Re: Decrypt, Edit and Encrypt a File
On Wed, Apr 08, 2009 at 11:26:20AM -0400, H.S. wrote:
> Douglas A. Tutty wrote:
> > On Tue, Apr 07, 2009 at 06:17:56PM -0400, H.S. wrote:
> >> Douglas A. Tutty wrote:
> >>> On Tue, Apr 07, 2009 at 05:46:31PM -0400, H.S. wrote:
> >>>> Douglas A. Tutty wrote:
> > $ cat /proc/swaps:
> > Filename Type Size Used Priority
> > /dev/mapper/sda2_crypt partition 979956 0 -1
> >
> > $ mount | grep -i /tmp
> > /dev/mapper/sdb1_crypt on /var/tmp type ext3 (rw,data=journal)
> > tmpfs on /tmp type tmpfs (rw,size=500m)
> > There are a limited number of places where a piece of software can leak
> > info:
> >
> > 1. to /tmp: It's encrypted
> > 2. to /var/tmp: It's encrypted
> > 3. to somewhere on ~/: I have /home encrypted
> > 4. left in swap: it's encrypted
> > 5. in a core dump after a crash: use ulimit (see man bash) to
> > limit core dump size to 0
> >
> > Of course, the unencrypted data is in memory, so anything that can read
> > any memory segment can read your data.
> I am curious, what is the performance cost to have your ~/ and /tmp and
> /swap encrypted? What kind of machine are you using?
I see no performance cost and I've done this on a PII-233 on old IDE
disks and now on a PII-450 with two SCSI disks.
Think of it this way: Data has to go out to disk. That takes a lot of
time compared to moving data in the memory. It doesn't take that much
time to start the encryption process (which can continue while the data
is streaming to the disk). I'm sure it's more complex than this, but
that's the idea.
If I want to have the fastest streaming possible, I'll have a
non-encrypted partition in a convenient spot, say /var/local/cache but
I've found that I haven't had a problem without it. I suppose it may be
important if you're doing streaming video or something, but you'd want a
separate raid array for that anyway.
> Also, since you have to use mount, which requires root privileges, the
> above method is not possible for a normal (non-root) user, is it?
These partitions are all mounted on boot. I set up the encrypted
partitions during the install (Etch). Here's fstab:
# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
#/dev/sda1 / ext3 defaults,data=journal,errors=remount-ro 0 1
LABEL=root / ext3 defaults,data=journal,errors=remount-ro 0 1
/dev/mapper/sdb2_crypt /home ext3 defaults,data=journal 0 2
#/dev/sda3 /usr ext3 defaults,data=journal 0 2
LABEL=usr /usr ext3 defaults,data=journal 0 2
#/dev/sda5 /var ext3 defaults,data=journal 0 2
LABEL=var /var ext3 defaults,data=journal 0 2
/dev/mapper/sda6_crypt /var/local ext3 defaults,data=journal 0 2
/dev/mapper/sdb1_crypt /var/tmp ext3 defaults,data=journal 0 2
/dev/mapper/sda2_crypt none swap sw 0 0
tmpfs /tmp tmpfs size=500m 0 0
/dev/hda /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
Thus, it's totally transparent to the normal user. I have to enter the
pass phrases at boot; I've been too lazy to set it up to only require
one, so I have to do it three times (one for each encrypted partition)
(swap doesn't need a passphrase). LUKS is flexible enough that you
could use a USB key if you like.
Doug.
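An added example (not Doug's code, nor anything from the thread) that checks the five leak points he lists against the mount table, the swap table and the core-file limit. The mount and swap text below is constructed to resemble the output quoted in the thread; on a real system you would feed it "$(mount)", "$(cat /proc/swaps)" and "$(ulimit -c)" instead.

```sh
#!/bin/sh
# Added example: classify where data written under a mount point ends up.
# Constructed sample input modelled on the output quoted in the thread; on a
# real box you would pass "$(mount)", "$(cat /proc/swaps)" and "$(ulimit -c)".
SAMPLE_MOUNTS='/dev/mapper/sdb1_crypt on /var/tmp type ext3 (rw,data=journal)
tmpfs on /tmp type tmpfs (rw,size=500m)
/dev/mapper/sdb2_crypt on /home type ext3 (rw,data=journal)
/dev/sda1 on / type ext3 (rw,data=journal,errors=remount-ro)'
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/mapper/sda2_crypt partition 979956 0 -1'

# swap_encrypted SWAPS_TEXT: succeed only if every active swap device is a
# device-mapper (dm-crypt) mapping rather than a raw partition or a file.
swap_encrypted() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && index($1, "/dev/mapper/") != 1 { bad = 1 }
             END { exit (bad ? 1 : 0) }'
}

# mount_line MOUNTS_TEXT MOUNTPOINT: print "<source> <fstype>" for a mount point.
mount_line() {
    printf '%s\n' "$1" | awk -v mp="$2" '$3 == mp { print $1, $5; exit }'
}

# leak_status MOUNTS_TEXT SWAPS_TEXT MOUNTPOINT: a tmpfs only counts as
# encrypted when the only place its pages can be written out is encrypted swap.
leak_status() {
    line=$(mount_line "$1" "$3")
    case "$line" in
        '')             echo not-mounted ;;
        /dev/mapper/*)  echo encrypted ;;
        'tmpfs tmpfs')  if swap_encrypted "$2"; then echo encrypted
                        else echo swap-cleartext; fi ;;
        *)              echo cleartext ;;
    esac
}

# core_dumps_disabled LIMIT: succeed if the soft core-file size limit is 0.
core_dumps_disabled() {
    [ "$1" = 0 ]
}

for mp in /tmp /var/tmp /home /; do
    printf '%-9s %s\n' "$mp" "$(leak_status "$SAMPLE_MOUNTS" "$SAMPLE_SWAPS" "$mp")"
done
if core_dumps_disabled "$(ulimit -c)"; then echo 'core dumps: disabled'
else echo 'core dumps: enabled (set ulimit -c 0 in your shell startup)'; fi
```

With the sample data the script reports /tmp, /var/tmp and /home as encrypted and / as cleartext; swap it for a raw /dev/sdX swap entry and the tmpfs /tmp drops to swap-cleartext.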