View previous topic :: View next topic |
Author |
Message |
tweakt Tux's lil' helper
Joined: 16 Sep 2003 Posts: 92 Location: Boston, MA. USA
|
Posted: Sun May 09, 2004 3:06 pm Post subject: |
|
|
Nate_S wrote: | Here's a very dirty hack I'm using to encrypt swapspace on bootup with local.start and local.stop |
This is insecure. If you've got unencrypted swap mounted while an encrypted device is mounted, the possibility exists for cleartext to remain in your swap even after you remount in encrpyted since mkswap does not wipe the partition, it only writes a signature. So ideally, encrypted swap should be mounted before any other encrypted devices. Or do a dd if=/dev/urandom of=/dev/swapdevice before the mkswap. |
|
Back to top |
|
|
Nate_S Guru
Joined: 18 Mar 2004 Posts: 414
|
Posted: Tue May 11, 2004 7:02 pm Post subject: |
|
|
I'm sure you don't mean that it might write the key used for encryption to swap? It shouldn't do that anyways...
Otherwise, I don't think there'd be any information in swap that was not already encrypted. I had it use the swap unencrypted at first, partially because I didn't know if it might speed up boot up, but mostly because I have an old installation of Gentoo on another partition that I still boot in to occasionally, and it uses the swap unencrypted ( I don't need it encrypted when I boot into that install anyways.) So the only thing that should be in swap at bootup is either swap from a previous bootup, encrypted with a random key, lost on shutdown, or unencrypted swap from the other install that I don't care about.
Regardless, from what I've read about people not using swap entirely, even with small amounts of ram, you should be able to not have any swap activated until local.start. Or I suppose you could do a dd if=/dev/(zero,urandom) of=/dev/mapper/swap, but I chose not to because I think it'd really slow down bootup.
Pretty much it's just mirroring the commands I would type when setting it up initally, just having it do so automatically on startup. I've heard that encrypted loopback devices are out, but I have yet to see anyone say they got encrypted swap to work with dm-crypt. So, (hoping there's not good reason for this,) I invented my own method.
So, to amend my previous disclaimer, I can't guarntee that this method will be very secure. Heck, going by what I know about security and encryption, I can go so far as to say it probably won't be. As I said, this is the method I use, so I believe that it offers at least partial security, but use at your own risk.
Tweakt, I do appriciate the criticisim. If I've missed any other big gaping security holes, please do point them out as well. |
|
Back to top |
|
|
Devsforev n00b
Joined: 06 Sep 2003 Posts: 17 Location: New York
|
Posted: Mon May 24, 2004 12:04 am Post subject: |
|
|
Excellent tutorial! I just used it as an outline to create an encrypted partition of my own. Nice little 20gig, reiserfs partition, using the Blowfish algorithm.
An afterthought just occured to me. At no time during the process was I asked for how many 'bits' should be used for my Blowfish algorithm. I know the keys go from 32 -> 448 bits. How do you specify how many bits? What is the default? Thanks a bunch!!
Once again, great guide!!!
-- Devsforev |
|
Back to top |
|
|
martinm1000 Apprentice
Joined: 17 Apr 2003 Posts: 174 Location: Montréal, Canada
|
Posted: Mon May 24, 2004 8:11 am Post subject: Little question ! |
|
|
Hi!
I'm using 2.6.6 and I just recompiled my kernel to be able to use dmcrypt;
I wanted to compile cryptsetup, but it needs libdevmapper.
I suppose that I need to emerge device-mapper ? Well he want to ALSO
install gentoo-sources-2.4.26_pre6... But I'm on 2.6.6 ! I don't want 2.4 !
What did you do to make it work ?
Thanks. |
|
Back to top |
|
|
Q Tux's lil' helper
Joined: 17 Apr 2002 Posts: 149 Location: Oxford, UK
|
Posted: Wed Jun 09, 2004 8:53 am Post subject: |
|
|
What filesystems are you using?
Is there an issue with journaling file systems? _________________ AMD 64 3200
Shuttle SN85G4/NForce 3 Chipset |
|
Back to top |
|
|
Tazok Guru
Joined: 25 Oct 2003 Posts: 310
|
Posted: Thu Jun 10, 2004 11:31 am Post subject: Re: Little question ! |
|
|
martinm1000 wrote: | Hi!
I'm using 2.6.6 and I just recompiled my kernel to be able to use dmcrypt;
I wanted to compile cryptsetup, but it needs libdevmapper.
I suppose that I need to emerge device-mapper ? Well he want to ALSO
install gentoo-sources-2.4.26_pre6... But I'm on 2.6.6 ! I don't want 2.4 !
What did you do to make it work ?
Thanks. |
You should check your virtual/linux-sources inside /var/cache/edb/virtuals.
Btw, has anyone gotten dm-crypt with gpg-encrypted keys to work?
Would be nice to hear which steps are needed for that. |
|
Back to top |
|
|
Petyr Guru
Joined: 08 Jan 2003 Posts: 471 Location: San Diego, CA, USA
|
Posted: Fri Jun 18, 2004 5:00 am Post subject: |
|
|
Much thanks the original author for posting this thread. I've been considering how to go about encrypting at least my home_vlm for a good while now.
dm-crypt has been a great solution.
In answer to the previous two posts, I've had ext3 up and running for a few days now. I'm highly inclined to think that there are no issues with using a journalated file system on dm-crypt. Effectivly dm-crypt just looks like a block device, which is all a HD really is... so *shrug*
I dunno I could be wrong, so don't take just my word for it.
As for GPG keys, I'm using a slightly different solution. I recently bought a usb keychain ($30 for 128 Meg! Gotta love Fry's) and I just store a loopback file on there. Using losetup and dm-crypt in an initrd setup, I'm able to have my real HD key stored on the USB keychain. While this doesn't make use of GPG, it has the same end result. Yes one can argue about how GPG encrypts this way while AES does it another way, but ultimatly one has to ask the question, "If my data secure?"
I figure with the setup I've got I can safely say yes to that.
Both setups have an added benifit (or risk depending...) Without the USB keychain, the laptop the /home dir's are junk. Now if it gets stolen while I'm traveling, and the keychain is not with it, well at least my personal data is safe.
Now I just have to encrypt the whole friggin HD... wonder if the live CD can help me out here...
Petyr Rahl |
|
Back to top |
|
|
Petyr Guru
Joined: 08 Jan 2003 Posts: 471 Location: San Diego, CA, USA
|
Posted: Mon Jun 21, 2004 11:23 pm Post subject: |
|
|
Meebe if I had read a little closer I woulda saved myself some time... oh well. So the LiveCD won't help, however since I spent all this time creating an initrd I decided to take a pretty massive risk.
Since I already had /bin/bash on the initrd I just made it so the initrd just dumped me into a shell. I had copied over the commands that I was going to need, and just encrypted the HD from the initrd (I had 2 of them setup and I had booted from the second one).
Then I just rebooted and had the system boot using the first initrd and *poof* system worked and everything was encrypted, except /boot of course
Damn that was scary doing though... I was convinced that I'd missed something and that all my data on my laptop was hosed.
Guess I had enough coffee this morning or something because it all came out well.
Anyways cheers! Now my laptop is much safer ^^
Petyr Rahl |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|