Linux - Security forum (LinuxQuestions.org): all security related questions, tips, system compromises, firewalls, etc.
I have a laptop. I have one hard drive in it, and I want to encrypt all data on it. I want to encrypt it with a certificate which should be placed on a USB key. And that USB key should be encrypted with a password.
With dm-crypt.
dm-crypt is a kernel module. See if dm-crypt is compiled in your system by attempting to "modprobe dm-crypt"; if it fails, then you will need to re-compile your kernel with dm-crypt support. (It's in the RAID and LVM section, although you don't need to enable RAID or LVM to use dm-crypt.)
Also, I would recommend against encrypting the whole system; this is pointless. Instead, just encrypt your home partition and swap space.
To encrypt your swap space, just add 2 lines in the boot script before the line that enables swap: make it first set up an encrypted device map using /dev/urandom as the encryption key, then reformat the device map as swap (this takes less than a second).
Then mount the home directory in the same way, but use the USB thumb drive as the key instead of /dev/urandom.
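The following boot-time script is an added illustration of the steps in the post above; it is not code from the thread or from the dm-crypt project. It checks for the dm-crypt module, maps swap with a throwaway key read from /dev/urandom, and maps /home with a key file kept on the USB stick, using cryptsetup's plain (non-LUKS) "create" mapping. The device names /dev/sda2 and /dev/sda3, the USB mount point /mnt/usbkey and the file name home.key are assumptions to be adapted to your own layout. With DRY_RUN=1 it only prints the commands it would run, so the sequence can be reviewed before it is ever executed as root.

```shell
#!/bin/sh
# crypt-boot.sh: set up dm-crypt mappings for swap and /home at boot.
# Added example, not from the thread. Device paths, mount point and key
# file name below are assumptions; change them to match your machine.

SWAP_DEV=/dev/sda2            # assumed swap partition
HOME_DEV=/dev/sda3            # assumed /home partition
USB_MOUNT=/mnt/usbkey         # assumed mount point of the USB thumb drive
KEY_FILE="$USB_MOUNT/home.key"

# Execute a command, or just print it when DRY_RUN is set, so the script
# can be reviewed without touching any block device.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 0: make sure the kernel has dm-crypt (built in or as a module).
check_dmcrypt() {
    run modprobe dm-crypt
}

# Step 1: swap. A fresh random key is taken from /dev/urandom on every boot,
# so nothing paged out survives a reboot and there is no key to keep anywhere.
# The mapping is then formatted as swap, which is why mkswap must run every
# boot as well (the previous contents are unreadable by design).
setup_swap() {
    run cryptsetup --key-file /dev/urandom create swap "$SWAP_DEV"
    run mkswap /dev/mapper/swap
    run swapon /dev/mapper/swap
}

# Step 2: /home. Same kind of mapping, but the key is a file on the USB stick.
# A plain mapping has no header to verify the key against: a wrong or altered
# key file does not fail, it silently yields garbage, so the file must be
# byte-for-byte identical every boot (back it up somewhere safe).
# If the key file itself is password protected (e.g. with gpg -c), decrypt it
# to stdout and pass "--key-file -" to read the key from stdin instead.
setup_home() {
    if [ -z "${DRY_RUN:-}" ] && [ ! -r "$KEY_FILE" ]; then
        echo "key file $KEY_FILE not readable; is the USB stick mounted?" >&2
        return 1
    fi
    run cryptsetup --key-file "$KEY_FILE" create home "$HOME_DEV"
    run mount /dev/mapper/home /home
}

# Only act when explicitly asked, so sourcing the file just defines functions.
#   CRYPT_BOOT_RUN=1 DRY_RUN=1 sh crypt-boot.sh   # review the commands
#   CRYPT_BOOT_RUN=1 sh crypt-boot.sh             # as root, from the boot script
if [ "${CRYPT_BOOT_RUN:-}" = 1 ]; then
    check_dmcrypt && setup_swap && setup_home
fi
```

The swap lines belong in the boot script before the normal swapon call, as the post says, and the /home lines before the fstab mount of /home; if the USB stick is absent, setup_home refuses to create a mapping from a missing key rather than mapping the partition with whatever the shell expands to.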
Hm, ok. I use a 2.6 kernel so dm-crypt should be easy to use.
But can I get a reason why I should not encrypt more than just the swap and home dir? If I have only one hard drive, maybe I should make a couple of partitions and encrypt all but the one that is the boot partition?
Encryption is used to keep your data secret....
What's the point in encrypting all your programs like the Linux kernel and KDE and the xmms media player?
What's the point in encrypting programs that are freely available on the internet? Encrypting your /usr, /lib, /opt and other binary folders is absolutely pointless; it will just make installing Linux extremely complicated, slow booting times, and generally... it's useless.
You only need to encrypt your home directory (to keep your own files safe).
You need to encrypt the swap space to keep application data safe after a shutdown (although this is a little paranoid).
You MAY also want to encrypt the /tmp and /var partitions, if you want to keep your system logs secret... but again, it's a bit paranoid.
Look for loopback crypto. I believe there was a program that was losetup that came with a CryptoAPI patch. I think it was for 2.4 and then was integrated into the kernel source. Anyway I saw it in Gentoo sources.
I would recommend against this strongly,
for reasons documented in the dm-crypt kernel documentation.
crypto-loop is based on buggy loopback driver code.
It's generally a sloppy, messy way of doing drive encryption, and requires you to patch many system programs like losetup and mount.
dm-crypt is the replacement for crypto-loop.
It's many times easier to use, and far more functional.
crypto-loop does not allow you to use USB thumb drives or floppy disks as encryption keys... but dm-crypt does.
Linux 2.6 also introduces dm-crypt, an encryption layer for the device-mapper which looks quite elegant. Unfortunately, it's not safe! Hopefully someday it will be fixed, but in the meantime the best course is to stick with loop-AES.
My recommendation is plain and simple: do not use cryptoloop, dm-crypt (kernel < 2.6.10), or loop-AES in single-key mode - you don't want to commit security malpractice, do you?
The current stable Linux kernel is 2.6.12.
So the usual advice sticks: keep your kernel up to date, and use dm-crypt instead of the old broken crypto-loop.