[Chaos CD]
[Datenschleuder] [68+69]    Encrypting your Disks with Linux
[Gescannte Version] [ -- ] [ ++ ] [Suchen]  

 

Encrypting your Disks with Linux

There are many reasons to encrypt your disks. Encryption can be much more secure than physical security. By using an encrypted disk you can defeat the attacks done by power-cycling your machine, booting from another volume and mounting your partitions. Encryption can keep the person which stole your Laptop from poking around in your files.

There are more than half a dozen approaches towards encrypting your disks with Linux:

  1. Loopback Encryption

  2. Encrypted Home Directorys

  3. CFS - Cryptographic File System

  4. TCFS - Transparent Cryptographic Filesystem

  5. ppdd - Practical Privacy Disc Driver

  6. sfs - Steganographic File System for Linux

  7. StegFS - A Steganographic File System for Linux

  8. Cryptfs

  9. BestCrypt

  10. Virtual Private Disk The Kernel Loopback Encrypting

The Kernel loopback encryption is the classic method of encrypting partitions with Linux. The loopback patch is based on the BSD loopback encryption and was ported by some prominent cypherpunks if I remember correctly. There used to be some Steganographic patches to it which allowed you to mount an audio file as a filesystem and your Data in the lower bits of that audio file. Cool stuff, but this Steganographic part somehow got lost in the 2.2 Upgrade.

To use the encrypting loopback device you have to patch the code into the kernel and then build a patched losetup. Patching the kernel is straight forward because you can use the international kernel patch at http://www.kerneli.org but when building the new losetup you must be careful not to mess with the other tools of util-linux since it can screw up your system badly.

The new loopback encryption patches can use a wide choice of ciphers (DFC, MARS, RC6, Serpent, CAST 128, IDEA, Twofish, Blowfish, but not all ciphers work).

Encrypted Home Directorys Patch

Id Est has patched login so that it enables the user to have multiple encrypted home directorys using the loopback encryption without too much hassle. From his README:

If your home directory begins with "/crypt/", the following happens when you log in:

  • a free loop device is found.

  • you're asked for the size of your home directory (4/8/16/32/64/128/256/512/1024 MB).

  • once you've selected a size, a nMB-sized file named "/crypt/(your-id)" is created (ie. /crypt/101).

  • you are asked for a passphrase and given your choice of encryption algorithm.

  • if this is the first time you've logged in, the password you gave is one-way hashed and put into the file "/crypt/(your uid).x", or

  • compared against the contents of that file otherwise. If the given passphrase(s) don't match, you get bounced out at this point.

  • the loop device is set up using the previously created file and the passphrase you supplied.

  • if this is the first time through, a ext2 filesystem is created on the loop device, otherwise the filesystem is checked for errors.

  • if no errors are found, the filesystem is mounted on the loop device and you can proceed normally.

  • if you're logged in and you log in again from another VT, you're asked for the passphrase, which is compared against the stored - passphrase, and if they match, you can proceed. this is to stop somebody who knows your login password, but not your EHD - passphrase from piggybacking into your directory.

  • when you log out the last time, the filesystem is unmounted and the loop device is freed.

If you use the loopback encryption ehd is a very nice to make encryption easy to use even on a multiuser machine. But you should keep in mind that disk encryption doesn't help if you are using the machine at the same time with different users. So ehd practically only adds security if you use a stand alone machine. Besides security considerations you can't use ehd on a machine with remote-login enabled since ehd doesn't Support ssh and su.

CFS - Cryptographic File System

CFS is the first free UNIX disk encryption program hacked by Matt Blaze. It hooks into nfs so one feature of cfs is the fact that you don't have to fiddle with the kernel to get it running and cfs is more portable among UNIXes than the other solutions. Another nice thing is that you can use cfs over nfs so that your files won't be transmitted in clear text over the wire.You can find more about the working of cfs by reading the Cryptographic File System under Linux HOW-TO or "A Cryptographic File System for Unix" by Matt Blaze.

CFS supports DES which is insecure because the key is to short, 3DES which can be considered secure but is painfully slow, MacGuffin which is broken and SAFER-SK128 which has a unusual design and is designed by some NSA buddys at Cylink - enough reason not to fully trust this algorithm. But darkstar@frop.org was kind enough to hack Blowfish into cfs and Matt Blaze integrated it into cfs 1.3.4.

The main problem of cfs even with blowfish is the lack of speed. This results in the cfs being an user space daemon forcing the data to be copied several times between kernel- and user space. If you want to encrypt large amounts of data expect a significant performance penalty when using cfs.

TCFS - Transparent Cryptographic Filesystem

TCFS which is developed at the University of Salerno, Italy Claims to improve Matt Blaze's CFS by providing deeper integration between the encryption Service and the file System which results in a complete transparency of use to the user applications. But the developers seem to focus much more than Matt Blaze on substituting nfs. A nice feature of TCFS is that it will allow you to securely share files among the members of a group. On big misfeatures of TCFS is the Fact that it needs kernel patches and that the patches are still made for the now obsolete 2.0.x Kernel. Nevertheless TCFS is under active Development. Another problem with TCFS is that it only supports minimal (read: no) key management. There is some Placebo-key management delivered with TCFS but this is next to nothing using only the login passwort to decrypt the key. To learn more about TCFS, read the TCFS-FAQ. Since it is from Italy which is part of the free worid, you can downioad it without any problems, go to the TCFS Homepage.

ppdd - Practical Privacy Disc Driver et al.

Go to http://drt.ailis.de/crypto/linux-disk.html "Doobee R. Tzeck" <doobee@ccc.de>

 

  [Chaos CD]
[Datenschleuder] [68+69]    Encrypting your Disks with Linux
[Gescannte Version] [ -- ] [ ++ ] [Suchen]