
#26 2009-02-21 07:47:03

Zibi1981
Member
From: Poland
Registered: 2008-01-31
Posts: 644

Re: Hard Drive Encryption?

Great comment lol

Which tool for encrypting a single folder meant for sensitive data (i.e. /home/secret) you guys find best suited and least problematic? I've heard a lot of TrueCrypt, but it seemed complicated to me. What do you think?


"... being a Linux user is sort of like living in a house inhabited by a large family of carpenters and architects. Every morning when you wake up, the house is a little different. Maybe there is a new turret, or some walls have moved. Or perhaps someone has temporarily removed the floor under your bed."

MSI Raider GE78HX 13VI-032PL

Offline

#27 2009-02-21 11:20:25

zyghom
Member
From: Poland/currently Africa
Registered: 2006-05-11
Posts: 432
Website

Re: Hard Drive Encryption?

sad but true ;-)
but as some of you already mentioned: it is rather about losing laptop and then being abused by somebody who can read your data
I prefer to lose my hdd knowing that nobody reads my mails or whatever afterwards


Zygfryd Homonto

Offline

#28 2009-02-21 11:35:39

rebugger
Member
From: Germany
Registered: 2007-10-28
Posts: 229

Re: Hard Drive Encryption?

Offline

#29 2009-02-21 14:44:45

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834
Website

Re: Hard Drive Encryption?

If anyone missed the article in last edition of Phrack on plausible deniability it's a good time to catch up on elettra, 2c2... http://phrack.org/issues.html?issue=65&id=6#article


You need to install an RTFM interface.

Offline

#30 2009-02-26 04:08:08

Ranguvar
Member
Registered: 2008-08-12
Posts: 2,549

Re: Hard Drive Encryption?

Yeah, you have to keep in mind who you're trying to lock out. If it's some random Joe who might steal your laptop, basic encryption might be good (note that we're assuming they have the technical knowledge to read the (presumably using a non-Windows-compatible filesystem) partition...).

If it's potentially against people who would use the human-brute-force method, forget it.

If it's against the law, and you live in an at least reasonably fair country, look up the laws on whether they can force you to reveal your key (I know they can jail you for a couple years (max) in the UK for not doing so, and there was a recent US court decision that said they couldn't, but I would bet you a thousand bucks this will eventually be overturned, for better or for worse, because everyone will start encrypting eventually if they can't get the key). If they can't _for sure_ (again, I bet they will be able to soon), use simple encryption. If they can, look into plausible deniability. I like TrueCrypt, while it is inflexible, because of the hidden partition ability. Remember that TrueCrypt file containers can be fairly easily detected using (non-conclusive) logic, there are certain properties they have. I would encrypt an entire block device, not a file container.

Also remember to encrypt /var/tmp, /tmp, and swap! :)

Offline

#31 2009-03-19 12:44:49

raf_kig
Member
Registered: 2008-11-28
Posts: 143

Re: Hard Drive Encryption?

Ranguvar wrote:
raf_kig wrote:

I do encrypt /home on my laptop and make sure no traces are left behind on /var, /tmp etc.

As in you check them to make sure nothing's there?

No.
I make sure that no relevant data gets written to unencrypted storage in the first place.

Offline

#32 2009-03-19 21:51:26

SiC
Member
From: Liverpool, England
Registered: 2008-01-10
Posts: 430

Re: Hard Drive Encryption?

I use EncFS on my laptop, works quite well and is simple to use.

Offline

#33 2009-03-20 11:18:16

jordi
Member
Registered: 2006-12-16
Posts: 103
Website

Re: Hard Drive Encryption?

dm-crypt on root and /home

To just encrypt sensitive data would be too troublesome for me. So I just end up encrypting everything.

Offline

#34 2009-03-20 16:22:48

andre.ramaciotti
Member
From: Brazil
Registered: 2007-04-06
Posts: 649

Re: Hard Drive Encryption?

I've been using luks, and I find it really fast, but I haven't tested any other method to be fair.

(edit: my root, home and swap partitions are encrypted)

Last edited by andre.ramaciotti (2009-03-20 16:23:20)


(lambda ())

Offline

#35 2009-03-21 23:54:06

Mirage
Member
Registered: 2009-03-19
Posts: 19

Re: Hard Drive Encryption?

I use truecrypt (ranging in sizes of 2-4 GB containers hidden in places across my drive)

Offline

#36 2009-03-22 00:21:45

Ranguvar
Member
Registered: 2008-08-12
Posts: 2,549

Re: Hard Drive Encryption?

Again, Mirage, it's very possible to detect whether files are TrueCrypt containers, just so you know. A hidden partition is much harder to find.

http://en.wikipedia.org/wiki/TrueCrypt# … eniability
http://16systems.com/TCHunt/index.php

Offline

#37 2009-03-22 04:57:22

Mirage
Member
Registered: 2009-03-19
Posts: 19

Re: Hard Drive Encryption?

Ranguvar wrote:

Again, Mirage, it's very possible to detect whether files are TrueCrypt containers, just so you know. A hidden partition is much harder to find.

http://en.wikipedia.org/wiki/TrueCrypt# … eniability
http://16systems.com/TCHunt/index.php

Just because they know it's one, doesn't mean they're getting into it.

:D

Offline

#38 2009-03-22 05:09:59

Ranguvar
Member
Registered: 2008-08-12
Posts: 2,549

Re: Hard Drive Encryption?

Mirage wrote:
Ranguvar wrote:

Again, Mirage, it's very possible to detect whether files are TrueCrypt containers, just so you know. A hidden partition is much harder to find.

http://en.wikipedia.org/wiki/TrueCrypt# … eniability
http://16systems.com/TCHunt/index.php

Just because they know it's one, doesn't mean they're getting into it.

:D

But what's the point in using containers scattered across your filesystem when using a block device for encryption is much more resilient and flexible in multiple ways, if they can tell a container is a container? Except for avoiding partitioning, but then eCryptFS works very well ;)
If you go through the TrueCrypt docs (definitely do), there's a lot of problems with file containers. They can't handle journaled filesystems, etc.

Containers may work well for you, though, just make sure you know the risks, etc. :D

Offline

#39 2009-03-24 16:44:40

soleblaze
Member
Registered: 2009-01-14
Posts: 12

Re: Hard Drive Encryption?

Not counting the file leaked in /tmp, /var/tmp, swap space, etc argument, I feel there's only one real reason why you would use full disk encryption vs /home encryption (using pam to mount it on login).  If you aren't leaking temporary files to unencrypted partitions, then the only real benefit full disk encryption gives is protection against someone modifying binaries/scripts on your laptop.  It ends up being what you think the risk is for someone to want your data bad enough to gain access to your laptop and change files on it.

Now, if you feel someone will go to the lengths of modifying content to gain your encrypted password, then your /boot partition would also be at risk.  Someone can create a keylogging kernel module, or just edit the script that asks you for the password and cause it to save it somewhere.  The best way to combat this is to keep your boot partition on a usb key that never leaves your sight.  You would also want to create a script that would test the files on the boot partition against their known SHA2 hash and alert you when this has changed.  Of course, the downside to using a usb /boot partition is losing the key, washing it, or it just breaking for a variety of reasons.  You can use dd to create an image of it, and then encrypt it with gpg (you should be able to pipe dd directly into gpg, so nothing unencrypted ever gets written to disk). 

If you want to be really secure, instead of a pass phrase or unencrypted keyfile, you can use a gpg encrypted keyfile.  Then if you break the usb key, no one would ever be able to decrypt it.  This of course, brings the problem of that XKCD..  Unless you feel your data's worth being tortured/killed over, it's probably not the best idea.

Oh, and either way encrypt your swap partition.  If you want to keep hibernation active, the easiest way is to create an encrypted lvm with the partitions and swap space.  That way your computer can be restored from hibernation after you put in your pass phrase/key file.  Otherwise you can set up /etc/crypttab to create a new encrypted swap space every boot.  And of course, whether you would want to risk using sleep or not is up to you (It's a good option if it's sitting on your desk/carried around in a bag with you all day... but the second it leaves your sight, there's a risk your data can be compromised)

Edit:

I forgot to talk about the performance hit.  If you're using a 2ghz dual core machine, the performance hit isn't generally noticeable.  However, on that 1.6ghz atom processor in a netbook you will notice a difference.  You'll also most likely be combating random theft due to its size.  Encrypting just your home directory, or a subdirectory like what Ubuntu does, is probably the best method if you don't feel you're going to be specifically targeted.

And with regards to US law, from what I understand right now (and IANAL) they are able to get you to provide your pass phrase, but in doing so they cannot use your knowledge of the pass phrase as proof that it is your encrypted volume.  Of course, since you're most likely protecting financial data, web browser history, email history, etc there's a very good chance there's something else on that drive that will point to you as the owner.

Last edited by soleblaze (2009-03-24 16:52:09)

Offline
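The boot-partition check described in the post above (compare the files against known SHA2 hashes and alert on any change), as an added example that is not part of any post in this thread. The function names, the choice of SHA-256 and the throwaway demo tree are assumptions; in real use the directory would be the mounted /boot.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are assumptions.
# Keep the manifest off the boot partition itself, e.g. inside the encrypted root.

# Print "hash  ./path" for every regular file under $1, sorted by path.
boot_hashes() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# boot_baseline DIR MANIFEST: record the trusted state (rerun after kernel updates).
boot_baseline() {
    boot_hashes "$1" > "$2"
}

# boot_verify DIR MANIFEST: print one line per ADDED, CHANGED or MISSING file.
# Returns 0 when the tree matches the manifest, 1 when it does not.
boot_verify() {
    cur=$(mktemp) || return 2
    boot_hashes "$1" > "$cur"
    report=$(awk '
        { hash = $1; path = substr($0, length($1) + 3) }
        FNR == NR { want[path] = hash; next }      # first file: the manifest
        { seen[path] = 1                           # second file: current state
          if (!(path in want))         print "ADDED " path
          else if (want[path] != hash) print "CHANGED " path }
        END { for (p in want) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$cur" | sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo: a throwaway tree standing in for /boot is baselined,
# then one file is modified, one added and one deleted before verifying.
boot_demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/boot/grub"
    echo "kernel image v1" > "$tmp/boot/vmlinuz"
    echo "initramfs v1"    > "$tmp/boot/initrd.img"
    echo "menu"            > "$tmp/boot/grub/menu.lst"
    boot_baseline "$tmp/boot" "$tmp/manifest"
    echo "patched prompt"  >> "$tmp/boot/initrd.img"
    echo "extra module"    > "$tmp/boot/extra.ko"
    rm "$tmp/boot/grub/menu.lst"
    rc=0; boot_verify "$tmp/boot" "$tmp/manifest" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

The check only means something if it runs from a system that was not booted from the partition under test, since a modified kernel or initramfs can report whatever it likes.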
