LinuxQuestions.org
06-14-2012, 11:04 AM   #1
dezza
Member
 
Registered: Nov 2004
Location: Denmark
Distribution: ArchLinux, Debian
Posts: 129

Rep: Reputation: 18
Is a soft-encrypted USB w/ Linux/BSD possible to make?


Like a cheaper software IronKey / Defender from iMation:
http://www.imation.com/en-US/Mob...
^ See link, check IronKey / Defender.
or LOK-IT
http://www.lok-it.net/

The IronKey doesn't have USB 3.0, much to my disappointment, and neither does LOK-IT or any other hardware-encrypted USB I've come across.

What security issues are addressed by using hardware encryption instead of just software-encrypting the USB?

Is it even possible to boot from a software-encrypted USB?

How will it compare to a hardware-encrypted USB (If it's possible)?
 
06-14-2012, 05:10 PM   #2
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
Quote:
What security issues are addressed by using hardware encryption instead of just software-encrypting the USB?
This is a very extensive topic. Hardware encryption is supposed to provide some protection against "cold boot attacks" (use a search engine if needed). However, some software solutions reduce the impact of such attacks anyway...

I guess the most important advantage of Hardware encryption over software encryption is efficiency. As cryptography is done in the hardware's chipset, and not in the CPU, it does not waste your resources.

Security? I have seen some high-degree hardware encryption solutions bring dangerous encryption flaws which needed a full device replacement. With software encryption, if a flaw is discovered you can just upgrade the software. This does not mean hardware based cryptography is insecure, I only say it is not as convenient as it seems.

And it is too expensive. Most users are far better served by a low cost software based system. Unless you are a big company or something like that, dm-crypt, loop-aes or a replacement are more convenient.

Quote:
Is it even possible to boot from a software-encrypted USB?
If you keep a small partition in the clear as a booting platform, and encrypt the rest of the info in another partition, you can go that way. A cheap, fast and dirty option is to install a Knoppix CD on your USB, boot it and let Knoppix automatically create an encrypted filesystem. The encrypted filesystem acts as a "container" which you can mount either from any Linux or by booting Knoppix from the USB.
 
1 members found this post helpful.
06-14-2012, 07:29 PM   #3
jefro
Guru
 
Registered: Mar 2008
Posts: 11,539

Rep: Reputation: 1404
And the ironkey has suffered a major hole in it.


It is getting to be a trivial matter to create any live usb. The same ways you secure a normal hard drive install are the tools that you use.

There are some elements to a mechanical or hardware type encryption that have some sales pitch.

In a real world only the most advanced computers could hack into a 256 bit encryption. Some of the tools they use are not brute force but some educated guesses. This is where some features of hardware make it difficult to get those cheats.
 
06-14-2012, 08:19 PM   #4
NyteOwl
Member
 
Registered: Aug 2008
Location: Nova Scotia, Canada
Distribution: Slackware, OpenBSD, others periodically
Posts: 512

Rep: Reputation: 139
Quote:
And the ironkey has suffered a major hole in it.
What hole is this?
 
06-15-2012, 06:08 AM   #5
dezza
Member
 
Registered: Nov 2004
Location: Denmark
Distribution: ArchLinux, Debian
Posts: 129

Original Poster
Rep: Reputation: 18
Thanks so far everyone: BlackRider, jefro, NyteOwl!

BlackRider: How do you create a software-encrypted USB then? I've not done a live USB before. I would like to move OpenBSD to a USB system. Some installers can install directly to USB; others need a bit of tweaking (e.g. with fstab) and such.

I would like to do this the most secure way possible.
 
06-15-2012, 08:23 AM   #6
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
Quote:
How do you create a software-encrypted USB then? I've not done a live USB before. I would like to move OpenBSD to a USB system.
FOR BEGINNERS:

First: choose a Live distribution or operating system. I find Knoppix and Porteus to be good options.

Second: Read the distribution documentation. Each distribution has its own way of doing things. Install it to the USB by the methods the documentation provides, it is not that mysterious... if you are having trouble, you can order a Knoppix USB drive from a store.

Third: Set up the encrypted filesystem. Every distribution has its own way.

IN KNOPPIX, THE METHOD IS:

Get a Knoppix CD/DVD and boot it in a computer.

Plug in a USB device and search for the Live USB creator tool. Launch it as root and follow the instructions until the installation is over. It can take a lot of time, so don't despair.

Shut everything down. Boot the Live USB. It will ask you if you want to create a file for persistent data: say you do. Then it will ask you if you want to set up AES encryption. Say YES and you are done.

The encrypted filesystem will be loaded every time you boot the USB. You can access the encrypted data from outside also, as the encrypted filesystem is really an ext2 inside of a regular cryptoloop (in /KNOPPIX/knoppix-data.aes).

And you are done. More complex approaches (for better results) are possible, involving Knoppix remastering and such. Cryptoloop is not a perfect solution and it's not considered really great, because it can suffer filesystem errors or be attacked by watermarking. However, if you use a really good password, it should prevent your attackers from retrieving your data easily. I wouldn't bet on a short password in cryptoloop against a Cray supercomputer, keep that in mind.

Having a Live OpenBSD is just a matter of performing a regular install on a USB, just don't think their encryption schemes are mature. They work but are still a task in progress.

Last edited by BlackRider; 06-15-2012 at 08:27 AM.
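
Added example (not part of BlackRider's post, and not Knoppix or cryptoloop code): why the sector-number IVs behind the watermarking weakness mentioned above matter, and how a key-derived IV (ESSIV, as offered by dm-crypt) removes the pattern. The Feistel cipher is a toy stand-in for AES, and the IV layout, sector numbers and key are assumptions made for the demo.

```python
import hashlib
import hmac

BLOCK, SECTOR = 16, 512

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Toy 4-round Feistel permutation standing in for AES (stdlib has no AES)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def plain_iv(key, sector):
    # Predictable IV: just the sector number (modelled on dm-crypt's "plain" mode).
    return sector.to_bytes(4, "little") + bytes(12)

def essiv_iv(key, sector):
    # ESSIV: encrypt the sector number under a hash of the volume key,
    # so the IV cannot be computed without the key.
    return encrypt_block(hashlib.sha256(key).digest(), plain_iv(key, sector))

def encrypt_sector(key, sector, data, iv_fn):
    """CBC-encrypt one sector, chaining from the per-sector IV."""
    prev, out = iv_fn(key, sector), b""
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def watermark(sector_a, sector_b):
    """Two sector payloads whose first CBC inputs coincide under plain IVs."""
    base = b"W" * BLOCK
    delta = xor(plain_iv(None, sector_a), plain_iv(None, sector_b))
    rest = bytes(SECTOR - BLOCK)
    return base + rest, xor(base, delta) + rest

def first_blocks_match(key, iv_fn, a=8, b=9):
    """True if the watermark is visible in ciphertext without knowing the key."""
    pa, pb = watermark(a, b)
    ca = encrypt_sector(key, a, pa, iv_fn)
    cb = encrypt_sector(key, b, pb, iv_fn)
    return ca[:BLOCK] == cb[:BLOCK]

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo passphrase").digest()
    print("plain IV leaks pattern:", first_blocks_match(key, plain_iv))
    print("ESSIV leaks pattern:   ", first_blocks_match(key, essiv_iv))
```

With sector-number IVs the two ciphertext sectors start with identical blocks, so the presence of the marked data shows without the passphrase; with ESSIV they do not, which is why dm-crypt/LUKS with an ESSIV or XTS mode is the usual replacement for cryptoloop.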
 
06-15-2012, 12:40 PM   #7
NyteOwl
Member
 
Registered: Aug 2008
Location: Nova Scotia, Canada
Distribution: Slackware, OpenBSD, others periodically
Posts: 512

Rep: Reputation: 139
You're welcome, though I've not helped much other than ask about the hole in the Ik mentioned above that to my knowledge doesn't exist.

I've not tried doing this with OpenBSD but it isn't hard to do with Linux. The above is a good place to get started.

There is a bootable equivalent of the Ironkey called the Ironclad made in partnership with Lockheed-Martin but sadly it's only available to corporate and government customers.

The biggest advantage to hardware encryption is speed and (depending on design) the security of the encryption keys. For most folks wanting to secure some personal info from non-pro or non-data thieves, a software solution is usually sufficient and more flexible, as well as less expensive.
 
  


All times are GMT -5.