such the number of hidden device and/or the number of blocks (size of hidden device) per device.

By running ‘dfstest’ one will know whether your device design works or not. It prevents the user from manually testing all combinations. ‘dfstest’ will help the user finding the correct ‘dfstouch/dfsopen’ parameters.
‘dfstest’ is just an upper layer of ‘dfstouch/dfsopen/dfsclose’ where ‘dfsopen’ is an upper layer of ‘denyfs’ (it makes sense at the end).

Here is an example of what it would look like:
aspire denyfs-0.2.1 # dfstest -f /tmp/fs -l loop0 -s 400M -i 3 -b 2 >>> Creating filesystem 100% >>> Binding to /dev/loop0 ... OK >>> Setting up cryptsetup block devices ... /dev/mapper/fs1 OK /dev/mapper/fs2 OK /dev/mapper/fs3 OK >>> Sizing up block devices ... Enlarging ... Empty block 161 becomes block 0 of /dev/mapper/fs1 Empty block 60 becomes block 1 of /dev/mapper/fs1 Enlarging ... Empty block 182 becomes block 0 of /dev/mapper/fs2 Empty block 187 becomes block 1 of /dev/mapper/fs2 Enlarging ... Empty block 91 becomes block 0 of /dev/mapper/fs3 Empty block 124 becomes block 1 of /dev/mapper/fs3 >>> Mapping crytpsetup block devices to a new filesystem... >>> Creating filesystems ... >>> Mounting filesystems ... /mnt/here1 mounted /mnt/here2 mounted /mnt/here3 mounted >>> Injecting data ... hidden1 > /mnt/here1/hidden1 hidden2 > /mnt/here2/hidden2 hidden3 > /mnt/here3/hidden3 >>> Dumping data ... hidden1 hidden2 hidden3 >>> Unmounting filesystems ... /dev/mapper/fs1_new OK /dev/mapper/fs2_new OK /dev/mapper/fs3_new OK >>> Unmapping dmsetup block devices ... /dev/mapper/fs1_new OK /dev/mapper/fs2_new OK /dev/mapper/fs3_new OK >>> Unmapping cryptsetup devices ... /dev/mapper/fs1 OK /dev/mapper/fs2 OK /dev/mapper/fs3 OK >>> Unbinding /dev/loop0 ... >>> Binding to /dev/loop0 ... OK >>> Setting up cryptsetup block devices ... /dev/mapper/fs1 OK /dev/mapper/fs2 OK /dev/mapper/fs3 OK >>> Sizing up block devices ... >>> Mapping crytpsetup block devices to a new filesystem... >>> Mounting filesystems ... /mnt/here1 mounted /mnt/here2 mounted /mnt/here3 mounted >>> Comparing data ... /mnt/here1/hidden1 data OK /mnt/here2/hidden2 data OK /mnt/here3/hidden3 data OK Nb of blocks Device Device nb Size + 2 /dev/mapper/fs1 1 4Mb + 2 /dev/mapper/fs2 2 4Mb + 2 /dev/mapper/fs3 3 4Mb + 193 < -- Total nb of free blocks ----------- = 199 <-- Total nb of blocks space ratio: 96% free >>> Unmounting filesystems ... /dev/mapper/fs1_new OK /dev/mapper/fs2_new OK /dev/mapper/fs3_new OK >>> Unmapping dmsetup block devices ... /dev/mapper/fs1_new OK /dev/mapper/fs2_new OK /dev/mapper/fs3_new OK >>> Unmapping cryptsetup devices ... /dev/mapper/fs1 OK /dev/mapper/fs2 OK /dev/mapper/fs3 OK >>> Unbinding /dev/loop0 ... >>> SUCCESS aspire denyfs-0.2.1 #

6 Comments more...

DenyFS-0.2.0 – unlimited devices supported!

by erick on Sep.08, 2009, under DenyFS

denyfs-0.2.0.tar.bz2 42Kb (source) sha1sum: 6aca575dcf53cc8064f96c7bfff0a57a1493ee8a
denyfs-0.2.0.ebuild 1Kb (gentoo/funtoo)

Should I precise unlimited under certain constraints; your environment especially the passwords entropy (generated by your kernel device), the size of the filesystem, the limitations of system open files and the hardware (especially the processor and the hard drive). Given a configured GNU/Linux system, denyfs can create a whole lot of hidden containers.

denyfs-0.2.0 ships a new –yes option that if passed will not ask you any question when it comes to resize. If you type in a wrong password then nothing will mount the process will fail. The usefulness of this option stands up during automated testings. It is advised to use the default behaviour.

‘dfstest’ is planned for the 0.2 branch but not yet ready. One step at a time. I’m currently writing it and the implementation is almost finished. I need to test dfstest before any release. Awesome, test the testers!

denyfs-0.2.0 supports hidden devices up to thousands. The maximum test yet performed so far succeeded in creating 1001 hidden devices of 512K size each (1 block) inside a 20Gb file in 129 minutes on a Gentoo Linux given appropriate ulimit rules:

openchill denyfs # uname -a Linux openchill.org 2.6.30-gentoo-r2 #1 SMP Fri Jul 31 14:46:49 Local time zone must be set--see zic i686 Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz GenuineIntel GNU/Linux openchill denyfs # ulimit -a | grep open open files (-n) 20048 openchill denyfs #

Such a command line would look like that (no space within the -d parameter, it’s just text formatting here):
openchill denyfs # dfsopen -f /tmp/fs -l loop0 -d 1=1,2=1,3=1,4=1,5=1,6=1,7=1,8=1,9=1,10=1, 11=1,12=1,13=1,14=1,15=1,16=1,17=1,18=1,19=1,20=1, 21=1,22=1,23=1,24=1,25=1,26=1,27=1,28=1,29=1,30=1, 31=1,32=1,33=1,34=1,35=1,36=1,37=1,38=1,39=1,40=1, 41=1,42=1,43=1,44=1,45=1,46=1,47=1,48=1,49=1,50=1, 51=1,52=1,53=1,54=1,55=1,56=1,57=1,58=1,59=1,60=1, 61=1,62=1,63=1,64=1,65=1,66=1,67=1,68=1,69=1,70=1, 71=1,72=1,73=1,74=1,75=1,76=1,77=1,78=1,79=1,80=1, 81=1,82=1,83=1,84=1,85=1,86=1,87=1,88=1,89=1,90=1, 91=1,92=1,93=1,94=1,95=1,96=1,97=1,98=1,99=1,100=1, 101=1,102=1,103=1,104=1,105=1,106=1,107=1,108=1,109=1,110=1, 111=1,112=1,113=1,114=1,115=1,116=1,117=1,118=1,119=1,120=1, 121=1,122=1,123=1,124=1,125=1,126=1,127=1,128=1,129=1,130=1, 131=1,132=1,133=1,134=1,135=1,136=1,137=1,138=1,139=1,140=1, 141=1,142=1,143=1,144=1,145=1,146=1,147=1,148=1,149=1,150=1, 151=1,152=1,153=1,154=1,155=1,156=1,157=1,158=1,159=1,160=1, 161=1,162=1,163=1,164=1,165=1,166=1,167=1,168=1,169=1,170=1, 171=1,172=1,173=1,174=1,175=1,176=1,177=1,178=1,179=1,180=1, 181=1,182=1,183=1,184=1,185=1,186=1,187=1,188=1,189=1,190=1, 191=1,192=1,193=1,194=1,195=1,196=1,197=1,198=1,199=1,200=1, 201=1,202=1,203=1,204=1,205=1,206=1,207=1,208=1,209=1,210=1, 211=1,212=1,213=1,214=1,215=1,216=1,217=1,218=1,219=1,220=1, 221=1,222=1,223=1,224=1,225=1,226=1,227=1,228=1,229=1,230=1, 231=1,232=1,233=1,234=1,235=1,236=1,237=1,238=1,239=1,240=1, 241=1,242=1,243=1,244=1,245=1,246=1,247=1,248=1,249=1,250=1, 251=1,252=1,253=1,254=1,255=1,256=1,257=1,258=1,259=1,260=1, 261=1,262=1,263=1,264=1,265=1,266=1,267=1,268=1,269=1,270=1, 271=1,272=1,273=1,274=1,275=1,276=1,277=1,278=1,279=1,280=1, 281=1,282=1,283=1,284=1,285=1,286=1,287=1,288=1,289=1,290=1, 291=1,292=1,293=1,294=1,295=1,296=1,297=1,298=1,299=1,300=1, 301=1,302=1,303=1,304=1,305=1,306=1,307=1,308=1,309=1,310=1, 311=1,312=1,313=1,314=1,315=1,316=1,317=1,318=1,319=1,320=1, 321=1,322=1,323=1,324=1,325=1,326=1,327=1,328=1,329=1,330=1, 331=1,332=1,333=1,334=1,335=1,336=1,337=1,338=1,339=1,340=1, 341=1,342=1,343=1,344=1,345=1,346=1,347=1,348=1,349=1,350=1, 351=1,352=1,353=1,354=1,355=1,356=1,357=1,358=1,359=1,360=1, 361=1,362=1,363=1,364=1,365=1,366=1,367=1,368=1,369=1,370=1, 371=1,372=1,373=1,374=1,375=1,376=1,377=1,378=1,379=1,380=1, 381=1,382=1,383=1,384=1,385=1,386=1,387=1,388=1,389=1,390=1, 391=1,392=1,393=1,394=1,395=1,396=1,397=1,398=1,399=1,400=1, 401=1,402=1,403=1,404=1,405=1,406=1,407=1,408=1,409=1,410=1, 411=1,412=1,413=1,414=1,415=1,416=1,417=1,418=1,419=1,420=1, 421=1,422=1,423=1,424=1,425=1,426=1,427=1,428=1,429=1,430=1, 431=1,432=1,433=1,434=1,435=1,436=1,437=1,438=1,439=1,440=1, 441=1,442=1,443=1,444=1,445=1,446=1,447=1,448=1,449=1,450=1, 451=1,452=1,453=1,454=1,455=1,456=1,457=1,458=1,459=1,460=1, 461=1,462=1,463=1,464=1,465=1,466=1,467=1,468=1,469=1,470=1, 471=1,472=1,473=1,474=1,475=1,476=1,477=1,478=1,479=1,480=1, 481=1,482=1,483=1,484=1,485=1,486=1,487=1,488=1,489=1,490=1, 491=1,492=1,493=1,494=1,495=1,496=1,497=1,498=1,499=1,500=1, 501=1,502=1,503=1,504=1,505=1,506=1,507=1,508=1,509=1,510=1, 511=1,512=1,513=1,514=1,515=1,516=1,517=1,518=1,519=1,520=1, 521=1,522=1,523=1,524=1,525=1,526=1,527=1,528=1,529=1,530=1, 531=1,532=1,533=1,534=1,535=1,536=1,537=1,538=1,539=1,540=1, 541=1,542=1,543=1,544=1,545=1,546=1,547=1,548=1,549=1,550=1, 551=1,552=1,553=1,554=1,555=1,556=1,557=1,558=1,559=1,560=1, 561=1,562=1,563=1,564=1,565=1,566=1,567=1,568=1,569=1,570=1, 571=1,572=1,573=1,574=1,575=1,576=1,577=1,578=1,579=1,580=1, 581=1,582=1,583=1,584=1,585=1,586=1,587=1,588=1,589=1,590=1, 591=1,592=1,593=1,594=1,595=1,596=1,597=1,598=1,599=1,600=1, 601=1,602=1,603=1,604=1,605=1,606=1,607=1,608=1,609=1,610=1, 611=1,612=1,613=1,614=1,615=1,616=1,617=1,618=1,619=1,620=1, 621=1,622=1,623=1,624=1,625=1,626=1,627=1,628=1,629=1,630=1, 631=1,632=1,633=1,634=1,635=1,636=1,637=1,638=1,639=1,640=1, 641=1,642=1,643=1,644=1,645=1,646=1,647=1,648=1,649=1,650=1, 651=1,652=1,653=1,654=1,655=1,656=1,657=1,658=1,659=1,660=1, 661=1,662=1,663=1,664=1,665=1,666=1,667=1,668=1,669=1,670=1, 671=1,672=1,673=1,674=1,675=1,676=1,677=1,678=1,679=1,680=1, 681=1,682=1,683=1,684=1,685=1,686=1,687=1,688=1,689=1,690=1, 691=1,692=1,693=1,694=1,695=1,696=1,697=1,698=1,699=1,700=1, 701=1,702=1,703=1,704=1,705=1,706=1,707=1,708=1,709=1,710=1, 711=1,712=1,713=1,714=1,715=1,716=1,717=1,718=1,719=1,720=1, 721=1,722=1,723=1,724=1,725=1,726=1,727=1,728=1,729=1,730=1, 731=1,732=1,733=1,734=1,735=1,736=1,737=1,738=1,739=1,740=1, 741=1,742=1,743=1,744=1,745=1,746=1,747=1,748=1,749=1,750=1, 751=1,752=1,753=1,754=1,755=1,756=1,757=1,758=1,759=1,760=1, 761=1,762=1,763=1,764=1,765=1,766=1,767=1,768=1,769=1,770=1, 771=1,772=1,773=1,774=1,775=1,776=1,777=1,778=1,779=1,780=1, 781=1,782=1,783=1,784=1,785=1,786=1,787=1,788=1,789=1,790=1, 791=1,792=1,793=1,794=1,795=1,796=1,797=1,798=1,799=1,800=1, 801=1,802=1,803=1,804=1,805=1,806=1,807=1,808=1,809=1,810=1, 811=1,812=1,813=1,814=1,815=1,816=1,817=1,818=1,819=1,820=1, 821=1,822=1,823=1,824=1,825=1,826=1,827=1,828=1,829=1,830=1, 831=1,832=1,833=1,834=1,835=1,836=1,837=1,838=1,839=1,840=1, 841=1,842=1,843=1,844=1,845=1,846=1,847=1,848=1,849=1,850=1, 851=1,852=1,853=1,854=1,855=1,856=1,857=1,858=1,859=1,860=1, 861=1,862=1,863=1,864=1,865=1,866=1,867=1,868=1,869=1,870=1, 871=1,872=1,873=1,874=1,875=1,876=1,877=1,878=1,879=1,880=1, 881=1,882=1,883=1,884=1,885=1,886=1,887=1,888=1,889=1,890=1, 891=1,892=1,893=1,894=1,895=1,896=1,897=1,898=1,899=1,900=1, 901=1,902=1,903=1,904=1,905=1,906=1,907=1,908=1,909=1,910=1, 911=1,912=1,913=1,914=1,915=1,916=1,917=1,918=1,919=1,920=1, 921=1,922=1,923=1,924=1,925=1,926=1,927=1,928=1,929=1,930=1, 931=1,932=1,933=1,934=1,935=1,936=1,937=1,938=1,939=1,940=1, 941=1,942=1,943=1,944=1,945=1,946=1,947=1,948=1,949=1,950=1, 951=1,952=1,953=1,954=1,955=1,956=1,957=1,958=1,959=1,960=1, 961=1,962=1,963=1,964=1,965=1,966=1,967=1,968=1,969=1,970=1, 971=1,972=1,973=1,974=1,975=1,976=1,977=1,978=1,979=1,980=1, 981=1,982=1,983=1,984=1,985=1,986=1,987=1,988=1,989=1,990=1, 991=1,992=1,993=1,994=1,995=1,996=1,997=1,998=1,999=1,1000=1,1001=1 -m /mnt/here -k -y

This will run for a couple of hours. To run such a huge number of containers in “production” you’ll _have_ to alter dfsopen and write your own password generator. You don’t want to manually type in 1000 passwords. You want a clever loop that will autogenerate your passwords for the flaring containers and ask interactively for your real hidden password when processing the 754th container for example. You can now hide 512Kb of data in each of the 1000 containers.

I think it may become handy to have such a program. One that will autogenerate passwords for flaring containers and just ask the manual typing for the real hidden container. I will think about that.

1 Comment more...

DenyFS-0.1.3 – dfsclose bugfix again

by erick on Sep.04, 2009, under DenyFS

denyfs-0.1.3.tar.bz2 42Kb (source) sha1sum: 967c1eff3a8877781a9286f880b17905f29e41a6
denyfs-0.1.3.ebuild 1Kb (gentoo/funtoo)

dfsclose usage() now reflects what it does:
aspire 0.1.3 # dfsclose -h Usage: /usr/sbin/dfsclose [options]


Options:

        -f, --file [/path/file] Path to filename

        -l, --loop [loop]       Loop device

        -n, --numdev [int]      Number of subdevices to close in FIFO order

        -h, --help              This

        -v, --version           Print version

Example: /usr/sbin/dfsclose -f /tmp/fs -l loop0 -n 9 aspire 0.1.3 #

1 Comment more...

DenyFS-0.1.2 – dfstouch progress bar & dfsclose bugfix

by erick on Sep.02, 2009, under DenyFS

denyfs-0.1.2.tar.bz2 42Kb (source) sha1sum: 5a7f5983d01c8c8f7f5b40715e471410574d5456
denyfs-0.1.2.ebuild 1Kb (gentoo/funtoo)

dfstouch has been updated to display a progress bar. It will look like:
12+6 enregistrements lus 12+5 enregistrements écrits 8416766 octets (8,4 MB) copiés, 11,3928 s, 739 kB/s
The user gets informed in real time of the file creation. Convenient when you create a 50G file.

dfsclose usage() now reflects what it does:
aspire 0.1.2 # dfsclose -h Usage: scripts/dfsclose [options]


Options:

        -f, --file [filename]       Just the filename no paths

        -l, --loop [loop]       Loop device

        -n, --numdev [int]    Number of sub devices

        -h, --help                This

        -v, --version            Print version

Example: dfsclose -f fs -l loop0 -n 9 aspire 0.1.2 #

Minor header update in denyfs itself.

2 Comments more...

DenyFS-0.1.1 dusted – a steganographic and deniable filesystem

by erick on Aug.24, 2009, under DenyFS

sha1sum: 55c03bfc83d3b030447f9b6f7a9ddc5dd4f135eb
denyfs-0.1.1.tar.bz2 39Kb (source)
denyfs-0.1.1.ebuild 1Kb (gentoo/funtoo)

I recently came across this news:
http://it.slashdot.org/story/09/08/12/1255241/Encryption-What-Encryption?from=rss

I was expecting it since the first time I dug into steganographic filesystems. This goes back to when I was in university. At that time in UK the RIP Act had been voted in 2000.

From wikipedia:

Especially contentious was Part III of the Act, which requires persons to supply decrypted information (which had been previously encrypted by the owner) and/or the cryptographic key to government representatives. Failure to disclose these items is a criminal offence, with a maximum penalty of two years in jail.

Reading through the post I went back to have a look at denyfs I hosted on tuxfamily that was doing the job so well. I still have that denyfs-cvs.ebuild somewhere I thought. And then I went back to google and saw what had been done since the past few years. Surprisingly only Truecrypt is still supporting this feature. The old and dusty Rubberhose has not moved from an inch I still can’t make it work and deniability filesystems are still not popular. Few know its concept (outside image processing which is lame honestly;) and even fewer actually use this tool in the public domain except paranoid or curious users.

I don’t understand how Truecrypt implements their steganographic feature; it creates a standard Truecrypt volume and using the free space from this same volume it hides data within it says. From a social perspective who would that convince you are not using the steganographic feature? It is too much of a binary concept. You have a steganographic filesystem or not but noone can prove it exists or not so it still sucks because you get prosecuted by part III.

The way I see steganographic filesystems is more nuanced and balanced; a user should be able to have as many passwords as his social deniability scheme requires him to, period.

To create deniability you have to fit the profile that you don’t hold information people want and most of all you gotta prove it. What if now you do provide them data but a convincing flare instead? The purpose of a data flare would be to confuse as to the fact you hold sensitive information. The deniability concept lives by its social application. The system should allow the user to deny as much as he planned to knowing that to deny you have to prove it in the real world. You may hold not valuable information which especially crafted and presented may incline to a plausible and probable deniability. This becomes possible with multiple volumes; and the more volumes the more arguments a user may have.

The idea is to let the software fit the user social scheme and the precious data it hides. A user could create 9 hidden volumes within a single random file each of which would decrypt sensitively increasing data. Depending on the password you provide one of the 9 volumes will open. This scheme would allow a greater ability to adapt on social events and social scenarios may be built and accredited by providing a password that would decrypt a precise volume only.

In theory, the denyfs design should allow an unlimited amount of volumes (given constraints). In practice it is limited to 9 (more will fail – known bug) volumes (with an 80% free space ratio) within a single file or less depending on your password combination (because some hash password combinations will overlap blocks therefore failing during creation, you’ll have to change password of the specific device failure).

denyfs-0.1.1 ships:

denyfs – core program
dfstouch – will allocate random space for your outer container
dfsopen – will open your container and the devices within
dfsclose – will close all devices and the container

The ‘/usr/sbin/denyfs’ binary is still available but you don’t have to interact with it anymore for a daily use or if you want to customize stuff then you’d be better wrapping your own scripts around. The good news too is that I made a ‘configure.in’ file and a ‘Makefile.in’; you can use make install’ and ‘make uninstall’ regardless of your package manager. Whatever your Linux distro installing from sources should be easier than using an ebuild or dpkg.

denyfs-0.1.1 requires:

util-linux (losetup)
cryptsetup (to create a cryptsetup volume)
device-mapper (libdevmapper.h is required to compile)

Tutorial:

First create a container in a location of your choice.

aspire 0.1.1 # dfstouch -h Usage: /usr/sbin/dfstouch [options]

Options: -f, --file [/path/fs] Path to your filesystem -c, --count [int] Block iteration (multiple of 512K) -h, --help This -v, --version Print version

Example: # this creates a 200M file container /usr/sbin/dfstouch -f fs -c 400

aspire 0.1.1 # aspire 0.1.1 # dfstouch -f /tmp/fs -c 400 >>> Creating 204M fs ... OK aspire 0.1.1 #

Then open the file and give your secret volume mapping. Assume the stealth volume is the 3rd one. The -m option will create your volume mount points within /mnt/here. The -k option asks to create an Ext2 filesystem an top of the new volumes. Of course -k is required only for the first time.

aspire 0.1.1 # dfsopen -h Usage: /usr/sbin/dfsopen [options]

Options: -f, --file [/path/fs] Path to your container -b, --block [int]K/M Size of a single block -c, --count [int] Block iteration (-b X -c = size of file) -m, --mount [/path] Path to mountpoint -k, --mkfs Initialize the filesystem (run the first time only) -h, --help This -v, --version Print version

Example: # note the -k option will create a filesystem when first run /usr/sbin/dfsopen -f fs -l loop0 -d 1=2,2=2,3=5,4=2,5=6,6=4,7=2,8=3,9=2 -m /mnt/here -k

# a daily command /usr/sbin/dfsopen -f fs -l loop0 -d 1=2,2=2,3=5,4=2,5=6,6=4,7=2,8=3,9=2 -m /mnt/here

aspire 0.1.1 # aspire 0.1.1 # dfsopen -f /tmp/fs -l loop0 -d 1=10,2=3,3=1 -m /mnt/here -k >>> Binding to loop0 ... OK >>> Mapping cryptsetup block devices ... Enter passphrase: Enter passphrase: Enter passphrase: >>> Sizing up block devices ... device 1 ... Checking device structure ... Do you intend to resize? (CTRL-C to abort) Enlarging ... using empty block 81 becomes block 0 of /dev/mapper/fs1 using empty block 84 becomes block 1 of /dev/mapper/fs1 using empty block 5 becomes block 2 of /dev/mapper/fs1 using empty block 83 becomes block 3 of /dev/mapper/fs1 using empty block 86 becomes block 4 of /dev/mapper/fs1 using empty block 95 becomes block 5 of /dev/mapper/fs1 using empty block 15 becomes block 6 of /dev/mapper/fs1 using empty block 18 becomes block 7 of /dev/mapper/fs1 using empty block 64 becomes block 8 of /dev/mapper/fs1 using empty block 67 becomes block 9 of /dev/mapper/fs1 device 2 ... Checking device structure ... Do you intend to resize? (CTRL-C to abort) Enlarging ... using empty block 4 becomes block 0 of /dev/mapper/fs2 using empty block 8 becomes block 1 of /dev/mapper/fs2 device 3 ... Checking device structure ... Do you intend to resize? (CTRL-C to abort) Enlarging ... using empty block 90 becomes block 0 of /dev/mapper/fs3 >>> Mapping to crytpsetup block devices ... Checking device structure ... Checking device structure ... Checking device structure ... >>> Creating filesystems ... mke2fs 1.41.8 (11-July-2009) Étiquette de système de fichiers= Type de système d'exploitation : Linux Taille de bloc=1024 (log=0) Taille de fragment=1024 (log=0) 5136 i-noeuds, 20480 blocs 0 blocs (0.00%) réservés pour le super utilisateur Premier bloc de données=1 Nombre maximum de blocs du système de fichiers=20971520 3 groupes de blocs 8192 blocs par groupe, 8192 fragments par groupe 1712 i-noeuds par groupe Superblocs de secours stockés sur les blocs : 8193

Écriture des tables d'i-noeuds : complété Écriture des superblocs et de l'information de comptabilité du système de fichiers : complété

Le système de fichiers sera automatiquement vérifié tous les 20 montages ou après 180 jours, selon la première éventualité. Utiliser tune2fs -c ou -i pour écraser la valeur. mke2fs 1.41.8 (11-July-2009) Étiquette de système de fichiers= Type de système d'exploitation : Linux Taille de bloc=1024 (log=0) Taille de fragment=1024 (log=0) 1024 i-noeuds, 4096 blocs 0 blocs (0.00%) réservés pour le super utilisateur Premier bloc de données=1 Nombre maximum de blocs du système de fichiers=4194304 1 groupe de bloc 8192 blocs par groupe, 8192 fragments par groupe 1024 i-noeuds par groupe

Écriture des tables d'i-noeuds : complété Écriture des superblocs et de l'information de comptabilité du système de fichiers : complété

Le système de fichiers sera automatiquement vérifié tous les 37 montages ou après 180 jours, selon la première éventualité. Utiliser tune2fs -c ou -i pour écraser la valeur. mke2fs 1.41.8 (11-July-2009) Étiquette de système de fichiers= Type de système d'exploitation : Linux Taille de bloc=1024 (log=0) Taille de fragment=1024 (log=0) 256 i-noeuds, 2048 blocs 0 blocs (0.00%) réservés pour le super utilisateur Premier bloc de données=1 Nombre maximum de blocs du système de fichiers=2097152 1 groupe de bloc 8192 blocs par groupe, 8192 fragments par groupe 256 i-noeuds par groupe

Écriture des tables d'i-noeuds : complété Écriture des superblocs et de l'information de comptabilité du système de fichiers : complété

Le système de fichiers sera automatiquement vérifié tous les 21 montages ou après 180 jours, selon la première éventualité. Utiliser tune2fs -c ou -i pour écraser la valeur. >>> Mounting filesystems ... /mnt/here1 mounted /mnt/here2 mounted /mnt/here3 mounted aspire 0.1.1 #

Check things are as expected. Verify your block table matches your design. The -t option will dump you a view of the space ratio. Dump the block offset per volume using the -o option.

aspire 0.1.1 # aspire 0.1.1 # df -h | grep here /dev/mapper/fs1_new 20M 172K 20M 1% /mnt/here1 /dev/mapper/fs2_new 3,9M 29K 3,9M 1% /mnt/here2 /dev/mapper/fs3_new 2,0M 21K 2,0M 2% /mnt/here3 aspire 0.1.1 # aspire 0.1.1 # mount | grep here /dev/mapper/fs1_new on /mnt/here1 type ext2 (rw) /dev/mapper/fs2_new on /mnt/here2 type ext2 (rw) /dev/mapper/fs3_new on /mnt/here3 type ext2 (rw) aspire 0.1.1 # aspire 0.1.1 # tree -h /mnt/here? /mnt/here1 `-- [ 12K] lost+found /mnt/here2 `-- [ 12K] lost+found /mnt/here3 `-- [ 12K] lost+found

3 directories, 0 files aspire 0.1.1 # aspire 0.1.1 # denyfs -h Usage: denyfs [option]

Where [option] is one of the following: -t, --table [loop]? display devices block table -l, --list-freeblocks [loop]? list free blocks -o, --offset [cryptsetup device] print offsets of blocks of a single device -s, --setsize [int1],[int2] [loop]? set size of device nb [int1] with [int2] block -d, --dmsetup [new device] dmsetup device mount -v, --version version -h, --help this.

Example: denyfs -o /dev/mapper/fs1 denyfs -t /dev/mapper/fs? denyfs -s 1,12 /dev/mapper/fs? denyfs -s 2,2 /dev/mapper/fs? denyfs -l /dev/mapper/fs? denyfs -d fs1_new /dev/mapper/fs1

aspire 0.1.1 # aspire 0.1.1 # denyfs -t /dev/mapper/fs? Checking device structure ... Nb of blocks Device Device nb Size + 10 /dev/mapper/fs1 1 20Mb + 2 /dev/mapper/fs2 2 4Mb + 1 /dev/mapper/fs3 3 2Mb + 86 < -- Total nb of free blocks ----------- = 99 <-- Total nb of blocks space ratio: 86% free aspire 0.1.1 # aspire 0.1.1 # denyfs -o /dev/mapper/fs1 Checking device structure ... 0 4096 linear /dev/mapper/fs1 331882 4096 4096 linear /dev/mapper/fs1 344170 8192 4096 linear /dev/mapper/fs1 20586 12288 4096 linear /dev/mapper/fs1 340074 16384 4096 linear /dev/mapper/fs1 352362 20480 4096 linear /dev/mapper/fs1 389226 24576 4096 linear /dev/mapper/fs1 61546 28672 4096 linear /dev/mapper/fs1 73834 32768 4096 linear /dev/mapper/fs1 262250 36864 4096 linear /dev/mapper/fs1 274538 aspire 0.1.1 # aspire 0.1.1 # denyfs -o /dev/mapper/fs2 Checking device structure ... 0 4096 linear /dev/mapper/fs2 16490 4096 4096 linear /dev/mapper/fs2 32874 aspire 0.1.1 # aspire 0.1.1 # denyfs -o /dev/mapper/fs3 Checking device structure ... 0 4096 linear /dev/mapper/fs3 368746 aspire 0.1.1 # aspire 0.1.1 #

Now hide your data. Fill in /mnt/here1 /mnt/here2 and /mnt/here3 the last one being your secret place, here2 a data flare (supposed to be a fake secret place) and here1 just personal garbage. Let’s put 15Mb in here1 3Mb in here2 and 1Mb in here1.

aspire 0.1.1 # ls -lh sizzla* -rwxr-xr-x 1 root root 4,0M août 23 14:56 sizzla.mp3 -rwxr-xr-x 1 root root 691K août 23 15:26 sizzla-small.mp3 -rw-r--r-- 1 root root 16M août 23 14:57 sizzlax4.mp3 aspire 0.1.1 # cp sizzlax4.mp3 /mnt/here1 aspire 0.1.1 # cp sizzla.mp3 /mnt/here2/ aspire 0.1.1 # cp sizzla-small.mp3 /mnt/here3 aspire 0.1.1 # aspire 0.1.1 # tree -h /mnt/here? /mnt/here1 |-- [ 12K] lost+found `-- [ 16M] sizzlax4.mp3 /mnt/here2 |-- [ 12K] lost+found `-- [4.0M] sizzla.mp3 /mnt/here3 |-- [ 12K] lost+found `-- [691K] sizzla-small.mp3

3 directories, 3 files aspire 0.1.1 #

Close all volumes.

aspire 0.1.1 # dfsclose -h Usage: /usr/sbin/dfsclose [options]

Options: -f, --file [/path/fs] Path to your filesystem -l, --loop [loop] Loop device -n, --numdev [int] Number of sub devices -h, --help This -v, --version Print version

Example: /usr/sbin/dfsclose -f fs -l loop0 -n 9 aspire 0.1.1 # aspire 0.1.1 # dfsclose -f fs -l loop0 -n 3 >>> Unmounting filesystems ... /dev/mapper/fs1_new OK /dev/mapper/fs2_new OK /dev/mapper/fs3_new OK >>> Unmapping dmsetup block devices ... /dev/mapper/fs1_new OK /dev/mapper/fs2_new OK /dev/mapper/fs3_new OK >>> Unmapping cryptsetup devices ... /dev/mapper/fs1 OK /dev/mapper/fs2 OK /dev/mapper/fs3 OK >>> Unbinding /dev/loop0 ... aspire 0.1.1 # aspire 0.1.1 # mount | grep here aspire 0.1.1 # ls /dev/mapper/ control root swap aspire 0.1.1 #

Let’s reopen them all and check we still have the files and close again.

aspire 0.1.1 # dfsopen -f /tmp/fs -l loop0 -d 1=10,2=3,3=1 -m /mnt/here >>> Binding to loop0 ... OK >>> Mapping cryptsetup block devices ... Enter passphrase: Enter passphrase: Enter passphrase: >>> Sizing up block devices ... device 1 ... Checking device structure ... device 2 ... Checking device structure ... device 3 ... Checking device structure ... >>> Mapping to crytpsetup block devices ... Checking device structure ... Checking device structure ... Checking device structure ... >>> Mounting filesystems ... /mnt/here1 mounted /mnt/here2 mounted /mnt/here3 mounted aspire 0.1.1 # tree -h /mnt/here? /mnt/here1 |-- [ 12K] lost+found `-- [ 16M] sizzlax4.mp3 /mnt/here2 |-- [ 12K] lost+found `-- [4.0M] sizzla.mp3 /mnt/here3 |-- [ 12K] lost+found `-- [691K] sizzla-small.mp3

3 directories, 3 files aspire 0.1.1 # dfsclose -f fs -l loop0 -n 3 >>> Unmounting filesystems ... /dev/mapper/fs1_new OK /dev/mapper/fs2_new OK /dev/mapper/fs3_new OK >>> Unmapping dmsetup block devices ... /dev/mapper/fs1_new OK /dev/mapper/fs2_new OK /dev/mapper/fs3_new OK >>> Unmapping cryptsetup devices ... /dev/mapper/fs1 OK /dev/mapper/fs2 OK /dev/mapper/fs3 OK >>> Unbinding /dev/loop0 ... aspire 0.1.1 #

Open the hidden volume only add a file to it and close it.

aspire 0.1.1 # dfsopen -f /tmp/fs -l loop0 -d 3=1 -m /mnt/here >>> Binding to loop0 ... OK >>> Mapping cryptsetup block devices ... Enter passphrase: >>> Sizing up block devices ... device 1 ... Checking device structure ... >>> Mapping to crytpsetup block devices ... Checking device structure ... >>> Mounting filesystems ... /mnt/here1 mounted aspire 0.1.1 # aspire 0.1.1 # tree -h /mnt/here? /mnt/here1 |-- [ 12K] lost+found `-- [691K] sizzla-small.mp3 /mnt/here2 /mnt/here3

1 directory, 2 files aspire 0.1.1 # aspire 0.1.1 # echo pi > /mnt/here1/secret aspire 0.1.1 # tree -h /mnt/here? /mnt/here1 |-- [ 12K] lost+found |-- [ 3] secret `-- [691K] sizzla-small.mp3 /mnt/here2 /mnt/here3

1 directory, 2 files aspire 0.1.1 # aspire 0.1.1 # dfsclose -f fs -l loop0 -n 1 >>> Unmounting filesystems ... /dev/mapper/fs1_new OK >>> Unmapping dmsetup block devices ... /dev/mapper/fs1_new OK >>> Unmapping cryptsetup devices ... /dev/mapper/fs1 OK >>> Unbinding /dev/loop0 ... aspire 0.1.1 #

Open the hidden volume only with a wrong password.

aspire 0.1.1 # dfsopen -f /tmp/fs -l loop0 -d 3=1 -m /mnt/here >>> Binding to loop0 ... OK >>> Mapping cryptsetup block devices ... Enter passphrase: >>> Sizing up block devices ... device 1 ... Checking device structure ... Do you intend to resize? (CTRL-C to abort) ^C aspire 0.1.1 #
At this point you should be _very_ careful. If you do not intend to resize your volume than you must realize that your password is wrong (the password is parameter of the block mapping logic). If you do pursue you will resize the hidden volume. Although in some very lucky and special cases, if you enlarge your volume you may again access your previously hidden data, don’t assume that in general as shrinking the volume will erase it for sure (unless again you free unused blocks but you’d really be lucky and you should play Euromillion).

Finally, as long as you understand that given the password you provide a different block mapping will appear, you should be fine as a user.

To really measure the true power of denyfs you have to “feel”. You have to feel the volume size compared to one another, the free space ratio and the randomness of all your passwords. This is the human parameter to that program. Strange I know, but denyfs is a system which logic on passwords and size mapping shoudn’t be written (it is way more complex than denyfs itself) and won’t work for any given size mapping and passwords.
You are strongly advised to play around and test it (wisely choose your size mapping and passwords) before actually using it for “hurm”… production purposes.

2 Comments more...