LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-05-2006, 03:27 AM   #1
Synesthesia
Member
 
Registered: Jan 2004
Location: the abyss
Posts: 205

Rep: Reputation: 30
file system encryption on servers


Have any of you used file system encryption on a server? Encrypted file systems, of course, have a higher rate of corruption. what do you do to protect against that? Have you found certain file systems to have better checksumming (e.g. EncFS). Thanks for your imput.
 
Old 06-05-2006, 08:04 AM   #2
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
I've used filesystem encryption but if I were you, I'd think carefully before using it.

Why are you using it? If someone can get in and steal your hard disk, what do you lose in terms of what's useful to them and detrimental to you? If they can get that same data unencrypted (via an intranet, stealing a client machine, searching histories etc.) then you've gained nothing.

Second, a performance hit can be quite large. Are you sure you NEED it to be encrypted and that having it encrypted is worthwhile (i.e. do your workers regularly copy the drive onto a laptop and take it home with them? Then you're wasting your time).

"Encrypted file systems, of course, have a higher rate of corruption."

Er... I don't quite get what you mean. If you mean that a single-bit change (i.e. a hardware failure) is detrimental to the filesystem, then yes. But many modern journalling filesystems are extremely difficult to recover anyway (usually so difficult and expensive that it's easier to just rely on backups... I was quoted 1000/Gb as a standard price for basic recovery from simple filesystems for many years - I don't know if that's changed) so this is a much more general issue.

EFS's don't "corrupt" any more often than a normal JFS, pretty much the same number of writes are done to any sector you care to choose. You will, of course, have tape backup for anything worth preserving anyway. Anything that RELIES on a filesystem checksum to stay intact is not going to hold ANY DATA of mine unless it's got full-recovery (i.e. I know that I can definitely lose X Kb of data and STILL the information is perfect, like PAR archives etc.), and even then the disksspace/time tradeoff buys you *another* decent backup system.

If you are getting filesystem corruption, your hardware is faulty or your filesystem is, itself, faulty. Neither have anything to do with encryption except that to then RECOVER your data is infinitely more difficult.

You will, however, have to be 100% certain that you have stored your keys (TWICE!) and other necessary information (filesystem type and version, for instance) somewhere safe too. If you are doing backups properly, they will be encrypted and require the same information (although storing that information with the backup is just as secure as having no encryption at all).

What, exactly, are you trying to achieve by encrypting your filesystem? Stopping your little brother using Knoppix to browse your files/change your root password? Stopping people who steal the harddrive from EVER discovering what's on it? You have to consider the trade-offs at each point (usually performance and recoverability with EFS's).

Home desktop use? Waste of time, pointless, going to cause you much, much more hassle than it's worth (especially if you don't backup or you have faulty hardware). You might lose your bookmarks, maybe a cookie or two. Cancel your credit card to be safe, then get on with life.

Office use? Possibly worthwhile as part of a much larger security scheme (i.e. making sure people don't copy the data somehow, take it offsite etc.) but it's still going to cause you an awful lot of headaches - unless you are storing credit card numbers or other extremely VITAL data, you have to consider if it's worth it (and then you should be asking yourself WHY are you storing that information and what measures should you also have in place to prevent abuse?).

Cover for something you shouldn't be doing? Some countries will jail you for NOT supplying your private key if they come across an encrypted filesystem. Any EFS can be cracked given enough time and you lose all deniability if you've deliberately hidden things.

Weigh it up before you even consider it. Ask yourself, what if the power goes off and my hard drive isn't completely written to. What would happen and how much hassle would it be to get it all back?
 
Old 06-05-2006, 04:03 PM   #3
Synesthesia
Member
 
Registered: Jan 2004
Location: the abyss
Posts: 205

Original Poster
Rep: Reputation: 30
"You have to consider the trade-offs at each point" -ledow
I, of course, have already done this. The issue of whether or not I should be using encryption at all is not what I want to debate...

I know if a file is not completely written to the EFS, and the (e.g.) power goes out, the file being written will become corrupted. But am I correct to say that only the file being written to will become corrupt, and the rest of the encrypted file system will remain intact? The server will be most like a file server. With that in mind, is there a specific EFS you recommend (loop-aes, encfs)? And what are your thoughts on which file system it should be used in combination with (XFS, reiserfs3, JFS, how about reiserfs4 which supposedly has EFS benefits)? Do you suggest that I need something like raid-1 with an EFS because of the higher chance of data loss?

Thanks for your imput.

P.S. If you have ever used an EFS for server use, I would like to hear your performance comparisons (like EFS vs FS, and server specs, etc).

Last edited by Synesthesia; 06-05-2006 at 04:08 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
File System Encryption raja1979 Linux - Security 2 12-23-2005 05:08 PM
file encryption application ksgill Linux - Newbie 4 08-03-2003 10:58 PM
File or Directory Encryption potlamurali Linux - Security 4 05-02-2003 10:05 PM
Shared File Encryption mawarsha Linux - Security 6 02-12-2003 01:11 AM


All times are GMT -5. The time now is 07:35 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration