Re: Linux disk partition encryption
>On the 26/01/2011 06:36, T o n g wrote:
> Hi,
>
> I'm thinking to do the disk partition encryptions now. However
>
> "Hard drive encryption sounds like an intimating concept, mostly because
> it is. The thought of taking your precious files, then using a
> mathematical formula to convert them into random noise before scattering
> them back across your disk is a hard sell. " [1]
>
> 1. http://www.maximumpc.com/article/howtos/
> how_to_encrypt_your_entire_hard_drive_for_free_using_true_crypt
>
> So I need some demystify of the whole thing around disk/partition
> encryption
[...]
Can't comment on the crypto science, but I am using it and it works just
fine, both full disk (cryptsetup LUKS on raid and usb sticks) and for
files (ecryptfs).
>
> Here are my questions,
>
> - First very noob question, I don't want whole disk encryption, just want
> to encrypt some selected already partitioned partitions. If someone mount
> those encrypted partitions, will they shows up as empty or, there are
> some hints that the partitions have been encrypted?
Don't know what you mean exactly by "show up as empty", with ecryptfs
the mountpoint will indeed be empty unless the crypted directory is
open. But it's always possible to guess that encryption is being used,
or guess it from "missing space" on the hard drive.
>
> - The Ubuntu [3] and CentOS [4] seems to endorse dm-crypt, instead of
> (widely-used?) cryptsetup-luks. So I need a bit of explanation which is
> better than others.
>
> 3. http://www.humboldt.edu/its/security-encryption-linuxubuntu
> 4. http://beginlinux.com/blog/2009/04/centos-53-encrypted-block-devices/
Using cryptsetup and doing good. cryptsetup (LUKS) is using dm_crypt.
The old alternative (and insecure) way was cryptoloop.
>
> - In terms of encryption used, TrueCrypt supports the following
> encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-
> Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these
> hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]
>
> 5. http://www.informit.com/articles/article.aspx?p=1276279
>
> So I need a bit of explanation why your chosen algorithm is better than
> others. Very very brief will do.
Used standard aes (256), serpent and twofish, settled with twofish since
it seems really solid, standard enough, and didn't show any speed hit
with my workload.
More specifically lately I used twofish-cbc-essiv:sha256 with a keysize
of 256. I believe unless I am nominated as public enemy my data are safe
from the average lone cracker, and most probably even the serious ones.
> - Is your partition encryption choice as cross-platform as TrueCrypt?
I don't care about cross-platform, can't comment. For me if it works on
any linux flavours it's good enough, I will always be able to retrieve
my data.
>
> - If I put the encrypted partitions in fstab, then I have to enter
> passphrase for each one of them when PC boot up, I guess. Will the whole
> boot up be hold up waiting for encrypted partitions passphrases?
Yes, unless you do as mentioned below. Yes the boot process will "wait"
for you to type in the passphrases, or will look for the keyfiles.
>
> - Since I need to encrypt more than one selected partitions, if I want to
> mount encrypted partitions manually, is there any alternative way than to
> typing in passphrase for each one of them when mounting them?
You can "chain" the mounting by using a passphrase or keyfile for the
first, and then store keyfiles for the subsequent in keyfiles on the
first encrypted partition to be mounted (unsafe, maybe just for swap ?),
or all the keyfiles on a usb stick. This is less secure since if the
system is compromised the keyfiles could be stolen, but using a usb
stick only when mounting is needed reduces the risk.
I never tried but maybe pam could be used for this ?
For swap I resorted to use (clear) swap file on encrypted partitions
(could be /, /home or any as long as it's mounted at boot time), it's
more flexible and works as good as a dedicated partition for me, but my
systems have plenty of ram with reduced swappiness and I rarely see
swapping.
>
> - how passphrase are cached? Do I have to repeatedly typing in passphrase
> each time I do the mount? I also heard of passphrase-less disk
> encryptions. Hmm... I don't want to go there so maybe I can skip that.
I don't think caching the passphrases anywhere would be secure, when the
volume is in use it is "in clear" (as opposed to encrypted), so is the
swap and ram, caching would not be safe. Maybe some "keyring" daemon can
take care of that, but then your passphrases are only as safe as the one
of the keyring.
>
> BTW, I just need a mini intro about disk encryption, it does not need to
> be in-depth or comprehensive but rather short and to the point.
>
> Thanks a lot.
>
>
I used the man and:
General:
https://secure.wikimedia.org/wikipedia/en/wiki/Disk_encryption_theory#XTS
https://secure.wikimedia.org/wikipedia/en/wiki/Full_disk_encryption
http://clemens.endorphin.org/cryptography
https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt
Crash course on common crypto weaknesses :
http://clemens.endorphin.org/LinuxHDEncSettings
Have fun.
Reply to: