Encrypted partitions - file systems
Baho Utot
Posted: Tue Oct 28, 2008 4:23 am    Post subject: Encrypted partitions - file systems

I am currently looking into encrypting the root and /home filesystems on my
Arch linux install.

I am going to use dm_crypt and LUKS.

The information that I have been able to find states that I should use only
a non-journaled file system.

Has anyone here used ext3 or JFS with encryption on the root file system?

Or should I use ext2 only?

David W. Hodgins
Posted: Tue Oct 28, 2008 6:58 pm    Post subject: Re: Encrypted partitions - file systems

On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot <baho-utot@invalid.invalid> wrote:

Quote:
I am currently looking into encrypting the root and /home filesystems on my
Arch linux install.
I am going to use dm_crypt and LUKS.
The information that I have been able to find states that I should use only
a non-journaled file system.
Has anyone here used ext3 or JFS with encryption on the root file system?
Or should I use ext2 only?

I'm using the xfs filesystem on a luks encrypted lvm logical volume, however
I haven't encrypted the root filesystem.

Encrypting the root filesystem will require using an initrd, or compiling all
of the needed modules into the kernel, and the distro must include support
for getting the passphrase/key, to mount the encrypted volume(s), during boot.
Note that /boot must be on a separate filesystem, that is not encrypted, so
that lilo/grub can read the kernel, and initrd.

I haven't used Arch (I'm using Mandriva), but take a look at ...
http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt

For creating the filesystem, I used ...
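# LUKS container on an LVM logical volume; luksFormat destroys existing data on it
BaseDevice=/dev/mapper/90-data
MapperName=luks90
MountPoint=/var/mnt/90data   # where the volume is mounted later (not used below)
fsType=xfs
Label="-L 90-data"           # left unquoted below so it splits into option and value
# a 512-bit XTS key is two 256-bit AES keys
/sbin/cryptsetup --cipher aes-xts-benbi --key-size 512 luksFormat "$BaseDevice"
/sbin/cryptsetup luksOpen "$BaseDevice" "$MapperName"
/sbin/mkfs.$fsType $Label "/dev/mapper/$MapperName"
/sbin/cryptsetup luksClose "$MapperName"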

The base device can be a regular partition, rather than a logical volume.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Douglas Mayne
Posted: Tue Oct 28, 2008 7:15 pm    Post subject: Re: Encrypted partitions - file systems

On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot wrote:

Quote:
I am currently looking into encrypting the root and /home filesystems on my
Arch linux install.

I am going to use dm_crypt and LUKS.

The information that I have been able to find states that I should use only
a non-journaled file system.

Has anyone here used ext3 or JFS with encryption on the root file system?

Or should I use ext2 only?

I have used xfs with dm_crypt on Slackware. I have used encrypted root,
swap, and other partitions. I haven't noticed any problems with any of
them, YMMV.

The only trick is setting up to use an encrypted root filesystem from
boot. Shutdown is handled via the standard rc.6 script, which works fine-
at least for Slackware 12.0+

--
Douglas Mayne

Baho Utot
Posted: Wed Oct 29, 2008 3:46 am    Post subject: Re: Encrypted partitions - file systems

David W. Hodgins wrote:

Quote:
On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot <baho-utot@invalid.invalid>
wrote:

I am currently looking into encrypting the root and /home filesystems on
my Arch linux install.
I am going to use dm_crypt and LUKS.
The information that I have been able to find states that I should use
only a non-journaled file system.
Has anyone here used ext3 or JFS with encryption on the root file system?
Or should I use ext2 only?

I'm using the xfs filesystem on a luks encrypted lvm logical volume,
however I haven't encrypted the root filesystem.

Encrypting the root filesystem will require using an initrd, or compiling
all of the needed modules into the kernel, and the distro must include
support for getting the passphrase/key, to mount the encrypted volume(s),
during boot. Note that /boot must be on a separate filesystem, that is not
encrypted, so that lilo/grub can read the kernel, and initrd.

I haven't used Arch (I'm using Mandriva), but take a look at ...

http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt

For creating the filesystem, I used ...
BaseDevice=/dev/mapper/90-data
MapperName=luks90
MountPoint=/var/mnt/90data
fsType=xfs
Label="-L 90-data"
/sbin/cryptsetup --cipher aes-xts-benbi --key-size 512 luksFormat $BaseDevice
/sbin/cryptsetup luksOpen $BaseDevice $MapperName
/sbin/mkfs.$fsType $Label /dev/mapper/$MapperName
/sbin/cryptsetup luksClose $MapperName

The base device can be a regular partition, rather than a logical volume.

Regards, Dave Hodgins


Ok thanks, I am going to use jfs then for the file system and see if I
have breakage.

Baho Utot
Posted: Wed Oct 29, 2008 3:52 am    Post subject: Re: Encrypted partitions - file systems

Douglas Mayne wrote:

Quote:
On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot wrote:

I am currently looking into encrypting the root and /home filesystems on
my Arch linux install.

I am going to use dm_crypt and LUKS.

The information that I have been able to find states that I should use
only a non-journaled file system.

Has anyone here used ext3 or JFS with encryption on the root file system?

Or should I use ext2 only?

I have used xfs with dm_crypt on Slackware. I have used encrypted root,
swap, and other partitions. I haven't noticed any problems with any of
them, YMMV.

The only trick is setting up to use an encrypted root filesystem from
boot. Shutdown is handled via the standard rc.6 script, which works fine-
at least for Slackware 12.0+



Thanks, I am going to try and set this up this weekend.

I will be traveling to the US this Dec. and want to secure my notebook.
Just in case I happen to misplace it or it gets stolen on the way.

( Not that I have anything to hide other than Arch linux and all the
software packages on the notebook, I just don't like someone looking
through my stuff just because they can. :) )

Mark Hobley
Posted: Wed Oct 29, 2008 5:13 am    Post subject: Re: Encrypted partitions - file systems

Baho Utot <baho-utot@invalid.invalid> wrote:

Quote:
Not that I have anything to hide other than Arch linux and all the
software packages on the notebook, I just don't like someone looking
through my stuff just because they can.

You could probably get away with just encrypting your /home, /usr,
/var and /opt partitions, leaving the root partition unencrypted.

Mark.

--
Mark Hobley
Linux User: #370818 http://markhobley.yi.org/

Nico Kadel-Garcia
Posted: Wed Oct 29, 2008 7:38 am    Post subject: Re: Encrypted partitions - file systems

Mark Hobley wrote:
Quote:
Baho Utot <baho-utot@invalid.invalid> wrote:

Not that I have anything to hide other than Arch linux and all the
software packages on the notebook, I just don't like someone looking
through my stuff just because they can.

You could probably get away with just encrypting your /home, /usr,
/var and /opt partitions, leaving the root partition unencrypted.

Mark.


Your / partition has /etc. That includes system configurations and especially
password information.

Douglas Mayne
Posted: Wed Oct 29, 2008 7:16 pm    Post subject: Re: Encrypted partitions - file systems

On Tue, 28 Oct 2008 18:52:53 -0400, Baho Utot wrote:

Quote:
Douglas Mayne wrote:

On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot wrote:

I am currently looking into encrypting the root and /home filesystems on
my Arch linux install.

I am going to use dm_crypt and LUKS.

The information that I have been able to find states that I should use
only a non-journaled file system.

Has anyone here used ext3 or JFS with encryption on the root file system?

Or should I use ext2 only?

I have used xfs with dm_crypt on Slackware. I have used encrypted root,
swap, and other partitions. I haven't noticed any problems with any of
them, YMMV.

The only trick is setting up to use an encrypted root filesystem from
boot. Shutdown is handled via the standard rc.6 script, which works fine-
at least for Slackware 12.0+



Thanks, I am going to try and set this up this weekend.

I will be traveling to the US this Dec. and want to secure my notebook.
Just in case I happen to misplace it or it gets stolen on the way.

( Not that I have anything to hide other than Arch linux and all the
software packages on the notebook, I just don't like someone looking
through my stuff just because they can. :) )

The news is full of cases of data breaches from lost laptops,
non-encrypted backups, etc. Millions of people have been affected by
someone else losing their data. This has been a driving force for many
businesses to require that their mobile equipment be encrypted. The US
government has similar mandates for their systems, but IIRC their
execution has been lagging- a lot of their laptops are still not
encrypted. Using encryption makes good business sense whenever data loss
would trigger mandatory reporting and other penalties
defined by law (HIPAA, and newer laws designed to protect "PII,"
Personally Identifiable Information). It is better to lock the horse in
the barn now, rather than deal with him after he's already out.

I have a project for encrypting the root filesystem, but I haven't updated
in a while:
http://www.xmission.com/~ddmayne2/erf-dm/

One feature which is missing from the project is the potential for "key
recovery." I hacked that into the version that I use now. The startup
is similar, except that there is more than one authorized user
(username, gpg passphrase). Each user is able to decrypt a message
which contains the key and other dm_crypt (cryptsetup) parameters for the
disk partitions. This step is handled by a small startup environment in
the initrd. It's definitely a good idea because users forget their
passphrase, leave the company, etc. They are much more likely to be able
to remember their gpg passphrase, rather than a single "shared secret."
This allows the key to have complexity beyond a common phrase, etc. A nice
thing about gpg messages is that they may have multiple recipients. That
fact accommodates the multiple user requirement very easily.

The documentation for the project explains that a "two factor" mode is
possible. For example, you can set up to boot from an optical disc or from
a USB key. The boot media contains the startup environment which will
prompt for the user's credentials (simple passphrase, or gpg passphrase to
decrypt message).

--
Douglas Mayne

Baho Utot
Posted: Thu Oct 30, 2008 2:12 am    Post subject: Re: Encrypted partitions - file systems

Douglas Mayne wrote:

Quote:
On Tue, 28 Oct 2008 18:52:53 -0400, Baho Utot wrote:

Douglas Mayne wrote:

On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot wrote:

I am currently looking into encrypting the root and /home filesystems
on my Arch linux install.

I am going to use dm_crypt and LUKS.

The information that I have been able to find states that I should use
only a non-journaled file system.

Has anyone here used ext3 or JFS with encryption on the root file
system?

Or should I use ext2 only?

I have used xfs with dm_crypt on Slackware. I have used encrypted root,
swap, and other partitions. I haven't noticed any problems with any of
them, YMMV.

The only trick is setting up to use an encrypted root filesystem from
boot. Shutdown is handled via the standard rc.6 script, which works
fine- at least for Slackware 12.0+



Thanks, I am going to try and set this up this weekend.

I will be traveling to the US this Dec. and want to secure my notebook.
Just in case I happen to misplace it or it gets stolen on the way.

( Not that I have anything to hide other than Arch linux and all the
software packages on the notebook, I just don't like someone looking
through my stuff just because they can. :) )

The news is full of cases of data breaches from lost laptops,
non-encrypted backups, etc. Millions of people have been affected by
someone else losing their data. This has been a driving force for many
businesses to require that their mobile equipment be encrypted. The US
government has similar mandates for their systems, but IIRC their
execution has been lagging- a lot of their laptops are still not
encrypted. Using encryption makes good business sense whenever data loss
would trigger mandatory reporting and other penalties
defined by law (HIPAA, and newer laws designed to protect "PII,"
Personally Identifiable Information). It is better to lock the horse in
the barn now, rather than deal with him after he's already out.

I have a project for encrypting the root filesystem, but I haven't updated
in a while:
http://www.xmission.com/~ddmayne2/erf-dm/

One feature which is missing from the project is the potential for "key
recovery." I hacked that into the version that I use now. The startup
is similar, except that there is more than one authorized user
(username, gpg passphrase). Each user is able to decrypt a message
which contains the key and other dm_crypt (cryptsetup) parameters for the
disk partitions. This step is handled by a small startup environment in
the initrd. It's definitely a good idea because users forget their
passphrase, leave the company, etc. They are much more likely to be able
to remember their gpg passphrase, rather than a single "shared secret."
This allows the key to have complexity beyond a common phrase, etc. A nice
thing about gpg messages is that they may have multiple recipients. That
fact accommodates the multiple user requirement very easily.

The documentation for the project explains that a "two factor" mode is
possible. For example, you can set up to boot from an optical disc or from
a USB key. The boot media contains the startup environment which will
prompt for the user's credentials (simple passphrase, or gpg passphrase to
decrypt message).


Thanks, I'll have a look at it.

Baho Utot
Posted: Thu Oct 30, 2008 2:14 am    Post subject: Re: Encrypted partitions - file systems

Mark Hobley wrote:

Quote:
Baho Utot <baho-utot@invalid.invalid> wrote:

Not that I have anything to hide other than Arch linux and all the
software packages on the notebook, I just don't like someone looking
through my stuff just because they can.

You could probably get away with just encrypting your /home, /usr,
/var and /opt partitions, leaving the root partition unencrypted.

Mark.


What, and miss /tmp..... No, it's going to be all or nothing

Erik Hahn
Posted: Thu Oct 30, 2008 2:36 am    Post subject: Re: Encrypted partitions - file systems

On 2008-10-29, Baho Utot <baho-utot@invalid.invalid> wrote:
Quote:
Mark Hobley wrote:

Baho Utot <baho-utot@invalid.invalid> wrote:

Not that I have anything to hide other than Arch linux and all the
software packages on the notebook, I just don't like someone looking
through my stuff just because they can.

You could probably get away with just encrypting your /home, /usr,
/var and /opt partitions, leaving the root partition unencrypted.

Mark.


What, and miss /tmp..... No, it's going to be all or nothing

Mount /tmp as a tmpfs unless you use programs that put lots of stuff
there.

--
hackerkey://v4sw5hw2ln3pr5ck0ma2u7LwXm4l7Gi2e2t4b7Ken4/7a16s0r1p-5.62/-6.56g5OR
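
Added example, not part of any poster's message: a check to run after setup that reports which mounted filesystems and swap areas are not backed by a dm-crypt mapping, which is the question the partial-versus-full encryption replies above turn on. It parses the JSON form of `lsblk` output; the device names and layout in the sample are constructed for illustration.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output for a
# hypothetical notebook: /boot plain, root and /home inside LUKS, swap plain.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "ext2", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"},
    {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "fstype": "jfs", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "fstype": "jfs", "mountpoint": "/home"}
      ]}
    ]}
  ]}
]}
"""

# /boot has to stay readable by the boot loader, so it is expected plaintext.
EXPECTED_PLAINTEXT = {"/boot"}


def classify_mounts(lsblk_json):
    """Return {mountpoint: True if some ancestor device is a dm-crypt mapping}."""
    result = {}

    def walk(node, under_crypt):
        # Everything stacked on a "crypt" device (LVM, filesystems) is encrypted.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result


def plaintext_findings(lsblk_json, expected=EXPECTED_PLAINTEXT):
    """List mounted block devices (swap included) that are not under dm-crypt."""
    mounts = classify_mounts(lsblk_json)
    return sorted(m for m, encrypted in mounts.items()
                  if not encrypted and m not in expected)


if __name__ == "__main__":
    for mountpoint in plaintext_findings(SAMPLE_LSBLK):
        print("NOT ENCRYPTED:", mountpoint)
```

A tmpfs /tmp does not appear in this report because it has no block device, but its pages can be written to swap, so a plaintext `[SWAP]` finding matters for /tmp as well.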

jayjwa
Posted: Fri Nov 07, 2008 8:31 am    Post subject: Re: Encrypted partitions - file systems

Baho Utot <baho-utot@invalid.invalid> writes:

Quote:
I am currently looking into encrypting the root and /home filesystems on my
Arch linux install.

I am going to use dm_crypt and LUKS.

The information that I have been able to find states that I should use only
a non-journaled file system.

Has anyone here used ext3 or JFS with encryption on the root file system?

Or should I use ext2 only?


No journaling. That's the way I was taught. Journaling aids in data
recovery - such as someone running forensics on your disk. Of course, if
you don't care about that, then I guess journaling is OK.

--
Freedom? [** America, The Police State **] Rights?
http://www.hermes-press.com/police_state.htm
http://www.theregister.co.uk/2008/10/08/teen_charged_for_cell_phone_pics/