Gentoo Forums
Which encrypted filesystem to use?
Klavs
Guru

Joined: 22 May 2002
Posts: 536
Location: Denmark

Posted: Tue Sep 17, 2002 8:55 pm    Post subject: Which encrypted filesystem to use?

Hi guys,

I'm looking for an encryption filesystem for my Gentoo.

I've found the following (but none of them has an ebuild it seems? no Gentoo user uses any of these?):

www.rubberhose.org

Would be the coolest one (because of the feature where you can use several passwords on a filesystem, and depending on which password you use, you'll see different data - on the same file-system - look mom, it's only recipes I have there :-)

If it weren't because it seems abandoned and only works with the 2.2.x kernel :-(

http://linux01.gwdg.de/~alatham/ppdd.html

seems fairly good and stable - no plausible deniability feature though.

http://www.mcdonald.org.uk/StegFS/

Much like rubberhose, except that it clearly states - INSTABLE - and I really need my data to be safe.

What experiences do you guys have?

My idea was to put up an lvm partition and use it with the encrypted filesystem, for better performance than what you get with a loop-backed encrypted file?

What about dynamic resizing of an encrypted filesystem/file - which supports this? I'm thinking of using it to hold approx. 60gb of data :-)
_________________
Best regards,

Klavs Klavsen
Denmark

Working with Unix is like wrestling a worthy opponent.
Working with windows is like attacking a small whining child
who is carrying a .38.
mglauche
Retired Dev

Joined: 25 Apr 2002
Posts: 564
Location: Germany

Posted: Wed Sep 18, 2002 1:39 am

Look at the cryptoapi stuff in the latest (-r9) gentoo kernel. You can mount encrypted loopback devices with that ;)

It's quite cool, although a bit of a performance drop (but performance is not top priority for encrypted fs anyway ...) You have to provide a password for the cipher in order to mount the crypted loopback device, so it's one pw for all ..
Xor
Tux's lil' helper

Joined: 07 Jul 2002
Posts: 144

Posted: Wed Sep 18, 2002 1:29 pm

I do have a cryptofile... but read that the impact on a crypted fs is rather big... (I use blowfish... but aes might be stronger but not as fast)

I can also imagine that there are some mounting/unmounting issues at boot/shutdown....
meyerm
Veteran

Joined: 27 Jun 2002
Posts: 1311
Location: Munich / Germany

Posted: Wed Sep 18, 2002 4:25 pm

@cryptoapi and cryptofs

They are just mounted as loopback-devices with an additional option (as far as I can remember). As long as you don't try to encrypt your "/"... ;)

When I used SuSE I also tried out the crypto-fs for my home-partition. It simply asked for a PW while booting and if it was not entered within a given timespan it just booted without this fs mounted. Then, of course I had to login as root and mount it before I could login as normal user. (If gentoo is not offering such an init-script I could search through the SuSE-partition here and post that script (as long as it is GPL)).

I don't know anything about the speed impact since it was my day-to-day-work home and not my development-computer where I'm heavily playing around with many files. But it seemed to be stable, there was no data corruption or crash in the whole time.

Short: it is already quite usable ;)
Klavs
Guru

Joined: 22 May 2002
Posts: 536
Location: Denmark

Posted: Wed Sep 18, 2002 7:56 pm

So I just emerge cryptoapi - and it will work with my default gentoo-kernel?
or would I have to emerge crypto-sources and compile a new kernel?

Which utilities do I use for making such an encrypted partition/filesystem?

Do you have any experiences with using a separate partition for it vs. using a file (that I would mount via loopback)?

How about the ability to resize it - on the fly? I was thinking of putting it on a lvm partition - would that be possible?

Thank you for all your help so far.
_________________
Best regards,

Klavs Klavsen
Denmark

Working with Unix is like wrestling a worthy opponent.
Working with windows is like attacking a small whining child
who is carrying a .38.
dingo
n00b

Joined: 18 Aug 2002
Posts: 58

Posted: Sun Dec 22, 2002 3:04 pm

When I first made a cryptographic filesystem I decided to do it with a loopback device with the kernel, this meant emerging a kernel that supports it. At that time emerging 'crypto-sources' was the thing to do, but it now looks like 'gentoo-sources' also provides it (or did and I never noticed.) I don't think 'cryptoapi' is needed, they look like maybe pre-made modules. Not sure. Make your own anyway. I used the modules 'serpent', 'cryptoloop', and 'loop'

http://www.ibiblio.org/pub/Linux/docs/HOWTO/Loopback-Encrypted-Filesystem-HOWTO
should explain everything.

> Which utilities do I use for making such an encrypted partition/filesystem?
The sweet thing about encrypted filesystems at the kernel level is that you don't need any utilities other than your average filesystem utilities.

> Do you have any experiences with using a separate partition for it vs. using a file (that I would mount via loopback)?
> How about the ability to resize it - on the fly? I was thinking of putting it on a lvm partition - would that be possible?
I don't think that would be possible with a loopback. For resizing on the fly I think you'll want to get into the cfs package (not in gentoo portage systems, and its web page service is down, can't seem to find it)
watersb
Apprentice

Joined: 04 Sep 2002
Posts: 297
Location: where the hell is Tesuque, New Mexico?

Posted: Mon Jan 13, 2003 4:55 am    Post subject: encrypted root partition script

I have been using crypto-sources, with an encrypted root partition, since this past summer.

I created a tiny Minix ramdisk image, populated it with a BusyBox/uClibc linux, just enough to run the following script:

Code:

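#!/bin/sh
PATH=/sbin:/bin:/usr/bin:/usr/sbin

# Mount /proc (needed to write real-root-dev below)
/bin/mount -n -t proc none /proc

echo "Mounting encrypted filesystem..."
# Attach the encrypted partition to a loop device; losetup prompts for the passphrase
losetup -e twofish -k 256 /dev/loop/5 /dev/ide/host0/bus0/target0/lun0/part4

# 0x705 = major 7 (loop), minor 5, i.e. /dev/loop/5 becomes the real root device
echo "0x705" > /proc/sys/kernel/real-root-dev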


Then I added this entry to my GRUB menu:

Code:

title=Gentoo 2.4.19
root (hd0,0)
kernel /boot/bzImage
initrd /boot/ramdisks/tiny-linux.gz


I have been trying to use pivot_root, as the Gentoo LiveCDs do, but absolutely no success so far. This is cause for slight concern, as the real-root-dev trick will presumably go away with 2.5 and 2.6 kernels.

1) Has anyone else had success in using encrypted root partitions? What script did you use?

2) If folks are interested, my tiny-linux.gz ramdisk image (320K) is at
http://www.aoc.nrao.edu/~bwaters/projects/gentoo/tiny-linux.gz
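A more defensive take on the unlock step of the linuxrc script in the post above, as an added example that is not part of watersb's post. It assumes cryptoloop keeps no passphrase check on disk, so a wrong passphrase only shows up when the filesystem fails to mount; `PROBE_DIR`, the retry count and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: hardened variant of the initrd unlock step (not the poster's script).
# Assumption: cryptoloop stores no key check on disk, so losetup accepts any
# passphrase; a read-only probe mount is what detects a wrong one.

LOSETUP=${LOSETUP:-losetup}   # overridable so the logic can be exercised without root
MOUNT=${MOUNT:-mount}
UMOUNT=${UMOUNT:-umount}
PROBE_DIR=${PROBE_DIR:-/mnt}  # hypothetical scratch mount point inside the ramdisk

# Encode major/minor the way the post writes it to /proc/sys/kernel/real-root-dev
# (major << 8 | minor; loop major 7, minor 5 gives 0x705).
real_root_dev() {
    printf '0x%x\n' $(( ($1 << 8) | $2 ))
}

# unlock_root LOOPDEV BACKINGDEV TRIES
# Returns 0 once the loop device holds a mountable filesystem, 1 otherwise.
unlock_root() {
    loop=$1; backing=$2; tries=$3
    while [ "$tries" -gt 0 ]; do
        tries=$((tries - 1))
        # losetup prompts for the passphrase itself
        if "$LOSETUP" -e twofish -k 256 "$loop" "$backing"; then
            if "$MOUNT" -n -r "$loop" "$PROBE_DIR"; then
                "$UMOUNT" -n "$PROBE_DIR"
                return 0
            fi
            # Wrong key: detach so no garbage mapping stays attached
            "$LOSETUP" -d "$loop"
        fi
        echo "Could not unlock $backing, $tries attempt(s) left" >&2
    done
    return 1
}

# Only act when invoked as the ramdisk's /linuxrc, so sourcing has no side effects.
if [ "${0##*/}" = "linuxrc" ]; then
    mount -n -t proc none /proc
    if unlock_root /dev/loop/5 /dev/ide/host0/bus0/target0/lun0/part4 3; then
        real_root_dev 7 5 > /proc/sys/kernel/real-root-dev
    else
        echo "Root filesystem stays locked; not setting real-root-dev" >&2
        exit 1
    fi
fi
```
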
revo
n00b

Joined: 02 Feb 2003
Posts: 57

Posted: Sun Feb 02, 2003 10:04 pm

meyerm wrote:
@cryptoapi and cryptofs


When I used SuSE I also tried out the crypto-fs for my home-partition. It simply asked for a PW while booting and if it was not entered within a given timespan it just booted without this fs mounted. Then, of course I had to login as root and mount it before I could login as normal user. (If gentoo is not offering such an init-script I could search through the SuSE-partition here and post that script (as long as it is GPL)).


hi!
great idea. will you do this?
or, is there anybody developing cfs for gentoo?
i used to use it with debian, where it was provided as a deb, but i couldn't make it compile in gentoo.
revo
_________________
3 wang-tan soup, 3 garlic chicken and 3 orders of fortune cookies, that's it. - and then?
taskara
Advocate

Joined: 10 Apr 2002
Posts: 3763
Location: Australia

Posted: Mon Feb 03, 2003 2:58 am

I have been using ext3 for ages, but recently decided to go reiserfs because it's supposed to be faster.. and it IS :)

reiser rocks
_________________
Kororaa install method - have Gentoo up and running quickly and easily, fully automated with an installer!