Re: [gentoo-user] Using USB key as real $HOME and possible encryption?

2014-04-29 Thread Walter Dnes
On Mon, Apr 28, 2014 at 09:51:18PM -0400, Rick Zero_Chaos Farina wrote

> I suggest with LUKS.  Also I suggest using ext4 and disabling the
> journal (mkfs.ext4 -O ^has_journal).

  I didn't know you could do that, but what's the point?  I'm not trying
to be argumentative, but isn't ext4 without a journal a glorified ext2?
I believe that an ext2 driver can read ext4, if none of the fancy ext4
options have been invoked.  And ext4 can read ext2.

  Another couple of things I didn't realize.  According to
https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for the
crypt target in the kernel.  It also suggests
* SHA224 and SHA256 digest algorithm

  Any comments on their strength?  I'm not worried about the NSA or CSIS
as much as opportunistic criminals.

  One other item in passing.  The make menuconfig help text for
CONFIG_DM_CRYPT points to http://www.saout.de/misc/dm-crypt/ but that
site says, and I quote...

> Note: This page is horribly out of date.
> You can find the current pages for the dm-crypt project (the Linux
> kernel part) here: http://code.google.com/p/cryptsetup/wiki/DMCrypt
> and the project page for the command line tool cryptsetup (with Linux
> Unified Key Setup - LUKS) here: http://code.google.com/p/cryptsetup/.

  Who should be notified about this?  I don't think kernel help text
(except for Gentoo Sources patches) is handled by Gentoo developers.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



Re: [gentoo-user] Using USB key as real $HOME and possible encryption?

2014-04-29 Thread Rick Zero_Chaos Farina

On 04/29/2014 12:27 PM, Walter Dnes wrote:
> On Mon, Apr 28, 2014 at 09:51:18PM -0400, Rick Zero_Chaos Farina wrote
>
>> I suggest with LUKS.  Also I suggest using ext4 and disabling the
>> journal (mkfs.ext4 -O ^has_journal).
>
>   I didn't know you could do that, but what's the point?  I'm not trying
> to be argumentative, but isn't ext4 without a journal a glorified ext2?
> I believe that an ext2 driver can read ext4, if none of the fancy ext4
> options have been invoked.  And ext4 can read ext2.

I'm not a filesystem expert but there are more differences between ext2
and ext4 than the journal... I think :-)
>
>   Another couple of things I didn't realize.  According to
> https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for the
> crypt target in the kernel.  It also suggests
> * SHA224 and SHA256 digest algorithm
>
>   Any comments on their strength?  I'm not worried about the NSA or CSIS
> as much as opportunistic criminals.

I use whirlpool.  Why you ask? It sounds cool! Also it supported 512bit
which seems nice.
>
>   One other item in passing.  The make menuconfig help text for
> CONFIG_DM_CRYPT points to http://www.saout.de/misc/dm-crypt/ but that
> site says, and I quote...
>
>> Note: This page is horribly out of date.
>> You can find the current pages for the dm-crypt project (the Linux
>> kernel part) here: http://code.google.com/p/cryptsetup/wiki/DMCrypt
>> and the project page for the command line tool cryptsetup (with Linux
>> Unified Key Setup - LUKS) here: http://code.google.com/p/cryptsetup/.
>
>   Who should be notified about this?  I don't think kernel help text
> (except for Gentoo Sources patches) is handled by Gentoo developers.
>
https://bugzilla.kernel.org/

Thanks,
Zero



Re: [gentoo-user] Using USB key as real $HOME and possible encryption?

2014-04-29 Thread Walter Dnes
On Tue, Apr 29, 2014 at 01:32:46PM -0400, Rick Zero_Chaos Farina wrote

> On 04/29/2014 12:27 PM, Walter Dnes wrote:
>>
>>   Another couple of things I didn't realize.  According to
>> https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for the
>> crypt target in the kernel.  It also suggests
>> * SHA224 and SHA256 digest algorithm
>>
>>   Any comments on their strength?  I'm not worried about the NSA or CSIS
>> as much as opportunistic criminals.
>
> I use whirlpool.  Why you ask? It sounds cool! Also it supported 512bit
> which seems nice.

  Sorry to pester you, but I'm beginning to realize just how much is
involved here that I'm a newbie at.  Two more questions...

1) If multiple encryption algorithms are enabled in the kernel, how does
the system decide which one to use?

2) I assume that if I want to use the same encrypted USB key on 2 or
more machines, then the kernels of all the machines must be built with
the same encryption algorithms?

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



Re: [gentoo-user] Using USB key as real $HOME and possible encryption?

2014-04-29 Thread Rick Zero_Chaos Farina

On 04/29/2014 03:58 PM, Walter Dnes wrote:
> On Tue, Apr 29, 2014 at 01:32:46PM -0400, Rick Zero_Chaos Farina wrote
>
>> On 04/29/2014 12:27 PM, Walter Dnes wrote:
>>
>>>   Another couple of things I didn't realize.  According to
>>> https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for the
>>> crypt target in the kernel.  It also suggests
>>> * SHA224 and SHA256 digest algorithm
>>>
>>>   Any comments on their strength?  I'm not worried about the NSA or CSIS
>>> as much as opportunistic criminals.
>>
>> I use whirlpool.  Why you ask? It sounds cool! Also it supported 512bit
>> which seems nice.
>
>   Sorry to pester you, but I'm beginning to realize just how much is
> involved here that I'm a newbie at.  Two more questions...
>
> 1) If multiple encryption algorithms are enabled in the kernel, how does
> the system decide which one to use?

dmcrypt/luks stores the proper encryption algorithm, as long as the
correct one is supported you are all set.
>
> 2) I assume that if I want to use the same encrypted USB key on 2 or
> more machines, then the kernels of all the machines must be built with
> the same encryption algorithms?
>
No, but they do both need the encryption and hashing algorithm you are
using.

-Zero



Re: [gentoo-user] Using USB key as real $HOME and possible encryption?

2014-04-29 Thread Mick
On Wednesday 30 Apr 2014 03:50:12 Rick Zero_Chaos Farina wrote:
> On 04/29/2014 03:58 PM, Walter Dnes wrote:
>> On Tue, Apr 29, 2014 at 01:32:46PM -0400, Rick Zero_Chaos Farina wrote
>>
>>> On 04/29/2014 12:27 PM, Walter Dnes wrote:
>>>>   Another couple of things I didn't realize.  According to
>>>> https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for
>>>> the crypt target in the kernel.  It also suggests
>>>> * SHA224 and SHA256 digest algorithm
>>>>
>>>>   Any comments on their strength?  I'm not worried about the NSA or
>>>> CSIS as much as opportunistic criminals.

If it's only opportunistic criminals you're worried about then SHA1 with its
160-bit string is ample and so is MD5 with its 128-bit.  Both are considered
weak hashes these days and should be avoided for business critical setups,
but they are so widely used (esp. by internet browsers, VPN routers,
etc.) that it would be difficult to upgrade everything overnight to SHA2.


>>> I use whirlpool.  Why you ask? It sounds cool! Also it supported 512bit
>>> which seems nice.

Whirlpool is of course better, because it has an even longer 521-bit string.


>>   Sorry to pester you, but I'm beginning to realize just how much is
>> involved here that I'm a newbie at.  Two more questions...
>>
>> 1) If multiple encryption algorithms are enabled in the kernel, how does
>> the system decide which one to use?
>
> dmcrypt/luks stores the proper encryption algorithm, as long as the
> correct one is supported you are all set.

It will use the default.  Run:

  cryptsetup -h 

to see the default that it was compiled with.

Or,

it will use the --hash and --cipher options that you specify when you run 
cryptsetup.  Have a look at the fine manual.


>> 2) I assume that if I want to use the same encrypted USB key on 2 or
>> more machines, then the kernels of all the machines must be built with
>> the same encryption algorithms?
>
> No, but they do both need the encryption and hashing algorithm you are
> using.

As I understand it, but I may be wrong because I have not used LUKS, you need
to have the same ciphers and hashes on both machines.  Thankfully, all PCs
these days have aes and sha1.  :-)

-- 
Regards,
Mick
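Rick's and Mick's answers above come down to one check that can be scripted: the LUKS header records the cipher and hash, and every kernel the key is plugged into must provide them. Below is an added example, not code from the thread, that parses LUKS1 "cryptsetup luksDump" output against a /proc/crypto listing (both are constructed samples here, with no Whirlpool in the sample kernel) and reports what is missing. It assumes the classic dm-crypt naming (cipher aes with mode xts-plain64 is requested from the kernel as xts(aes)) and treats the hash as kernel-required too, which holds for an ESSIV hash and when cryptsetup uses the kernel crypto backend.

```shell
# Added example (not from the thread): does this kernel provide what a LUKS1 header needs?
# Real use: check_luks_support "$(cryptsetup luksDump /dev/sdc1)" "$(cat /proc/crypto)"

# Constructed excerpt of `cryptsetup luksDump` output (LUKS1 layout).
SAMPLE_DUMP='Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256'

# Constructed /proc/crypto excerpt: AES-XTS and SHA-256 present, no Whirlpool.
SAMPLE_PROC='name         : xts(aes)
driver       : xts(aes-generic)
name         : sha256
driver       : sha256-generic'

# LUKS cipher name + mode -> the crypto API name dm-crypt requests, e.g.
# aes + xts-plain64 -> xts(aes), aes + cbc-essiv:sha256 -> cbc(aes).
luks_kernel_cipher() {
  printf '%s(%s)\n' "${2%%-*}" "$1"
}

# Space-separated kernel algorithms the header requires: cipher, hash spec,
# and the ESSIV hash when the mode carries one (dm-crypt computes ESSIV in-kernel).
luks_required_algos() {
  name=$(printf '%s\n' "$1" | sed -n 's/^Cipher name:[[:space:]]*//p')
  mode=$(printf '%s\n' "$1" | sed -n 's/^Cipher mode:[[:space:]]*//p')
  hspec=$(printf '%s\n' "$1" | sed -n 's/^Hash spec:[[:space:]]*//p')
  case $mode in *essiv:*) essiv=${mode##*essiv:} ;; *) essiv= ;; esac
  printf '%s %s %s\n' "$(luks_kernel_cipher "$name" "$mode")" "$hspec" "$essiv"
}

# Succeeds if the /proc/crypto text lists an entry named exactly $2.
kernel_has() {
  printf '%s\n' "$1" | grep -qx "name[[:space:]]*: $2"
}

# Print ok/MISSING per required algorithm; return 1 if anything is missing.
check_luks_support() {
  rc=0
  for algo in $(luks_required_algos "$1"); do
    if kernel_has "$2" "$algo"; then
      echo "ok:      $algo"
    else
      echo "MISSING: $algo (build it into this kernel before using the key here)"; rc=1
    fi
  done
  return $rc
}

check_luks_support "$SAMPLE_DUMP" "$SAMPLE_PROC"
```

Swap the hash spec in the sample for whirlpool and the same function reports it as missing, which is exactly the situation Walter's second question is about.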




Re: [gentoo-user] Using USB key as real $HOME and possible encryption?

2014-04-28 Thread Rick Zero_Chaos Farina

On 04/28/2014 04:57 PM, Walter Dnes wrote:
>   I want to set up my notebook for use whilst travelling.  I intend to
> have an innocuous /home/waltdnes partition on the notebook, and have the
> real $HOME (a copy of my desktop machine's $HOME) on a 128 gigabyte
> USB key.  When I want to access it, I'll mount the USB key over
> /home/waltdnes. That protects against the notebook being lost/stolen.
> The next question is how do I guard the data on the USB key.  I'm
> looking at using cryptsetup to encrypt the USB key.  Some interesting
> stuff on Google...  http://sleepyhead.de/howto/?href=cryptpart shows how
> to use cryptsetup with and without LUKS.
>
> dm-crypt without LUKS
>
> # cryptsetup -y create sdc1 /dev/sdc1 # or any other partition like /dev/loop0
> # dmsetup ls  # check it, will display: sdc1 (254, 0)
> # mkfs.ext3 /dev/mapper/sdc1  # This is done only the first time!
> # mount -t ext3 /dev/mapper/sdc1 /mnt
> # umount /mnt/
> # cryptsetup remove sdc1  # Detach the encrypted partition
>
> Do exactly the same (without the mkfs part!) to re-attach the partition.
> If the password is not correct, the mount command will fail. In this
> case simply remove the map sdc1 (cryptsetup remove sdc1) and create it
> again.
>
>   I did a --pretend emerge of cryptsetup, and I see that it pulls in
> lvm2 as a dependency, presumably to enable the /dev/mapper/* entries.
> Any comments on whether I'm better off with or without LUKS?  I also
> intend to use ext2, because I understand that a journalling fs is murder
> on USB keys.
>


I suggest with LUKS.  Also I suggest using ext4 and disabling the
journal (mkfs.ext4 -O ^has_journal).  Gentoo has some pretty good init
scripts for dmcrypt that you can use to mount your usb key when ready,
check it out in /etc/conf.d/dmcrypt.

-Zero