Gentoo Forums
Is there any viable encrypted filesystem? (tried a few)
afabbro
Tux's lil' helper


Joined: 12 Jan 2003
Posts: 92
Location: Portland, OR

Posted: Sun Feb 29, 2004 7:25 pm    Post subject: Is there any viable encrypted filesystem? (tried a few)

I really need an encrypted filesystem so I can store my external drive off-site for backup/DR (it's connected via USB2). I have tried:

(*) cryptoloop/cryptoAPI. Total sludge. Locks up my 2.6.3 kernel constantly, often with no output, often in the middle of mkfs. Of course, it's barely documented, but I'm following the kerneli.org docs as best as I can. I'm pretty sure I'm doing things right and it works in "toy" setups (10M), but try it with a 120GB filesystem and bork bork bork. It also bothers me that the kerneli guys don't care much about continuity, as 2.4.x-era filesystems are not compatible with 2.6.x, so I assume someday when we get to 2.8.x I'll have to go through some hellish conversion.

(Forgot to mention: losetup only prompts you ONCE for a password! What the hell is that? I'm typing in a long passphrase and losetup doesn't ask me to type it again!? Suppose I typo it and then work with it for a week...when I try to remount it, I don't know the password and I'm out of luck. Bad programming...)

(*) BestCrypt. Nice package, well-documented. Unfortunately, raw block devices are hopelessly borked. I constantly get strange dmesg errors about "bogus i_modes" and such when it's under load and it has repeatedly broken the filesystem in my experiments. I guess I'll try setting up a big container next...blech.

(*) Haven't tried loop-AES yet. Replacing my loop device makes me nervous (who knows, I might need it for something else someday).

This seems to be one area where Linux really is behind the ball compared to other OSes. *BSD (at least OpenBSD) has excellent encrypted filesystems. Even Windows has this :-(
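The single-prompt problem described in the post above (a mistyped passphrase silently becomes the key for the new volume) can be caught before any setup tool runs. The following is an added example, not code from the thread or from any of the projects it mentions; the function name `confirm_passphrase` and the `MIN_LEN` policy value are assumptions.

```shell
#!/bin/sh
# Added example: ask for a passphrase twice and release it only if both
# entries match. MIN_LEN and the function name are assumptions of this sketch.

MIN_LEN=20

# Exit status: 0 = confirmed (passphrase on stdout), 1 = entries differ,
#              2 = input ended early, 3 = shorter than MIN_LEN.
confirm_passphrase() (
    # The body runs in a subshell, so the secret never lands in the
    # caller's variables and the trap below cannot leak into the caller.
    if [ -t 0 ]; then
        # Interactive use: switch echo off and guarantee it comes back.
        tty_state=$(stty -g)
        trap 'stty "$tty_state"' EXIT
        trap 'exit 130' INT TERM
        stty -echo
    fi

    printf 'Passphrase: ' >&2
    IFS= read -r first || exit 2
    printf '\nRepeat passphrase: ' >&2
    IFS= read -r second || exit 2
    printf '\n' >&2

    if [ "$first" != "$second" ]; then
        echo 'Passphrases differ; nothing was released.' >&2
        exit 1
    fi
    if [ "${#first}" -lt "$MIN_LEN" ]; then
        echo "Passphrase is shorter than $MIN_LEN characters." >&2
        exit 3
    fi

    # Only a confirmed passphrase reaches stdout.
    printf '%s\n' "$first"
)
```

Prompts and errors go to stderr and only the confirmed passphrase goes to stdout, so the function can sit at the head of a pipe. cryptsetup, the dm-crypt front end, provides the same double prompt natively through its `--verify-passphrase` option.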
afabbro
Tux's lil' helper


Joined: 12 Jan 2003
Posts: 92
Location: Portland, OR

Posted: Sun Feb 29, 2004 10:13 pm    Post subject: loop-AES

Ah, well, loop-aes didn't pan out...have to manually patch util-linux and I'd rather not do that unless it's the only option. The util-linux in the portage tree doesn't understand loop-aes. So be it.

Guess I'm left with the one remaining option: BestCrypt, using a big container (instead of a block device). And in another 5 hours, when it's done setting up a 100Gb container, I'll see how that works...
grimshaw
Tux's lil' helper


Joined: 07 Aug 2003
Posts: 101
Location: Greensboro, NC 27403, USA, Earth

Posted: Mon Mar 01, 2004 2:45 am

Please post your results. I am interested in how you fare.

I rebuilt my home samba box last November and I did some looking for encrypted filesystems. I wanted to encrypt both swap and my data partitions (the patriot act and other anti-privacy legislation scares me).

I read about a number of projects, but there was very little development on most of them and they were not being maintained. I wound up tabling the idea for a rainy day, but I am interested in reading about your findings.

Cheers.

- John
_________________
All that is necessary for the triumph of evil is that good men do nothing.
-- Edmund Burke (1729-1797)
lord
n00b


Joined: 16 Oct 2002
Posts: 73
Location: Linköping, Sweden

Posted: Mon Mar 01, 2004 3:01 am

There are already a few good posts on full encrypted systems (swap, boot, etc etc)...

Read this article for instance =)
dogshu
Apprentice


Joined: 22 Jun 2003
Posts: 163
Location: New Haven, CT, USA

Posted: Mon Mar 01, 2004 3:34 am

Looks like dm-crypt is going to be the future of encrypted filesystems in Linux 2.6:

http://kerneltrap.org/node/view/2433

It's also very easy to set up if you're using the -mm sources.
afabbro
Tux's lil' helper


Joined: 12 Jan 2003
Posts: 92
Location: Portland, OR

Posted: Mon Mar 01, 2004 3:53 am

OK, I'm going off to look at dm-crypt. Is that the same stuff that's in 2.6.4? rc1 is out and there's lots of mentions of dmcrypt in the changelog.

BestCrypt with a big container failed - locked up the system while I was mkfsing.

I don't need/want an encrypted root. 99.9% of it is system binaries that are publicly available. Anything unique to the system is either (a) off on separate storage (/home is linked off, as is /var/www, /usr/local, etc.), or (b) in /etc...login passwords and config files are sensitive from a break-in-over-the-net point of view, but not in a "someone stole your box and you need to keep it secret" scenario.

I can see encrypted swap but haven't got that far yet.

I just want crypto for backups to a removable disk I can take off-site. Seems like a simple, reasonable need...I'm guessing it's the size of data (120Gb) I'm using but hey, that's what I need ;)
afabbro
Tux's lil' helper


Joined: 12 Jan 2003
Posts: 92
Location: Portland, OR

Posted: Mon Mar 01, 2004 5:31 am    Post subject: Followup...

I finally got something going...you can read my conclusions here:

http://forums.gentoo.org/viewtopic.php?p=912788#912788