disk partition encryption roadmap

Hi,
I'm thinking of doing disk partition encryption now. However,
"Hard drive encryption sounds like an intimidating concept, mostly because it is. The thought of taking your precious files, then using a mathematical formula to convert them into random noise before scattering them back across your disk is a hard sell." [1]
1. http://www.maximumpc.com/article/howtos/how_to_encrypt_your_entire_hard_drive_for_free_using_true_crypt
So I need some demystification of the whole disk/partition encryption thing. The official "Disk Encryption HOWTO" from tldp.org [2] is only dated 2004-11-17, so I would assume it is *way* outdated. In terms of security, I tend to turn to people that I trust for help. With tldp.org having failed me, I need your help, people from the grml community, instead of some random blogs found on the internet.
2. http://www.tldp.org/HOWTO/html_single/Disk-Encryption-HOWTO/
Linux Encryption HOWTO http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html v0.2.2, 04 October 2000
Here are my questions:
- First, a very noob question: I don't want whole disk encryption, I just want to encrypt some selected, already partitioned partitions. If someone mounts the encrypted partitions, will they show up as empty, or are there hints that the partition has been encrypted?
- Ubuntu [3] and CentOS [4] seem to endorse dm-crypt instead of the cryptsetup-luks that grml-crypt uses. So I need a bit of explanation of why it is better than the others.
3. http://www.humboldt.edu/its/security-encryption-linuxubuntu
4. http://beginlinux.com/blog/2009/04/centos-53-encrypted-block-devices/
- In terms of encryption used, TrueCrypt supports the following encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; and these hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]
5. http://www.informit.com/articles/article.aspx?p=1276279
So I need a bit of explanation of why the chosen algorithm is better than the others.
- Is your choice as cross-platform as TrueCrypt?
- Since I need to encrypt more than one selected partition, is there any alternative to typing in a passphrase for each one of them when mounting them?
- How are passphrases cached? Do I have to repeatedly type in the passphrase each time I mount? I also heard of passphrase-less disk encryption. Hmm... I don't want to go there, so maybe I can skip that.
BTW, I just need a mini how-to about disk encryption; it does not need to be in-depth or comprehensive but rather short and to the point, to allow anyone with a minimum of Linux disk encryption knowledge to create encrypted memory sticks, USB disks, or partitions in minutes.
Thanks a lot.

Tong,
For a less intimidating (but still quite effective) HD encryption strategy, check out the grml2hd manpage. It includes straightforward examples of switching to LUKS-managed encrypted /home and swap partitions after installation, as well as examples of mounting directories for temporary files as tmpfs ramdisks. I am using more or less the exact setup described in the man page on my netbook.
You can easily set up passphrases for each encrypted partition if you wish.
Best, Will
On Jan 25, 2011 12:18 PM, T o n g <mlist4suntong@yahoo.com> wrote:
[...]

T o n g wrote:
Hi,
I'm thinking to do the disk partition encryptions now.
[...]
- First, a very noob question: I don't want whole disk encryption, I just want
to encrypt some selected, already partitioned partitions. If someone mounts the encrypted partitions, will they show up as empty, or are there hints that the partition has been encrypted?
It depends. Mounting will just fail, or the mount command will ask for the passphrase. Truecrypt has the feature of hidden containers, so it shouldn't be possible to see if there is encrypted data in that case, but I've never tried that myself.
- Ubuntu [3] and CentOS [4] seem to endorse dm-crypt instead of the
cryptsetup-luks that grml-crypt uses. So I need a bit of explanation of why it is better than the others.
man cryptsetup says: cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension). So cryptsetup is just a wrapper around dm-crypt which means technically they're the same.
- In terms of encryption used, TrueCrypt supports the following
encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; and these hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]
So I need a bit of explanation of why the chosen algorithm is better than the others.
I use the grml-crypt's defaults because I trust they are OK.
It's a hard task to say "that algorithm is better than that other one" if you're not a specialist in the crypto area. The mathematics behind the different algorithms is hard, the implementation details are even harder. :) A rule of thumb: Use default algorithms (someone with (hopefully) more knowledge than you trusts in them).
- Is your choice as cross-platform as TrueCrypt?
My choice is grml-crypt, because I only use debian-based systems anyway. In case grml-crypt is not there yet, a simple
git clone git://git.grml.org/grml-crypt.git
will do for me.
- Since I need to encrypt more than one selected partition, is there any
alternative to typing in a passphrase for each one of them when mounting them?
You can set up /etc/crypttab to contain a key file that contains the passphrase. But then you should make sure that key file resides on an encrypted partition itself and only root can read it :-)
- How are passphrases cached? Do I have to repeatedly type in the passphrase
each time I mount? I also heard of passphrase-less disk encryption. Hmm... I don't want to go there, so maybe I can skip that.
See above for /etc/crypttab :) Passphrase-less disk encryption is useless. Everybody can still read your data, so it just costs performance. Don't do it.
BTW, I just need a mini how-to about disk encryption; it does not need to be in-depth or comprehensive but rather short and to the point, to allow anyone with a minimum of Linux disk encryption knowledge to create encrypted memory sticks, USB disks, or partitions in minutes.
Linux disk encryption in 4 commands:

# get grml-crypt :)
git clone git://git.grml.org/grml-crypt.git
# create encrypted partition, format it with ext3
grml-crypt -vvv -text3 format /dev/sdaX
# mount encrypted partition
grml-crypt -vvv -F mount /dev/sdaX /mnt/test
# umount encrypted partition
grml-crypt -vvv stop /mnt/test
You can skip the -vvv part if you don't want to see what happens in every shining detail.
Thanks a lot.
Bye, Thomas
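On the first question (does an encrypted partition look empty?), here is an added example that is not from the thread: a LUKS volume is recognisable from its cleartext header, whose first six bytes are the magic "LUKS" 0xba 0xbe followed by a big-endian version, and a LUKS1 header also names its cipher, mode and hash in the clear. The sample header bytes are constructed here, not read from a real volume; `blkid` and `cryptsetup isLuks` identify a volume from exactly these bytes.

```shell
#!/bin/sh
# Added example (not from the thread): a LUKS partition does not "look
# empty". cryptsetup luksFormat writes a cleartext header starting with
# the magic "LUKS" 0xba 0xbe and a big-endian version number; a LUKS1
# header additionally states cipher, mode and hash as NUL-padded strings.
set -eu

# Read a 32-byte NUL-padded string field at byte offset $2 of file $1.
field() {
    dd if="$1" bs=1 skip="$2" count=32 2>/dev/null | tr -d '\0'
}

# Report what the first bytes of a file or block device reveal:
# "none", "LUKS2", "LUKS1 <cipher> <mode> <hash>" or "LUKS (unknown version)".
luks_header() {
    magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4c554b53babe0001) echo "LUKS1 $(field "$1" 8) $(field "$1" 40) $(field "$1" 72)" ;;
        4c554b53babe0002) echo "LUKS2" ;;
        4c554b53babe*)    echo "LUKS (unknown version)" ;;
        *)                echo "none" ;;
    esac
}

# Constructed sample: the first 104 bytes of a LUKS1 header for
# aes-xts-plain64 with sha256, laid out as the LUKS1 format specifies.
make_luks1_sample() {
    f=$(mktemp)
    {
        printf 'LUKS\272\276'; head -c 1 /dev/zero; printf '\001'   # magic, version 1
        printf 'aes';         head -c 29 /dev/zero   # cipher-name, offset 8
        printf 'xts-plain64'; head -c 21 /dev/zero   # cipher-mode, offset 40
        printf 'sha256';      head -c 26 /dev/zero   # hash-spec,   offset 72
    } > "$f"
    echo "$f"
}

sample=$(make_luks1_sample)
echo "$sample: $(luks_header "$sample")"   # LUKS1 aes xts-plain64 sha256
rm -f "$sample"
```

A zero-filled or randomly wiped partition yields "none" from the same check, which is the only case where nothing about the partition's use is revealed.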

On Wed, 26 Jan 2011 10:56:51 +0100, Thomas Köhler wrote:
. . . Linux disk encryption in 4 commands . . .
Thanks a lot Thomas for your detailed explanation. You really answered all what I wanted to know.
No further questions. Thanks

On Wed, 26 Jan 2011 10:56:51 +0100, Thomas Köhler wrote:
- Since I need to encrypt more than one selected partition, is there
any alternative to typing in a passphrase for each one of them when mounting them?
You can set up /etc/crypttab to contain a key file that contains the passphrase. But then you should . . .
I skimmed through the man page, but didn't notice how to specify the key file to grml-crypt. Would that be added soon? Is there any easy workaround?
Thanks

* T o n g wrote [25.01.11 18:02]: Hi,
Question about disk encryption
There is also a thread on reddit about a similar topic.
http://www.reddit.com/r/linux/comments/f9mtk/recommended_full_disk_encryptio...
BTW, I just need a mini how-to about disk encryption, it does not need to be in-depth or comprehensive but rather short and to the point, to allow anyone with a minimum of linux disk encryption knowledge to create encrypted memory sticks, USB disks, or partitions in minutes.
initial setup:
--------------
cryptsetup luksFormat $DEVICE
cryptsetup luksOpen $DEVICE $NAME
mkfs.$WHATEVER /dev/mapper/$NAME
mount /dev/mapper/$NAME /mnt/

closing:
--------
umount /mnt
cryptsetup luksClose $NAME

open:
-----
cryptsetup luksOpen $DEVICE $NAME
mount /dev/mapper/$NAME /mnt
done :)
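Tong's follow-up about key files is not answered in the thread; as an added example (not from the thread and not a grml-crypt feature), this extends the plain cryptsetup workflow above so a second LUKS partition unlocks from a key file listed in /etc/crypttab. It assumes a hypothetical device /dev/sdb1 that is already LUKS-formatted, that /root sits on an encrypted filesystem (as Thomas requires), and Debian's cryptsetup/crypttab conventions including the `cryptdisks_start` helper.

```shell
#!/bin/sh
# Added example (not from the thread, not a grml-crypt feature): unlock a
# second LUKS partition from a key file via /etc/crypttab, so the
# passphrase is typed once for the root volume and never for this one.
# Assumptions: DEVICE is already LUKS-formatted, /root is on an encrypted
# filesystem, and the system uses Debian's cryptsetup/crypttab conventions.
set -eu

KEYFILE=/root/keys/data.key   # must itself live on an encrypted filesystem
DEVICE=/dev/sdb1              # hypothetical second LUKS partition
NAME=data                     # unlocked volume appears as /dev/mapper/data

# crypttab line: <name> <source device> <key file> <options>
crypttab_line() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# The key file is acceptable only if nobody but its owner can read it
# (mode 400 or 600); anything wider hands the volume to every local user.
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1")
    [ "$mode" = 400 ] || [ "$mode" = 600 ]
}

# Generate the key, add it as an extra LUKS key slot (the passphrase slot
# stays, so the volume still opens by hand), and register it in crypttab.
# Touches real devices, so it runs only as root and only with --apply.
setup_keyfile() {
    mkdir -p "$(dirname "$KEYFILE")"
    ( umask 077; head -c 4096 /dev/urandom > "$KEYFILE" )   # 4 KiB random key
    chmod 400 "$KEYFILE"
    keyfile_mode_ok "$KEYFILE" || { echo "key file too permissive" >&2; return 1; }
    cryptsetup luksAddKey "$DEVICE" "$KEYFILE"   # prompts once for an existing passphrase
    crypttab_line "$NAME" "$DEVICE" "$KEYFILE" >> /etc/crypttab
    # Debian's boot-time unlock, run now to confirm the entry works:
    cryptdisks_start "$NAME" && [ -b "/dev/mapper/$NAME" ]
}

if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "--apply" ]; then
    setup_keyfile
fi
```

Adding the key as a second slot rather than replacing the passphrase keeps a manual `cryptsetup luksOpen` working if the key file is ever lost.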

On Thu, 27 Jan 2011 14:16:25 +0100, Ulrich Dangel wrote:
initial setup . . . done :)
Thanks for the informative link and the mini how-to, just the kind of detail info that I was looking for.
Perfect. Thanks