
Re: Linux disk partition encryption



On Wed, Jan 26, 2011 at 9:29 AM, Celejar <celejar@gmail.com> wrote:

> A partition cannot be mounted; filesystems can.  If the partition is
> encrypted, no filesystem will be visible.  If you mean to ask whether
> someone analyzing the disk will be able to detect an encrypted
> datastore, in general the answer is probably yes.  There may be some
> methods to prevent that, but I'm unfamiliar with them.


Basically, the primary way to slow down this analysis is to write
random data to the entire hard drive. This is how the full-disk LUKS
encryption works from the installer. Obviously, since the OP is only
wanting to encrypt certain directories, this has limited utility.

However, IMHO, if you are considering building or rebuilding a
machine, you should consider using the full-disk LUKS encryption. I
have been using it for years on a number of machines in a variety of
settings. In fact, in my last job, it was required for laptops that
their drives be encrypted (it was mainly a Mac/Windows shop), so we
Linux admins used LUKS, and as a further step, I put /boot (the only
partition that cannot be encrypted) on a USB stick, so that if anyone
got the laptop, they had no access to the data.

The way I set it up is as follows:

Hard drive
      --> /boot partition
      --> encrypted swap partition (filled w/random data)
      --> rest of disk for encryption (filled w/random data)
                    --> LVM
                                --> filesystems

As you can see, the LVM and filesystems are within the encrypted
portion of the disk. On boot, I am prompted for my passphrase, and
once I give it, the filesystems are made available and booting
continues. It is possible to place key files on other media and be
able to, for instance, boot from a USB key or even boot one encrypted
partition from a key file on another encrypted partition. (I have done
this before, as I have not been able to figure out how to get one
encrypted partition to traverse multiple drives.) An additional
benefit is that having a key file on another encrypted partition means
that you only have to unlock one partition with a passphrase. The rest
will be decrypted automatically.

Further reading (Ubuntu has some really good docs on this):
https://help.ubuntu.com/community/EncryptedFilesystemHowto
http://main.uab.edu/Sites/it/faqs/63837/
There are a number of other Ubuntu EncryptedFilesystemHowto docs,
ranging in age from 6.06 to present. Search on help.ubuntu.com...

--b
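
The detection question in the quoted text and the random-fill point in the reply can be checked on a disk image. The following is an added example, not part of the original message: it reads the cleartext LUKS header that identifies an encrypted container, then compares the byte entropy of a never-written (zero) region with a random-filled one. It assumes the LUKS1 on-disk header layout; the sample header is constructed, and the function names are hypothetical.

```python
import math
import os
import struct
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 on-disk header (big-endian): magic, version, cipher name,
# cipher mode, hash spec, payload offset in sectors, master key length in bytes.
LUKS1_FMT = ">6sH32s32s32sII"


def _text(raw: bytes) -> str:
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks_header(sector0: bytes):
    """Return the cleartext header fields, or None when no LUKS magic is present."""
    if len(sector0) < struct.calcsize(LUKS1_FMT) or not sector0.startswith(LUKS_MAGIC):
        return None
    _, version, cipher, mode, hash_spec, offset, key_bytes = struct.unpack_from(LUKS1_FMT, sector0)
    if version != 1:  # other versions use a different layout; report the version only
        return {"version": version}
    return {"version": 1, "cipher": _text(cipher), "mode": _text(mode),
            "hash": _text(hash_spec), "payload_offset_sectors": offset,
            "key_bits": key_bytes * 8}


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of a byte string; 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_header() -> bytes:
    """Constructed sample: a LUKS1-style first sector with made-up parameters."""
    head = struct.pack(LUKS1_FMT, LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32)
    return head.ljust(512, b"\0")


if __name__ == "__main__":
    print("header:", parse_luks_header(build_sample_header()))
    # A never-written region (zeros) next to ciphertext marks how much is in use;
    # a random-filled region has the same statistics as ciphertext.
    print("zero-filled :", entropy_bits_per_byte(bytes(65536)))
    print("random-fill :", round(entropy_bits_per_byte(os.urandom(65536)), 3))
```

The header fields are stored unencrypted, so the container itself is identifiable; the random fill only removes the boundary between written ciphertext and unused space.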

