
Re: Linux disk partition encryption



On Wed, 26 Jan 2011 05:36:22 +0000 (UTC)
T o n g <mlist4suntong@yahoo.com> wrote:

...

> 2. http://www.tldp.org/HOWTO/html_single/Disk-Encryption-HOWTO/
> also, Linux Encryption HOWTO
> http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html
> v0.2.2, 04 October 2000
> 
> Here are my questions, 
> 
> - First very noob question, I don't want whole disk encryption, just want 
> to encrypt some selected already partitioned partitions. If someone mounts 
> those encrypted partitions, will they show up as empty, or are there 
> some hints that the partitions have been encrypted? 

A partition cannot be mounted; filesystems can.  If the partition is
encrypted, no filesystem will be visible.  If you mean to ask whether
someone analyzing the disk will be able to detect an encrypted
datastore, in general the answer is probably yes.  There may be some
methods to prevent that, but I'm unfamiliar with them.

> - Ubuntu [3] and CentOS [4] seem to endorse dm-crypt, instead of 
> (widely-used?) cryptsetup-luks. So I need a bit of explanation of which is 
> better than the others. 

Don't understand this.  In Debian, there's cryptsetup, which includes
LUKS support (cryptsetup-luks is a virtual package satisfied (only) by
cryptsetup).  From the cryptsetup README.Debian:

"Cryptsetup is a command-line interface for configuring encrypted block
devices via dm-crypt, a kernel device-mapper target."

> 3. http://www.humboldt.edu/its/security-encryption-linuxubuntu
> 4. http://beginlinux.com/blog/2009/04/centos-53-encrypted-block-devices/
> 
> - In terms of encryption used, TrueCrypt supports the following 
> encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-
> Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these 
> hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]
> 
> 5. http://www.informit.com/articles/article.aspx?p=1276279
> 
> So I need a bit of explanation why your chosen algorithm is better than 
> others. Very very brief will do.

[Rough, brief explanation - may not be totally accurate.]

AES is both a standards process, as well as a method chosen by that
process.  AES was the winner of that process; some of the others on
your list were finalists.  AES has the advantage of having been
extensively tested, in both labs and the real world, but some of the
others (e.g., Twofish) are supposed to be quite good.

Further reading:

http://www.schneier.com/paper-aes-comparison.html
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
http://www.brighthub.com/computing/smb-security/articles/53270.aspx
http://en.wikipedia.org/wiki/Twofish
http://www.schneier.com/twofish.html
http://www.image-in.co.il/HTML/SEC4NET/aes_history.html

> - Is your partition encryption choice as cross-platform as TrueCrypt?

No idea, but LUKS / dm-crypt can apparently be used on Windows with
FreeOTFE:

"This software is compatible with Linux encrypted volumes (e.g. LUKS,
cryptoloop, dm-crypt), allowing data encrypted under Linux to be read
(and written) freely. It was the first open source transparent disk
encryption system to support Windows Vista and PDAs."

http://en.wikipedia.org/wiki/FreeOTFE

> - If I put the encrypted partitions in fstab, then I have to enter a 
> passphrase for each one of them when the PC boots up, I guess. Will the whole 
> boot-up be held up waiting for the encrypted partitions' passphrases?

This obviously depends on what's on the partitions you encrypt.

> - Since I need to encrypt more than one selected partition, if I want to 
> mount the encrypted partitions manually, is there any alternative to 
> typing in a passphrase for each one of them when mounting them?

Yes - use keyfiles, and have the system use them to unlock partitions.
You can / should encrypt the keyfile, or put it on an encrypted disk
which requires a passphrase.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
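As an added illustration of two points in the reply above (the on-disk LUKS header is exactly the kind of "hint" a disk analyst looks for, and a keyfile is simply another passphrase occupying one of the header's key slots), here is a small parser for the LUKS1 header layout. It is example code written for this page, not code from the thread or from the cryptsetup project; the header bytes it parses are constructed inline.

```python
import struct

LUKS1_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_LEN = 592                     # 208-byte fixed part + 8 key slots of 48 bytes
SLOT_ACTIVE, SLOT_INACTIVE = 0x00AC71F3, 0x0000DEAD
HEADER_FMT = ">6sH32s32s32sII20s32sI40s"   # magic, version, cipher, mode, hash, payload offset,
                                           # key bytes, MK digest, MK salt, MK iterations, UUID
SLOT_FMT = ">II32sII"                      # active flag, iterations, salt, key-material offset, stripes


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii")


def parse_luks1_header(blob):
    """Return a dict describing a LUKS1 header, or None if blob does not carry one."""
    if len(blob) < LUKS1_HEADER_LEN or blob[:6] != LUKS1_MAGIC:
        return None
    (_, version, cipher, mode, hsh, payload_off, key_bytes,
     _, _, mk_iter, uid) = struct.unpack_from(HEADER_FMT, blob, 0)
    if version != 1:                       # LUKS2 shares the magic but has a different layout
        return None
    active = []
    for i in range(8):                     # each slot can hold a passphrase or a keyfile
        flag = struct.unpack_from(SLOT_FMT, blob, 208 + 48 * i)[0]
        if flag == SLOT_ACTIVE:
            active.append(i)
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hsh),
            "payload_offset_sectors": payload_off, "key_bytes": key_bytes,
            "mk_iterations": mk_iter, "uuid": _cstr(uid), "active_slots": active}


def build_sample_header(active_slots=(0, 1)):
    """Constructed sample: an aes-xts-plain64 LUKS1 header with the given key slots in use."""
    fixed = struct.pack(HEADER_FMT, LUKS1_MAGIC, 1, b"aes", b"xts-plain64", b"sha1",
                        4096, 32, b"\x11" * 20, b"\x22" * 32, 1000,
                        b"00000000-0000-0000-0000-000000000000")
    slots = b""
    for i in range(8):
        flag = SLOT_ACTIVE if i in active_slots else SLOT_INACTIVE
        slots += struct.pack(SLOT_FMT, flag, 1000 if flag == SLOT_ACTIVE else 0,
                             bytes([i]) * 32, 8 + i * 256, 4000)
    return fixed + slots


if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
    print(parse_luks1_header(b"\x00" * LUKS1_HEADER_LEN))   # None: no LUKS signature
```

Feeding it the first 592 bytes of a real partition shows whether that partition carries a LUKS1 header (which is also how tools like blkid recognise one); LUKS2 headers are larger and laid out differently, and this parser deliberately reports None for them.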

