Did I set my enryption right?

T0MAS · 2009-02-25 17:04:43

Hi,
I'm trying to setup encryption on one of my partitions. Here's what I did.

modprobe dm-crypt
modprobe aes-i586
cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda4
cryptsetup luksOpen /dev/sda4 private
mkfs.ext4 /dev/mapper/private
mount -t ext4 /dev/mapper/private /home/archie/private

Then to mount after restart I do:

cryptsetup luksOpen /dev/sda4 private
mount -t ext4 /dev/mapper/private /home/archie/private

Is my /dev/sda4 safe?

Cheers,
Tomas

Dieter@be · 2009-02-25 19:03:51

Yes that's safe (as long as you don't give your passphrase away)

Note that you don't need to manually mount/umount every time. put it in fstab and put the encrypt hook in mkinitcpio.conf (it handles the cryptsetup luksOpen part)

Ranguvar · 2009-02-25 22:22:41

Sure, if you encrypted your /var/tmp, /tmp, and swap (in order of least to most important) too Otherwise, the second your key or some files from the encrypted part that you read in are either swapped out or placed in a temp directory, *boom* they've been written unencrypted and can be recovered by a dedicated individual. If you're willing to go through the trouble of encrypting a partition, it's IMO mandatory to do those other parts too.

Remember, /var/tmp needs to be persistent (it's used for temp files that can't be deleted after a shutdown), but /tmp doesn't (an idea is to mount it as a tmpfs, basically a ramdisk that can use RAM or swap, that'd be secure as long as swap is encrypted), so another idea is to encrypt both /tmp and swap with random keys on every boot (I think the Wiki says how to do this) - that's even more secure.

For an example on how easy it would be to get something written to a temp directory, say you make an ISO from files on the encrypted partition. AFAIK every big ISO-maker stores the temporary files in /tmp (I'm pretty sure the standard CLI tool does at least).

T0MAS · 2009-02-26 09:21:29

Thanks for your responses, I'll look into encrypting swap and tmp

Regards,
Tomas

bender02 · 2009-02-26 09:33:58

Dieter@be wrote:

Yes that's safe (as long as you don't give your passphrase away)
Note that you don't need to manually mount/umount every time. put it in fstab and put the encrypt hook in mkinitcpio.conf (it handles the cryptsetup luksOpen part)

I thought that encrypt hook in mkinitcpio is when you have encrypted root (/), since that needs to be decrypted before mounting root (/). For the other encrypted partitions, you could/should? use /etc/crypttab (utilized by initscripts).

zyghom · 2009-02-26 10:36:06

Dieter@be wrote:

Note that you don't need to manually mount/umount every time. put it in fstab and put the encrypt hook in mkinitcpio.conf (it handles the cryptsetup luksOpen part)

false
mkinitcpio.conf is for initrd only so only if you have / encrypted
for /etc/fstab mouting is responsible /etc/rc.sysinit
for /etc/crypttab as well

Dieter@be · 2009-02-26 12:20:17

bender02 wrote:

Dieter@be wrote:
Yes that's safe (as long as you don't give your passphrase away)
Note that you don't need to manually mount/umount every time. put it in fstab and put the encrypt hook in mkinitcpio.conf (it handles the cryptsetup luksOpen part)
I thought that encrypt hook in mkinitcpio is when you have encrypted root (/), since that needs to be decrypted before mounting root (/). For the other encrypted partitions, you could/should? use /etc/crypttab (utilized by initscripts).

Right.
My mistake.

Arch Linux

#1 2009-02-25 17:04:43

Did I set my enryption right?

#2 2009-02-25 19:03:51

Re: Did I set my enryption right?

#3 2009-02-25 22:22:41

Re: Did I set my enryption right?

#4 2009-02-26 09:21:29

Re: Did I set my enryption right?

#5 2009-02-26 09:33:58

Re: Did I set my enryption right?

#6 2009-02-26 10:36:06

Re: Did I set my enryption right?

#7 2009-02-26 12:20:17

Re: Did I set my enryption right?

Board footer