Old 04-05-2011, 07:51 PM   #1
lupusarcanus
Senior Member
 
Registered: Mar 2009
Location: USA
Distribution: Arch
Posts: 1,022
Blog Entries: 19

Disk Encryption Questions


Is it better to use:
Code:
-c aes-cbc-essiv -y -s 512
Or:
Code:
-c aes-xts-plain -y -s 512
Is the first one even possible? I've never encrypted a disk before; I'm following the Arch wiki (I'm a newbie, basically). Should I try and encrypt my swap partition (I've got 512 MB RAM, 1 GB swap)? Ideally, I'd like to make it so it's not feasible for someone (even a very skilled someone) to access my files (and system -- I'm encrypting /), but still make it fairly fast and usable for day-to-day operations. If it matters any, I'm using JFS.

Sorry for the barrage of questions. Thanks in advance.

Last edited by lupusarcanus; 04-05-2011 at 07:53 PM.
 
Old 04-06-2011, 01:06 AM   #2
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Disk Encryption

The aes arguments have to do with what kernel modules you have loaded.

Try:

cat /proc/crypto

Be careful to keep track of the cipher used. I made the mistake of forgetting once, then it's good luck guessing.

I've used the Ubuntu full disk encryption on laptops, but never on my servers, because I haven't figured out how to boot software raid and fully encrypted together.

I use two techniques with my servers:

1) Create an encrypted swap loopback and a huge encrypted loopback for the user area. The swap can encrypt itself on the way up with a random password. You don't care if you lose it each boot. For the data, leave one user outside the encrypted partition so you have a means of decrypting the filesystem. All other users should be inside the encrypted filesystem. Also symbolic link the /tmp and /var/tmp into the encrypted system.

Or
2) Create a big loopback area and put a virtual machine on it. That way the whole server can be encrypted without complicating the server.

Folks will say that running software raid, on top of a loopback, on top of encryption, on top of a virtual machine ought to be slow.

All I can say is it's plenty fast for my requirements. I don't produce video or mash huge volumes of graphical data, but my LAMP stuff runs plenty fast enough.

Your mileage may vary.

Here's one way to create an encrypted swap file:

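# Attach the existing file /swapfile to a loop device
losetup /dev/loop0 /swapfile
# Map it through dm-crypt as "swapc", keyed with random data from /dev/urandom
cryptsetup -d /dev/urandom create swapc /dev/loop0
# Format the mapped device as swap
mkswap /dev/mapper/swapc
# Enable it
swapon /dev/mapper/swapc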
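
Added example (not part of any post in this thread): one way to script the /proc/crypto check suggested above, splitting a cryptsetup -c spec into the kernel algorithm names it depends on and listing those absent from a /proc/crypto-format file. The function names and the sample listing are constructed for illustration; /proc/crypto shows only algorithms currently registered, so a missing name can simply mean the module has not been loaded yet.

```shell
#!/bin/sh
# Constructed sample in /proc/crypto format (not taken from a real host).
sample_proc_crypto() {
cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel

name         : aes
driver       : aes-generic
module       : kernel

name         : sha256
driver       : sha256-generic
module       : kernel
EOF
}

# Print the algorithm names registered in a /proc/crypto-format file.
registered_algs() {
    sed -n 's/^name[[:space:]]*:[[:space:]]*//p' "${1:-/proc/crypto}"
}

# Print the kernel algorithms a cipher-mode-iv[:hash] spec depends on.
# Returns 2 if the spec is not in that form or essiv lacks a hash name
# (essiv is written with its hash, e.g. aes-cbc-essiv:sha256).
spec_needs() {
    cipher=${1%%-*}; rest=${1#*-}            # aes | cbc-essiv:sha256
    [ "$rest" != "$1" ] || return 2
    mode=${rest%%-*}; iv=${rest#*-}          # cbc | essiv:sha256
    [ "$iv" != "$rest" ] || return 2
    case $iv in essiv|essiv:) return 2 ;; esac
    printf '%s\n' "$cipher" "$mode($cipher)"
    case $iv in essiv:*) printf '%s\n' "${iv#essiv:}" ;; esac
}

# Print the needed algorithms that the listing in $2 does not contain.
missing_algs() {
    needs=$(spec_needs "$1") || return 2
    have=$(registered_algs "$2")
    for alg in $needs; do
        printf '%s\n' "$have" | grep -qxF -- "$alg" || printf '%s\n' "$alg"
    done
}

# Demo on the constructed listing, where xts(aes) is not registered.
tmp=$(mktemp) && sample_proc_crypto > "$tmp"
missing_algs aes-xts-plain "$tmp"
rm -f "$tmp"
```

Calling missing_algs with only the spec reads the live /proc/crypto instead of a sample file.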
 
Old 04-06-2011, 01:59 PM   #3
NyteOwl
Member
 
Registered: Aug 2008
Location: Nova Scotia, Canada
Distribution: Slackware, OpenBSD, others periodically
Posts: 512

In simple terms, XTS is generally considered a more secure mode than cbc. (The discussion of the various modes is beyond this forum, but a web search will yield tons of info.) essiv is always desirable, as where possible you want to salt the passphrase. essiv can also be used with xts.

I have /home on my system currently LUKS encrypted. I also have swap encrypted (which can be done independently of any other encryption).

You really don't need to use a loopback device.
 
Old 04-06-2011, 02:03 PM   #4
lupusarcanus
Senior Member
 
Registered: Mar 2009
Location: USA
Distribution: Arch
Posts: 1,022

Original Poster
Blog Entries: 19

Thanks for the info Jerre Cope and NyteOwl.
 
  

