BeteNoire Veteran
Joined: 25 Sep 2005 Posts: 1827
Posted: Sun Feb 07, 2010 3:46 pm Post subject: [SOLVED] Encrypting filesystem - what and how?
Better late than never - I've decided to encrypt some partitions on my systems.
The question is - what filesystem and what encrypting utility should I use?
I need to encrypt a 150 GiB multimedia partition with my private data, which 95% of the time is only for reading. What filesystem should I use? Until now it was an xfs-formatted partition, as some benchmark told me it is the most stable and efficient for large partitions with big files - from a few MiB to a few GiB. Now I'm in doubt whether xfs will work correctly when encrypted.
I want to encrypt the /home partitions too, which are all reiserfs formatted. These are mostly small, few-GiB partitions used to store configs, emails, docs and some other private data in tiny files.
And the basic thing - what encrypting utility should I use? Which one is the most stable and efficient? I am not a tester so I need a trusty solution. _________________ powered by power plant
Last edited by BeteNoire on Mon Apr 05, 2010 8:44 am; edited 1 time in total

d2_racing Moderator
Joined: 25 Apr 2005 Posts: 12849 Location: Ste-Foy,Canada
Posted: Sun Feb 07, 2010 3:53 pm Post subject:
I will double check this thread for sure, because I have no idea on how to do that  _________________ Sysadmin of Funtoo-Québec.org
Wiki
Signature
IRC on Freenode : #funtoo-quebec

Rexilion l33t
Joined: 17 Mar 2009 Posts: 961
Posted: Sun Feb 07, 2010 4:20 pm Post subject: Re: Encrypting filesystem - what and how?
| d2_racing wrote: | I will double check this thread for sure, because I have no idea on how to do that  |
???
| BeteNoire wrote: | Better late than never - I've decided to encrypt some partitions on my systems.
The question is - what filesystem and what encrypting utility should I use?
I need to encrypt a 150 GiB multimedia partition with my private data, which 95% of the time is only for reading. What filesystem should I use? Until now it was an xfs-formatted partition, as some benchmark told me it is the most stable and efficient for large partitions with big files - from a few MiB to a few GiB. Now I'm in doubt whether xfs will work correctly when encrypted.
I want to encrypt the /home partitions too, which are all reiserfs formatted. These are mostly small, few-GiB partitions used to store configs, emails, docs and some other private data in tiny files.
And the basic thing - what encrypting utility should I use? Which one is the most stable and efficient? I am not a tester so I need a trusty solution. |
I use luks for encryption, why?
- Allows you to use your own filesystem (ext{2,3,4}, xfs etc etc) (seems like an important feature to you)
- Not distro specific (i.e. Ubuntu encrypts home directories with ecryptfs, I have no idea on how to move that to gentoo)
- Luks however works in every distro without having to remember all sorts of parameters and comparing versions (the format is stable/universal).
- All parameters required for decrypting the partition are stored in the partition header (no need for you to specify any unlike ecryptfs)
- It's stable
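
The point above that the LUKS header itself carries the parameters needed to open the volume, shown as an added example that is not part of the original posts: a parser for the LUKS1 on-disk header, the format in use at the time of this thread. The header bytes are constructed in `build_sample_header`, and all function and field names are this example's own.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD  # LUKS1 key-slot state markers
# Big-endian LUKS1 layout: fixed fields (208 bytes) followed by 8 key slots (48 bytes each).
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")

def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(blob):
    """Return the unlock parameters stored in the first 592 bytes of a LUKS1 volume."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("truncated header")
    (magic, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     _digest, _digest_salt, _digest_iter, uuid) = PHDR.unpack_from(blob, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        state, iterations, _salt, offset, stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        slots.append({"slot": i, "active": state == SLOT_ACTIVE,
                      "iterations": iterations, "offset": offset, "stripes": stripes})
    return {"cipher": _text(cipher), "mode": _text(mode), "hash": _text(hash_spec),
            "key_bytes": key_bytes, "payload_offset": payload_offset,
            "uuid": _text(uuid), "slots": slots}

def build_sample_header():
    """Constructed header for the demo: aes / cbc-essiv:sha256, 256-bit key, slot 0 in use."""
    blob = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 2056, 32,
                     bytes(20), bytes(32), 10000,
                     b"00000000-0000-4000-8000-000000000001")
    for i in range(8):
        state = SLOT_ACTIVE if i == 0 else SLOT_DISABLED
        iterations = 120000 if i == 0 else 0
        blob += SLOT.pack(state, iterations, bytes(32), 8 + i * 256, 4000)
    return blob

if __name__ == "__main__":
    info = parse_luks1_header(build_sample_header())
    print(info["cipher"], info["mode"], info["hash"], info["key_bytes"] * 8, "bit key")
    print("payload starts at sector", info["payload_offset"])
    print("active key slots:", [s["slot"] for s in info["slots"] if s["active"]])
```

Because the key slots live only in this header, a damaged or overwritten header makes the volume unrecoverable even with the correct passphrase; `cryptsetup luksHeaderBackup` saves a copy.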

zyko l33t
Joined: 01 Jun 2008 Posts: 617 Location: Munich, Germany
Posted: Mon Feb 08, 2010 4:00 pm Post subject:
Definitely dm_crypt with LUKS. The front end utility you need is sys-fs/cryptsetup. Google for some tutorials, there are a lot.

pdr Guru
Joined: 20 Mar 2004 Posts: 548
Posted: Mon Feb 08, 2010 4:16 pm Post subject:
Already supported by baselayout. Check out /etc/conf.d/dmcrypt
For example I encrypt my home directory. File contains:
Code:
target=home
source=/dev/sda5
When booting, while you are getting the green "OK" at the right, it will stop and prompt for the luks passphrase - then do a luksOpen to create (in my case) /dev/mapper/home and then mount that to /home. I think you can use a key on a thumb drive or something, but I use a passphrase. You can also uncomment a line in there to encrypt your swap (to, for example, make sure a copy of your passphrase doesn't end up in there unencrypted).
Last edited by pdr on Mon Feb 08, 2010 4:16 pm; edited 1 time in total

NathanZachary Moderator
Joined: 30 Jan 2007 Posts: 2277 Location: /home/zach
Posted: Mon Feb 08, 2010 4:16 pm Post subject:
Is TrueCrypt not recommended much anymore? _________________ “Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---

d2_racing Moderator
Joined: 25 Apr 2005 Posts: 12849 Location: Ste-Foy,Canada
Posted: Mon Feb 08, 2010 5:45 pm Post subject:
Yeah, I don't see it much nowadays. _________________ Sysadmin of Funtoo-Québec.org
Wiki
Signature
IRC on Freenode : #funtoo-quebec

pigeon768 l33t
Joined: 02 Jan 2006 Posts: 617
Posted: Tue Feb 09, 2010 8:11 am Post subject: Re: Encrypting filesystem - what and how?
| BeteNoire wrote: | The question is - what filesystem and what encrypting utility should I use? |
I use ext4 on top of dm-crypt+luks (I use cryptsetup as a frontend) and it works great.
I don't see why xfs or any other filesystem wouldn't work. dm_crypt uses the same block interface that lvm or mdraid use. It shouldn't be any different than a normal block device. _________________ My political bias.

WastingBody Tux's lil' helper
Joined: 09 May 2008 Posts: 105
Posted: Tue Feb 09, 2010 4:30 pm Post subject:
If you don't want to enter an extra password to mount an encrypted volume you can use pam_mount. Pam_mount will mount a specified volume when the user logs in via a login manager or a terminal.

zyko l33t
Joined: 01 Jun 2008 Posts: 617 Location: Munich, Germany
Posted: Tue Feb 09, 2010 5:14 pm Post subject:
| Quote: | Is TrueCrypt not recommended much anymore? |
Without going into too much detail: There are several peculiarities about the TrueCrypt project. For example, TrueCrypt doesn't seem to have a public bugtracker or viable changelogs, which is strange for such a security-sensitive piece of software. I'd say TrueCrypt is the worst choice among all open-source solutions due to its lack of transparency.

d2_racing Moderator
Joined: 25 Apr 2005 Posts: 12849 Location: Ste-Foy,Canada
Posted: Tue Feb 09, 2010 8:36 pm Post subject:
Thanks for the info, I understand a little bit more why we don't see that much on the forum. _________________ Sysadmin of Funtoo-Québec.org
Wiki
Signature
IRC on Freenode : #funtoo-quebec

bobspencer123 Guru
Joined: 19 Dec 2005 Posts: 541

NathanZachary Moderator
Joined: 30 Jan 2007 Posts: 2277 Location: /home/zach
Posted: Wed Feb 10, 2010 12:15 am Post subject:
| zyko wrote: | | Quote: | Is TrueCrypt not recommended much anymore? |
Without going into too much detail: There are several peculiarities about the TrueCrypt project. For example, TrueCrypt doesn't seem to have a public bugtracker or viable changelogs, which is strange for such a security-sensitive piece of software. I'd say TrueCrypt is the worst choice among all open-source solutions due to its lack of transparency. |
Thank you very much for the explanation. I had never even noticed these deficits! I will look into LUKS+dm_crypt and further information. _________________ “Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---

d2_racing Moderator
Joined: 25 Apr 2005 Posts: 12849 Location: Ste-Foy,Canada
Posted: Wed Feb 10, 2010 12:56 pm Post subject:
@bobspencer123, thanks, I'm gonna read that wiki for sure  _________________ Sysadmin of Funtoo-Québec.org
Wiki
Signature
IRC on Freenode : #funtoo-quebec

NathanZachary Moderator
Joined: 30 Jan 2007 Posts: 2277 Location: /home/zach
Posted: Wed Feb 10, 2010 8:08 pm Post subject:
| d2_racing wrote: | @bobspencer123, thanks, I'm gonna read that wiki for sure  |
Me too! Thank you bobspencer123. _________________ “Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---

BeteNoire Veteran
Joined: 25 Sep 2005 Posts: 1827
Posted: Fri Feb 12, 2010 4:32 pm Post subject:
Thx for all replies, I'll give a chance to dm-crypt and luks, and if fs doesn't matter I'll stay with those chosen before (xfs, rfs).
I have one more doubt: can I mount and access an encrypted partition without giving an additional password on boot?
Some howtos recommend using pam for this and all three of my gentoo boxes are pamless. _________________ powered by power plant