Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-06 Thread Rich Freeman
On Mon, Jul 6, 2020 at 5:05 AM William Kenworthy wrote:
>
> It also makes the point that any administrator will have access to the stick's
> data - not just the user (same as root under Linux).

This is just a fundamental issue about how computers work.  If you
attach your storage media to a computer, then potentially anybody who
had either physical access or administrative access to that computer
before you can read the storage media.  If it is encrypted and you
enter the decryption key into the computer, then that includes the
encrypted data too.

There are of course operating systems that try to make this sort of
thing harder, but there are many ways to bypass this sort of thing at
either the hardware or software level.  If you are plugging your USB
drive into a computer you don't control, you really have no way to
know what hardware or software it is using.  It could contain hardware
keyloggers, the OS might be tampered with, if the device is supposed
to prevent OS tampering you don't know if the hardware was swapped out
with hardware that doesn't prevent tampering, and so on.  This is why
things like hardware password/key managers often implement a
minimalistic serial/keyboard interface - to prevent the host they are
plugged into from actually being able to directly access their secure
storage.

I realize that you already said that this is your own hardware - I
just wanted to point out this fundamental limitation.  This is one of
the reasons that when I select laptops/tablets I tend to select ones
that are very light/portable - the more likely I am to have it with me
the less likely I am to need to access my private data from systems I
don't control.

-- 
Rich



Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-06 Thread Neil Bothwick
On Mon, 6 Jul 2020 04:53:24 -0500, Dale wrote:

> > ecryptfs-utils is the userland management of the kernel's ecryptfs.
> > Ecryptfs uses an overlay filesystem to encrypt files within a
> > directory, it is what Ubuntu uses for encrypted home directories
> >
> > cryptmount is for working with LUKS filesystems, which appears to be
> > the route you are leaning towards. I haven't used it and don't know
> > what advantages it has over a user script, if you want to manually
> > mount the filesystem, or /etc/crypttab.

> I thought Gentoo used /etc/conf.d/dmcrypt?  I still haven't figured that
> part out yet.  I need to read up on that more.  I'm not sure what it
> does exactly, yet.

It may do, I only encrypt everything-but-/boot or nothing at all.

For your use case, encrypting part of your home directory, ecryptfs may be
more suitable.


-- 
Neil Bothwick

Ralph's Observation - It is a mistake to allow any mechanical object
to realize that you are in a hurry.




Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-06 Thread Neil Bothwick
On Mon, 6 Jul 2020 17:05:48 +0800, William Kenworthy wrote:

> > By the way, the USB stick will have instructions about things after
> > I'm buried or whatever.  I plan to keep the USB stick in a safe and
> > share the password with the person that will be taking care of
> > things.  When I'm gone, they can open the USB stick to access files on
> > what to do and such.  Until I'm gone, they won't know what is on the
> > stick or have access to it.  Getting older makes one think about these
> > things.  :/  External drives will have things that when I'm gone, they
> > gone too. 
> >  
> Paper in a sealed envelope in a safe (bank safety deposit box etc) ...
> too many things to go wrong with an encrypted USB.

I too have a USB stick in the safe, but it's not encrypted. As you say,
too much to go wrong that way. I actually use 2 sticks, just in case one
of them corrupts.


-- 
Neil Bothwick

Barnum was wrong... it's more like every 30 seconds!




Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-06 Thread Dale
Neil Bothwick wrote:
> On Sun, 5 Jul 2020 23:49:14 -0500, Dale wrote:
>
>> Digging around I found these. 
>>
>> [ebuild  N    ~] sys-fs/ecryptfs-utils-111_p20170609::gentoo  USE="gtk
>> nls pam -doc -gpg -openssl -pkcs11 -python -suid -tpm"
>> PYTHON_SINGLE_TARGET="python2_7" 1,401 KiB
>> [ebuild  N ] sys-fs/cryptmount-5.3.2::gentoo  USE="gcrypt largefile
>> luks nls openssl udev -argv0switch -cswap -fsck -mount (-selinux)
>> -systemd" 533 KiB
>>
>> Looking at the info I've found tho, I don't think it will do what I'm
>> looking for.  Has anyone used either of these in the past?  If so, does
>> one of these do what I'm looking for?
> ecryptfs-utils is the userland management of the kernel's ecryptfs.
> Ecryptfs uses an overlay filesystem to encrypt files within a directory,
> it is what Ubuntu uses for encrypted home directories
>
> cryptmount is for working with LUKS filesystems, which appears to be the
> route you are leaning towards. I haven't used it and don't know what
> advantages it has over a user script, if you want to manually mount the
> filesystem, or /etc/crypttab.
>
>

I thought Gentoo used /etc/conf.d/dmcrypt?  I still haven't figured that
part out yet.  I need to read up on that more.  I'm not sure what it
does exactly, yet.

Dale

:-)  :-) 


Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-06 Thread Dale
William Kenworthy wrote:
>
>
> On 6/7/20 2:37 pm, Dale wrote:
>> William Kenworthy wrote:
>>> Hi Dale, I looked at Veracrypt and ran into the fact that on Windows
>>> Veracrypt MUST be installed by an administrator which is a blocker for
>>> using USB keys on computers I don't control (such as transporting files
>>> securely between locations - i.e., where there is potential to lose the
>>> usb key):
>>>
>>> see
>>> https://www.veracrypt.fr/en/Using%20VeraCrypt%20Without%20Administrator%20Privileges.html
>>>
>>> BillK
>>>
>>
>> Does that mean that on windoze a person can open an encrypted USB stick
>> without a password?  From what I read, it sounds like it doesn't put
>> the stick at risk, as long as you are not using key files or sharing
>> your password by storing it somewhere.  It just means you have to be
>> admin to install Veracrypt but not to access an encrypted USB stick.
>> From the way it sounds, you insert USB stick, run Veracrypt, enter
>> password, do what you want with the stick, close it and then remove
>> the stick.  Or am I missing something? 
>>
> It means that an administrator must install veracrypt first - if you
> can't do that, you can't access the stick.  It also makes the point that
> any administrator will have access to the stick's data - not just the
> user (same as root under Linux).  The blocker for me was that I could
> not get veracrypt installed.
>

Ah I see what you are saying now.  It's a privately owned laptop so that
won't be an issue.  She may even use a desktop system.


>> I might add, when I use cryptsetup and mount an external drive I use,
>> I do that as root.  Since my password is only in my head, no
>> password, no access root or not, right?
>>
> Maybe, maybe not ...
>
>> I'm new to this encrypted thing.  I'm learning but don't know all of
>> it and may never know all of it.  I figured out the other day that
>> when I select a two part or three part encryption, it actually
>> encrypts the thing twice or three times.  It's like having to pick
>> two or three locks on a door instead of one.  Only they have to be
>> done in order and you don't really have a way to know if you did it
>> right until you figure out the rest.  I bet that drives the NSA and
>> other Govts nuts.  lol 
>>
>> By the way, the USB stick will have instructions about things after
>> I'm buried or whatever.  I plan to keep the USB stick in a safe and
>> share the password with the person that will be taking care of
>> things.  When I'm gone, they can open the USB stick to access files
>> on what to do and such.  Until I'm gone, they won't know what is on
>> the stick or have access to it.  Getting older makes one think about
>> these things.  :/  External drives will have things that when I'm
>> gone, they gone too. 
>>
> Paper in a sealed envelope in a safe (bank safety deposit box etc) ...
> too many things to go wrong with an encrypted USB.
>
>

Don't have a bank safety deposit box and even if I get one, that will
cause issues when I kick the bucket. 


>> I just wonder how many encryption tools have been cracked that we
>> don't know about.  It's not like they going to tell us or anything.
>>
>> Dale
>>
>> :-)  :-) 
>
> Yep :)
>
> BillK
>

I'm just hoping the newer ones, after Snowden, don't have back doors
etc.  Now let us pray.  ;-)

Dale

:-)  :-) 


Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-06 Thread William Kenworthy

On 6/7/20 2:37 pm, Dale wrote:
> William Kenworthy wrote:
>> Hi Dale, I looked at Veracrypt and ran into the fact that on Windows
>> Veracrypt MUST be installed by an administrator which is a blocker for
>> using USB keys on computers I don't control (such as transporting files
>> securely between locations - i.e., where there is potential to lose the
>> usb key):
>>
>> see
>> https://www.veracrypt.fr/en/Using%20VeraCrypt%20Without%20Administrator%20Privileges.html
>>
>> BillK
>>
>
> Does that mean that on windoze a person can open an encrypted USB stick
> without a password?  From what I read, it sounds like it doesn't put
> the stick at risk, as long as you are not using key files or sharing
> your password by storing it somewhere.  It just means you have to be
> admin to install Veracrypt but not to access an encrypted USB stick.
> From the way it sounds, you insert USB stick, run Veracrypt, enter
> password, do what you want with the stick, close it and then remove
> the stick.  Or am I missing something? 
>
It means that an administrator must install veracrypt first - if you
can't do that, you can't access the stick.  It also makes the point that
any administrator will have access to the stick's data - not just the user
(same as root under Linux).  The blocker for me was that I could not get
veracrypt installed.

> I might add, when I use cryptsetup and mount an external drive I use, I
> do that as root.  Since my password is only in my head, no password,
> no access root or not, right?
>
Maybe, maybe not ...

> I'm new to this encrypted thing.  I'm learning but don't know all of
> it and may never know all of it.  I figured out the other day that
> when I select a two part or three part encryption, it actually
> encrypts the thing twice or three times.  It's like having to pick two
> or three locks on a door instead of one.  Only they have to be done in
> order and you don't really have a way to know if you did it right
> until you figure out the rest.  I bet that drives the NSA and other
> Govts nuts.  lol 
>
> By the way, the USB stick will have instructions about things after
> I'm buried or whatever.  I plan to keep the USB stick in a safe and
> share the password with the person that will be taking care of
> things.  When I'm gone, they can open the USB stick to access files on
> what to do and such.  Until I'm gone, they won't know what is on the
> stick or have access to it.  Getting older makes one think about these
> things.  :/  External drives will have things that when I'm gone, they
> gone too. 
>
Paper in a sealed envelope in a safe (bank safety deposit box etc) ...
too many things to go wrong with an encrypted USB.


> I just wonder how many encryption tools have been cracked that we
> don't know about.  It's not like they going to tell us or anything.
>
> Dale
>
> :-)  :-) 

Yep :)

BillK





Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-06 Thread Neil Bothwick
On Sun, 5 Jul 2020 23:49:14 -0500, Dale wrote:

> Digging around I found these. 
> 
> [ebuild  N    ~] sys-fs/ecryptfs-utils-111_p20170609::gentoo  USE="gtk
> nls pam -doc -gpg -openssl -pkcs11 -python -suid -tpm"
> PYTHON_SINGLE_TARGET="python2_7" 1,401 KiB
> [ebuild  N ] sys-fs/cryptmount-5.3.2::gentoo  USE="gcrypt largefile
> luks nls openssl udev -argv0switch -cswap -fsck -mount (-selinux)
> -systemd" 533 KiB
> 
> Looking at the info I've found tho, I don't think it will do what I'm
> looking for.  Has anyone used either of these in the past?  If so, does
> one of these do what I'm looking for?

ecryptfs-utils is the userland management of the kernel's ecryptfs.
Ecryptfs uses an overlay filesystem to encrypt files within a directory,
it is what Ubuntu uses for encrypted home directories

cryptmount is for working with LUKS filesystems, which appears to be the
route you are leaning towards. I haven't used it and don't know what
advantages it has over a user script, if you want to manually mount the
filesystem, or /etc/crypttab.


-- 
Neil Bothwick

/ For security reasons, all text in this mail
  is double-rot13 encrypted. /




Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-06 Thread Dale
William Kenworthy wrote:
> Hi Dale, I looked at Veracrypt and ran into the fact that on Windows
> Veracrypt MUST be installed by an administrator which is a blocker for
> using USB keys on computers I don't control (such as transporting files
> securely between locations - i.e., where there is potential to lose the
> usb key):
>
> see
> https://www.veracrypt.fr/en/Using%20VeraCrypt%20Without%20Administrator%20Privileges.html
>
> BillK
>

Does that mean that on windoze a person can open an encrypted USB stick
without a password?  From what I read, it sounds like it doesn't put the
stick at risk, as long as you are not using key files or sharing your
password by storing it somewhere.  It just means you have to be admin to
install Veracrypt but not to access an encrypted USB stick.  From the way
it sounds, you insert USB stick, run Veracrypt, enter password, do what
you want with the stick, close it and then remove the stick.  Or am I
missing something? 

I might add, when I use cryptsetup and mount an external drive I use, I
do that as root.  Since my password is only in my head, no password, no
access root or not, right?

I'm new to this encrypted thing.  I'm learning but don't know all of it
and may never know all of it.  I figured out the other day that when I
select a two part or three part encryption, it actually encrypts the
thing twice or three times.  It's like having to pick two or three locks
on a door instead of one.  Only they have to be done in order and you
don't really have a way to know if you did it right until you figure out
the rest.  I bet that drives the NSA and other Govts nuts.  lol 

By the way, the USB stick will have instructions about things after I'm
buried or whatever.  I plan to keep the USB stick in a safe and share
the password with the person that will be taking care of things.  When
I'm gone, they can open the USB stick to access files on what to do and
such.  Until I'm gone, they won't know what is on the stick or have
access to it.  Getting older makes one think about these things.  :/ 
External drives will have things that when I'm gone, they gone too. 

I just wonder how many encryption tools have been cracked that we don't
know about.  It's not like they going to tell us or anything.

Dale

:-)  :-) 


Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-05 Thread William Kenworthy
Hi Dale, I looked at Veracrypt and ran into the fact that on Windows
Veracrypt MUST be installed by an administrator which is a blocker for
using USB keys on computers I don't control (such as transporting files
securely between locations - i.e., where there is potential to lose the
usb key):

see
https://www.veracrypt.fr/en/Using%20VeraCrypt%20Without%20Administrator%20Privileges.html

BillK


On 6/7/20 12:49 pm, Dale wrote:
> Dale wrote:
>> Howdy,
>>
>> As some know, I been playing with encryption recently.  I got doing
>> it on the command line and using veracrypt for USB sticks down.  I
>> use Veracrypt for those that I want to work on windoze as well, I
>> hope anyway.  Now I'm moving on to something else. 
>>
>> Now that I have a spare drive, I want to encrypt it and have a mount
>> point for it, /home/dale/documents for example.  What I'd like to do,
>> when I log in, it asks me for the encryption password and then
>> mounts it.  When I log out, it reverses.  I'm not doing all of /home
>> because I want to separate some info.  I may do it later. 
>>
>> I did some googling but maybe my search terms aren't good enough.  I
>> mostly find for /home as a whole but not separate parts of it.  When
>> I add in Gentoo does some things differently, it may be that this
>> isn't even doable.  Also, my user password and password for the
>> encryption will be different.  I'm using KDE but anything that will
>> work as part of KDE or along with KDE will be fine with me. 
>>
>> Does anyone have a howto they can link to?  Is this even doable? 
>>
>> Thanks.
>>
>> Dale
>>
>> :-)  :-) 
>
>
> Digging around I found these. 
>
> [ebuild  N    ~] sys-fs/ecryptfs-utils-111_p20170609::gentoo  USE="gtk
> nls pam -doc -gpg -openssl -pkcs11 -python -suid -tpm"
> PYTHON_SINGLE_TARGET="python2_7" 1,401 KiB
> [ebuild  N ] sys-fs/cryptmount-5.3.2::gentoo  USE="gcrypt
> largefile luks nls openssl udev -argv0switch -cswap -fsck -mount
> (-selinux) -systemd" 533 KiB
>
> Looking at the info I've found tho, I don't think it will do what I'm
> looking for.  Has anyone used either of these in the past?  If so,
> does one of these do what I'm looking for?
>
> I'm surprised someone hasn't come up with this before.  Surely I'm not
> the only one who would like an automatic way to decrypt, mount, umount
> and encrypt with some sort of automated process.  Sort of like a USB
> stick only with encryption. 
>
> Dale
>
> :-)  :-) 



Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-05 Thread Dale
Dale wrote:
> Howdy,
>
> As some know, I been playing with encryption recently.  I got doing it
> on the command line and using veracrypt for USB sticks down.  I use
> Veracrypt for those that I want to work on windoze as well, I hope
> anyway.  Now I'm moving on to something else. 
>
> Now that I have a spare drive, I want to encrypt it and have a mount
> point for it, /home/dale/documents for example.  What I'd like to do,
> when I log in, it asks me for the encryption password and then
> mounts it.  When I log out, it reverses.  I'm not doing all of /home
> because I want to separate some info.  I may do it later. 
>
> I did some googling but maybe my search terms aren't good enough.  I
> mostly find for /home as a whole but not separate parts of it.  When I
> add in Gentoo does some things differently, it may be that this isn't
> even doable.  Also, my user password and password for the encryption
> will be different.  I'm using KDE but anything that will work as part
> of KDE or along with KDE will be fine with me. 
>
> Does anyone have a howto they can link to?  Is this even doable? 
>
> Thanks.
>
> Dale
>
> :-)  :-) 


Digging around I found these. 

[ebuild  N    ~] sys-fs/ecryptfs-utils-111_p20170609::gentoo  USE="gtk
nls pam -doc -gpg -openssl -pkcs11 -python -suid -tpm"
PYTHON_SINGLE_TARGET="python2_7" 1,401 KiB
[ebuild  N ] sys-fs/cryptmount-5.3.2::gentoo  USE="gcrypt largefile
luks nls openssl udev -argv0switch -cswap -fsck -mount (-selinux)
-systemd" 533 KiB

Looking at the info I've found tho, I don't think it will do what I'm
looking for.  Has anyone used either of these in the past?  If so, does
one of these do what I'm looking for?

I'm surprised someone hasn't come up with this before.  Surely I'm not
the only one who would like an automatic way to decrypt, mount, umount
and encrypt with some sort of automated process.  Sort of like a USB
stick only with encryption. 

Dale

:-)  :-) 


Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-04 Thread Michael
On Saturday, 4 July 2020 04:49:07 BST Francesco Turco wrote:
> On Sat, Jul 4, 2020, at 04:23, Dale wrote:
> >  Now that I have a spare drive, I want to encrypt it and have a mount
> >  point for it, /home/dale/documents for example. What I'd like to do,
> >  when I log in, it asks me for the encryption password and then mounts
> >  it. When I log out, it reverses. I'm not doing all of /home because I
> >  want to separate some info. I may do it later.
> I would use LUKS (warning: all data on the spare drive will be lost):
> 0. Partition the spare drive: parted /dev/sdx
> 1. Format the drive's partition with LUKS: cryptsetup luksFormat /dev/sdxn
> 2. Decrypt the LUKS partition: cryptsetup luksOpen /dev/sdxn documents
> 3. Create a filesystem on the decrypted partition: mke2fs -t ext4 -m 0 /dev/mapper/documents
> 4. Add the new filesystem to /etc/fstab (use the UUID for easier matching)
> 5. Mount the filesystem: mount /home/dale/documents
> 
> In order to close the filesystem, you need the following steps:
> 1. Unmount the filesystem: umount /home/dale/documents
> 2. Lock the LUKS partition: cryptsetup luksClose documents
> 
> Since you use KDE you may try Vault instead, but I haven't tested that
> personally.

As I understand it the KDE Vaults is a filesystem-level encryption scheme, 
using CryFS or EncFS, one of which has had no independent security audit and 
the other which has had a number of security weaknesses reported.  Either way, 
they can be used to encrypt directories or individual files and are 
potentially useful for storing your encrypted data on the cloud - should you 
want to store your *private* and potentially precious data on someone else's 
computers.  o_O



Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

2020-07-03 Thread Francesco Turco
On Sat, Jul 4, 2020, at 04:23, Dale wrote:
>  Now that I have a spare drive, I want to encrypt it and have a mount point 
> for it, /home/dale/documents for example. What I'd like to do, when I log
> in, it asks me for the encryption password and then mounts it. When I log
> out, it reverses. I'm not doing all of /home because I want to separate some 
> info. I may do it later. 

I would use LUKS (warning: all data on the spare drive will be lost):
0. Partition the spare drive: parted /dev/sdx
1. Format the drive's partition with LUKS: cryptsetup luksFormat /dev/sdxn
2. Decrypt the LUKS partition: cryptsetup luksOpen /dev/sdxn documents
3. Create a filesystem on the decrypted partition: mke2fs -t ext4 -m 0 /dev/mapper/documents
4. Add the new filesystem to /etc/fstab (use the UUID for easier matching)
5. Mount the filesystem: mount /home/dale/documents

In order to close the filesystem, you need the following steps:
1. Unmount the filesystem: umount /home/dale/documents
2. Lock the LUKS partition: cryptsetup luksClose documents

Since you use KDE you may try Vault instead, but I haven't tested that 
personally.

-- 
https://fturco.net/
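
The open and close steps listed above, wrapped as one script for login and logout use. This is an added example, not part of the post: the function names and the DRY_RUN switch are assumptions of the example, while /dev/sdxn, documents and /home/dale/documents are the thread's own placeholders.

```shell
#!/bin/sh
# Added example: wrapper around the luksOpen/mount and umount/luksClose steps.
# DEV, NAME and MNT reuse the thread's placeholders; adjust before real use.
DEV="${DEV:-/dev/sdxn}"            # LUKS partition (placeholder)
NAME="${NAME:-documents}"          # device-mapper name
MNT="${MNT:-/home/dale/documents}" # mount point
DRY_RUN="${DRY_RUN:-1}"            # 1 = only print the commands (assumed switch)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# State probes, kept as functions so they can be replaced when testing.
mapping_active() { [ -e "/dev/mapper/$NAME" ]; }
is_mounted()     { mountpoint -q "$MNT" 2>/dev/null; }

# Unlock and mount. Steps already done are skipped, so a second login
# does not prompt for the passphrase again.
vault_open() {
    if ! mapping_active; then
        run cryptsetup luksOpen "$DEV" "$NAME" || return 1
    fi
    if ! is_mounted; then
        run mount "/dev/mapper/$NAME" "$MNT" || {
            # Do not leave the volume unlocked if the mount failed.
            run cryptsetup luksClose "$NAME"
            return 1
        }
    fi
}

# Unmount and lock. A busy mount point makes umount fail; the mapping is
# then still open and the data still readable, so return non-zero rather
# than report the volume as locked.
vault_close() {
    if is_mounted; then
        run umount "$MNT" || return 2
    fi
    if mapping_active; then
        run cryptsetup luksClose "$NAME" || return 3
    fi
}

case "${1:-}" in
    open)  vault_open ;;
    close) vault_close ;;
esac
```

Run it as root with DRY_RUN=0 and the argument open or close; how it gets called at login and logout is left to the session setup. A non-zero exit from close means the volume is still unlocked and needs attention.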