Re: [gentoo-user] Encripting /home
Richard Fish wrote:
> Alexander Skwar wrote:
>> Richard Fish wrote:
>>> Pupeno wrote:
>>>> I use the dm-crypt from the kernel
>>>> I've read that it is unsecure and I also read that it is not yet very well supported.
>>> Dm-crypt is fairly well supported, since it is in the kernel, but I find it to be harder to setup
>> hard to setup? How? What's hard about it? You just encrypt the block device and create an fs on it.
>>
>>   /sbin/lvcreate -nToBeEnc -L5g sys
>>   echo 'sekret' | /bin/cryptsetup create Crypted /dev/sys/ToBeEnc
>>   mkfs -t reiser4 /dev/mapper/Crypted
>>   mount /dev/mapper/Crypted /some/where
>>
>> Obviously, the lvcreate and mkfs steps are just a one time step :)
> First, I did not say dm-crypt was hard to setup. I said I find it harder to be setup than loop-AES.

Yes, you're right. But since dm-crypt is so easy to setup with cryptsetup, I can't imagine how much easier you want to have it.

> Have you used both loop-AES and dm-crypt? I have.

No. dm-crypt is good enough for me. No need for something else.

Is it possible to encrypt the complete block device with loop-AES? Or does it only encrypt a file that's afterwards loop mounted?

> If you want to know what, specifically, I find more difficult about cryptsetup, it is the documentation.

Well.

> The grand sum of documentation available for dm-crypt/cryptsetup after doing an 'emerge cryptsetup' is cryptsetup --help.

Well. I didn't need more.

> And yes, I know there are better guides online, but it is not always possible to go online.

Well. Download the stuff and print it, or something. For me, it's always possible to go online.

> Also, I wanted to be able to change my password. With loop-AES, this is a simple matter of re-encrypting my key file with a new password. cryptsetup makes this more difficult. Not impossible, just more difficult.

Well, no. It IS impossible. You need to create a new crypted device.

> Also, echoing your password on a command line to cryptsetup is an extremely bad idea.
> If an attacker happens to be on your system at that moment, a simple 'ps' will show them your passphrase.

How?

  /bin/cryptsetup < file-with-passphrase

Where does the attacker see the passphrase?

Oh. You took my example way too literally. *echo*ing the password is an extremely bad idea. You're of course right. But in reality I of course don't do that. Further, I said that the password can be piped to cryptsetup.

Alexander Skwar
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Encripting /home
At 13:53, Sunday 31 July 2005, Alexander Skwar wrote:
> How?
>
>   /bin/cryptsetup < file-with-passphrase
>
> Where does the attacker see the passphrase?
>
> Oh. You took my example way too literally. *echo*ing the password is an extremely bad idea. You're of course right. But in reality I of course don't do that. Further, I said that the password can be piped to cryptsetup.

I did it: I wrote in /etc/conf.d/local.start:

  echo
  ebegin "Loading Shared device"
  /root/cshared.sh
  eend $? "Failed to load Shared device"

and the script cshared.sh is:

  #!/bin/bash
  /bin/cryptsetup -h ripemd160 -c aes create disc_hda /dev/hda3
  /bin/mount /shared

In the boot, the system stops at the local init service and waits for your password; just press enter and the system continues to boot!

Luigi
--
Public key GPG(0x073A0960) on http://keyserver.linux.it/
Re: [gentoo-user] Encripting /home
Alexander Skwar wrote:
> Is it possible to encrypt the complete block device with loop-AES? Or does it only encrypt a file that's afterwards loop mounted?

Yes. Everything that can be encrypted with dm-crypt can also be encrypted with loop-AES. For example, my laptop has two hard drives. I have a raid0 array with hda2 and hdd2. Loop-AES encrypts /dev/md0, giving me /dev/loop/0. That in turn is a physical volume for LVM2, which gives me the logical devices for all of my filesystems (except /boot, obviously) and swap.

> Oh. You took my example way too literally.

Yep. :-)

Cheers,
-Richard
Re: [gentoo-user] Encripting /home
Alexander Skwar wrote:
> Pupeno wrote:
>> On Wednesday 27 July 2005 20:54, Luigi Pinna wrote:
>>> I use the dm-crypt from the kernel
>> I've read that it is unsecure
> Where? And how is it insecure?

Some history: The original crypto-loop from 2.4 is very susceptible to watermark attacks, where the attacker can write known data to the disk, and look at the encrypted results, and then calculate the key from the two. Actually, the attacker doesn't even need to write data to the disk if he can make a good guess at what a particular block already contains, such as with filesystem superblocks.

Dm-crypt has some protection against this by using the sector number of the disk as an IV (initial vector) for the hash. This makes the attack more difficult, but not impossible, because the sector number is very predictable.

loop-AES can provide much more secure protection against watermark attacks in 'multi-key mode' by using a set of 64 keys that are rotated for the encryption. So an attacker must crack 64 keys, instead of just 1.

So dm-crypt today provides the same level of security as loop-AES in single key mode, which as I already stated in a previous email, should be sufficient for most people. However, you did ask how it was insecure! :-)

-Richard
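The watermark attack Richard describes above, worked through in code (an added example, not code from the thread and not dm-crypt's or loop-AES's own implementation; the same attack class comes up again further down the thread in the discussion of loop-AES multi-key mode). The script encrypts a two-sector file in CBC mode once with dm-crypt's predictable "plain" IV (the sector number) and once with an ESSIV-style IV (the sector number encrypted under a hash of the key), then runs a detector that sees only ciphertext. The block cipher is a stand-in: a four-round Feistel network whose round function is HMAC-SHA256, chosen so the script runs with the Python standard library alone. Which cipher is used does not matter to the attack; it only needs the IV to be computable without the key.

```python
"""Watermark attack on CBC disk encryption with a predictable (sector-number) IV,
and why an ESSIV-style IV defeats it.

Added example, not code from the thread or from dm-crypt/loop-AES. The block
cipher is a stand-in (a 4-round Feistel network round-keyed with HMAC-SHA256)
so the script runs offline without an AES library; the attack does not depend
on which cipher is used, only on the CBC IV being predictable by someone who
cannot read the key.
"""
import hashlib
import hmac
import os
import struct

BLOCK = 16    # cipher block size in bytes
SECTOR = 512  # disk sector size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher: balanced Feistel network (always a permutation)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


def iv_plain(_key: bytes, sector: int) -> bytes:
    """dm-crypt 'plain' IV: 32-bit little-endian sector number, zero padded.
    Anyone who knows where data sits on disk knows the IV."""
    return struct.pack("<I", sector & 0xFFFFFFFF).ljust(BLOCK, b"\0")


def iv_essiv(key: bytes, sector: int) -> bytes:
    """ESSIV: the sector number encrypted under a hash of the key (dm-crypt's
    cbc-essiv:sha256 does this with AES). Unpredictable without the key."""
    salt = hashlib.sha256(key).digest()
    return encrypt_block(salt, struct.pack("<Q", sector).ljust(BLOCK, b"\0"))


def cbc_encrypt_sector(key: bytes, sector: int, data: bytes, iv_fn) -> bytes:
    """CBC over one sector; the chain restarts at every sector, as disk encryption must."""
    prev = iv_fn(key, sector)
    out = []
    for off in range(0, SECTOR, BLOCK):
        prev = encrypt_block(key, xor(data[off:off + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def encrypt_disk(key: bytes, plaintext: bytes, iv_fn, first_sector: int) -> bytes:
    """Encrypt a whole number of sectors as if written starting at first_sector."""
    return b"".join(
        cbc_encrypt_sector(key, first_sector + n, plaintext[n * SECTOR:(n + 1) * SECTOR], iv_fn)
        for n in range(len(plaintext) // SECTOR)
    )


def watermarked_file() -> bytes:
    """Attacker-crafted two-sector file. For any even sector s, the plain IVs of
    s and s+1 differ only in the lowest bit of the first byte, so choosing
    P1 = P0 xor 0x01 makes P0 xor IV(s) == P1 xor IV(s+1): the first ciphertext
    blocks of the two sectors come out identical. No key is needed to build it."""
    p0 = b"A" * BLOCK
    p1 = xor(p0, b"\x01" + b"\0" * (BLOCK - 1))
    rest = b"A" * (SECTOR - BLOCK)
    return p0 + rest + p1 + rest


def find_watermark(ciphertext: bytes) -> list:
    """Ciphertext-only detector: adjacent sectors whose first CBC block is identical."""
    firsts = [ciphertext[n * SECTOR:n * SECTOR + BLOCK] for n in range(len(ciphertext) // SECTOR)]
    return [n for n in range(len(firsts) - 1) if firsts[n] == firsts[n + 1]]


if __name__ == "__main__":
    key = os.urandom(32)          # the victim's key; the attacker never sees it
    marked = watermarked_file()   # e.g. a file the attacker got the victim to store
    print("plain IV, file at even sector:", find_watermark(encrypt_disk(key, marked, iv_plain, 4096)))  # [0]
    print("plain IV, file at odd sector: ", find_watermark(encrypt_disk(key, marked, iv_plain, 4097)))  # []
    print("ESSIV,    file at even sector:", find_watermark(encrypt_disk(key, marked, iv_essiv, 4096)))  # []
```

The detector never recovers the key; what it recovers is the fact that a particular file is present on the encrypted disk, which is the point of the attack (plausible deniability is gone). The odd-sector case shows the attacker's one assumption, that the crafted pair lands on an even/odd sector boundary; a real watermark repeats the pattern over several pairs so that at least one lines up. With the ESSIV-style IV the two cipher inputs differ by a value the attacker cannot compute, so the two first blocks always differ. In dm-crypt terms this is the difference between the cipher specs aes-cbc-plain and aes-cbc-essiv:sha256.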
Re: [gentoo-user] Encripting /home
Alexander Skwar wrote:
> Richard Fish wrote:
>> Pupeno wrote:
>>> I use the dm-crypt from the kernel
>>> I've read that it is unsecure and I also read that it is not yet very well supported.
>> Dm-crypt is fairly well supported, since it is in the kernel, but I find it to be harder to setup
> hard to setup? How? What's hard about it? You just encrypt the block device and create an fs on it.
>
>   /sbin/lvcreate -nToBeEnc -L5g sys
>   echo 'sekret' | /bin/cryptsetup create Crypted /dev/sys/ToBeEnc
>   mkfs -t reiser4 /dev/mapper/Crypted
>   mount /dev/mapper/Crypted /some/where
>
> Obviously, the lvcreate and mkfs steps are just a one time step :)

First, I did not say dm-crypt was hard to setup. I said I find it harder to be setup than loop-AES. Please quote me correctly. :-)

Have you used both loop-AES and dm-crypt? I have.

If you want to know what, specifically, I find more difficult about cryptsetup, it is the documentation. The grand sum of documentation available for dm-crypt/cryptsetup after doing an 'emerge cryptsetup' is cryptsetup --help. Not terribly informative compared to man losetup or /usr/share/doc/loop-aes-3.0d/README.gz. And yes, I know there are better guides online, but it is not always possible to go online.

Also, I wanted to be able to change my password. With loop-AES, this is a simple matter of re-encrypting my key file with a new password. cryptsetup makes this more difficult. Not impossible, just more difficult.

<advice>
Also, echoing your password on a command line to cryptsetup is an extremely bad idea. If an attacker happens to be on your system at that moment, a simple 'ps' will show them your passphrase. Even if you are not worried about that, you should still take special precautions regarding the shell history file. Otherwise all someone has to do is crack your system while it is up and cat your .bash_history file.
</advice>

>> and less 'flexible' than loop-AES (the changing passphrase thing, for example).
> Any other example?

Sure:

o Ability to specify encryption parameters in fstab.
o Automatic cleanup of the encrypted device when the filesystem is unmounted.
o Additional security options, if someone really requires them.

-Richard
Re: [gentoo-user] Encripting /home
Alexander Skwar wrote:
> Richard Fish wrote:
>> So dm-crypt today provides the same level of security as loop-AES in single key mode, which as I already stated in a previous email, should be sufficient for most people. However, you did ask how it was insecure! :-)
> Yep, I did ask and I wish to thank you for your explanation! If I understood you right, the statement that dm-crypt is insecure is, as far as the usage pattern of most of the users will go, nothing but FUD.

Yep, FUD, or based on very outdated information, as early versions of dm-crypt had the same vulnerability as cryptoloop.

-Richard
Re: [gentoo-user] Encripting /home
I'm not sure if anyone has covered this, but the following pdf was very useful for me to encrypt my home dir: www.flyn.org/docs/ehd.pdf

The interesting part was using openssl to encrypt the key and then using your account's linux password to encrypt the openssl file. This way, you can change your account password without having to change the encrypted filesystem password/key (in the example, they create a very random key for the encrypted filesystem and then use pam_mount to automatically decrypt and mount the filesystems during login).

HTH,
-Hani
Re: [gentoo-user] Encripting /home
Pupeno wrote:
>> I use the dm-crypt from the kernel
> I've read that it is unsecure and I also read that it is not yet very well supported.

You read wrong. Dm-crypt *is* the encryption technique now used in the kernel, and it wasn't chosen out of a hat. What you do with it can make it insecure though, like a post-it with the password attached to the monitor ;-)

As for being supported, well if something is actually in the kernel itself (without patches), then it IS fully supported. Dm-crypt is fully supported since linux 2.6.4

Basically, as with any encryption, your secret is as safe as your password. There are of course tools to help you make your password even harder to crack, like hashalot, which basically sends your password through a pipe which hashes it into greek ;-)

> I know I don't need a key, but I do want a key (stored in a removable media) encrypted with a passphrase I will be able to change, or best, my wife can have the key protected with a different passphrase than I do. Beyond that, encrypting with a key is much better than doing that with a passphrase because the passphrase can be cracked (dictionary attack) while the key-encrypted that can't.

It seems what you are looking for with your key is probably a GPG key needed to unlock your drive. This is definitely possible, but you will have to do the research yourself. I do know there are tutorials to use gpg keys with encryption passwords etc... and iirc there was a tutorial for loop-AES too on their site. If you need this is another story. I know that gpg can have two separate keys to do the same thing, so I presume separate keys and passwords are an option, but I have never ventured down that lane, as I'm not that paranoid.

I use gpg myself for mailing, and encrypting certain files themselves, but I'm not paranoid enough to encrypt all my files with such heavy encryption. In fact, not even the US military is that bad. They now use 256bit AES encryption, which is the default of dm-crypt, and from an article I read it still would take them a couple of decades to crack.

I use dm-crypt on all three of my machines (laptop, workstation and server), but none of them are fully encrypted ~ just partitions (and in one case a looped back file acting as partition). All are mounted with a simple bash script I wrote to create the decrypted device link, ask the password, and mount the device link to the filesystem. This means that none of this is found in /etc/fstab either. Users who are allowed to mount (use that script) are added into sudoers.

Good luck ...

Ralph
Re: [gentoo-user] Encripting /home
On Friday 29 July 2005 04:13, Ralph Slooten wrote:
> Pupeno wrote:
>>> I use the dm-crypt from the kernel
>> I've read that it is unsecure and I also read that it is not yet very well supported.
> You read wrong. Dm-crypt *is* the encryption technique now used in the kernel, and it wasn't chosen out of a hat. What you do with it can make it insecure though, like a post-it with the password attached to the monitor ;-)
> As for being supported, well if something is actually in the kernel itself (without patches), then it IS fully supported. Dm-crypt is fully supported since linux 2.6.4

As I said in another message, what I read is that the userland tools weren't supporting dm-crypt properly. Probably I've read something that was outdated.

> Basically, as with any encryption, your secret is as safe as your password. There are of course tools to help you make your password even harder to crack, like hashalot, which basically sends your password through a pipe which hashes it into greek ;-)
>
>> I know I don't need a key, but I do want a key (stored in a removable media) encrypted with a passphrase I will be able to change, or best, my wife can have the key protected with a different passphrase than I do. Beyond that, encrypting with a key is much better than doing that with a passphrase because the passphrase can be cracked (dictionary attack) while the key-encrypted that can't.
>
> It seems what you are looking for with your key is probably a GPG key needed to unlock your drive. This is definitely possible, but you will have to do the research yourself. I do know there are tutorials to use gpg keys with encryption passwords etc... and iirc there was a tutorial for loop-AES too on their site. If you need this is another story. I know that gpg can have two separate keys to do the same thing, so I presume separate keys and passwords are an option, but I have never ventured down that lane, as I'm not that paranoid.
> I use gpg myself for mailing, and encrypting certain files themselves, but I'm not paranoid enough to encrypt all my files with such heavy encryption. In fact, not even the US military is that bad. They now use 256bit AES encryption, which is the default of dm-crypt, and from an article I read it still would take them a couple of decades to crack.

I didn't mean to use gpg to encrypt the whole file system, that would be insane. I mean that instead of using a password to encrypt, to use a generated key, which is stronger, and to encrypt that key with a password (and keep it on a removable media). But now that I think of it, I don't need that much security (Am I the only one that when reading about security gets paranoid?).

I'd like this: home to be encrypted in a way that can be mounted through fstab asking the passphrase at mount-time, with the possibility to change the password easily. I think that can be achieved by using a key and encrypting the key on cryptoloop, or it is simpler on loop-AES, because the passphrase can be changed easily, right? What about dm-crypt? is the passphrase changeable?

Thanks.
--
Pupeno [EMAIL PROTECTED] (http://pupeno.com)
Re: [gentoo-user] Encripting /home
> As I said in another message, what I read is that the userland tools weren't supporting dm-crypt properly. Probably I've read something that was outdated.

An old bug I believe. ATM there is nothing I know of that supports a bug or flaw in any way.

> I didn't mean to use gpg to encrypt the whole file system, that would be insane. I mean that instead of using a password to encrypt, to use a generated key, which is stronger, and to encrypt that key with a password (and keep it on a removable media). But now that I think of it, I don't need that much security (Am I the only one that when reading about security gets paranoid?).

I agree you don't need that much security, but no, you are not the only one paranoid ;-) I do not think however that any agency would spend more than 2 days trying to hack your computer without literally trying to force it out of you. If it's more serious than that, then I guess they suspect you of having all the plans/addresses of the taliban on your comp ;-) Then you're on your own, lol.

Either way, with plain old AES it's a matter of brute-force, and with dm-crypt the choice is up to you what hashing you use. What I mean with hashing is that your PW is sent through a whatever hash. The password passwd becomes kæ?GòÝ3e.!+1´¦G·Áç.??ñÓû (in plain ASCII through a sha256 bit system used by dm-crypt). Of course it's more complicated than that, but try getting just that password (the ascii version) with just plain text ;-) ... See you next century.

To give you an example: in Holland they can give you a maximum of 3 months jail sentence for something you refuse to co-operate on .. IE: the password to your filesystem. If you think the contents are worth more than 3 months jail sentence keep your mouth shut, else just tell them. They won't crack your system even if you use 265kbit encryption. Take the .. ummm what was it called... something with a cow-logo... it was like [EMAIL PROTECTED], they solved it, using thousands of computers all over the world, and it took quite some time (2 years or so? anyone?). The thing was, it was 56bit encryption ;-) 256bit is a little (actually a LOT) more.

> I'd like this: home to be encrypted in a way that can be mounted through fstab asking the passphrase at mount-time, with the possibility to change the password easily. I think that can be achieved by using a key and encrypting the key on cryptoloop, or it is simpler on loop-AES, because the passphrase can be changed easily, right? What about dm-crypt? is the passphrase changeable?

I believe with loop-AES, yes, but not with dm-crypt .. at least not yet. They are working on this, but I don't know how far they are. The thing is, does it need to be changed? This is for home use right? You and your spouse know the password, but how many others? A password of this measure does (IMHO) not need to be changed often at all, unless sent over an unencrypted line often.

As I believe I mentioned in my previous post (beer has gotten hold of me) I mount my partitions with a bash script. It just has a list of the commands (with some error-correction) saved as an executable file. Let's call it secdrive ... all I say is `secdrive on` and it mounts it, asking for the password, and `secdrive off` umounting it. Pretty much the same way as fstab, except no trace of it there, and what can't be seen there isn't noticed even (at least until they search your .bash_history files etc).

I hope this is actually of some relevance ;-) If you would like more info, I wrote a tutorial on http://axljab.homelinux.org/Encryption_-_dm-crypt , and if you want I can send you my bash script which you can modify to your needs.

Greetings
Ralph

PS: excuse the spelling mistakes. It wasn't my fault ;-)
Re: [gentoo-user] Encripting /home
Pupeno wrote:
> On Wednesday 27 July 2005 20:54, Luigi Pinna wrote:
>> I use the dm-crypt from the kernel
> I've read that it is unsecure

Where? And how is it insecure?

> Beyond that, encrypting with a key is much better than doing that with a passphrase because the passphrase can be cracked (dictionary attack) while the key-encrypted that can't.

Bollocks. With enough time, key-encrypted stuff can be broken into as well. Brute forcing is (theoretically) *ALWAYS* possible. So, if you make the password random enough, there's no risk. A few hundred chars should be sufficient - since you can easily pipe the passphrase to cryptsetup (and thus don't need to type it in manually), that's not a real problem.

Alexander Skwar
Re: [gentoo-user] Encripting /home
Richard Fish wrote:
> Pupeno wrote:
>> I use the dm-crypt from the kernel
>> I've read that it is unsecure and I also read that it is not yet very well supported.
> Dm-crypt is fairly well supported, since it is in the kernel, but I find it to be harder to setup

hard to setup? How? What's hard about it? You just encrypt the block device and create an fs on it.

  /sbin/lvcreate -nToBeEnc -L5g sys
  echo 'sekret' | /bin/cryptsetup create Crypted /dev/sys/ToBeEnc
  mkfs -t reiser4 /dev/mapper/Crypted
  mount /dev/mapper/Crypted /some/where

Obviously, the lvcreate and mkfs steps are just a one time step :)

> and less 'flexible' than loop-AES (the changing passphrase thing, for example).

Any other example?

> Well, technically, anything can be cracked given enough time and computing power.

Yep.

Alexander Skwar
Re: [gentoo-user] Encripting /home
Pupeno wrote:
> On Thursday 28 July 2005 02:54, Richard Fish wrote:
>> Pupeno wrote:
>>>> I use the dm-crypt from the kernel
>>> I've read that it is unsecure and I also read that it is not yet very well supported.
>> Dm-crypt is fairly well supported, since it is in the kernel, but I find it to be harder to setup and less 'flexible' than loop-AES (the changing passphrase thing, for example).
> I know it is in the kernel, but I've read that there weren't good userland tools to work with dm-crypt.

Well, there's only cryptsetup. It does all that's needed, is easy to use and flexible enough (for me). What's bad about cryptsetup?

> Maybe that has changed and Gentoo's userland tools can work with dm-crypt, what's the status of that?

?

>> Well, technically, anything can be cracked given enough time and computing power.
> Yes, ok. I should have added a 'practically' there somewhere.

Yep. And passphrases are *practically* just as unbreakable - if they are long and difficult enough. Like:

b^moe-.bw28Ge^[3Ru:M{0KR[es~#$TY~VRe+jJ{t0Ko+VSUeuW$e?'@hj!=]I^fa.lJ;lh4z}?-D5xBQ)F!W7fZ%X;7j'x[-:*_yZ6aGw`ZdIu-z|@,;3rP4'+np]pis47I;\9z|SqLHHhv

Alexander Skwar
Re: [gentoo-user] Encripting /home
On Thursday 28 July 2005 02:54, Richard Fish wrote:
> Pupeno wrote:
>>> I use the dm-crypt from the kernel
>> I've read that it is unsecure and I also read that it is not yet very well supported.
> Dm-crypt is fairly well supported, since it is in the kernel, but I find it to be harder to setup and less 'flexible' than loop-AES (the changing passphrase thing, for example).

I know it is in the kernel, but I've read that there weren't good userland tools to work with dm-crypt. Maybe that has changed and Gentoo's userland tools can work with dm-crypt, what's the status of that?
Regarding loop-AES I've read it needs some heavy patching here and there, I don't want to do any patching myself because I am likely to lose track of it.

> It provides roughly the equivalent security as loop-AES in single-key mode (where a single key is used to encrypt every block). loop-AES also supports multi-key mode, where 64 different keys are used to encrypt the blocks. Multi-key makes certain kinds of attacks (specifically, watermark) more difficult, but is slower. However, I seem to recall reading somewhere in the last couple of weeks that dm-crypt was also getting multi-key support...maybe in the mm-kernel, or for 2.6.13...

Single key is enough for me.

>> I know I don't need a key, but I do want a key (stored in a removable media) encrypted with a passphrase I will be able to change, or best, my wife can have the key protected with a different passphrase than I do. Beyond that, encrypting with a key is much better than doing that with a passphrase because the passphrase can be cracked (dictionary attack) while the key-encrypted that can't.
> Well, technically, anything can be cracked given enough time and computing power.

Yes, ok. I should have added a 'practically' there somewhere.

> For using different passwords, this is possible. You would need to encrypt the same key file with gpg to two different .gpg files... your wife can use one, and you can use the other. If the key files are stored on separate pieces of removable media, then you each have your own keys to the system.

That's the idea, that scheme plus the best supported method out of the box (or the net, hehehe). I believe it is cryptoloop, but I am not sure.

Thanks.
--
Pupeno [EMAIL PROTECTED] (http://pupeno.com)
Re: [gentoo-user] Encripting /home
Pupeno wrote:
> On Thursday 28 July 2005 02:54, Richard Fish wrote:
>> Pupeno wrote:
>>>> I use the dm-crypt from the kernel
>>> I've read that it is unsecure and I also read that it is not yet very well supported.
>> Dm-crypt is fairly well supported, since it is in the kernel, but I find it to be harder to setup and less 'flexible' than loop-AES (the changing passphrase thing, for example).
> I know it is in the kernel, but I've read that there weren't good userland tools to work with dm-crypt. Maybe that has changed and Gentoo's userland tools can work with dm-crypt, what's the status of that?

Personally, I find cryptsetup/dm-crypt to be much more difficult to use than losetup/mount. With loop-AES, I have my fstab setup to automatically enable the encryption and prompt for the password when certain filesystems are mounted (of course, that only works if running 'mount' from the command line, for now). I do not think this is possible with dm-crypt yet.

> Regarding loop-AES I've read it needs some heavy patching here and there, I don't want to do any patching myself because I am likely to lose track of it.

Gentoo already includes the necessary patches if you have USE=crypt. You just have to remember to do emerge loop-aes after each kernel upgrade to rebuild the kernel module.

> That's the idea, that scheme plus the best supported method out of the box (or the net, hehehe). I believe it is cryptoloop, but I am not sure.

No no no, cryptoloop is completely brain-damaged security, and AFAIK, out of the kernel. Loop-AES would be the logical successor to cryptoloop from a functional and setup standpoint.

-Richard
Re: [gentoo-user] Encripting /home
At 01:18, Thursday 28 July 2005, Pupeno wrote:
> Hello,
> I want to have the /home of my laptop encrypted, with an external key (in a CD or floppy, until I get a USB pen drive), specially to be able to change the passphrase easily and have various media with different passphrases and the same key (so, my wife can use her own passphrase), is this possible? It'll be the non written 13th item here: http://www.sdc.org/~leila/usb-dongle/readme.html, right?
> Any docs that explain how to achieve this (as close as possible to Gentoo)?
> Thanks.

I have my home encrypted... But I cannot change the passphrase!
I use the dm-crypt from the kernel
With these options, I can create a dynamic passphrase...

  /bin/cryptsetup -h ripemd160 -c aes create home /path/device

You don't need a key (that someone can keep and force) but the key is created from the passphrase: that means that without that word nothing works, but you need a good password (and please, don't write it on the monitor ;-) ...)

cryptsetup is in the portage tree, the dm-crypt option is in the kernel...

See you,
Luigi
--
Public key GPG(0x073A0960) on http://keyserver.linux.it/
Re: [gentoo-user] Encripting /home
On Wednesday 27 July 2005 07:54 pm, Luigi Pinna wrote:
> At 01:18, Thursday 28 July 2005, Pupeno wrote:
>> Hello,
>> I want to have the /home of my laptop encrypted, with an external key (in a CD or floppy, until I get a USB pen drive), specially to be able to change the passphrase easily and have various media with different passphrases and the same key (so, my wife can use her own passphrase), is this possible? It'll be the non written 13th item here: http://www.sdc.org/~leila/usb-dongle/readme.html, right?
>> Any docs that explain how to achieve this (as close as possible to Gentoo)?
>> Thanks.
>
> I have my home encrypted... But I cannot change the passphrase!
> I use the dm-crypt from the kernel
> With these options, I can create a dynamic passphrase...
>
>   /bin/cryptsetup -h ripemd160 -c aes create home /path/device
>
> You don't need a key (that someone can keep and force) but the key is created from the passphrase: that means that without that word nothing works, but you need a good password (and please, don't write it on the monitor ;-) ...)
>
> cryptsetup is in the portage tree, the dm-crypt option is in the kernel...
>
> See you,
> Luigi

On another twist, I was using my own cryptoloop setup until I tripped over encfs. I use it everywhere now, docs are on the home site of the encfs author.
Re: [gentoo-user] Encripting /home
On Wednesday 27 July 2005 20:54, Luigi Pinna wrote:
> At 01:18, Thursday 28 July 2005, Pupeno wrote:
>> Hello,
>> I want to have the /home of my laptop encrypted, with an external key (in a CD or floppy, until I get a USB pen drive), specially to be able to change the passphrase easily and have various media with different passphrases and the same key (so, my wife can use her own passphrase), is this possible? It'll be the non written 13th item here: http://www.sdc.org/~leila/usb-dongle/readme.html, right?
>> Any docs that explain how to achieve this (as close as possible to Gentoo)?
>> Thanks.
>
> I have my home encrypted... But I cannot change the passphrase!

I don't want a fixed passphrase.

> I use the dm-crypt from the kernel

I've read that it is unsecure and I also read that it is not yet very well supported.

> With these options, I can create a dynamic passphrase...

What is a dynamic passphrase?

> You don't need a key (that someone can keep and force) but the key is created from the passphrase: that means that without that word nothing works, but you need a good password (and please, don't write it on the monitor ;-) ...)

I know I don't need a key, but I do want a key (stored in a removable media) encrypted with a passphrase I will be able to change, or best, my wife can have the key protected with a different passphrase than I do. Beyond that, encrypting with a key is much better than doing that with a passphrase because the passphrase can be cracked (dictionary attack) while the key-encrypted that can't.

Thanks.
--
Pupeno [EMAIL PROTECTED] (http://pupeno.com)
Re: [gentoo-user] Encripting /home
Pupeno wrote:
> Hello,
> I want to have the /home of my laptop encrypted, with an external key (in a CD or floppy, until I get a USB pen drive), specially to be able to change the passphrase easily and have various media with different passphrases and the same key (so, my wife can use her own passphrase), is this possible? It'll be the non written 13th item here: http://www.sdc.org/~leila/usb-dongle/readme.html, right?
> Any docs that explain how to achieve this (as close as possible to Gentoo)?
> Thanks.

I use loop-aes to encrypt all filesystems. It is very secure and very fast. If you have USE=crypt, Gentoo already has support for it in the mount and losetup commands. You just need the kernel module (emerge loop-aes). After you emerge it, read the documentation at /usr/share/doc/loop-aes-*/README.gz

-Richard
Re: [gentoo-user] Encripting /home
Pupeno wrote:
>> I use the dm-crypt from the kernel
> I've read that it is unsecure and I also read that it is not yet very well supported.

Dm-crypt is fairly well supported, since it is in the kernel, but I find it to be harder to setup and less 'flexible' than loop-AES (the changing passphrase thing, for example). It provides roughly the equivalent security as loop-AES in single-key mode (where a single key is used to encrypt every block). loop-AES also supports multi-key mode, where 64 different keys are used to encrypt the blocks. Multi-key makes certain kinds of attacks (specifically, watermark) more difficult, but is slower. However, I seem to recall reading somewhere in the last couple of weeks that dm-crypt was also getting multi-key support...maybe in the mm-kernel, or for 2.6.13...

Now, I doubt that most people actually _need_ the extra security of multi-key encryption. Personally I run loop-AES in single-key mode because it is faster than multi-key. Plus someone willing to go through the effort of cracking multi-key encryption would find it much easier to simply make a credible physical threat, and I will happily give them my password!! :-)

> I know I don't need a key, but I do want a key (stored in a removable media) encrypted with a passphrase I will be able to change, or best, my wife can have the key protected with a different passphrase than I do. Beyond that, encrypting with a key is much better than doing that with a passphrase because the passphrase can be cracked (dictionary attack) while the key-encrypted that can't.

Well, technically, anything can be cracked given enough time and computing power.

For using different passwords, this is possible. You would need to encrypt the same key file with gpg to two different .gpg files... your wife can use one, and you can use the other. If the key files are stored on separate pieces of removable media, then you each have your own keys to the system.

-Richard
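The scheme Richard describes here, which is also what Hani's openssl-encrypted key file and Pupeno's "generated key, encrypted with a password" ask for earlier in the thread: one random key actually encrypts the filesystem, and that key is stored wrapped separately under each person's passphrase, so changing a passphrase or adding a second person re-encrypts a few dozen bytes rather than the disk. The code below is an added example, not code from the thread and not gpg's, cryptsetup's or loop-AES's; the function names new_keyfile, add_user, change_passphrase and unlock, and the dict layout of the "key file", are this example's own. The wrap is done with standard-library primitives so it runs offline: PBKDF2-HMAC-SHA256 turns the passphrase into a key-encryption key, HMAC-SHA256 in counter mode stands in for a stream cipher, and an HMAC tag makes a wrong passphrase fail cleanly instead of yielding garbage (with gpg or a LUKS key slot the wrapping cipher would be AES; the structure is the same).

```python
"""One random master key, several passphrases.

Added example, not code from the thread or from cryptsetup, loop-AES or gpg.
It implements the scheme the thread describes (a key file encrypted separately
for each person, re-encrypted to change a passphrase) in pure Python so it runs
offline. PBKDF2-HMAC-SHA256 derives a key-encryption key from the passphrase;
HMAC-SHA256 in counter mode is the stream cipher (a stand-in for AES-CTR); an
HMAC tag over salt, nonce and ciphertext detects a wrong passphrase.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

MASTER_KEY_LEN = 32          # the key the disk cipher actually uses
PBKDF2_ITERATIONS = 100_000  # cost per guess in a dictionary attack; raise as hardware allows

Slot = Dict[str, bytes]
KeyFile = Dict[str, Slot]    # user name -> slot wrapping the same master key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 driven counter mode: a PRF keystream, XORed with the data."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive(passphrase: str, salt: bytes):
    """Slow passphrase-to-key derivation; returns separate encryption and MAC keys."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64)
    return kek[:32], kek[32:]


def wrap(master_key: bytes, passphrase: str) -> Slot:
    """Encrypt the master key under a key derived from one passphrase (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(master_key, _keystream(enc_key, nonce, len(master_key))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap(slot: Slot, passphrase: str) -> Optional[bytes]:
    """Return the master key, or None if the passphrase is wrong (the tag does not verify)."""
    enc_key, mac_key = _derive(passphrase, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["ct"], _keystream(enc_key, slot["nonce"], len(slot["ct"]))))


def new_keyfile(owner: str, passphrase: str) -> KeyFile:
    """Generate the master key once; the filesystem is encrypted with it and never re-keyed."""
    return {owner: wrap(os.urandom(MASTER_KEY_LEN), passphrase)}


def unlock(keyfile: KeyFile, user: str, passphrase: str) -> Optional[bytes]:
    """What a mount script does: recover the master key for the disk cipher."""
    slot = keyfile.get(user)
    return unwrap(slot, passphrase) if slot else None


def add_user(keyfile: KeyFile, unlocking_user: str, unlocking_pass: str,
             new_user: str, new_pass: str) -> bool:
    """A second person gets their own passphrase for the same master key."""
    master = unlock(keyfile, unlocking_user, unlocking_pass)
    if master is None:
        return False
    keyfile[new_user] = wrap(master, new_pass)
    return True


def change_passphrase(keyfile: KeyFile, user: str, old_pass: str, new_pass: str) -> bool:
    """Re-wrap only this user's slot; other users and the encrypted data are untouched."""
    master = unlock(keyfile, user, old_pass)
    if master is None:
        return False
    keyfile[user] = wrap(master, new_pass)
    return True


if __name__ == "__main__":
    kf = new_keyfile("alexander", "correct horse")          # constructed sample passphrases
    add_user(kf, "alexander", "correct horse", "spouse", "battery staple")
    change_passphrase(kf, "alexander", "correct horse", "new passphrase")
    same = unlock(kf, "alexander", "new passphrase") == unlock(kf, "spouse", "battery staple")
    print("both passphrases unlock the same master key:", same)   # True
    print("old passphrase still works:", unlock(kf, "alexander", "correct horse") is not None)  # False
```

Two design points carry over to the real tools. The filesystem only ever sees the 32-byte master key, so a passphrase change never touches the disk and a passphrase can be as short as the slow KDF makes safe; the passphrase-guessing cost lives in PBKDF2_ITERATIONS, which is the knob to raise. And the recovered master key should reach the disk cipher through a key file or a pipe (cryptsetup's --key-file), never as a command-line argument, for the ps and .bash_history reasons Richard gives above.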