LinuxQuestions.org
Linux - Security
Old 02-14-2009, 11:24 PM   #1
Ranguvar
Encryption (Filenames/metadata, what to encrypt, resizing)


I've already decided to use an unencrypted root, either loop-aes or LUKS/dm-crypt to encrypt my swap (I will benchmark to decide), loop-aes/EncFS/LUKS to encrypt /tmp (or I will use tmpfs, since I have 6GB of RAM... any opinions?), and either LUKS, loop-aes, or TrueCrypt for my personal /home. /var/tmp will be an EncFS.

First, as mentioned above, any advice from those with experience on making a separate /tmp to encrypt with traditional methods vs. using tmpfs for /tmp (6GB RAM)? What kinds of operations use /tmp the most (I know optical disc writing does) (this will help to benchmark with/without tmpfs), and to what extent? Same questions for /var/tmp? I know tmpfs will automatically move lesser-used stuff to swap instead of main RAM - does it do this well, and does it adjust how much it does that depending on how much free RAM there is?

Second, I know TrueCrypt will encrypt filesystem metadata (the important thing being file names), and EncFS does since late last year. I'm pretty sure LUKS/dm-crypt and loop-aes also do, but I'm not 100% sure. Is anyone certain they do?

Third, any comments on how I've decided to set up my system? Are there any places I'm missing to encrypt?

And fourth, any info on resizing any of the above encryption setups (on block devices on LVM) would be very much appreciated.

Thanks!!

NOTE: I'm also considering just encrypting everything except probably /usr... it would be simpler, that's for sure. We'll have to see what the damage is in terms of speed.

NOTE 2: I will definitely post my results so others can see when I'm done. I will be running the benchmarks on both a quad-core with 7,200rpm hard drives and an elderly ThinkPad with a Pentium M Banias and a 5,400rpm drive. I'll also do a few quick benches to see whether the differences between file systems change when encryption is used.... this'll be "fun".


I'm also asking these questions here, for any reading this that are also interested.

Last edited by Ranguvar; 02-14-2009 at 11:26 PM. Reason: Add link to another asked forum
 
Old 02-14-2009, 11:47 PM   #2
JulianTosh
My laptop, with Fedora10, uses full disk encryption using LUKS. Only the boot partition (~200M) is in the clear. The OS, user files, and swap are all encrypted. I have no performance issues, works great!

The initial install makes it really easy too... just check "Encrypt Disk", done.

Last edited by JulianTosh; 02-14-2009 at 11:49 PM. Reason: added some clarification on whats encrypted
 
Old 02-15-2009, 05:42 PM   #3
Ranguvar (Original Poster)
Does LUKS encrypt filesystem metadata (filenames)?
 
Old 02-17-2009, 11:13 PM   #4
Ranguvar (Original Poster)
Bumper.
 
Old 02-18-2009, 10:26 AM   #5
JulianTosh
Not exactly sure what you mean. LUKS is a whole-disk encryption system so everything gets encrypted - filenames, data, etc.
 
Old 02-18-2009, 03:28 PM   #6
wsduvall
LUKS is probably your best bet. I've used it for several years, and I've had no data loss issues or other errors. It's also supported in the kernel, so you can boot from it, and you can automatically encrypt your swap using /etc/crypttab. I'm a huge fan, and those fascists at the RIAA can punt. Also, here's a simple benchmark using hdparm:

Unencrypted:
Code:
[wsduvall@Asar ~]$ sudo hdparm -tT /dev/sda
/dev/sda:
 Timing cached reads:   2462 MB in  2.00 seconds = 1231.66 MB/sec
 Timing buffered disk reads:  118 MB in  3.04 seconds =  38.88 MB/sec
Encrypted:
Code:
[wsduvall@Asar ~]$ sudo hdparm -tT /dev/mapper/home
/dev/mapper/home:
 Timing cached reads:   2544 MB in  2.00 seconds = 1273.18 MB/sec
 Timing buffered disk reads:  114 MB in  3.05 seconds =  37.36 MB/sec
There's almost no difference.

I'm also pretty sure (but not 100%) that you can change your keys in LUKS, even after encryption.

Last edited by wsduvall; 02-18-2009 at 03:40 PM.
 
Old 02-18-2009, 04:32 PM   #7
Ranguvar (Original Poster)
Not bad performance there, but I would think the main slowdown would be with sparse file performance / small file performance? I will test soon anyways.

I'm still not 100% sure LUKS encrypts metadata though... or loop-AES for that matter, but loop-AES at least is faster and *potentially* more secure. The advantage LUKS has is that it is in the kernel, and easier to use.
 
Old 02-19-2009, 12:33 PM   #8
jschiwal
An encrypted device is a virtual device between the real device and the file system. You mount the virtual device (e.g. /dev/mapper/cr_sdc2) and format that. Everything is encrypted. A Linux filesystem doesn't have metadata in the same way that a Mac filesystem does. Directories contain the filename and a pointer to the inode structure. To the kernel a directory is simply a file.
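A way to check the point above yourself, as an added example that is not from anyone in this thread: the script formats two loop-file images, one as plain ext4 and one as ext4 inside a LUKS container, creates a file with a recognisable name on each, and then greps the raw image bytes for that name. The container name luksdemo, the image paths and the marker filename are made up; the root-only part needs cryptsetup, mkfs.ext4 and loop device support and only runs when invoked as `sudo sh luks_demo.sh run`.

```bash
#!/bin/sh
# Added demo, not from this thread: dm-crypt/LUKS sits below the filesystem,
# so directory entries (filenames) are ciphertext on disk. Names here
# (luksdemo, image paths, the marker filename) are made up. The root-only
# part needs cryptsetup, mkfs.ext4 and loop devices: sudo sh luks_demo.sh run
set -eu

MARKER="SECRET_MARKER_FILENAME_42"   # constructed, deliberately greppable

# Exit 0 if the marker appears anywhere in the raw image bytes, 1 otherwise
# (-a scans the binary image as text, -q only reports presence).
has_plaintext_marker() {
    grep -a -q "$1" "$2"
}

luks_filename_demo() {
    work=$(mktemp -d)
    plain="$work/plain.img"; crypt="$work/crypt.img"; key="$work/key"
    head -c 32 /dev/urandom > "$key"
    dd if=/dev/zero of="$plain" bs=1M count=64 status=none
    dd if=/dev/zero of="$crypt" bs=1M count=64 status=none
    mkdir "$work/m"

    # Unencrypted control: ext4 straight on the loop file.
    mkfs.ext4 -q -F "$plain"
    mount -o loop "$plain" "$work/m"
    touch "$work/m/$MARKER"; umount "$work/m"

    # Encrypted: LUKS container first, then ext4 on the mapped device.
    cryptsetup luksFormat --batch-mode --key-file "$key" "$crypt"
    cryptsetup open --key-file "$key" "$crypt" luksdemo
    mkfs.ext4 -q -F /dev/mapper/luksdemo
    mount /dev/mapper/luksdemo "$work/m"
    touch "$work/m/$MARKER"; umount "$work/m"
    cryptsetup close luksdemo

    # Directory entries live inside the filesystem, so only the plain image leaks.
    if has_plaintext_marker "$MARKER" "$plain"; then
        echo "plain image: filename visible in raw bytes"
    fi
    if has_plaintext_marker "$MARKER" "$crypt"; then
        echo "LUKS image: filename visible (unexpected)"
    else
        echo "LUKS image: filename not found in raw bytes"
    fi
    rm -rf "$work"
}

if [ "${1:-}" = run ]; then luks_filename_demo; fi
```

The only plaintext in the LUKS image is its header (cipher name, key slots, UUID); directory entries, inodes and file data all sit below the encryption layer.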
 
Old 02-20-2009, 12:03 AM   #9
wsduvall
I don't see why one would be more secure than the other, they both use the same cypher. Also loop-AES is not really being developed anymore, at least that's what I understand.

Last edited by wsduvall; 02-20-2009 at 12:08 AM.
 
Old 03-02-2009, 10:51 AM   #10
Gortex
Not to hijack this thread or anything, but when you use LUKS and you are offering shares via Samba (SMB), how does the Windows PC see the shares? As being encrypted and worthless, or is it transparent? This might seem like a stupid question, but I have thought about doing this for a while and don't want to make 900 gigs of media worthless to the other PCs.
 
Old 03-02-2009, 12:22 PM   #11
JulianTosh
The OS will present a decrypted file system to samba.
 
Old 03-02-2009, 12:37 PM   #12
Gortex
Thanks, I figured as much, but it's better to ask than to be sorry later for not asking.
All times are GMT -5.