Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
On Sun, Apr 24, 2005 at 02:41:43AM -0400, David Kramer wrote: > Who has had positive experience with one of these? I periodically want to encrypt all hell out of everything (boot partitions, data partitions, swap space, suspend-to-disk data, etc.), I then investigate my options, and don't like what I find. You have me looking again, at least at this smaller problem. This seems to work for me to have a single encrypted file-based partition: $ dd if=/dev/urandom of=file bs=1024k count=10 # losetup -e aes-256 /dev/loop0 file Password: # mkfs -t ext3 /dev/loop0 # losetup -d /dev/loop0 # mount -o encryption=aes-256 file /mnt/loop/ Password: But it likely requires the kernel compile you want to avoid. > I'm looking into this for two reasons. I would like to have > encrypted content on my server, Why? If you want to protect against someone with physical or root access to your server, an encrypted partition will help you the first time the bad guy gets in, but if the bad guy starts logging what you do s/he can get your passphrase the next time you type it. Or access your data next time you mount it. > and I would like to have encrypted content on my USB pen drive > (Sandisk 1GB). Handy if you only type your passphrase on a keyboard and computer you trust isn't spying on you. Encrypting data on a notebook or thumb drive will keep the guy who steals it from getting at the data--assuming you don't sleep your notebook with the encrypted partition mounted. If someone sneaks some spyware onto your notebook while you aren't looking the same keystroke logging will bust you then. (Or, the root kit can just quietly grab contents next time you mount it.) If the bad guy gets a copy of your encrypted data (and is motivated and skilled), will you have a strong enough passphrase? These days a passphrase with fewer than 90-bits worth of entropy in it is not good enough against a motivated foe with resources (say, if the Feds think you know where Bin Laden is). In my above example I did a passphrase with about 74-bits of entropy in it and it is long (4 randomly chosen english words plus 8 randomly chosen hex characters), I don't have it memorized yet, and once I do remember it, if I don't use it often, I will forget it. And what happens the day you are pulled aside at customs or airport security and are ordered to type in your passphrase? What do you do? Do you care if they see your data? (How much do you care?) Finally, worry about corruption. Munge a few bytes in your encrypted file, the unencrypted changes will spray all over the place, and fsck will not be able to help you. That said, go for it. If you are entrusted with the personal data of others, definitely encrypt it. -kb, the Kent who can frequently point out the dark side.
BLU is a member of BostonUserGroups | |
We also thank MIT for the use of their facilities. |