Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Encrypted Root File System, Swap, etc...
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3 ... 9, 10, 11, 12, 13  Next  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
bonsaikitten
Apprentice
Apprentice


Joined: 01 Jan 2003
Posts: 213
Location: Shanghai, China

PostPosted: Fri Aug 15, 2003 2:40 pm    Post subject: How can encryption be secure? Reply with quote

While reading through this thread I noticed a misconception about the Linux CryptoAPI:

It does not encrypt on a per-file basis. There is no way to know which filesystem is used!
Encryption is done below the fs, block by block. Since the fs structures are stored as blocks themselves (!) the whole device is encrypted. No known plaintext-attack can break this.

Encryption by itself does not make secure: If you use an automounter for an encrypted fs don't even bother to encrypt it. An adversary can get your password in plaintext form... D'Oh! :-)
It's better to encrypt only /home since then you can use the system, but you have to explicitly mount /home to get at the important information.

Just my $ 0.02
Back to top
View user's profile Send private message
TheCoop
Veteran
Veteran


Joined: 15 Jun 2002
Posts: 1814
Location: Where you least expect it

PostPosted: Fri Aug 15, 2003 2:48 pm    Post subject: Reply with quote

you basically encrypt it so you cannot mount it (even on another computer) without a password or gpg key file. the system login isnt enough, as someone can just mount the fs on another computer
_________________
95% of all computer errors occur between chair and keyboard (TM)

"One World, One web, One program" - Microsoft Promo ad.
"Ein Volk, Ein Reich, Ein Führer" - Adolf Hitler

Change the world - move a rock
Back to top
View user's profile Send private message
chadders
Tux's lil' helper
Tux's lil' helper


Joined: 21 Jan 2003
Posts: 113

PostPosted: Fri Aug 15, 2003 3:54 pm    Post subject: Re: How can encryption be secure? Reply with quote

bonsaikitten wrote:

While reading through this thread I noticed a misconception about the Linux CryptoAPI:

It does not encrypt on a per-file basis. There is no way to know which filesystem is used!
Encryption is done below the fs, block by block. Since the fs structures are stored as blocks themselves (!) the whole device is encrypted. No known plaintext-attack can break this.

I think there is some stuff that could be thought about as plain text even though the whole filesystem is encrypted. If they can guess what filesystem is used then they probably can guess what some of the stuff is in some of the directory blocks. So gotta be real careful about that.

bonsaikitten wrote:

Encryption by itself does not make secure: If you use an automounter for an encrypted fs don't even bother to encrypt it. An adversary can get your password in plaintext form... D'Oh! :-)

I don't think anyone can get your passphrase for an automounter if the root file system where the passphrase is stored at is encrypted, unless they break into your computer from the network or use a keyboard sniffer or something like that while /root is already mounted. If they do that then disk encryption is pretty worthless anyways. So D'Oh back :-)

bonsaikitten wrote:

It's better to encrypt only /home since then you can use the system, but you have to explicitly mount /home to get at the important information.

It's better to encrypt everything you can so NOTHING, or at least as little as you can help it, leaks out.

Chad :D
Back to top
View user's profile Send private message
Death Valley Pete
n00b
n00b


Joined: 25 Mar 2003
Posts: 49
Location: The Inland Empire

PostPosted: Fri Aug 15, 2003 5:33 pm    Post subject: Reply with quote

I'd like to try an encrypted fs with the 2.6 kernel. I know that several people have gotten it to work but I'm a bit nervous about trying it (especially since Knoppix is still on a 2.4 kernel). Can someone who knows how to make this work post a step-by-step guide? (maybe like the guide for 2.4 kernels posted at the start of this thread?) I know that the Cryptoloop stuff can be built into the kernel now, but I'm not sure how to do the initrd stuff.
_________________
<instert pithy statement here>
Back to top
View user's profile Send private message
innocentbeats
Tux's lil' helper
Tux's lil' helper


Joined: 15 Jul 2003
Posts: 76

PostPosted: Sat Aug 16, 2003 1:28 pm    Post subject: Reply with quote

Houston, we have a problem!!!

Hello everybody,
I tried to encrypt my root file system (which is reiserfs), I did exactly like in the installation procedure described, but when I booted Knoppix and did the dd command , my computer went off (maybe the power was gone...no, I am not in NYC :lol: ), I rebooted and -of course- a reiserfs fs cannot be found. The system does not boot anymore.

What can I do? Is everything lost?

CU
Back to top
View user's profile Send private message
chadders
Tux's lil' helper
Tux's lil' helper


Joined: 21 Jan 2003
Posts: 113

PostPosted: Sat Aug 16, 2003 9:50 pm    Post subject: Reply with quote

innocentbeats wrote:
Houston, we have a problem!!!

Hello everybody,
I tried to encrypt my root file system (which is reiserfs), I did exactly like in the installation procedure described, but when I booted Knoppix and did the dd command , my computer went off (maybe the power was gone...no, I am not in NYC :lol: ), I rebooted and -of course- a reiserfs fs cannot be found. The system does not boot anymore.

What can I do? Is everything lost?

CU


Yep. dd has to complete. Might be able to restart it if you know what last block was that it encrypted but I don't know of anyone that ever could find that out.

Chad :(
Back to top
View user's profile Send private message
watersb
Apprentice
Apprentice


Joined: 04 Sep 2002
Posts: 297
Location: take a left turn in Tesuque

PostPosted: Sat Aug 16, 2003 10:51 pm    Post subject: Reply with quote

Death Valley Pete wrote:
I'd like to try an encrypted fs with the 2.6 kernel. I know that several people have gotten it to work but I'm a bit nervous about trying it (especially since Knoppix is still on a 2.4 kernel). Can someone who knows how to make this work post a step-by-step guide? (maybe like the guide for 2.4 kernels posted at the start of this thread?) I know that the Cryptoloop stuff can be built into the kernel now, but I'm not sure how to do the initrd stuff.


Working on it, every spare moment!

The initrd stuff is quite difficult for me with a 2.6 kernel.

I hope to have some documentation for using CryptoAPI with initrd and a 2.6 kernel within a month.
Back to top
View user's profile Send private message
Garbz
Apprentice
Apprentice


Joined: 02 Jul 2003
Posts: 260
Location: Brisbane, Australia

PostPosted: Sun Aug 17, 2003 1:25 am    Post subject: Reply with quote

u mean encrypt root fs so u can brag to ur friends, i know i do :D:
_________________
Every begining is another begining's end.
Back to top
View user's profile Send private message
watersb
Apprentice
Apprentice


Joined: 04 Sep 2002
Posts: 297
Location: take a left turn in Tesuque

PostPosted: Sun Aug 17, 2003 1:41 am    Post subject: Reply with quote

Oh, f00k:
[url]
http://marc.theaimsgroup.com/?l=linux-kernel&m=106086430703815
[/url]

I am testing this patch.... maybe this will help me get the pivot_root thing resolved on 2.6.

Not holding my breath though...
Back to top
View user's profile Send private message
Death Valley Pete
n00b
n00b


Joined: 25 Mar 2003
Posts: 49
Location: The Inland Empire

PostPosted: Sun Aug 17, 2003 4:29 am    Post subject: Reply with quote

watersb wrote:

Working on it, every spare moment!

The initrd stuff is quite difficult for me with a 2.6 kernel.

I hope to have some documentation for using CryptoAPI with initrd and a 2.6 kernel within a month.


Much obliged. This stuff's pretty much over my head. :)
_________________
<instert pithy statement here>
Back to top
View user's profile Send private message
pharm
n00b
n00b


Joined: 12 May 2003
Posts: 8
Location: columbus, in, usa

PostPosted: Wed Aug 20, 2003 1:34 am    Post subject: Re: Reply with quote

I am going to attempt this encrypted root and various other partitions on my box. My configuration is pretty safe anyways with this it makes it even better!!

I use one two flash cards connected via IDE controller. One contains /boot /root and /home because i am the only one that uses it. The other flash card contains the rest of the system. I also have on harddrive connected incase i wanna back up something. no cd rom or anything.

if u want to use my machine u need the flash cards. If i can encrypt them like this young guy can .. than that makes it even better!

Anyone else here ever tried using a ide lash card as a boot.. it works great.. no card no boot!

=)
Back to top
View user's profile Send private message
watersb
Apprentice
Apprentice


Joined: 04 Sep 2002
Posts: 297
Location: take a left turn in Tesuque

PostPosted: Fri Aug 22, 2003 12:21 am    Post subject: Re: Reply with quote

pharm wrote:

if u want to use my machine u need the flash cards. If i can encrypt them like this young guy can .. than that makes it even better!

Anyone else here ever tried using a ide lash card as a boot.. it works great.. no card no boot!

=)


Yep, that sounds good... I am using a USB memory stick in much the same way.

If your IDE "flash cards" are "Secure Digital" format, then there is some simple encryption already, I think, something about a symmetric crypto between the hardware reader/writer and the flash media. Not the same thing as hard disk encryption, and perhaps not a good idea for most uses (since you could only use data on a particular bit of hardware), but interesting even so...
Back to top
View user's profile Send private message
Leen
n00b
n00b


Joined: 07 Jul 2003
Posts: 4

PostPosted: Fri Aug 29, 2003 2:49 pm    Post subject: Reply with quote

watersb wrote:
Oh, f00k:
[url]
http://marc.theaimsgroup.com/?l=linux-kernel&m=106086430703815
[/url]

I am testing this patch.... maybe this will help me get the pivot_root thing resolved on 2.6.

Not holding my breath though...


So....got it working now?

Cannot wait to try 2.6. :>
_________________
There are 10 types of people,
those who understand binary and those who don't
Back to top
View user's profile Send private message
revoohc
Tux's lil' helper
Tux's lil' helper


Joined: 12 Oct 2002
Posts: 128

PostPosted: Mon Sep 01, 2003 4:19 am    Post subject: Reply with quote

Has anyone done this sort of encryption when using lvms? My entire laptop runs off of logical volumes (except /boot). I believe that it should work except for the initrd. Since my system has the root as a lvm, I have to use an initrd to boot. Is it possible to combine initrd's somehow?

Thanks,

Chris
Back to top
View user's profile Send private message
Garbz
Apprentice
Apprentice


Joined: 02 Jul 2003
Posts: 260
Location: Brisbane, Australia

PostPosted: Mon Sep 01, 2003 9:35 am    Post subject: Reply with quote

initrd is nothgin more than a minux filesystem (in a file) which containts libraries and startup scripts.

Unless u run the framebuffer background u should be able to combine the initrds, just mount them using loopback device, and copy some parts of one into the other and combine the startup scripts.
_________________
Every begining is another begining's end.
Back to top
View user's profile Send private message
viperlin
Veteran
Veteran


Joined: 15 Apr 2003
Posts: 1319
Location: UK

PostPosted: Mon Sep 01, 2003 10:47 am    Post subject: Reply with quote

not all initrd's are minix filesystem, i assume that both of the ones he needs to use are though, and sadly the framebuffer initrd's are some form of compressed data and picture so all my attempts at merging the two failed. :cry:
so my dreams of booting up with a progress bar, having a box popup asking for a password, then continue booting if i get it corect have been held back some more. oh well......
Back to top
View user's profile Send private message
Garbz
Apprentice
Apprentice


Joined: 02 Jul 2003
Posts: 260
Location: Brisbane, Australia

PostPosted: Wed Sep 03, 2003 9:04 am    Post subject: Reply with quote

yeah been tehre.

But it is possible, just load evreything u need for the framebuffer into the initrd and edit the script to reflect that.

I did it, once, kinda worked, the encription didn't go to well considering everthing falls apart and kernel oopsed when the key was wrong. but all in all it worked.

With my lack of time i gave up on the idea, and now use the framebuffer at my runlevel scripts.

And yes the one he needs is a minix filesystem, and most are, framebuffer is the most drastic excuse i've seen for a while.
_________________
Every begining is another begining's end.
Back to top
View user's profile Send private message
gentooalex
Tux's lil' helper
Tux's lil' helper


Joined: 02 May 2003
Posts: 123
Location: Charlottesville, Virginia

PostPosted: Wed Sep 03, 2003 1:56 pm    Post subject: Ebuild Reply with quote

It would be nice if there were an ebuild for this encryption method. Also, why dont you just emerge loop-AES instead of excracting the files? Is it possible to emerge most of the stuff that you tar in your examples? I am looking forward to trying this out.
Back to top
View user's profile Send private message
viperlin
Veteran
Veteran


Joined: 15 Apr 2003
Posts: 1319
Location: UK

PostPosted: Wed Sep 03, 2003 8:01 pm    Post subject: Reply with quote

AHHHHHHHHHHHHHHHHHHHHHH
i was doing dd like normal and at the end i got loads of errors at the end (liek dma ribon cable errors ish) and then half my filesystem is fucked , i've lost everything FUUUUUCKKKKKKKK
AHHHHHHHHHHH
why did it do it it's worked 4 times in a row perfectly, NOOOOOOOOOOOO FUUUUCCCCCKKKK
AHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHhhh
Back to top
View user's profile Send private message
Garbz
Apprentice
Apprentice


Joined: 02 Jul 2003
Posts: 260
Location: Brisbane, Australia

PostPosted: Thu Sep 04, 2003 5:22 am    Post subject: Reply with quote

you need the tars becuase they contiain the patches. Correct me if i'm wrong.
_________________
Every begining is another begining's end.
Back to top
View user's profile Send private message
gentooalex
Tux's lil' helper
Tux's lil' helper


Joined: 02 May 2003
Posts: 123
Location: Charlottesville, Virginia

PostPosted: Thu Sep 04, 2003 5:59 pm    Post subject: I dont know Reply with quote

If the tars had the patches, couldnt there be another ebuild that containted the patches? Ebuilds are not that hard to make. As a matter of fact, there could only be a script that could do the whole thing.
Back to top
View user's profile Send private message
gentooalex
Tux's lil' helper
Tux's lil' helper


Joined: 02 May 2003
Posts: 123
Location: Charlottesville, Virginia

PostPosted: Thu Sep 04, 2003 5:59 pm    Post subject: I dont know Reply with quote

If the tars had the patches, couldnt there be another ebuild that containted the patches? Ebuilds are not that hard to make. As a matter of fact, there could only be a script that could do the whole thing.
Back to top
View user's profile Send private message
watersb
Apprentice
Apprentice


Joined: 04 Sep 2002
Posts: 297
Location: take a left turn in Tesuque

PostPosted: Fri Sep 05, 2003 4:56 am    Post subject: Reply with quote

viperlin wrote:
AHHHHHHHHHHHHHHHHHHHHHH
i was doing dd like normal and at the end i got loads of errors at the end (liek dma ribon cable errors ish) and then half my filesystem is fucked , i've lost everything FUUUUUCKKKKKKKK
AHHHHHHHHHHH


Ouch. I feel your pain... similar thing has happened to me, although not with recent encryption stuff. It can happen!

Folks, BACK THIS STUFF UP COMPLETELY and do a RUN-THROUGH of RESTORING it -- convince yourself that you have a safe copy somewhere before trying this!

I have to say that once I got my system set up, it was very stable. The hard part is getting it all set up, you are likely to skip something, or suffer a hardware failure, at a critical time, and f00sh all your data.

And once I did get my system set up, I kept a full backup disk image, a mirror, reasonably up to date. The mirror can be encrypted, too, if you are convinced you can get it back...


Another thing: I see a lot in this forum of people using some sort of streaming thing to encrypt their data in-place or something. I would recommend against this.

Instead, I COPY my unencrypted root to the encrypted one, making a full image like this:

Code:

# cd /
# mount encrypted-loop /mnt/loop
# find bin boot etc home lib opt root sbin usr var -print0 -depth | cpio -pmdv --null /mnt/loop


This operates on TOP of the filesystems; if something dies, the filesystem will catch it, it isn't block-level bit-banging. At most you will fail to copy the data starting from the point where the failure occurred, and a simple repeat of this procedure will work, and will only copy stuff that has changed.

I use this for my disk-mirror, too; also you could use rsync.

Good luck and be careful!
Back to top
View user's profile Send private message
viperlin
Veteran
Veteran


Joined: 15 Apr 2003
Posts: 1319
Location: UK

PostPosted: Fri Sep 05, 2003 7:38 am    Post subject: Reply with quote

yes be VERY carefull, i only de-crypted my system to upgrade some hardware and therefor the kernel. the problem i had was that the knoppix 3.2 disk i was using did not have support from my IDE chipset (i now have the 2.4.21 kernel knopix disk which has support) i have managed to scrape a bit of info back off the drive, and amazingly Gentoo still booted (i did everything by the book no mistakes other than the knoppix cd) it errored everywhere but still got me to CLI login. i used a new knoppix CD to copy as much as possible over to a second harddrive, i'm starting a complete new Gentoo install today and once all set up i wil only use the second harddrive encrypted having an fstab setup that asks me for the password when trying to mount it at boot. i'll put all sensitive info on that drive and use symlinks on the other drive. i must urge everyone MAKE BACKUPS BEFORE DOING ANYTHING SLIGHTY RISKY! if something bad CAN happen, there is a very high chance that it will, and that goes for anything not just on computers.
Back to top
View user's profile Send private message
chadders
Tux's lil' helper
Tux's lil' helper


Joined: 21 Jan 2003
Posts: 113

PostPosted: Tue Sep 09, 2003 3:49 pm    Post subject: Reply with quote

Everyone should remember to DO NOT HAVE THE FILE SYSTEM MOUNTED at the time that you encrypt the partition!

That is because if you unmount it AFTER IT HAS BEEN ENCRYPTED some meta data stuff is written back to the disk as clear text and then you can't mount it ever again (at least without doing some hard recovery stuff).

Chad :D
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page Previous  1, 2, 3 ... 9, 10, 11, 12, 13  Next
Page 10 of 13

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum