
#1 2008-07-05 04:48:41

aio7
Member
Registered: 2008-07-05
Posts: 8

Laptop hdd total encryption

Hi

I'm new to Linux; two days ago I was a proud Windows user.

It's a pleasure to use Arch as a desktop. I haven't experienced any troubles that weren't possible to overcome. But it looks like I finally found one ;(

I use the laptop for work. Lots of sensitive emails and office files are stored here. In the case of Windows it was simple: TrueCrypt and the whole HDD encrypted, no worries. On Linux that way isn't working.

Here's what I'm trying to accomplish:
1) Encrypt /tmp, swap, /home;
2) Protect / from physical access, like putting a software keylogger in or modifying /etc/shadow. If I can encrypt /, I can sleep tight and use my laptop with a smile :)


Any ideas, maybe solutions?
Thanks in advance


#2 2008-07-05 05:15:36

sam
Member
Registered: 2008-05-23
Posts: 82

Re: Laptop hdd total encryption

I agree this is simpler in Windows, and I frankly gave up trying in Linux. From my research you can't encrypt the whole HDD, not even in Windows. You have to leave at least /boot. If you do encrypt everything, you can't decrypt it in order to boot the OS. If you're still interested, check http://www.truecrypt.org/ and http://wiki.archlinux.org/index.php/Truecrypt.

Welcome to the community; I'm impressed if Arch is your first distro. Most users start off on Ubuntu, Fedora, SUSE, Mandrake, or PCLinuxOS before using a more involved distro like Arch.


#3 2008-07-05 06:07:56

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: Laptop hdd total encryption

Google for LUKS. It's supported by mkinitcpio and initscripts, so it shouldn't be too hard to encrypt everything except /boot. The starting point is on the Arch wiki.


#4 2008-07-05 06:41:57

aio7
Member
Registered: 2008-07-05
Posts: 8

Re: Laptop hdd total encryption

If /boot is left unencrypted, what's the chance for an attacker to plant something like a keylogger on my machine?

A possible situation is that I leave my laptop for 3-6 hours in a not-so-friendly environment.

What's the best way to act against corporate espionage? In the case of Windows I know for sure that all my data, including system files, is under a password (TrueCrypt).


Edit:
The first time was easy enough, thanks to the Beginners' Guide on the CD.

Last edited by aio7 (2008-07-05 06:46:14)


#5 2008-07-05 08:16:30

WhiteMagic
Member
Registered: 2007-03-01
Posts: 85

Re: Laptop hdd total encryption

A possible solution to the /boot problem is to have the /boot partition on a USB stick or some other bootable device which you carry with you. Your laptop then only boots into Linux when the stick is attached to the device; otherwise nothing happens, or it boots Windows or whatever.
But even then, going by this paper http://citp.princeton.edu/memory/ none of the encryption schemes is really safe if an attacker really knows what he's doing and is prepared. In short, they show how it is possible to extract the encryption key from memory if the PC was in hibernation or even shut off.

Generally, setting up LUKS on Arch is relatively easy when you follow the above wiki link.


#6 2008-07-05 14:15:56

aio7
Member
Registered: 2008-07-05
Posts: 8

Re: Laptop hdd total encryption

Thanks guys, will try this.


#7 2008-07-05 16:11:50

Berticus
Member
Registered: 2008-06-11
Posts: 731

Re: Laptop hdd total encryption

aio7 wrote:

If /boot is left unencrypted, what's the chance for an attacker to plant something like a keylogger on my machine?

Huh? That's not the purpose of encryption... Encryption is more for when someone takes your hard drive and you want to prevent them from looking at the stuff on it. I mean, sure, they need the encryption key to first write to it, but there are other ways around that; for example, I could change your BIOS and boot from a USB device if I ever wanted to compromise your desktop. Securing the BIOS is what you really want... Have it boot from a USB device and then what? Anybody who has a kernel image on their USB flash drive can boot into your system. However, secure your BIOS, make it bootable only from the hard drive, secure root, and they won't be able to do anything. I wouldn't store the encryption key anywhere, not even on a USB device.

And even if you do encrypt your hard drive, it doesn't guarantee anything. Someone could take your RAM and have the encryption key to read your hard drive. If they need to carry it a long distance, they can simply freeze the RAM, and that buys them enough time to get to a computer they need to do their stuff.

When it comes to security, the idea is to limit things. You want to limit the number of acceptable boot devices, limit who knows important keys and passwords (and don't store any of them anywhere in any way); just limit as much as you can.

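An added example, written for this page and not posted by anyone in the thread. The thread settles on LUKS for everything except /boot, and /boot (kernel, initramfs, bootloader config) is exactly what an attacker with a few hours of physical access would modify to capture the passphrase. Since it cannot be encrypted, the practical control is integrity checking: keep a SHA-256 manifest of /boot on the encrypted root (or on the USB stick that carries /boot, as suggested above) and compare it at every boot, so a swapped kernel or initramfs is at least noticed. The directory and file names below (vmlinuz26, kernel26.img, grub/menu.lst) are constructed stand-ins created in a temporary directory; the script touches no real /boot and needs no root.

```shell
#!/bin/sh
# Added example (not from the thread): detect tampering of an unencrypted /boot
# by keeping a SHA-256 manifest of its files somewhere the attacker cannot
# modify (the LUKS-encrypted root, or a USB stick you carry) and comparing
# the live tree against it on every boot.

# Build a manifest of every regular file under $1 and write it to $2.
# Paths are recorded relative to $1 so the manifest does not depend on
# where the partition happens to be mounted.
boot_manifest_create() {
    dir=$1
    manifest=$2
    (cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$manifest"
}

# Recompute the manifest for $1 and compare it against the stored one in $2.
# Returns 0 if identical, 1 if any file was modified, added or removed;
# the unified diff is printed so the operator sees exactly which file changed.
boot_manifest_verify() {
    dir=$1
    manifest=$2
    current=$(mktemp)
    (cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$current"
    if diff -u "$manifest" "$current"; then
        rm -f "$current"
        return 0
    fi
    rm -f "$current"
    return 1
}

# Self-contained demo on a constructed stand-in for /boot (no root needed).
# The file names mimic a 2008-era Arch /boot but the contents are fake.
demo() {
    boot=$(mktemp -d)
    mkdir -p "$boot/grub"
    printf 'fake kernel image\n' > "$boot/vmlinuz26"
    printf 'fake initramfs\n'    > "$boot/kernel26.img"
    printf 'root (hd0,0)\n'      > "$boot/grub/menu.lst"
    manifest=$(mktemp)

    boot_manifest_create "$boot" "$manifest"
    boot_manifest_verify "$boot" "$manifest" && echo "clean: /boot matches manifest"

    # Simulate an attacker replacing the initramfs with one that logs the passphrase.
    printf 'trojaned initramfs\n' > "$boot/kernel26.img"
    boot_manifest_verify "$boot" "$manifest" || echo "TAMPERED: /boot changed since manifest was taken"

    rm -rf "$boot" "$manifest"
}

demo
```

Run the check from the USB-carried /boot before the LUKS passphrase is typed, not from the booted system afterwards: an initramfs that has already captured the passphrase can also lie about its own hash. This detects tampering rather than preventing it, which is why the advice above about locking the BIOS boot order still applies alongside it.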
