encrypted filesystem or files, which is best? - Security

This is a discussion on encrypted filesystem or files, which is best? - Security ; I want to secure my data beyond firewalling. What are the advantages or disadvantages to creating entire encrypted disk file systems/partitions, compared to just encrypting individual data files? Realistically I only need to encrypt my GnuCash folder (banking info), my ...

+ Reply to Thread
Results 1 to 6 of 6

Thread: encrypted filesystem or files, which is best?

  1. encrypted filesystem or files, which is best?

    I want to secure my data beyond firewalling. What are the advantages or
    disadvantages to creating entire encrypted disk file systems/partitions,
    compared to just encrypting individual data files? Realistically I only
    need to encrypt my GnuCash folder (banking info), my spreadsheet files
    (student gradebooks--I am a teacher), and perhaps a file containing my
    accounts and passwords (which does not yet exist, perhaps should not--
    right now I keep that info on 3x5 cards in a box in my home so hackers can
    not get it off my hard drive.

    The thought of encrypting an entire partition or file system worries me a
    little, perhaps because it seems like a black box to me and I worry I
    might lose everything doing that if it goes wrong, etc.

    Any info, advice greatly appreciated.
    Beowulf
    Ubuntu 6.10, also Mandriva 2006 on a PC



  2. Re: encrypted filesystem or files, which is best?

    Beowulf (06-11-14 17:22:30):

    > I want to secure my data beyond firewalling. What are the advantages
    > or disadvantages to creating entire encrypted disk file
    > systems/partitions, compared to just encrypting individual data files?
    > Realistically I only need to encrypt my GnuCash folder (banking info),
    > my spreadsheet files (student gradebooks--I am a teacher), and perhaps
    > a file containing my accounts and passwords (which does not yet exist,
    > perhaps should not-- right now I keep that info on 3x5 cards in a box
    > in my home so hackers can not get it off my hard drive.


    In general, filesystem encryption is better, because you achieve full
    secrecy, while individual file encryption only provides partial secrecy:
    Your directory hierarchy is in clear-text, but more importantly the file
    system journal (if any) might disclose a lot of information about a
    file.

    In all cases, encrypting the whole file-systems (and all other places,
    where the data might end up - like swap and /tmp) is always more secure.
    The drawback is a small performance impact. However, my Pentium 1 with
    233 MHz was suitable, and on my current Duron with 1.6 GHz, I don't even
    notice a difference. I'm using dm-crypt for my filesystems.


    > The thought of encrypting an entire partition or file system worries
    > me a little, perhaps because it seems like a black box to me [...]


    Filesystem encryption is essentially very easy. Imagine that you don't
    write data onto your hard-drives directly, but instead send it to a
    machine (a loop device in case of Cryptoloop or Loop-AES [1], or a
    device mapper in case of dm-crypt). This machine takes the data,
    encrypts it and writes it to the disk. It's like an intermediate layer
    between the filesystem driver and the hard-disk.

    Setting this up is pretty straightforward, but you have to take it into
    account while planning your partitioning scheme (except Loop-AES, where
    you can encrypt a clear-text partition).


    > [...] and I worry I might lose everything doing that if it goes wrong,
    > etc.


    Remember that you're going to lose data anyway, if anything goes wrong.
    In case of filesystem encryption, you would obviously lose an entire
    partition, while with file encryption only the particular file is lost.
    However, the only case where this happens (or should happen) is loss of
    the key or passphrase, or filesystem damage.

    Encryption would necessarily be worthless, if data could be recovered
    without the key.


    Regards,
    E.S.


    References:

  3. Re: encrypted filesystem or files, which is best?

    On Wed, 15 Nov 2006 23:30:16 +0100, Ertugrul Soeylemez inscribed to the
    world:
    ...
    > Filesystem encryption is essentially very easy. ...


    Can filesystem encryption be done on an existing linux filesystem, or must
    it be done intitially when installing? I guess I am asking how would a
    person set up filesystem encryption on an existing linux PC, so that /home
    in the least became an encrypted filesystem, and even "/" if possible?


  4. Re: encrypted filesystem or files, which is best?

    Beowulf (06-11-16 12:21:35):

    > > Filesystem encryption is essentially very easy. ...

    >
    > Can filesystem encryption be done on an existing linux filesystem, or
    > must it be done intitially when installing? I guess I am asking how
    > would a person set up filesystem encryption on an existing linux PC,
    > so that /home in the least became an encrypted filesystem, and even
    > "/" if possible?


    With Loop-AES this is possible. For the filesystem of /home, you can do
    this more or less easily, but for / this is rather difficult, because
    you have to reconfigure a few things. Have a look at [1], the README of
    Loop-AES. It fully describes how to do both of this.

    If you really want to encrypt your root filesystem, then have a closer
    look at example 5 in that README. There it's fully described, how to
    build a kernel with an initial RAM-disk, which is necessary for root
    filesystem encryption, and/or for /etc encryption, and how to encrypt an
    existing partition. You will need some kind of Live-CD to encrypt your
    root or /etc (or both).

    However, usually you don't have to encrypt your whole system. This will
    only make your system slower, because binaries take longer to load,
    configurations take longer to be read; basically everything, in which
    the hard-disk is involved, takes longer.

    One more thing: To be fully secure, you will need to boot from
    something, which you carry with you (so nobody can manipulate it), like
    a little floppy disk or USB stick, or similar. Otherwise, someone could
    remove your disk and trojan it. You wouldn't notice. This is also
    described in the README mentioned above. Don't worry, it's not too
    difficult to set up (just follow the instructions), but you will have to
    spend some freetime, possibly a few hours. This is the price to pay for
    security.

    Encrypting the following should render you cryptographically secure:

    * /etc (important, but a bit problematic)
    * /home
    * /opt (possibly)
    * /var
    * your swap space

    Also create a RAM-disk for /tmp, because sometimes sensitive data gets
    there. Use the 'tmpfs' filesystem for it. The following line in your
    /etc/fstab should suffice:

    none /tmp tmpfs defaults,uid=0,gid=0,mode=1777 0 0

    If you don't encrypt /var, remember to configure 'locate' (or 'slocate')
    properly, because otherwise your filesystem structure could be
    revealed. Remove the default cronjob for it (if any), and replace it by
    something like this:

    0 8 * * 7 /usr/bin/updatedb -e /dev,/etc,/home,/mnt,/proc,/root,/sys,/var/lib,/tmp

    With this configuration, you will give up a bit of comfort (if you use
    'locate' regularly), because it won't help you find files in your home
    directory anymore. But you certainly know that comfort is the worst
    enemy of security. =)


    Regards,
    E.S.


    References:
    [1] http://loop-aes.sourceforge.net/loop-AES.README

  5. Re: encrypted filesystem or files, which is best?


    "Beowulf" wrote in message
    newsan.2006.11.14.23.22.29.887168@wayoftheancients.tra il...
    > I want to secure my data beyond firewalling. What are the advantages or
    > disadvantages to creating entire encrypted disk file systems/partitions,
    > compared to just encrypting individual data files? Realistically I only
    > need to encrypt my GnuCash folder (banking info), my spreadsheet files
    > (student gradebooks--I am a teacher), and perhaps a file containing my
    > accounts and passwords (which does not yet exist, perhaps should not--
    > right now I keep that info on 3x5 cards in a box in my home so hackers can
    > not get it off my hard drive.
    >
    > The thought of encrypting an entire partition or file system worries me a
    > little, perhaps because it seems like a black box to me and I worry I
    > might lose everything doing that if it goes wrong, etc.
    >
    > Any info, advice greatly appreciated.
    > Beowulf
    > Ubuntu 6.10, also Mandriva 2006 on a PC


    Beowulf,

    From what I can make out from your post, disk encryption is NOT for you. If
    I have read correctly, you want to keep your information safe from hackers.
    With disk encryption, when you have booted the workstation, you have
    supplied the password to the encryption routine and the drive or partition
    appears unencrypted, ready for use.

    The solutions available to you are:

    1. Partition encryption. Use 'disk' encryption to encrypt a partition that
    is only mounted when you need it.

    2. File encryption. Encrypt only those files that you want to secure and
    decrypt them when you want to use them.

    3. Use removable media and remove it when you no longer need access to it
    (this could and should be an encrypted device for added protection)

    Disk encryption has it's place. It is intended to protect the disk if it is
    stolen or to prevent it being mounted without the password.

    HTH,

    Bogwitch



  6. Re: encrypted filesystem or files, which is best?

    On Sat, 18 Nov 2006 22:37:17 +0000, Bogwitch inscribed to the world:
    ...
    > From what I can make out from your post, disk encryption is NOT for you. If
    > I have read correctly, you want to keep your information safe from hackers.
    > With disk encryption, when you have booted the workstation, you have
    > supplied the password to the encryption routine and the drive or partition
    > appears unencrypted, ready for use.
    >
    > The solutions available to you are:
    >
    > 1. Partition encryption. Use 'disk' encryption to encrypt a partition that
    > is only mounted when you need it.
    >
    > 2. File encryption. Encrypt only those files that you want to secure and
    > decrypt them when you want to use them.
    >
    > 3. Use removable media and remove it when you no longer need access to it
    > (this could and should be an encrypted device for added protection)
    >
    > Disk encryption has it's place. It is intended to protect the disk if it is
    > stolen or to prevent it being mounted without the password.


    I feel I am getting a better handle now on what I need, should do. Sounds
    like an external USB drive or flashdrive would work, and I could make it
    an external encrypted filesystem/partition-- meaning no monkeying around
    with my internal drives. I like that strategy.



+ Reply to Thread