Re: [gentoo-user] Guidance on encrypting my /home
Richard Fish wrote:
>> http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS
>
> This guide seems reasonable. I think the current live CD includes the version of cryptsetup that understands LUKS though, so it shouldn't be necessary to download that. And I prefer to randomize the disk by encrypting with a random password before I setup the actual mapping.
>
> If you want to get started on this before your new laptop arrives, I suggest starting with the initramfs and encrypting swap only. You should be able to create an initramfs that will setup the mapping and do the swapon before your root filesystem mounts. Once you have that working, and are comfortable with how the initramfs works, you can move on to your root filesystem.

I followed that guide and have now managed to boot from my encrypted root-fs, using the current genkernel, which provides LUKS-support via --luks. Doing it this way I skipped the init-script on that page completely. But this only works for /root, not for swap.

As my goal is to encrypt root and swap *and* use suspend2, I had to go slightly different paths than the mentioned howto says. There are various HOWTOs out there, but no one that exactly meets my requirements. (For example I also tried genkernel-luks 3.1.0, but AFAI can see, this is already merged into the current genkernel 3.4.0)

Would you recommend to use the initramfs from the HOWTO, or might there be another way of doing it, staying closer at the genkernel-way of doing it?

- I also didn't fully understand that note about having two swap-partitions, one for swap and one for suspend: Wouldn't the suspended image be unencrypted?

- Are there any comparisons between the speed of using aes-cbc-essiv:sha256, 128bit and aes-cbc-essiv:sha256, 256bit ?

I write this on my P4-M 1.8GHz, using this root-partition:

    /dev/mapper/root is active:
      cipher:  serpent-cbc-essiv:sha256
      keysize: 256 bits
      device:  /dev/hda6
      offset:  2056 sectors
      size:    20111261 sectors
      mode:    read/write

and the performance seems OK to me. But it could always be better ;) I will have a look through the docs to see the security-implications of using only 128bit.

Greetings, Stefan.

-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Guidance on encrypting my /home
On 8/19/06, Stefan G. Weichinger [EMAIL PROTECTED] wrote:
> Would you recommend to use the initramfs from the HOWTO, or might there be another way of doing it, staying closer at the genkernel-way of doing it?

Well genkernel also allows you to specify a custom linuxrc (--linuxrc=). This is probably the route I would take with genkernel. The default is in /usr/share/genkernel/generic/linuxrc, which you can use for inspiration. Generally that script does everything that you will want to do, just not in the order you want to do it in.

You have a few options for this setup. If you don't mind typing your password twice, you can just use cryptsetup twice in your linuxrc to decrypt swap and root. Actually, with suspend2 usage, you would probably have something like:

    cryptsetup ... crypt_swap
    if test -f /proc/suspend2/resume2; then
        devnum=`busybox stat -c 0x%.2t%.2T /dev/mapper/crypt_swap`
        echo $devnum > /proc/suspend2/resume2
    fi
    if test -f /proc/suspend2/do_resume; then
        echo > /proc/suspend2/do_resume
    fi
    # didn't resume, so continue booting
    cryptsetup ... crypt_root
    ...

An option to allow typing your password once during bootup is to suspend to a file on the root filesystem, and encrypt your swap partition randomly. I've never tried this, but I expect the resume part would be something like:

    cryptsetup ... crypt_root
    mount -o ro /dev/mapper/crypt_root /mnt/newroot
    if test -f /proc/suspend2/resume2; then
        echo /mnt/newroot/.suspend.img > /proc/suspend2/resume2
    fi
    if test -f /proc/suspend2/do_resume; then
        echo > /proc/suspend2/do_resume
    fi

Another option if you want to keep a single combined swap/suspend2 'partition' is to use LVM. In this case, you would combine your swap and root partitions, and setup a dm-crypt mapping. On the encrypted volume, you make an LVM physical volume, create a volume group on the pv, and then create logical volumes within the volume group. It sounds complex, but it really isn't too hard. The bootup sequence there looks like:

    cryptsetup ... crypt_pv
    vgchange -a y
    if test -f /proc/suspend2/resume2; then
        devnum=`busybox stat -c 0x%.2t%.2T /dev/mapper/vg0-swap`
        echo $devnum > /proc/suspend2/resume2
    fi
    if test -f /proc/suspend2/do_resume; then
        echo > /proc/suspend2/do_resume
    fi
    # didn't resume, so continue booting
    mount -o ro /dev/mapper/vg0-root /mnt/newroot
    ...

You do have to remember to update your lvm configuration to scan encrypted device-mapper volumes:

    filter = [ "a|/dev/mapper/crypt_*|", "r|/dev/mapper/*|" ]

> Are there any comparisons between the speed of using aes-cbc-essiv:sha256, 128bit and aes-cbc-essiv:sha256, 256bit ?

I don't have any comparisons, but it should be easy enough for you to create. Just setup a bare (not luks) mapping and do:

    dd if=/dev/mapper/crypt_foo of=/dev/null bs=64k count=49152

This will read 3G of 'encrypted' data from the drive. You can do this without affecting any data on the disk, as long as you do *not* luksFormat it. Remember to keep an eye on the CPU usage of this with vmstat or top as well.

> /dev/mapper/root is active:
>   cipher: serpent-cbc-essiv:sha256

Generally I've found AES to be slightly faster...

> and the performance seems OK to me. But it could always be better ;) I will have a look through the docs to see the security-implications of using only 128bit.

Just be sure to keep in mind the type of data you have and who you are trying to defend against. Researching encryption on the net is a quick way to get irrationally paranoid.

The bottom line is that everything can be broken given enough time and money. So if you work for the CIA and keep the secret identities of all spies and informants on your laptop, well, then dm-crypt is not sufficient to begin with. If you work for my investment brokerage and have all your customers' financial records on your disk, I want you to use 256-bit encryption. If it is just your bank records and personal emails, use whatever you want.

-Richard
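
The speed comparison described in the message above, as an added example that is not part of the thread: it opens a throwaway read-only plain mapping for each cipher and key size named in the discussion and times the same 3 GiB dd read. It assumes current `cryptsetup open --type plain` syntax, GNU dd and date, a spare partition of at least 3 GiB, and a hypothetical mapping name `crypt_bench`.

```shell
#!/bin/sh
# Added example (not from the thread): time reads through throwaway plain
# dm-crypt mappings to compare cipher/key-size pairs on one machine.
BS=65536         # bs=64k, as in the dd command quoted in the thread
COUNT=49152      # 49152 * 64 KiB = 3 GiB
MAP=crypt_bench  # hypothetical mapping name

# MiB/s from a byte count and elapsed seconds.
throughput_mib_s() {
    awk -v b="$1" -v s="$2" 'BEGIN { printf "%.1f", b / 1048576 / s }'
}

# Read COUNT blocks through a read-only plain mapping keyed from /dev/urandom.
# Nothing is written to the device; what comes back is noise, which is fine
# because only the decryption cost is being measured.
bench_one() {    # $1 = device (>= 3 GiB), $2 = cipher, $3 = key size in bits
    cryptsetup open --type plain --readonly --key-file /dev/urandom \
        --cipher "$2" --key-size "$3" "$1" "$MAP" || return 1
    start=$(date +%s.%N)
    # iflag=direct bypasses the page cache so every run hits the cipher again
    dd if="/dev/mapper/$MAP" of=/dev/null bs="$BS" count="$COUNT" \
        iflag=direct 2>/dev/null
    end=$(date +%s.%N)
    cryptsetup close "$MAP"
    secs=$(awk -v a="$start" -v b="$end" 'BEGIN { print b - a }')
    printf '%-28s %3s bit  %s MiB/s\n' "$2" "$3" \
        "$(throughput_mib_s $((BS * COUNT)) "$secs")"
}

# Usage (as root): sh bench.sh /dev/<spare-partition>
if [ -n "${1:-}" ]; then
    for spec in aes-cbc-essiv:sha256:128 aes-cbc-essiv:sha256:256 \
                serpent-cbc-essiv:sha256:256; do
        bench_one "$1" "${spec%:*}" "${spec##*:}"
    done
fi
```

Run vmstat or top in a second terminal while it reads, as the message suggests, to see whether the CPU or the disk is the limit.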
Re: [gentoo-user] Guidance on encrypting my /home
Richard Fish wrote:
> On 8/19/06, Stefan G. Weichinger [EMAIL PROTECTED] wrote:
>> Would you recommend to use the initramfs from the HOWTO, or might there be another way of doing it, staying closer at the genkernel-way of doing it?
>
> Well genkernel also allows you to specify a custom linuxrc (--linuxrc=). This is probably the route I would take with genkernel. The default is in /usr/share/genkernel/generic/linuxrc, which you can use for inspiration. Generally that script does everything that you will want to do, just not in the order you want to do it in.
>
> You have a few options for this setup. If you don't mind typing your
> [...]

Great infos, thank you. I will look through them in more detail as soon as I have recovered from getting my current setup done.

My main concern in this context is the question: How to maintain the encrypted partitions over time? What do I have to do/remind when I want to use a newer kernel?

The maintenance-steps should be clear, as I for sure don't want to go through all of this every time a new kernel is released. Or even worse, lose data ... (backups are done regularly, *yes*)

So this was the/one reason to ask for the genkernel-way.

>> Are there any comparisons between the speed of using aes-cbc-essiv:sha256, 128bit and aes-cbc-essiv:sha256, 256bit ?
>
> I don't have any comparisons, but it should be easy enough for you to create. Just setup a bare (not luks) mapping and do:
>
>     dd if=/dev/mapper/crypt_foo of=/dev/null bs=64k count=49152
>
> This will read 3G of 'encrypted' data from the drive. You can do this without affecting any data on the disk, as long as you do *not* luksFormat it. Remember to keep an eye on the CPU usage of this with vmstat or top as well.

Maybe I give this a try after writing this ...

>> /dev/mapper/root is active:
>>   cipher: serpent-cbc-essiv:sha256
>
> Generally I've found AES to be slightly faster...

I found this link at the end of the used HOWTO:

http://www.saout.de/tikiwiki/tiki-index.php?page=UserPageChonhulio

It also shows that AES is faster than Serpent, and additionally that, contrary to the Serpent-Algo, AES with 128 bits is faster than AES with a 256bit key.

I will think about this a bit more before I move my data into place.

>> and the performance seems OK to me. But it could always be better ;) I will have a look through the docs to see the security-implications of using only 128bit.
>
> Just be sure to keep in mind the type of data you have and who you are trying to defend against. Researching encryption on the net is a quick way to get irrationally paranoid.
>
> The bottom line is that everything can be broken given enough time and money. So if you work for the CIA and keep the secret identities of all spies and informants on your laptop, well, then dm-crypt is not sufficient to begin with. If you work for my investment brokerage and have all your customers' financial records on your disk, I want you to use 256-bit encryption. If it is just your bank records and personal emails, use whatever you want.

No CIA, no. IT-consultant, trying to keep customer-related data protected. As well as my own business-related data. Sounds like AES-256 then.

Thanks a lot for your infos, greets, Stefan
Re: [gentoo-user] Guidance on encrypting my /home
On Sun, August 13, 2006 3:22 am, John J. Foster wrote:
> [snip]
> So, before I get too settled on using this, a few questions.
>
> Do you encrypt your home directory?

/home and swap

> What apps and/or combination of apps do you use, and why?

cryptsetupLUKS

> Which ciphers do you prefer? Why?

AES and Serpent are popular choices AFAIK.

> Is it well supported?
> What apps and/or files don't play well with encryption?

DRBD. But then again it might work. I did not spend too much time trying to make them play nice together.

-- 
Eray
Re: [gentoo-user] Guidance on encrypting my /home
On 8/13/06, John J. Foster [EMAIL PROTECTED] wrote:
> Ok, this looks like a setup I'd be pleased with. Right now I have
>     /
>     /boot
>     swap
> How much of a pain will it be to implement now? Or will I be better off waiting about 6 months till I get a laptop, and then following the guide at
> http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS

This guide seems reasonable. I think the current live CD includes the version of cryptsetup that understands LUKS though, so it shouldn't be necessary to download that. And I prefer to randomize the disk by encrypting with a random password before I setup the actual mapping.

If you want to get started on this before your new laptop arrives, I suggest starting with the initramfs and encrypting swap only. You should be able to create an initramfs that will setup the mapping and do the swapon before your root filesystem mounts. Once you have that working, and are comfortable with how the initramfs works, you can move on to your root filesystem.

Cheers,
-Richard
Re: [gentoo-user] Guidance on encrypting my /home
On Monday, 14 August 2006 08:59, ext Richard Fish wrote:
> If you want to get started on this before your new laptop arrives, I suggest starting with the initramfs and encrypting swap only. You should be able to create an initramfs that will setup the mapping and do the swapon before your root filesystem mounts. Once you have that working, and are comfortable with how the initramfs works, you can move on to your root filesystem.

I can offer a script to create an initramfs for an all on LUKS-encrypted EVMS-managed logical volumes machine (all but /boot, of course).

Bye...

Dirk
-- 
Dirk Heinrichs          | Tel:  +49 (0)162 234 3408
Configuration Manager   | Fax:  +49 (0)211 47068 111
Capgemini Deutschland   | Mail: [EMAIL PROTECTED]
Hambornerstraße 55      | Web:  http://www.capgemini.com
D-40472 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: www.keyserver.net
Re: [gentoo-user] Guidance on encrypting my /home
On Sun, Aug 13, 2006 at 11:59:48PM -0700, Richard Fish wrote:
> If you want to get started on this before your new laptop arrives, I suggest starting with the initramfs and encrypting swap only. You should be able to create an initramfs that will setup the mapping and do the swapon before your root filesystem mounts. Once you have that working, and are comfortable with how the initramfs works, you can move on to your root filesystem.

Thanks Richard, that sounds like sound advice. Creating the initramfs at first glance seems difficult. But after a little more reading, maybe not too bad. By working with only swap to begin with, I _should_ be limited to minimal damage.

festus

-- 
In all the millions of years dinosaurs roamed this planet, did any of them feel the need to invent, say, nuclear weapons?
Mickeyz
Re: [gentoo-user] Guidance on encrypting my /home
On Sat, 12 Aug 2006 18:32:49 -0700, Richard Fish wrote:
>> Do you encrypt your home directory?
>
> I encrypt everything except /boot.

Is there any benefit in encrypting the likes of /usr and /opt? Unless you don't want anyone to know which software you have installed :)

>> What apps and/or combination of apps do you use, and why?
>
> dm-crypt with cryptsetup using the LUKS format.

Same here, but only for /home and my backup directory. I really should encrypt swap too.

>> Which ciphers do you prefer? Why?
>
> aes-cbc-essiv:sha256, 128bit, because it is fast.

Ditto.

-- 
Neil Bothwick

Top Oxymorons Number 10: Computer security
Re: [gentoo-user] Guidance on encrypting my /home
On 8/13/06, Neil Bothwick [EMAIL PROTECTED] wrote:
> On Sat, 12 Aug 2006 18:32:49 -0700, Richard Fish wrote:
[snip]
>>> What apps and/or combination of apps do you use, and why?
>>
>> dm-crypt with cryptsetup using the LUKS format.
>
> Same here, but only for /home and my backup directory. I really should encrypt swap too.

This thread piqued my interest; I found this:

http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS/loopback_devices

Is that how you do your home dir? Where do you put the open/close commands? Is fstab smart enough to do this natively?

-- 
Ryan W Sims

()  ascii ribbon campaign - against html mail
/\                        - against proprietary attachments
Re: [gentoo-user] Guidance on encrypting my /home
On Sun, 13 Aug 2006 13:42:50 -0400, Ryan Sims wrote:
> This thread piqued my interest; I found this:
> http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS/loopback_devices
>
> Is that how you do your home dir?

No, I use a full partition, not a loop device.

> Where do you put the open/close commands? Is fstab smart enough to do this natively?

baselayout handles this, just edit /etc/conf.d/cryptfs.

-- 
Neil Bothwick

To whom the gods destroy, they first teach Windows...
Re: [gentoo-user] Guidance on encrypting my /home
On 8/13/06, Neil Bothwick [EMAIL PROTECTED] wrote:
> On Sat, 12 Aug 2006 18:32:49 -0700, Richard Fish wrote:
> Is there any benefit in encrypting the likes of /usr and /opt? Unless you don't want anyone to know which software you have installed :)

Not really :-P

It was just easy to do since I use LVM and just encrypt the partition that all the LVM volumes live on. The hard part was that I needed a custom-built initramfs to prompt me for the decryption password at boot.

-Richard
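
One way to build the layout from the message above (a single encrypted partition holding all LVM volumes), together with the randomize-first step mentioned elsewhere in the thread; this is an added example, not a script posted by anyone in the thread. The names `crypt_pv` and `vg0` follow the boot sequence quoted in the thread; the `wipe_tmp` mapping, the 2G swap size, ext3, current `cryptsetup open` syntax and the dry-run wrapper are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). By default it only prints the commands;
# set DRY_RUN=0 and run as root to execute them. Executing destroys data on $1.
set -e
DRY_RUN=${DRY_RUN:-1}
CIPHER=aes-cbc-essiv:sha256   # cipher discussed in the thread
KEYBITS=256
MAP=crypt_pv                  # mapping name used in the boot sequence
VG=vg0                        # yields /dev/mapper/vg0-swap and vg0-root

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step 1: fill the partition with ciphertext under a throwaway random key,
# so used and unused sectors look alike once the real volume is in place.
randomize() {   # $1 = partition
    run cryptsetup open --type plain --key-file /dev/urandom \
        --cipher "$CIPHER" --key-size "$KEYBITS" "$1" wipe_tmp
    # dd ends with "No space left on device" when the partition is full;
    # that is the expected way for this step to finish.
    run dd if=/dev/zero of=/dev/mapper/wipe_tmp bs=1M || true
    run cryptsetup close wipe_tmp
}

# Step 2: LUKS container -> LVM physical volume -> volume group -> volumes.
setup_crypt_lvm() {   # $1 = partition, $2 = swap size (e.g. 2G)
    randomize "$1"
    run cryptsetup luksFormat --cipher "$CIPHER" --key-size "$KEYBITS" "$1"
    run cryptsetup open --type luks "$1" "$MAP"
    run pvcreate "/dev/mapper/$MAP"
    run vgcreate "$VG" "/dev/mapper/$MAP"
    run lvcreate -L "$2" -n swap "$VG"       # swap and suspend image
    run lvcreate -l 100%FREE -n root "$VG"   # everything else
    run mkswap "/dev/mapper/$VG-swap"
    run mkfs.ext3 "/dev/mapper/$VG-root"
}

# Usage: sh setup.sh /dev/<partition> [swap-size]
if [ -n "${1:-}" ]; then setup_crypt_lvm "$1" "${2:-2G}"; fi
```

Because swap and root sit inside the same LUKS container, one passphrase at boot unlocks both, and a suspend image written to the swap volume is encrypted with the rest.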
Re: [gentoo-user] Guidance on encrypting my /home
On Sat, Aug 12, 2006 at 06:32:49PM -0700, Richard Fish wrote:
> On 8/12/06, John J. Foster [EMAIL PROTECTED] wrote:
>> Do you encrypt your home directory?
>
> I encrypt everything except /boot.
>
>> What apps and/or combination of apps do you use, and why?
>
> dm-crypt with cryptsetup using the LUKS format.
>
>> Which ciphers do you prefer? Why?
>
> aes-cbc-essiv:sha256, 128bit, because it is fast.
>
>> Is it well supported?
>
> In the kernel, about as well supported as you can get.

Ok, this looks like a setup I'd be pleased with. Right now I have

    /
    /boot
    swap

How much of a pain will it be to implement now? Or will I be better off waiting about 6 months till I get a laptop, and then following the guide at

http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS

and in the meantime continue using cfs? Is that guide pretty accurate?

Thanks,
festus

-- 
In all the millions of years dinosaurs roamed this planet, did any of them feel the need to invent, say, nuclear weapons?
Mickeyz
[gentoo-user] Guidance on encrypting my /home
Hi,

I've been playing with encrypting my home directory using cfs and following the instructions at

http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_CFS

I guess it mostly works, although I've had cfsd die randomly a few times in a couple days. It sorta bothers me that app-crypt/cfs is almost 2 years old and is still testing (~x86). This is one of those apps I'd prefer stable.

So, before I get too settled on using this, a few questions.

Do you encrypt your home directory?
What apps and/or combination of apps do you use, and why?
Which ciphers do you prefer? Why?
Is it well supported?
What apps and/or files don't play well with encryption?

I'm sure I'll have more questions after I've read some more.

Thanks,
festus

-- 
In all the millions of years dinosaurs roamed this planet, did any of them feel the need to invent, say, nuclear weapons?
Mickeyz
Re: [gentoo-user] Guidance on encrypting my /home
John J. Foster wrote:
> Do you encrypt your home directory?

Not on my desktop. On my laptop, however, everything except /boot is encrypted (/, /home, swap).

> What apps and/or combination of apps do you use, and why?

sys-apps/util-linux with USE=crypt, and app-crypt/loop-aes.

> Which ciphers do you prefer? Why?

AES256, because that's what the HOWTO used. :P

> Is it well supported?

It has a README... :P

Actually, I've never had a problem with it. :) It's ~arch only, though, and it's been that way for as long as I've used it.

> What apps and/or files don't play well with encryption?

None that I've found.
Re: [gentoo-user] Guidance on encrypting my /home
On Saturday 12 August 2006 20:22, John J. Foster wrote:
> Hi,
>
> I've been playing with encrypting my home directory using cfs and following the instructions at
> http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_CFS
> I guess it mostly works, although I've had cfsd die randomly a few times in a couple days. It sorta bothers me that app-crypt/cfs is almost 2 years old and is still testing (~x86). This is one of those apps I'd prefer stable.
>
> So, before I get too settled on using this, a few questions.
>
> Do you encrypt your home directory?

Yes and others as well.

> What apps and/or combination of apps do you use, and why?

We use dmcrypt, which is used to encrypt loop devices as well as complete partitions.

> Which ciphers do you prefer? Why?

aes-i586 keeps prying eyes out of sensitive data.

> Is it well supported?

Most of it is in the kernel... so it's pretty well supported right out of the box...

> What apps and/or files don't play well with encryption?

None that we run.

> I'm sure I'll have more questions after I've read some more.

Feel free to post here or email me directly.

Cheers,
Jerry.

P.S. is your name foster or festus?