Re: Extreme Security Suggestions?
Timothy,
There are a few encrypted filesystems for Linux.
Ones aimed at distributed filesystems (NFS replacements):
- "CFS", which has been packaged and is available from non-us.debian.org.
- "TCFS", http://tcfs.dia.unisa.it/
I used CFS several years ago and it seemed to work well. My only
complaint was that triple DES was a bit slow on my 486/33.
Another approach which I am currently using involves patching the
kernel to provide kernel level encrypted filesystems. I have updated
a patch for kernel 2.0.36 which was originally released in 1996 for
kernel 2.0.11. I have gotten good results with this using IDEA
encryption on systems ranging from a 486/33 to PII-350.
There are now encryption patches available for the new 2.2.x kernels.
ftp://ftp.kerneli.org/pub/linux/kerneli/v2.2/patch-int-2.2.1.1.gz
will add encryption to linux 2.2.1. I have not used this patch yet,
but I will give it a try as soon as I update to slink and have a
2.2.x compatible system.
When unmounted, the ability to scan the raw partition will not give
your cracker any useful information. If they are really determined,
they could scan raw /tmp and swap partitions for traces of sensitive
data. Whether this is an issue depends on your required security level.
When mounted, a root cracker would be able to read the all files on
the partition. Mounting the partition requires a passphrase.
The kernel approach will require patching and building custom versions
of the kernel and mount programs.
If you want more detail on these, let me know,
John
On Fri, Feb 05, 1999 at 12:56:56AM -0400, Timothy Hospedales wrote:
> Hi,
> I am wondering what is the recommended way to secure a sizeable volume (0.5-2GB
> ) of confidential data such that it is non-retreivable/unusable even in the
> event that a hacker has gained user level or <shudder> root access?
Reply to: