Encrypted partitions - file systems - Setup

This is a discussion on Encrypted partitions - file systems - Setup ; I am currently looking into encrypting the root and /home filesystems on my Arch linux install. I am going to use dm_crypt and LUKS. The information that I have been able to find states that I should use only a ...

+ Reply to Thread
Results 1 to 12 of 12

Thread: Encrypted partitions - file systems

  1. Encrypted partitions - file systems

    I am currently looking into encrypting the root and /home filesystems on my
    Arch linux install.

    I am going to use dm_crypt and LUKS.

    The information that I have been able to find states that I should use only
    a non-journaled file system.

    Has anyone here used ext3 or JFS with encryption on the root file system?

    Or should I use ext2 only?

  2. Re: Encrypted partitions - file systems

    On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot wrote:

    > I am currently looking into encrypting the root and /home filesystems on my
    > Arch linux install.
    > I am going to use dm_crypt and LUKS.
    > The information that I have been able to find states that I should use only
    > a non-journaled file system.
    > Has anyone here used ext3 or JFS with encryption on the root file system?
    > Or should I use ext2 only?


    I'm using the xfs filesystem on a luks encrypted lvm logical volume, however
    I haven't encrypted the root filesystem.

    Encrypting the root filesystem will require using an initrd, or compiling all
    of the needed modules into the kernel, and the distro must include support
    for getting the passphrase/key, to mount the encrypted volume(s), during boot.
    Note that /boot must be on a seperate filesytem, that is not encrypted, so
    that lilo/grub can read the kernel, and initrd.

    I haven't used Arch (I'm using Mandriva), but take a look at ...
    http://wiki.archlinux.org/index.php/...S_for_dm-crypt

    For creating the filesystem, I used ...
    BaseDevice=/dev/mapper/90-data
    MapperName=luks90
    MountPoint=/var/mnt/90data
    fsType=xfs
    Label="-L 90-data"
    /sbin/cryptsetup --cipher aes-xts-benbi --key-size 512 luksFormat $BaseDevice
    /sbin/cryptsetup luksOpen $BaseDevice $MapperName
    /sbin/mkfs.$fsType $Label /dev/mapper/$MapperName
    /sbin/cryptsetup luksClose $MapperName

    The base device can be a regular partition, rather then a logical volume.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

  3. Re: Encrypted partitions - file systems

    On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot wrote:

    > I am currently looking into encrypting the root and /home filesystems on my
    > Arch linux install.
    >
    > I am going to use dm_crypt and LUKS.
    >
    > The information that I have been able to find states that I should use only
    > a non-journaled file system.
    >
    > Has anyone here used ext3 or JFS with encryption on the root file system?
    >
    > Or should I use ext2 only?
    >

    I have used xfs with dm_crypt on Slackware. I have used encrypted root,
    swap, and other partitions. I haven't noticed any problems with any of
    them, YMMV.

    The only trick is setting up to use an encrypted root filesystem from
    boot. Shutdown is handled via the standard rc.6 script, which works fine-
    at least for Slackware 12.0+

    --
    Douglas Mayne


  4. Re: Encrypted partitions - file systems

    David W. Hodgins wrote:

    > On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot
    > wrote:
    >
    >> I am currently looking into encrypting the root and /home filesystems on
    >> my Arch linux install.
    >> I am going to use dm_crypt and LUKS.
    >> The information that I have been able to find states that I should use
    >> only a non-journaled file system.
    >> Has anyone here used ext3 or JFS with encryption on the root file system?
    >> Or should I use ext2 only?

    >
    > I'm using the xfs filesystem on a luks encrypted lvm logical volume,
    > however I haven't encrypted the root filesystem.
    >
    > Encrypting the root filesystem will require using an initrd, or compiling
    > all of the needed modules into the kernel, and the distro must include
    > support for getting the passphrase/key, to mount the encrypted volume(s),
    > during boot. Note that /boot must be on a seperate filesytem, that is not
    > encrypted, so that lilo/grub can read the kernel, and initrd.
    >
    > I haven't used Arch (I'm using Mandriva), but take a look at ...
    >

    http://wiki.archlinux.org/index.php/...S_for_dm-crypt
    >
    > For creating the filesystem, I used ...
    > BaseDevice=/dev/mapper/90-data
    > MapperName=luks90
    > MountPoint=/var/mnt/90data
    > fsType=xfs
    > Label="-L 90-data"
    > /sbin/cryptsetup --cipher aes-xts-benbi --key-size 512 luksFormat
    > $BaseDevice /sbin/cryptsetup luksOpen $BaseDevice $MapperName
    > /sbin/mkfs.$fsType $Label /dev/mapper/$MapperName
    > /sbin/cryptsetup luksClose $MapperName
    >
    > The base device can be a regular partition, rather then a logical volume.
    >
    > Regards, Dave Hodgins
    >


    Ok thanks, I am going to use jfs then form the file system and see if I
    have breakage.


  5. Re: Encrypted partitions - file systems

    Douglas Mayne wrote:

    > On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot wrote:
    >
    >> I am currently looking into encrypting the root and /home filesystems on
    >> my Arch linux install.
    >>
    >> I am going to use dm_crypt and LUKS.
    >>
    >> The information that I have been able to find states that I should use
    >> only a non-journaled file system.
    >>
    >> Has anyone here used ext3 or JFS with encryption on the root file system?
    >>
    >> Or should I use ext2 only?
    >>

    > I have used xfs with dm_crypt on Slackware. I have used encrypted root,
    > swap, and other partitions. I haven't noticed any problems with any of
    > them, YMMV.
    >
    > The only trick is setting up to use an encrypted root filesystem from
    > boot. Shutdown is handled via the standard rc.6 script, which works fine-
    > at least for Slackware 12.0+
    >



    Thanks, I am going to try and set this up this weekend.

    I will be traveling to the US this Dec. and want to secure my notebook.
    Just in case I happen to miss place it or gets stolen on the way.

    ( Not that I have any thing to hide other than Arch linux and all the
    software packages on the notebook, I just don't like someone looking
    through my stuff just because they can. )


  6. Re: Encrypted partitions - file systems

    Baho Utot wrote:

    > Not that I have any thing to hide other than Arch linux and all the
    > software packages on the notebook, I just don't like someone looking
    > through my stuff just because they can.


    You could probably get away with just encrypting your /home, /usr,
    /var and /opt partitions, leaving the root partition unencrypted.

    Mark.

    --
    Mark Hobley
    Linux User: #370818 http://markhobley.yi.org/


  7. Re: Encrypted partitions - file systems

    Mark Hobley wrote:
    > Baho Utot wrote:
    >
    >> Not that I have any thing to hide other than Arch linux and all the
    >> software packages on the notebook, I just don't like someone looking
    >> through my stuff just because they can.

    >
    > You could probably get away with just encrypting your /home, /usr,
    > /var and /opt partitions, leaving the root partition unencrypted.
    >
    > Mark.
    >


    Your / partition has /etc. That includes system configurations and especially
    password information.

  8. Re: Encrypted partitions - file systems

    On Tue, 28 Oct 2008 18:52:53 -0400, Baho Utot wrote:

    > Douglas Mayne wrote:
    >
    >> On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot wrote:
    >>
    >>> I am currently looking into encrypting the root and /home filesystems on
    >>> my Arch linux install.
    >>>
    >>> I am going to use dm_crypt and LUKS.
    >>>
    >>> The information that I have been able to find states that I should use
    >>> only a non-journaled file system.
    >>>
    >>> Has anyone here used ext3 or JFS with encryption on the root file system?
    >>>
    >>> Or should I use ext2 only?
    >>>

    >> I have used xfs with dm_crypt on Slackware. I have used encrypted root,
    >> swap, and other partitions. I haven't noticed any problems with any of
    >> them, YMMV.
    >>
    >> The only trick is setting up to use an encrypted root filesystem from
    >> boot. Shutdown is handled via the standard rc.6 script, which works fine-
    >> at least for Slackware 12.0+
    >>

    >
    >
    > Thanks, I am going to try and set this up this weekend.
    >
    > I will be traveling to the US this Dec. and want to secure my notebook.
    > Just in case I happen to miss place it or gets stolen on the way.
    >
    > ( Not that I have any thing to hide other than Arch linux and all the
    > software packages on the notebook, I just don't like someone looking
    > through my stuff just because they can. )
    >

    The news is full of cases of data breaches from lost laptops,
    non-encrypted backups, etc. Millions of people have been affected by
    someone else losing their data. This has been a driving force for many
    businesses to require that their mobile equipment be encrypted. The US
    government has similar mandates for their systems, but IIRC their
    execution has been lagging- a lot of their laptops are still not
    encrypted. Using encryption makes good business sense whenever data loss
    would trigger mandatory reporting and and other penalties
    defined by law (HIPAA, and newer laws designed to protect "PII,"
    Personally Identifiable Information). It is better to lock the horse in
    the barn now, rather than deal with him after he's already out.

    I have a project for encrypting the root filesystem, but I haven't updated
    in a while:
    http://www.xmission.com/~ddmayne2/erf-dm/

    One feature which is missing from the project is the potential for "key
    recovery." I hacked that into the version that I use now. The startup
    is similiar, except that there is more than one authorized user
    (username, gpg passphrase). Each user is able to decrypt a message
    which contains the key and other dm_crypt (cryptsetup) parameters for the
    disk partitions. This step is handled by a small startup environment in
    the initrd. It's definitely a good idea because users forget their
    passphrase, leave the company, etc. They are much more likely to be able
    to remember their gpg passphrase, rather than a single "shared secret."
    This allows the key to have complexity beyond a common phrase, etc. A nice
    thing about gpg messages is that they may have multiple recipients. That
    fact accomodates the multiple user requirement very easily.

    The documentation for the project explains that a "two factor" mode is
    possible. For example, you can setup to boot from an optical disc or from
    a USB key. The boot media contains the startup environment which will
    prompt for the user's credentials (simple passphrase, or gpg passphrase to
    decrypt message).

    --
    Douglas Mayne

  9. Re: Encrypted partitions - file systems

    Douglas Mayne wrote:

    > On Tue, 28 Oct 2008 18:52:53 -0400, Baho Utot wrote:
    >
    >> Douglas Mayne wrote:
    >>
    >>> On Mon, 27 Oct 2008 19:23:37 -0400, Baho Utot wrote:
    >>>
    >>>> I am currently looking into encrypting the root and /home filesystems
    >>>> on my Arch linux install.
    >>>>
    >>>> I am going to use dm_crypt and LUKS.
    >>>>
    >>>> The information that I have been able to find states that I should use
    >>>> only a non-journaled file system.
    >>>>
    >>>> Has anyone here used ext3 or JFS with encryption on the root file
    >>>> system?
    >>>>
    >>>> Or should I use ext2 only?
    >>>>
    >>> I have used xfs with dm_crypt on Slackware. I have used encrypted root,
    >>> swap, and other partitions. I haven't noticed any problems with any of
    >>> them, YMMV.
    >>>
    >>> The only trick is setting up to use an encrypted root filesystem from
    >>> boot. Shutdown is handled via the standard rc.6 script, which works
    >>> fine- at least for Slackware 12.0+
    >>>

    >>
    >>
    >> Thanks, I am going to try and set this up this weekend.
    >>
    >> I will be traveling to the US this Dec. and want to secure my notebook.
    >> Just in case I happen to miss place it or gets stolen on the way.
    >>
    >> ( Not that I have any thing to hide other than Arch linux and all the
    >> software packages on the notebook, I just don't like someone looking
    >> through my stuff just because they can. )
    >>

    > The news is full of cases of data breaches from lost laptops,
    > non-encrypted backups, etc. Millions of people have been affected by
    > someone else losing their data. This has been a driving force for many
    > businesses to require that their mobile equipment be encrypted. The US
    > government has similar mandates for their systems, but IIRC their
    > execution has been lagging- a lot of their laptops are still not
    > encrypted. Using encryption makes good business sense whenever data loss
    > would trigger mandatory reporting and and other penalties
    > defined by law (HIPAA, and newer laws designed to protect "PII,"
    > Personally Identifiable Information). It is better to lock the horse in
    > the barn now, rather than deal with him after he's already out.
    >
    > I have a project for encrypting the root filesystem, but I haven't updated
    > in a while:
    > http://www.xmission.com/~ddmayne2/erf-dm/
    >
    > One feature which is missing from the project is the potential for "key
    > recovery." I hacked that into the version that I use now. The startup
    > is similiar, except that there is more than one authorized user
    > (username, gpg passphrase). Each user is able to decrypt a message
    > which contains the key and other dm_crypt (cryptsetup) parameters for the
    > disk partitions. This step is handled by a small startup environment in
    > the initrd. It's definitely a good idea because users forget their
    > passphrase, leave the company, etc. They are much more likely to be able
    > to remember their gpg passphrase, rather than a single "shared secret."
    > This allows the key to have complexity beyond a common phrase, etc. A nice
    > thing about gpg messages is that they may have multiple recipients. That
    > fact accomodates the multiple user requirement very easily.
    >
    > The documentation for the project explains that a "two factor" mode is
    > possible. For example, you can setup to boot from an optical disc or from
    > a USB key. The boot media contains the startup environment which will
    > prompt for the user's credentials (simple passphrase, or gpg passphrase to
    > decrypt message).
    >


    Thanks I'll have a look at it


  10. Re: Encrypted partitions - file systems

    Mark Hobley wrote:

    > Baho Utot wrote:
    >
    >> Not that I have any thing to hide other than Arch linux and all the
    >> software packages on the notebook, I just don't like someone looking
    >> through my stuff just because they can.

    >
    > You could probably get away with just encrypting your /home, /usr,
    > /var and /opt partitions, leaving the root partition unencrypted.
    >
    > Mark.
    >


    What and miss /tmp..... No its going to be all or nothing

  11. Re: Encrypted partitions - file systems

    On 2008-10-29, Baho Utot wrote:
    > Mark Hobley wrote:
    >
    >> Baho Utot wrote:
    >>
    >>> Not that I have any thing to hide other than Arch linux and all the
    >>> software packages on the notebook, I just don't like someone looking
    >>> through my stuff just because they can.

    >>
    >> You could probably get away with just encrypting your /home, /usr,
    >> /var and /opt partitions, leaving the root partition unencrypted.
    >>
    >> Mark.
    >>

    >
    > What and miss /tmp..... No its going to be all or nothing


    Mount /tmp as a tmpfs unless you use programs that put lots of stuff
    there.

    --
    hackerkey://v4sw5hw2ln3pr5ck0ma2u7LwXm4l7Gi2e2t4b7Ken4/7a16s0r1p-5.62/-6.56g5OR

  12. Re: Encrypted partitions - file systems

    Baho Utot writes:

    > I am currently looking into encrypting the root and /home filesystems on my
    > Arch linux install.
    >
    > I am going to use dm_crypt and LUKS.
    >
    > The information that I have been able to find states that I should use only
    > a non-journaled file system.
    >
    > Has anyone here used ext3 or JFS with encryption on the root file system?
    >
    > Or should I use ext2 only?



    No journaling. That's the way I was taught. Journaling aids in data
    recovery - such as someone running forensics on your disk. Of course, if
    you don't care about that, then I guess journaling is OK.

    --
    Freedom? [** America, The Police State **] Rights?
    http://www.hermes-press.com/police_state.htm
    http://www.theregister.co.uk/2008/10...ll_phone_pics/

+ Reply to Thread