Gentoo Forums
Appropriate encrypted disk setup for my usage
tsftd
n00b


Joined: 21 May 2011
Posts: 20
Location: Here

Posted: Fri Oct 17, 2014 3:27 am    Post subject: Appropriate encrypted disk setup for my usage

Hi all, I've been using Gentoo forever but I'm finally starting to get serious about data security. My usage situation is:

Gentoo server used as a SAN (and router and server) --> SAMBA --> Windows 8.1 client mounts shared drive

Gentoo server uses a small dedicated disk for /, and a large RAID 10 array for /storage.

Assume that my security is configured appropriately, such that intrusion into the server and/or network is not a concern (e.g., data in transit need not be encrypted). Further assume that both server and client are locked when I am absent. I wish to guard against the case of intrusion and/or seizure while I am absent. Also assume that I will be manually entering the password to decrypt and mount the /storage drive.

What is my best method for encrypting my storage array? Most tutorials/articles that I have seen are on encrypting the boot drive. Unless there is a need to, I don't see any reason for me to encrypt / -- just /storage. Which means that I don't have to boot from an encrypted drive, and thus the setup should be vastly easier. Unless not encrypting the / drive somehow makes me vulnerable to having my /storage compromised (again, keeping in mind that I won't be storing the password, but entering it manually).

Also, is there anything particularly tricky that I need to watch out for, moving into encrypted data?

Cheers!
Roman_Gruber
Advocate


Joined: 03 Oct 2006
Posts: 3846
Location: Austro Bavaria

Posted: Fri Oct 17, 2014 10:22 am    Post subject:

The keywords are LVM and LUKS. There should for sure be an article on the Gentoo wiki.

I have used it myself for over 4 years successfully.

In short:

512 MB ext2 /boot with kernel with initramfs from genkernel using LUKS / LVM
LVM container with LUKS inside, and LUKS for everything except /boot

You still have security issues with mainboard components, including hardware and software, and any other hardware with hidden backdoors in hardware or software. This is very hard to fix because you buy hardware from certain sources and you will never know if there are backdoors in it / security holes / ... It is an endless topic; this is just a small summary of my understanding.
frostschutz
Advocate


Joined: 22 Feb 2005
Posts: 2977
Location: Germany

Posted: Fri Oct 17, 2014 11:18 am    Post subject: Re: Appropriate encrypted disk setup for my usage

tsftd wrote:
I wish to guard against the case of intrusion and/or seizure while I am absent.
Unless there is a need to, I don't see any reason for me to encrypt / -- just /storage.


If you don't encrypt everything, you have to watch out for leaks. For example, you may have pictures in /storage, and some picture viewer creates thumbnails for them in /home/you/.config/pictures/. Also, the filenames of encrypted storage could be leaked by locate/updatedb kind of services. It's a headache.

That might still be fine if all you worry about is a common burglar who enters your home and takes your precious hardware... however, it doesn't hold water against a tech-savvy person who somehow manages to change your unencrypted /boot or / in your absence without you knowing. They can just copy your encrypted data, add in a backdoor/keylogger and have your passphrase the next time you type it in. It's very hard to prevent an intruder who has physical access to your hardware.

Personally, I encrypt everything; and my /boot is a USB stick with encrypted keyfiles on it, so an attacker would need both the keyfile and the passphrase for it. The USB stick goes into your pocket and stays with you wherever you go, so it can't be modified in your absence... it's not much better, but it's something.
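The thumbnail and locate/updatedb leaks frostschutz describes can be audited on an unencrypted /. The following is an added example, not part of any post in this thread: it assumes the thumbnailer follows the freedesktop.org thumbnail convention (PNG files carrying a Thumb::URI text chunk, usually under ~/.cache/thumbnails) and that locate reads PRUNEPATHS from /etc/updatedb.conf. All function names are hypothetical.

```python
import re
import struct
import zlib
from pathlib import Path
from urllib.parse import unquote, urlparse

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype, data):
    """Build one PNG chunk; used only to construct sample input."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def thumb_uri(png):
    """Return the Thumb::URI text chunk of a thumbnail PNG, or None."""
    if not png.startswith(PNG_MAGIC):
        return None
    pos = 8
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"tEXt" and data.startswith(b"Thumb::URI\x00"):
            return data.split(b"\x00", 1)[1].decode("latin-1")
        pos += 12 + length  # length field + type + data + CRC
    return None

def leaked_thumbnails(cache_dir, mount):
    """List (thumbnail file, original path) pairs that point into `mount`."""
    prefix = mount.rstrip("/") + "/"
    hits = []
    for thumb in sorted(Path(cache_dir).rglob("*.png")):
        uri = thumb_uri(thumb.read_bytes())
        path = unquote(urlparse(uri).path) if uri else ""
        if path.startswith(prefix):
            hits.append((str(thumb), path))
    return hits

def updatedb_prunes(conf_text, mount):
    """True if PRUNEPATHS in updatedb.conf text keeps `mount` out of the locate database."""
    m = re.search(r'^\s*PRUNEPATHS\s*=\s*"([^"]*)"', conf_text, re.M)
    return bool(m) and mount.rstrip("/") in [p.rstrip("/") for p in m.group(1).split()]

if __name__ == "__main__":
    # Assumed locations: per-user thumbnail cache and the system updatedb.conf.
    for thumb, path in leaked_thumbnails(Path.home() / ".cache" / "thumbnails", "/storage"):
        print(f"thumbnail {thumb} reveals {path}")
    conf = Path("/etc/updatedb.conf")
    if conf.exists() and not updatedb_prunes(conf.read_text(), "/storage"):
        print("/storage is not in PRUNEPATHS; locate may index its filenames")
```

Any hit means a file name (and a scaled-down copy of the image) from /storage is stored in plaintext on the unencrypted disk, even while /storage itself is locked.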
All times are GMT