PupVault v8 - a luks encrypted file store

gyro
Posts: 1798
Joined: Tue 28 Oct 2008, 21:35
Location: Brisbane, Australia

PupVault v8 - a luks encrypted file store

#1 Post by gyro »

PupVault works a bit like a physical vault.
Once you've set it up, if you want access to any of the files inside you "Open" it,
and after you "Close" it, you can't access what is inside or even see what is inside.

The "combination" to this PupVault is a password which you define when you "Create" it.
Without this password the contents of the PupVault are inaccessible; all you can do is delete the PupVault file.
So, don't forget the password.
Guessing the password is also the easiest way for "attackers" to gain access to the PupVault.
So the password needs to be difficult to guess.

A PupVault is a file, just like a luks encrypted savefile.
So, it can be stored anywhere, on any filesystem.

When you "Create" a PupVault file, you need to specify the size of the file in MiB.
The minimum size is 4MiB, but with this size there is only a little less than 1MiB of available space inside.
So I suggest that, once you have worked out which files you want to keep secret and how much space they require,
you create a trial PupVault to see if your files will easily fit inside.

Also when you "Create" a PupVault file, you will be asked for a "name", the default being 'vault'.
Whatever "name" you choose, '_luks.4fs' will be appended to produce the filename of the PupVault file,
so the default filename is 'vault_luks.4fs'.


Prerequisites:

1. A working "cryptsetup" utility to do the luks stuff.

2. Bionicpup32, Bionicpup64 or similar woof-ce vintage Puppy.

PupVault v8 is released as a ydrv...sfs for these Puppies because it makes use of the enhanced luks support contained within "ydrv_pupvault_8.sfs".
These luks enhancements replace some existing woof-ce files that have significantly changed over recent months; the replacements won't work properly in older Puppies.


Usage:

1. Download the "ydrv_pupvault_8.sfs" file, move it into the frugal install directory of a suitable Puppy,
rename it to the appropriate ydrv filename for that Puppy, and reboot.

2. "PupVault - encrypted file store" should be available in the "Filesystem" menu beside "Pmount".

3. Run "PupVault" and "Create" a PupVault file.

4. "Open" the PupVault file, which opens a filemanager window at the mountpoint.

5. Copy/move some "secret" files into the opened directory.

6. "Close" the PupVault file, which closes the filemanager window opened in 4.

Notes:

1. The default PupVault file is "$HOME/vault_luks.4fs", usually '/root/vault_luks.4fs'.

2. The default mountpoint is '/mnt/vault'


Why do this when Puppy already has luks encrypted savefiles available?

1. Savefiles contain a lot of files that are Puppy files and hence easily available in the public domain.
What's the point of encrypting these files? Remember that any software installed via a ".pet" is in there.

2. Some Puppy users prefer to use a savefolder rather than a savefile, but would still like to encrypt some of their files.

3. A PupVault file can be stored anywhere in the mounted filesystem, so it can be stored outside the save mechanism and hence be shared between many Puppies.

gyro
Attachments
ydrv_pupvault_8.sfs.gz
Remove fake ".gz" to produce sfs file.
(24 KiB) Downloaded 257 times
Last edited by gyro on Sun 07 Apr 2019, 18:58, edited 1 time in total.


#2 Post by gyro »

"ydrv_pupvault_8.sfs" includes enhanced luks support in the following files:

/sbin/mount.crypto_LUKS:

The major changes are a re-implementation of parameter processing.
This includes a new parameter to request an fsck of the embedded ext4 filesystem.
A new parameter to allow the password to be provided by the calling application.
Support passing on of mount options, e.g. "-o ro", "-o discard" to the mounting of the embedded ext4 filesystem.
Allow "mount -t crypto_LUKS /root/vault_luks.4fs /mnt/vault" to work as well as "mount -t crypto_LUKS /dev/sdc3 /mnt/sdc3".

Also change the names generated for /dev/mapper/ devices to be of the form, either /dev/mapper/luks_loop3 or /dev/mapper/luks_sdc3,
so the host block device name can always be derived from the /dev/mapper/ device name.
If it starts with /dev/mapper/luks_loop then it's a file, else it's a partition.

/bin/umount:

Now recognises a mounted luks file or partition, and appropriately calls umount.crypto_LUKS.
If the device name found in an entry in /proc/mounts starts with /dev/mapper/luks then it's luks.
So "umount /mnt/sdc3" works if sdc3 is an ordinary partition or a luks partition,
and "umount /mnt/vault" also works for a mounted luks file, e.g. a PupVault file.
This is important so that the stray filesystem cleanup code in rc.shutdown will work properly for stray mounted luks devices.

/sbin/umount.crypto_LUKS:

Modified to support the changes in mount.crypto_LUKS, and umount.

/usr/local/pup_event/frontend_rox_funcs:
/usr/sbin/pmount:
/usr/sbin/filemnt:

These have been modified to take advantage of the enhancements noted above.

Note: It is my intention to patch woof-ce with these modified files.

gyro
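
Added example, not part of gyro's post and not the PupVault or woof-ce code: a small shell sketch of the /dev/mapper naming rule described in post #2, applied to /proc/mounts-style lines to tell luks files from luks partitions and recover the host block device. The function names and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Classify the device field of a /proc/mounts entry using the naming
# rule from the post:
#   /dev/mapper/luks_loopN  -> luks file,      host device /dev/loopN
#   /dev/mapper/luks_<part> -> luks partition, host device /dev/<part>
# Anything else is treated as an ordinary (non-luks) mount.
classify_dev() {
    case "$1" in
        /dev/mapper/luks_loop*) echo "luks-file /dev/${1#/dev/mapper/luks_}" ;;
        /dev/mapper/luks_?*)    echo "luks-partition /dev/${1#/dev/mapper/luks_}" ;;
        *)                      echo "plain $1" ;;
    esac
}

# Read /proc/mounts-format text on stdin and print one line per luks
# mount: "<mountpoint> <kind> <host device>".
# read -r keeps the backslash escapes /proc/mounts uses (e.g. \040 for a
# space in a mountpoint), so a field is never split in the wrong place.
list_luks_mounts() {
    while read -r dev mnt fstype rest; do
        info=$(classify_dev "$dev")
        kind=${info%% *}
        host=${info#* }
        [ "$kind" = plain ] || echo "$mnt $kind $host"
    done
}

# Constructed sample in /proc/mounts format (not taken from a real system).
SAMPLE_MOUNTS='/dev/sdb2 /mnt/sdb2 ext4 rw,relatime 0 0
/dev/mapper/luks_loop3 /mnt/vault ext4 rw,relatime 0 0
/dev/mapper/luks_sdc3 /mnt/sdc3 ext4 rw,relatime 0 0
/dev/loop0 /initrd/pup_ro2 squashfs ro,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | list_luks_mounts
```

On a live system, `list_luks_mounts < /proc/mounts` lists any luks mappings that are still mounted, which is a quick check that a vault really was closed.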


PupVault v7 - a luks encrypted file store

#3 Post by gyro »

"ydrv_pupvault_7.sfs" is a version of "ydrv_pupvault_8.sfs" that has been "hacked" to allow it to work with slightly older versions of Puppy.
The "7" refers to Puppy v7 and the "8" refers to Puppy v8.
The pupvault files, mount.crypto_LUKS, umount.crypto_LUKS, and umount files are the same, but other support files have been "hacked".
If you are looking at the code, please ignore these "hacked" files.
It works for me with xenialpup (with yad binary replaced with yad 0.39.0) and upupbb (the pre-bionicpup32 version).

To use: Rename downloaded sfs file to appropriate ydrv....sfs filename for the Puppy you are using.

Note1: A working version of cryptsetup is still a prerequisite.

Note2: PupVault might fail to run in xenialpup because the version of yad is too old.
Upgrading yad should fix this.

gyro
Attachments
ydrv_pupvault_7.sfs.gz
Remove false ".gz" to produce sfs file
(24 KiB) Downloaded 205 times
yad_32-39.pet
Click on downloaded file to install
(70.21 KiB) Downloaded 211 times
yad_64-39.pet
Click on downloaded file to install
(73.71 KiB) Downloaded 229 times


#4 Post by gyro »

I have attached updated "ydrv_pupvault_8.sfs" and "ydrv_pupvault_7.sfs".

As I recall, there is a bug in "drive_all" processing (that's the drive icons on the rox desktop).

These files can also be downloaded from http://www.mediafire.com/folder/4nla3vcbco1ot/pupvault

gyro
Attachments
ydrv_pupvault_8.sfs.gz
Remove fake ".gz" to produce sfs file
(24 KiB) Downloaded 212 times
ydrv_pupvault_7.sfs.gz
Remove fake ".gz" to produce sfs file
(24 KiB) Downloaded 212 times
