info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Encrypting Filesystems
0 views
Skip to first unread message
Tom Haddon
Feb 20, 2006, 9:45:20 AM2/20/06
to
Hi Folks,
I'm in the process of writing an article on how to set up encrypted
filesystems on Linux and wanted to check in with this list to see if I'm
missing anything major. I'm planning to focus on EncFS and TrueCrypt in
particular because they approach it from two different angles. I know
using the loop device mechanism to encrypt block devices is another
option, but are there any other major approaches that I'm missing?
Thanks, Tom
Tom Haddon
mailto:mtha...@yahoo.com
Patch griefs with proverbs.
-- William Shakespeare, "Much Ado About Nothing"
-----------------
Random quotes courtesy of fortune.
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
Alon Bar-Lev
Feb 20, 2006, 10:39:08 AM2/20/06
to
Hello,
Can you please have a look at:
http://wiki.suspend2.net/EncryptedSwapAndRoot
And tell me what you think.
Best Regards,
Alon Bar-Lev.
Master of Reality
Feb 20, 2006, 3:34:46 PM2/20/06
to
I believe using the loopback device is deprecated... the new kernel uses
device mapper to encrypt the filesystem.
--
View this message in context: http://www.nabble.com/Encrypting-Filesystems-t1155912.html#a3038074
Sent from the Linux Crypto forum at Nabble.com.
Phil H
Feb 21, 2006, 6:17:39 AM2/21/06
to
Yes, IMHO you are missing something very important, and so do a lot of other linux journalists unfortunately.
I'm not an expert, so a flame war with me will useless and not responded to (*note*), however this is what I think I've gleaned in all my googling:
Loop-aes is still regarded as by far the best civilian partition encryption scheme available for linux. Developmentally and in terms of bug fixes is is way ahead of dmcrypt.
Loop-aes developer Jari Rassu has been at pains to point this out - I strongly suggest you search this list for his comments on dmcrypt and truecrypt. Truecrypt, which is also device-mapper based, only very recently attempted to fix a major security hole which Jari had been warning people about for some time.
The rise of dmcrypt is perhaps largely because Fedora has decided it's the thing to go with. Why? Perhaps because it's seen to be "easier to use ", because the loop-aes readme insists that a kernel recompile is necessary => "no newbies please". However the debian packages for loop-aes do not require a kernel recompile unless you want to encrypt the root filesystem. (But I overreach my level of expertise. The person to talk to here might be Max, the maintainer of the debian loop-aes packages. He is a regular on this list). If you look at some of the "serious" security-oriented livecds ie knoppix-STD and INSERT, you'll see they ship with recent versions of loop-aes - not dmcrypt.
I don't want to disparage any efforts in this direction and I really hope dmcrypt and truecrypt continue to improve, but if you look at the dmcrypt wiki the project doesn't inspire confidence in me. I mean, loop-aes has a venerable history. Also, truecrypt cannot yet make containers under linux - it can only mount them.
Recently I was horrified when I read an article on root filesystem en cryption on laptops in Linux Journal by an "expert" who, being a Fedora user, went with dmcrypt. The horrifying thing was this: his instructions used a *PLAIN TEXT single aes256 keyfile* - NOT EVEN a gpg-encrypted, multiline keychain. So your usb stick contains the key in plain text. An attacker gets hold of your usb stick, and game over. Yet it is a simple matter to use a gpg-encrypted key with dmcrypt - I've done it just to prove this.
I don't see how cryptLUKS or whatever it's called is any easier to use than loop-aes, once loop-aes is set up. In fact I find it confusing to use.
Just why has what is often regarded as an inferior encryption scheme been pushed? That in itself would make an interesting article.
Yahoo! Mail
Use Photomail to share photos without annoying attachments.
I'm not an expert, so a flame war with me will useless and not responded to (*note*), however this is what I think I've gleaned in all my googling:
Loop-aes is still regarded as by far the best civilian partition encryption scheme available for linux. Developmentally and in terms of bug fixes is is way ahead of dmcrypt.
Loop-aes developer Jari Rassu has been at pains to point this out - I strongly suggest you search this list for his comments on dmcrypt and truecrypt. Truecrypt, which is also device-mapper based, only very recently attempted to fix a major security hole which Jari had been warning people about for some time.
The rise of dmcrypt is perhaps largely because Fedora has decided it's the thing to go with. Why? Perhaps because it's seen to be "easier to use ", because the loop-aes readme insists that a kernel recompile is necessary => "no newbies please". However the debian packages for loop-aes do not require a kernel recompile unless you want to encrypt the root filesystem. (But I overreach my level of expertise. The person to talk to here might be Max, the maintainer of the debian loop-aes packages. He is a regular on this list). If you look at some of the "serious" security-oriented livecds ie knoppix-STD and INSERT, you'll see they ship with recent versions of loop-aes - not dmcrypt.
I don't want to disparage any efforts in this direction and I really hope dmcrypt and truecrypt continue to improve, but if you look at the dmcrypt wiki the project doesn't inspire confidence in me. I mean, loop-aes has a venerable history. Also, truecrypt cannot yet make containers under linux - it can only mount them.
Recently I was horrified when I read an article on root filesystem en cryption on laptops in Linux Journal by an "expert" who, being a Fedora user, went with dmcrypt. The horrifying thing was this: his instructions used a *PLAIN TEXT single aes256 keyfile* - NOT EVEN a gpg-encrypted, multiline keychain. So your usb stick contains the key in plain text. An attacker gets hold of your usb stick, and game over. Yet it is a simple matter to use a gpg-encrypted key with dmcrypt - I've done it just to prove this.
I don't see how cryptLUKS or whatever it's called is any easier to use than loop-aes, once loop-aes is set up. In fact I find it confusing to use.
Just why has what is often regarded as an inferior encryption scheme been pushed? That in itself would make an interesting article.
Yahoo! Mail
Use Photomail to share photos without annoying attachments.
Phil H
Feb 21, 2006, 6:41:00 AM2/21/06
to
Sorry to reply to my own post. Here is a reader comment from the dmcrypt wiki - not sure to what extent these have been addressed:
[QUOTE]
I'm looking over this dmcrypt stuff but it looks like it still has the old bug of using the sector number as the IV for CBC mode encryption. The security weakness is well known. The maintainers apparently decided to keep the bug in place to help interoperability with legacy cryptoloop instances. But I think at minimum, IV generation for new installations should be done differently. There is no reason to postpone adding a new mode that generates IV's by encrypting the sector number or something like that. Keep the current method available as a backwards compatibility option, but make the default do things securely.
Also, there's also the issue that the passphrase directly generates the bulk encryption key. That means if you want to change passphrases, you have to decrypt and re-encrypt the entire partition. That's painful. It's better to generate a random bulk encryption key, and use the passphrase to encrypt the bulk key on the disk (the first sector could be used for such metadata).
Finally, I think some work should be done on encrypting root partitions WITHOUT needing to boot from an external USB device. Basically just the master boot record (and maybe a little bit of GRUB) would be in cleartext. It would prompt for a passphrase and decrypt the remaining sectors needed to boot the machine.
[/QUOTE]
[QUOTE]
I'm looking over this dmcrypt stuff but it looks like it still has the old bug of using the sector number as the IV for CBC mode encryption. The security weakness is well known. The maintainers apparently decided to keep the bug in place to help interoperability with legacy cryptoloop instances. But I think at minimum, IV generation for new installations should be done differently. There is no reason to postpone adding a new mode that generates IV's by encrypting the sector number or something like that. Keep the current method available as a backwards compatibility option, but make the default do things securely.
Also, there's also the issue that the passphrase directly generates the bulk encryption key. That means if you want to change passphrases, you have to decrypt and re-encrypt the entire partition. That's painful. It's better to generate a random bulk encryption key, and use the passphrase to encrypt the bulk key on the disk (the first sector could be used for such metadata).
Finally, I think some work should be done on encrypting root partitions WITHOUT needing to boot from an external USB device. Basically just the master boot record (and maybe a little bit of GRUB) would be in cleartext. It would prompt for a passphrase and decrypt the remaining sectors needed to boot the machine.
[/QUOTE]
Tom Haddon
Feb 21, 2006, 7:24:15 AM2/21/06
to
Thanks for everyone's feedback. I'll be taking a closer look at loop-aes
and determining how to incorporate that into my article. I'll let you
all know when the article is ready for publication, and if anyone is
interested in proofreading it for corrections I'm open to that at that
stage.
and determining how to incorporate that into my article. I'll let you
all know when the article is ready for publication, and if anyone is
interested in proofreading it for corrections I'm open to that at that
stage.
Thanks, Tom
> ______________________________________________________________________
> Yahoo! Mail
> Use Photomail to share photos without annoying attachments.
Tom Haddon
mailto:mtha...@yahoo.com
Noise proves nothing. Often a hen who has merely laid an egg cackles
as if she laid an asteroid.
-- Mark Twain
-----------------
Random quotes courtesy of fortune.
0 new messages