LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Linux disk encryption (http://www.linuxquestions.org/questions/linux-security-4/linux-disk-encryption-696493/)

<Ol>Origy 01-11-2009 10:29 AM

Linux disk encryption
 
Hello!

I am looking for a way to setup a laptop with a single linux OS installed that uses disk encryption to protect the data on the HDD. This is the first time I'm working on a project like this and I'd like to ask for some guidelines. I'm not sure to what degree a disk can be encrypted in linux, but I am talking about at least encrypted root partition and encrypted swap, both with pre-boot authentication (meaning you need the correct password to decrypt them at boot).

What are the possibilities and suggestions?
Regards, Ol

Simon Bridge 01-11-2009 11:53 AM

Many main-stream distros support whole disk encryption out of the box - though you should realise that, unlike other OSs, linux does not write sensitive or user information to any old place on the drive. So it is very common to leave a separate boot (and other) partitions unencrypted.

Ubuntu, in particular, supports double encryption - you can install to an encrypted HDD, putting the keys on a removable drive, and also have an encrypted directory off your home directory (called ~/Private) for stuff so sensitive, you don't want people getting to it when you leave your laptop for a bit.

You can also create plausible deniability by dual booting so the unencrypted (dummy) linux boots when a key drive is not plugged in.

There are many articles online on this subject too.

<Ol>Origy 01-11-2009 01:44 PM

I see that you offer many good ideas.

Basically, I am looking for something to encrypt the contents of the operating system (root partition) and the swap. The user has to provide the correct password before the OS partition can be decrypted and the system boots normally (pre-boot authentication).

I am not as paranoid to put the boot files onto a removable media. I'm fine with the idea that the files remain on the hard disk (likely the /boot partition, which will probably have to remain unencrypted) as long as a passphrase is needed at boot-time to decrypt and boot the OS.

The linux image I'm working with doesn't offer any encryption at installation and I'm talking about having to set up the encryption manually. This is where I require some advice as I am not sure what solution to use.

I was thinking about using dm-crypt/cryptsetup/LUKS.

Simon Bridge 01-12-2009 09:33 AM

Quote:

I was thinking about using dm-crypt/cryptsetup/LUKS.
That's the standard setup for most linuxes. There are plenty of howtos.

Ubuntu uses LVM to help.

Bear in mind that there is no such thing as "true" whole disk encryption - something has to be available to run the bootstrap, get the keys, decrypt the boot partition ... etc.

Why do you want to encrypt /boot?

Encrypting the entire drive is needed in Windows because temporary files can be written anywhere. But linux does not write to /boot.

<Ol>Origy 01-12-2009 11:31 AM

Ah, thank you. This last post of yours has a good amount of answers.

Quote:

Originally Posted by Simon Bridge (Post 3405708)
That's the standard setup for most linuxes. There are plenty of howtos.

Excellent. I assume this is also the proper way of doing it on linux. ;)

Quote:

Originally Posted by Simon Bridge (Post 3405708)
Ubuntu uses LVM to help.

I'm not quite sure what LVM is, but I'll do some googling and reading.

Quote:

Originally Posted by Simon Bridge (Post 3405708)
Bear in mind that there is no such thing as "true" whole disk encryption - something has to be available to run the bootstrap, get the keys, decrypt the boot partition ... etc.

That is correct. Most users would suggest putting the needed boot files onto some removable media, but for my setup, I would much rather have all neccessary files on the HDD itself. I am aware this approach may require some unencrypted space.

Quote:

Originally Posted by Simon Bridge (Post 3405708)
Why do you want to encrypt /boot?

Encrypting the entire drive is needed in Windows because temporary files can be written anywhere. But linux does not write to /boot.

I'm not sure if it's even possible to have an encrypted /boot partition and have the system boot without relying on any external files located on some removable media. Perhaps there is a linux boot loader that can decrypt the /boot partition and boot the system normally. I wonder if grub2 supports this feature, I really don't know. In windows I know that TrueCrypt has a boot loader of its own that decrypts the rest of the file system. Anyway, I was thinking about setting up a system that does have an unencrypted boot partition, but if there is a way to encrypt that as well (no external dependencies) then so much the better.

Why encrypt the boot partition, you ask? Ask yourself how secure really the other approach is. An adversary could easily access the /boot partition and replace or modify some files to insert a malicious keylogger that in terms logs down the pass phrase upon entering it and hides it somewhere within the unencrypted space without my knowledge. All that is left to do is to read it while I'm not paying attention.

internetSurfer 01-12-2009 09:14 PM

Extra Info:

_

JulianTosh 01-24-2009 05:18 AM

Fedora 10 allows you to check a box ("Encrypt Drive") during drive configuration that will create a single encrypted partition that holds / and swap inside it. /boot is left unencrypted, but should never contain any sensitive data from a general user.

slimm609 01-25-2009 02:25 PM

as internetsurfer has posted a link to. True crypt is a great way to go. It encrypts the entire drive and installs a pre-boot auth into the MBR.

its supports aes, blowfish, twofish, etc.

You can also mix encryption so that you would have a blowfish encryption inside an aes encryption if your really paranoid

tkibugu 12-15-2011 04:33 AM

Re: Linux disk encryption
 
In debian lenny with encrypted root and swap partitions, when booting, one is asked for root and swap passphrases. To avoid the swap passphrase, a working setup is found here: [LINK REMOVED BY MODERATOR]

win32sux 12-16-2011 09:15 PM

tkibugu, please stop using LQ posts to promote your site. If you continue this sort of behavior, there will be consequences which may include your temporary or even permanent loss of LQ privileges. TIA.


All times are GMT -5. The time now is 07:28 AM.