
Tong wrote:
Hi,
I'm thinking of doing disk partition encryption now.
[...]
- First, a very noob question: I don't want whole disk encryption, I just want
to encrypt some selected, already partitioned partitions. If someone mounts the encrypted partitions, will they show up as empty, or are there hints that the partition has been encrypted?
It depends. Mounting will just fail, or the mount command will ask for the passphrase. Truecrypt has the feature of hidden containers, so it shouldn't be possible to see if there is encrypted data in that case, but I've never tried that myself.
- Ubuntu [3] and CentOS [4] seem to endorse dm-crypt, instead of
cryptsetup-luks, which grml-crypt uses. So I need a bit of explanation why it is better than the others.
man cryptsetup says: cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension). So cryptsetup is just a wrapper around dm-crypt which means technically they're the same.
- In terms of encryption used, TrueCrypt supports the following
encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; and these hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5].
So I need a bit of explanation why the chosen algorithm is better than others.
I use the grml-crypt's defaults because I trust they are OK.
It's a hard task to say "that algorithm is better than that other one" if you're not a specialist in the crypto area. The mathematics behind the different algorithms is hard, the implementation details are even harder. :) A rule of thumb: Use default algorithms (someone with (hopefully) more knowledge than you trusts in them).
- Is your choice as cross-platform as TrueCrypt?
My choice is grml-crypt, because I only use debian-based systems anyway. In case grml-crypt is not there yet, a simple
git clone git://git.grml.org/grml-crypt.git
will do for me.
- Since I need to encrypt more than one selected partition, is there any
alternative to typing in the passphrase for each one of them when mounting them?
You can set up /etc/crypttab to contain a key file that contains the passphrase. But then you should make sure that key file resides on an encrypted partition itself and only root can read it :-)
- How are passphrases cached? Do I have to repeatedly type in the passphrase
each time I do the mount? I also heard of passphrase-less disk encryption. Hmm... I don't want to go there, so maybe I can skip that.
See above for /etc/crypttab :) Passphrase-less disk encryption is useless. Everybody can still read your data, so it just costs performance. Don't do it.
BTW, I just need a mini how-to about disk encryption; it does not need to be in-depth or comprehensive, but rather short and to the point, to allow anyone with a minimum of Linux disk encryption knowledge to create encrypted memory sticks, USB disks, or partitions in minutes.
Linux disk encryption in 4 commands:

    # get grml-crypt :)
    git clone git://git.grml.org/grml-crypt.git
    # create encrypted partition, format it with ext3
    grml-crypt -vvv -text3 format /dev/sdaX
    # mount encrypted partition
    grml-crypt -vvv -F mount /dev/sdaX /mnt/test
    # umount encrypted partition
    grml-crypt -vvv stop /mnt/test
You can skip the -vvv part if you don't want to see what happens in every shining detail.
Thanks a lot.
Bye, Thomas
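Added example (not part of Thomas's or Tong's mail, and not grml-crypt code): a small POSIX shell script for the key-file approach Thomas describes for /etc/crypttab, using cryptsetup directly. It assumes the partition is already LUKS-formatted (as grml-crypt's format step produces), and the device /dev/sdaX, the mapping name "data" and the key path /etc/keys/data.key are placeholders. The checks it adds are the two caveats from the mail: the key file must be readable by root only, and it must live on a filesystem that is itself dm-crypt backed.

```shell
#!/bin/sh
# Added example: unlock a LUKS partition at boot via a key file in /etc/crypttab.
# Not from the original mail or from grml-crypt; uses cryptsetup directly.
# Assumptions (placeholders): /dev/sdaX is already LUKS-formatted, the mapping
# is called "data", and /etc/keys sits on an encrypted root filesystem.
set -eu

# Create a 4096-byte random key file readable by its owner only.
# umask 077 closes the window between creation and the final chmod.
make_keyfile() {
    keyfile=$1
    ( umask 077 && head -c 4096 /dev/urandom > "$keyfile" )
    chmod 0400 "$keyfile"
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if the key file has no group/other bits set.
# The key is as good as the passphrase, so nobody but its owner may read it.
keyfile_perms_ok() {
    case "$(file_mode "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if the key file sits on a dm-crypt backed filesystem (/dev/mapper/...).
# Linux only (util-linux findmnt). A key file on a plain disk defeats the purpose.
keyfile_on_encrypted_fs() {
    src=$(findmnt -n -o SOURCE -T "$1" 2>/dev/null) || return 1
    case "$src" in
        /dev/mapper/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Compose the /etc/crypttab entry: <name> <device> <keyfile> <options>.
crypttab_line() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# Root-only part: register the key with LUKS and wire it into crypttab.
# luksAddKey asks once for an existing passphrase; afterwards the partition
# opens without a prompt at boot. Needs root and a real LUKS device, so it is
# only run when invoked explicitly with three arguments.
setup() {
    name=$1 dev=$2 keyfile=$3
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    mkdir -p "$(dirname "$keyfile")"
    make_keyfile "$keyfile"
    chown root:root "$keyfile"
    keyfile_perms_ok "$keyfile" || { echo "bad permissions on $keyfile" >&2; return 1; }
    keyfile_on_encrypted_fs "$keyfile" \
        || echo "warning: $keyfile is not on an encrypted filesystem" >&2
    cryptsetup luksAddKey "$dev" "$keyfile"
    crypttab_line "$name" "$dev" "$keyfile" >> /etc/crypttab
    # Try it right away instead of waiting for the next boot.
    cryptsetup luksOpen "$dev" "$name" --key-file "$keyfile"
}

# Usage: sh luks-keyfile.sh data /dev/sdaX /etc/keys/data.key
if [ "$#" -eq 3 ]; then
    setup "$1" "$2" "$3"
fi
```

The passphrase stays in a second key slot, so the key file can be revoked later with cryptsetup luksRemoveKey without reformatting, and the existing passphrase still works if the key file is lost.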