[Grml] disk partition encryption roadmap

Thomas Köhler jean-luc at picard.franken.de
Wed Jan 26 10:56:51 CET 2011


T o n g wrote:
> Hi,
> 
> I'm thinking of doing the disk partition encryption now.

[...]

> - First very noob question, I don't want whole disk encryption, just want 
> to encrypt some selected already partitioned partitions. If someone mounts 
> the encrypted partitions, will they show up as empty, or are there some 
> hints that the partition has been encrypted? 

It depends. Mounting will just fail, or the mount command will
ask for the passphrase.
Truecrypt has the feature of hidden containers, so it shouldn't be
possible to see if there is encrypted data in that case, but I've
never tried that myself.

> - The Ubuntu [3] and CentOS [4] seem to endorse dm-crypt, instead of 
> cryptsetup-luks that grml-crypt uses. So I need a bit of explanation why 
> it is better than others. 

man cryptsetup says:
   cryptsetup - setup cryptographic volumes for dm-crypt
   (including LUKS extension).
So cryptsetup is just a wrapper around dm-crypt which means
technically they're the same.

> - In terms of encryption used, TrueCrypt supports the following 
> encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-
> Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these 
> hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]
> 
> 5. http://www.informit.com/articles/article.aspx?p=1276279
> 
> So I need a bit of explanation why the chosen algorithm is better than 
> others. 

I use the grml-crypt's defaults because I trust they are OK.

It's a hard task to say "that algorithm is better than that other
one" if you're not a specialist in the crypto area. The
mathematics behind the different algorithms is hard, the
implementation details are even harder. :)
A rule of thumb: Use default algorithms (someone with (hopefully)
more knowledge than you trusts in them).

> - Is your choice as cross-platform as TrueCrypt?

My choice is grml-crypt, because I only use debian-based systems
anyway. In case grml-crypt is not there yet, a simple

   git clone git://git.grml.org/grml-crypt.git

will do for me.

> - Since I need to encrypt more than one selected partition, is there any 
> alternative to typing in passphrase for each one of them when mounting 
> them?

You can set up /etc/crypttab to contain a key file that contains
the passphrase. But then you should make sure that key file
resides on an encrypted partition itself and only root can read
it :-)

> - How are passphrases cached? Do I have to repeatedly type in the passphrase  
> each time I do the mount? I also heard of passphrase-less disk 
> encryptions. Hmm... I don't want to go there so maybe I can skip that.

See above for /etc/crypttab :)
Passphrase-less disk encryption is useless. Everybody can still
read your data, so it just costs performance. Don't do it.

> BTW, I just need a mini how-to about disk encryption, it does not need to 
> be in-depth or comprehensive but rather short and to the point, to allow 
> anyone with a minimum of linux disk encryption knowledge to create 
> encrypted memory sticks, USB disks, or partitions in minutes.

Linux disk encryption in 4 commands:
# get grml-crypt :)
git clone git://git.grml.org/grml-crypt.git
# create encrypted partition, format it with ext3
grml-crypt -vvv -text3 format /dev/sdaX
# mount encrypted partition
grml-crypt -vvv -F mount /dev/sdaX /mnt/test
# umount encrypted partition
grml-crypt -vvv stop /mnt/test

You can skip the -vvv part if you don't want to see what happens
in every shining detail.

> Thanks a lot. 

Bye,
Thomas

-- 
 Thomas Köhler       Email:       jean-luc at picard.franken.de
     <><             WWW:              http://gott-gehabt.de
                     IRC:                           tkoehler
                     PGP public key available from Homepage!
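Added example (not from the mail above and not grml-crypt's own code): shell helpers for the /etc/crypttab key-file approach Thomas describes, generating a crypttab entry and checking that the key file is readable by its owner only. The volume name, device and key path are placeholders; GNU stat is assumed for the mode check.

```shell
#!/bin/sh
# make_keyfile FILE : create a 512-byte random key file that only its
# owner can read (umask is changed in a subshell so the caller's is untouched)
make_keyfile() {
  ( umask 077 && dd if=/dev/urandom of="$1" bs=512 count=1 2>/dev/null ) \
    && chmod 0400 "$1"
}

# keyfile_mode_ok FILE : succeed only if FILE exists as a regular file
# and its mode is 0400 or 0600, i.e. no group/other read access.
# Assumes GNU stat (-c %a prints the octal mode).
keyfile_mode_ok() {
  [ -f "$1" ] || return 1
  case "$(stat -c %a "$1")" in
    400|600) return 0 ;;
    *)       return 1 ;;
  esac
}

# crypttab_line NAME DEVICE KEYFILE : print the /etc/crypttab entry that
# unlocks DEVICE as /dev/mapper/NAME with KEYFILE at boot.
# Field order is: target name, source device, key file, options.
crypttab_line() {
  printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# Example run with placeholder names (not a real device on any system):
#   make_keyfile /root/keys/cdata.key
#   keyfile_mode_ok /root/keys/cdata.key && \
#     crypttab_line cdata /dev/sdaX /root/keys/cdata.key >> /etc/crypttab
```

As in the reply, the key file should itself live on an encrypted partition; the mode check here only catches the world-readable case, not a key file sitting on plaintext storage.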