Re: Disc encryptian.
On Mon, Feb 21, 2011 at 2:00 AM, Heddle Weaver weaver2wo...@gmail.comwrote: On 21 February 2011 15:32, Erwan David er...@rail.eu.org wrote: On 21/02/11 05:05, Ron Johnson wrote: On 02/20/2011 09:46 PM, Heddle Weaver wrote: Greetings all, looking at the collective knowledge factor, what's the best disc encryption package? Do you want to encrypt *everything* of just a few folders? Everything, including swap. Like Erwan, I use cryptsetup/LUKS. Doing so through the installer will allow/require you to encrypt swap. However, you will be unable to encrypt /boot. The boot manager will need to access /boot to be able to access cryptsetup to decrypt the filesystems. That said, if you don't want a decrypted /boot living on your hard drive, you can insert a thumb drive (512MB-1GB if you can find one that small) during install and configure it as /boot. Have a backup stick and regularly rsync it to account for updated packages, etc as well as in case the first drive fails. I have done this on a couple of laptops. What's everybody using? Two examples of Xzibit this week and hash changes showing up in the logs. Also, please remember, when the system is running, the filesystem is *decrypted*. Encryption is not going to protect you when the system is running. I am not familiar with the xzibit rootkit, but you should probably be looking more toward an IDS/IPS (intrusion detection/prevention system), such as snort, ossec, etc rather than encryption as your defense...try and have multiple layers of security, so that bypassing one will trigger another. --b
Re: Disc encryptian.
On 02/24/2011 06:22 AM, Brad Alexander wrote: [snip] Also, please remember, when the system is running, the filesystem is *decrypted*. Encryption is not going to protect you when the system is running. So what you/we need are apps which integrate GPG. That way, files are only decrypted when necessary. -- The normal condition of mankind is tyranny and misery. Milton Friedman -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4d66571b.70...@cox.net
Re: Disc encryptian.
On Thursday 24 February 2011 07:03:23 Ron Johnson wrote: On 02/24/2011 06:22 AM, Brad Alexander wrote: [snip] Also, please remember, when the system is running, the filesystem is *decrypted*. Encryption is not going to protect you when the system is running. So what you/we need are apps which integrate GPG. That way, files are only decrypted when necessary. Depends on what you are trying to defend against. Full-disk encryption is meant to defend against physically stolen or confiscated servers, drives, or laptops from being accessed. When a laptop is on, it is generally being closely observed, so when it is stolen it is usually off. Servers and drives are harder to move while powered, so they are usually turned off as part of the act of stealing them. In both cases, accessing the data usually requires knowledge of the encryption key or the passphrase that unlocks it. If you want to protect your data from other normal users on the same system, permissions usually suffice. If you want to protect your data from privileged users (e.g. root) on a system, give up. They can modify the system to tell GPG that the memory it has requested is locked, but then capture all the data written there, and that act could be mostly transparent to both GPG and the user. GPG is best used for asymmetrically encrypted transfers of data, or when you only have a few files to protect and don't feel they justify full disk encryption. -- Boyd Stephen Smith Jr. ,= ,-_-. =. b...@iguanasuicide.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/\_/ signature.asc Description: This is a digitally signed message part.
Re: Disc encryptian.
Quite true, Boyd. But he specifically mentioned the xzibit rootkit, which means he had to be online to get it. So I framed my answer in light of his concerns. --b On Thu, Feb 24, 2011 at 9:30 AM, Boyd Stephen Smith Jr. b...@iguanasuicide.net wrote: On Thursday 24 February 2011 07:03:23 Ron Johnson wrote: On 02/24/2011 06:22 AM, Brad Alexander wrote: [snip] Also, please remember, when the system is running, the filesystem is *decrypted*. Encryption is not going to protect you when the system is running. So what you/we need are apps which integrate GPG. That way, files are only decrypted when necessary. Depends on what you are trying to defend against. Full-disk encryption is meant to defend against physically stolen or confiscated servers, drives, or laptops from being accessed. When a laptop is on, it is generally being closely observed, so when it is stolen it is usually off. Servers and drives are harder to move while powered, so they are usually turned off as part of the act of stealing them. In both cases, accessing the data usually requires knowledge of the encryption key or the passphrase that unlocks it. If you want to protect your data from other normal users on the same system, permissions usually suffice. If you want to protect your data from privileged users (e.g. root) on a system, give up. They can modify the system to tell GPG that the memory it has requested is locked, but then capture all the data written there, and that act could be mostly transparent to both GPG and the user. GPG is best used for asymmetrically encrypted transfers of data, or when you only have a few files to protect and don't feel they justify full disk encryption. -- Boyd Stephen Smith Jr. ,= ,-_-. =. b...@iguanasuicide.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/\_/
Re: Disc encryptian.
On 02/24/2011 08:30 AM, Boyd Stephen Smith Jr. wrote: On Thursday 24 February 2011 07:03:23 Ron Johnson wrote: On 02/24/2011 06:22 AM, Brad Alexander wrote: [snip] Also, please remember, when the system is running, the filesystem is *decrypted*. Encryption is not going to protect you when the system is running. So what you/we need are apps which integrate GPG. That way, files are only decrypted when necessary. Depends on what you are trying to defend against. Full-disk encryption is meant to defend against physically stolen or confiscated servers, drives, or laptops from being accessed. When a laptop is on, it is generally being closely observed, so when it is stolen it is usually off. Servers and drives Except that many laptop users suspend or hibernate their machines for faster startup. -- The normal condition of mankind is tyranny and misery. Milton Friedman -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4d66d0c1.5070...@cox.net
Re: Disc encryptian.
Le Thu 24/02/2011, Ron Johnson disait On 02/24/2011 08:30 AM, Boyd Stephen Smith Jr. wrote: On Thursday 24 February 2011 07:03:23 Ron Johnson wrote: On 02/24/2011 06:22 AM, Brad Alexander wrote: [snip] Also, please remember, when the system is running, the filesystem is *decrypted*. Encryption is not going to protect you when the system is running. So what you/we need are apps which integrate GPG. That way, files are only decrypted when necessary. Depends on what you are trying to defend against. Full-disk encryption is meant to defend against physically stolen or confiscated servers, drives, or laptops from being accessed. When a laptop is on, it is generally being closely observed, so when it is stolen it is usually off. Servers and drives Except that many laptop users suspend or hibernate their machines for faster startup. Hibernation is done on encrypted disk, thus it is safe. However suspend to RAM is not, decryption keys stay in RAM, and if RAM is extracted in proper condition (at low temperature, but not so low it is very expnsive to achieve this temperature), itcan be read several minutes after extraction. -- Erwan -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110224220338.gb...@rail.eu.org
Re: Disc encryptian.
On Thursday 24 February 2011 15:42:25 Ron Johnson wrote: On 02/24/2011 08:30 AM, Boyd Stephen Smith Jr. wrote: On Thursday 24 February 2011 07:03:23 Ron Johnson wrote: On 02/24/2011 06:22 AM, Brad Alexander wrote: Also, please remember, when the system is running, the filesystem is *decrypted*. Encryption is not going to protect you when the system is running. So what you/we need are apps which integrate GPG. That way, files are only decrypted when necessary. Depends on what you are trying to defend against. Full-disk encryption is meant to defend against physically stolen or confiscated servers, drives, or laptops from being accessed. When a laptop is on, it is generally being closely observed, so when it is stolen it is usually off. Servers and drives Except that many laptop users suspend or hibernate their machines for faster startup. With sleep (suspend to RAM), the disk remains unprotected; key material is in RAM, among other things. I don't recommend sleeping unless you *know* you'll be back to actively using the system before your battery drains; it can lose data in rare instances. Usually this entails keeping your laptop nearby, although not necessarily the focus of your attention, so there is some increased risk of theft. From what I understand, it is possible to disable the ability to suspend the laptop. This can be used to avoid this extra risk. With hibernate (suspend to Diks), the disk is protected; key material is not in RAM (nothing is). You'll need to provide the passphrase in order to resume. Key material is never written to disk unprotected by the kernel implementation(s) of full-disk encryption; this is a well-known way to accidentally subvert the entire purpose of full-disk encryption. Using safe-sleep (suspend to both), the disk remains unprotected until the battery drains or (if the ACPI and the kernel is smart enough) it switches to a hibernate state. I'm not sure how well Squeeze (in particular) supports this mode at all; it is common under Mac OS X. uswsusp did have some support for this in Lenny, but I think that package or at least that feature is going or has went away. -- Boyd Stephen Smith Jr. ,= ,-_-. =. b...@iguanasuicide.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/\_/ signature.asc Description: This is a digitally signed message part.
Re: Disc encryptian.
Heddle Weaver: looking at the collective knowledge factor, what's the best disc encryption package? What's everybody using? Two examples of Xzibit this week and hash changes showing up in the logs. No damage, just nosy kids. I am not sure what you are saying, but be aware that disk encryption does not protect your data while the system is running and the encrypted filesystems are in use. J. -- I think the environment will be okay. [Agree] [Disagree] http://www.slowlydownward.com/NODATA/data_enter2.html signature.asc Description: Digital signature
Re: Disc encryptian.
On Mon, 21 Feb 2011 06:32:26 +0100 Erwan David er...@rail.eu.org wrote: On 21/02/11 05:05, Ron Johnson wrote: On 02/20/2011 09:46 PM, Heddle Weaver wrote: Greetings all, looking at the collective knowledge factor, what's the best disc encryption package? Do you want to encrypt *everything* of just a few folders? What's everybody using? Two examples of Xzibit this week and hash changes showing up in the logs. Eh? No damage, just nosy kids. Or something worse. encfs is what I use. And I use dm-crypt (through cryptsetup) Same here (the Debian installer offers to set this up). Celejar -- foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator mailmin.sourceforge.net - remote access via secure (OpenPGP) email ssuds.sourceforge.net - A Simple Sudoku Solver and Generator -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110221165655.c8007234.cele...@gmail.com
Re: Disc encryptian.
On 02/20/2011 09:46 PM, Heddle Weaver wrote: Greetings all, looking at the collective knowledge factor, what's the best disc encryption package? Do you want to encrypt *everything* of just a few folders? What's everybody using? Two examples of Xzibit this week and hash changes showing up in the logs. Eh? No damage, just nosy kids. Or something worse. encfs is what I use. -- The normal condition of mankind is tyranny and misery. Milton Friedman -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4d61e4a3.6070...@cox.net
Re: Disc encryptian.
On 21/02/11 05:05, Ron Johnson wrote: On 02/20/2011 09:46 PM, Heddle Weaver wrote: Greetings all, looking at the collective knowledge factor, what's the best disc encryption package? Do you want to encrypt *everything* of just a few folders? What's everybody using? Two examples of Xzibit this week and hash changes showing up in the logs. Eh? No damage, just nosy kids. Or something worse. encfs is what I use. And I use dm-crypt (through cryptsetup) -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4d61f8ea.5010...@rail.eu.org
Re: Disc encryptian.
On 21 February 2011 15:32, Erwan David er...@rail.eu.org wrote: On 21/02/11 05:05, Ron Johnson wrote: On 02/20/2011 09:46 PM, Heddle Weaver wrote: Greetings all, looking at the collective knowledge factor, what's the best disc encryption package? Do you want to encrypt *everything* of just a few folders? Everything, including swap. What's everybody using? Two examples of Xzibit this week and hash changes showing up in the logs. Eh? No damage, just nosy kids. Or something worse. encfs is what I use. And I use dm-crypt (through cryptsetup) Thanks for that gentlemen. Regards, Weaver. -- Religion is regarded by the common people as true, by the wise as false, and by the rulers as useful. — Lucius Annæus Seneca. Terrorism, the new religion.
Re: Disc encryptian.
On 02/21/2011 01:00 AM, Heddle Weaver wrote: On 21 February 2011 15:32, Erwan Davider...@rail.eu.org wrote: On 21/02/11 05:05, Ron Johnson wrote: On 02/20/2011 09:46 PM, Heddle Weaver wrote: Greetings all, looking at the collective knowledge factor, what's the best disc encryption package? Do you want to encrypt *everything* of just a few folders? Everything, including swap. Your original email was a bit vague. What exactly are you trying to prevent them from doing? -- The normal condition of mankind is tyranny and misery. Milton Friedman -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4d621722.8060...@cox.net
Re: Disc encryptian.
On Mon, Feb 21, 2011 at 08:41:22AM CET, Ron Johnson ron.l.john...@cox.net said: On 02/21/2011 01:00 AM, Heddle Weaver wrote: On 21 February 2011 15:32, Erwan Davider...@rail.eu.org wrote: On 21/02/11 05:05, Ron Johnson wrote: On 02/20/2011 09:46 PM, Heddle Weaver wrote: Greetings all, looking at the collective knowledge factor, what's the best disc encryption package? Do you want to encrypt *everything* of just a few folders? Everything, including swap. Your original email was a bit vague. What exactly are you trying to prevent them from doing? Note that it is no use to encrypt disc without encrypting swap since the decryption key might be written in swap. Debian installer mandates an encrypted swap when you use encrypted partitions. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110221074608.gi30...@rail.eu.org