 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
On Sun, Apr 24, 2005 at 02:41:43AM -0400, David Kramer wrote: > Who has had positive experience with one of these? When searching > for info about encrypted filesystems, 95% of them seem to be either > mostly working but abandoned, or partly started then mostly > abandoned. Many also require a kernel recompile, which I would > rather not do. There's a lot of outdated documentation out there... I've personally had a lot of success with stuff like this: http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html These days the kernel has all the required encryption code already included, so you shouldn't need to patch your kernel to get this working. You may require a recompile though. Note that I haven't actually set one of these up since before the kernel included encryption code, so I'm not sure how much the instructions would need to be modified... > I'm looking into this for two reasons. I would like to have encrypted > content on my server, and I would like to have encrypted content on my USB > pen drive (Sandisk 1GB). I've been meaning to get around to doing this too. Most of the data on my pen drive isn't sensitive, but there are a few things that are... > But it did work. I created a file-based filesystem: > dd if=/dev/zero bs=1MB count=200 of=testfs > mke2fs -v testfs > mount -o loop testfs /mnt/uni You really should use /dev/random instead of /dev/zero... Encryption experts can explain why better than I can, but basically I think it has to do with entropy. All the zeros make your filesystem easier to crack. > Then I put stuff on it. It worked just like a regular filesystem on a > partition. Then I unmounted it. > > I tried gpg --encrypt-files -r david at thekramers.net testfs > That worked at acceptable speed. The big downside is that I would have to > carry around by secret keyring. Is that a safe thing to do? Well, it's encrypted, and requires your passphrase to decrypt, so it's reasonably secure. You've just announce to us all publicly that you're carrying it around though, so if unsavory characters had any reason to believe that you had sensitive data of value to them, you might be risking this sort of attack on your person: http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm I think, though, that you have nothing to worry about, pragmatically speaking. ;-) However, if I understand correctly what you're doing, this filesystem is apparently only encrypted while you're not using it. Thus an attacker who could gain access to your machine may be able to gain access to the files very easily while you *are* using it. A truly encrypted filesystem requires going through the kernel to decrypt it, which means you also have to go through all of the kernel's access mechanisms (i.e. Unix permissions, etc.) to get at the files. One could arge that it's no different, but I still feel like having the filesystem encrypted while it's in use is a little safer. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02 -=-=-=-=- This message is posted from an invalid address. Replying to it will result in undeliverable mail. Sorry for the inconvenience. Thank the spammers. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <http://lists.blu.org/pipermail/discuss/attachments/20050424/666d4fe7/attachment.sig>
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
