Hi
After searching the internet I found cryptsetup, ecryptfs, loop-AES and Truecrypt.
I want software on Linux (Ubuntu 12.04) for building a fully encrypted disk with pre-authentication at system boot time.
But I have one question.
Which one is better for me?
Thank you for any answer.
Last edited by saeedsssss; 09-26-2012 at 04:22 PM.
Distribution: Fedora (typically latest release or development release)
Based on my preferences, I would suggest that you use (LUKS using) cryptsetup. What you described can be achieved easily with cryptsetup. I have encrypted /, swap and /home and have to enter a passphrase during boot for the system to boot.
There are probably some online guides to enable one to do this (if needed). Archwiki also has pages that would be useful. Hope this helps.
Last edited by Janus_Hyperion; 09-27-2012 at 12:24 PM.
Reason: edited for clarification.
I can tell you a little bit about LUKS through cryptsetup, since that's what I use. I'm pretty sure with cryptsetup you can't encrypt the full disk; you would need to leave /boot unencrypted (putting it on a different partition). But you can encrypt everything else including the swap space. I actually have two partitions, one with boot, and one large encrypted partition holding two LVs (Logical Volumes), one for root and one for swap. Doing it this way, you only need one password to decrypt the rest of your computer. You can also even set up a key file on a USB stick or something, so that, when the computer starts, it will first look for the key file and decrypt the disk if it finds it, but if it doesn't it will ask for the password. This has worked fine for me. Here's a howto for Ubuntu: http://ubuntuforums.org/showthread.php?t=1205372
If you are really serious about that kind of security, I would invest in a disk-controller, a drive, or an external SAN unit that provides hardware encryption of drive content. The key (or certificate as the case may be) is literally installed into the unit via hardware or software, and every I/O operation against the drive is encrypted or decrypted in real time.
One of the all-around handiest of these are USB sticks that have encryption capability. I once saw a sort of dongle that you could plug into a USB port, then plug any ol' stick into it, and everything on that stick would be encrypted with no loss of throughput.
Last edited by sundialsvcs; 09-27-2012 at 12:15 PM.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
I'm not sure about the OS support of USB sticks, I know some are Windows only, so last time I saw something like this discussed I found there are USB hard drives with built-in keypads for entering the unlock code.
Well if you're looking for an encrypted USB key I can recommend Ironkey. One caution - the unlocker is 32-bit only so you will need a multi-lib setup if you're running 64-bit.
Seagate and Stonewood both make hardware level encrypted hard drives. The Stonewood is self-contained. Last I checked the Seagate required the system have a TPM but I'm not sure if this is still the case.
LUKS works well for encrypting a Linux system on a block level. You can encrypt everything but a small /boot partition and unlock using a keyfile, password or both. The disadvantage to LUKS is that once unlocked the data is accessible by the entire system (subject to other access controls and permissions).
TrueCrypt only works with containers on Linux and cannot be used for full disk encryption like it can on Windows.
loop-AES has been deprecated in many distros for a while now in favour of the cryptsetup option.
ecryptfs is a filesystem level encryption scheme that can be used on a directory or file level (similar to Truecrypt). It has the advantage of remaining encrypted until the user who owns the "container" mounts it. It is not useful however for full disk encryption.
These various systems can be combined depending on your needs (e.g. ecryptfs in a user directory on a LUKS encrypted partition on a hardware encrypted drive).
I thank the four people who answered this question.
I read these four threads. Now I am trying to find out about the types of attack on full disk encryption.
For example, if I build a fully encrypted disk and I lose my hard disk, which kinds of attack can get past this encryption?
And which one of cryptsetup, loop-AES, ... can solve this problem?
Another question: what about the watermarking attack, the dictionary attack and other attacks that you know of?
Which feature of cryptsetup can prevent these attacks?
I am waiting for any book, document, website or thread about attacks.
Last edited by saeedsssss; 09-28-2012 at 03:08 AM.
Regardless of the system chosen, be it truecrypt, LUKS, etc., there are two weaknesses: the implementation of the algorithm, and the keys. Unless you are good at both math and programming, checking on the robustness of the algorithm is beyond most people's abilities. Choose the one you prefer; Blowfish, Twofish, Serpent and AES are good choices. Also choose an appropriate mode (e.g. XTS, CBC) for your needs.
The primary attack vector is the keys and passphrases. Choosing a strong passphrase is the first step. There are numerous articles, tutorials and books on the subject so reiterating it here is wasteful. Once you have a strong passphrase you choose a strong hash when creating the encrypted container/partition (e.g. SHA-256, SHA-512, Whirlpool, perhaps Skein). Be sure to salt the hash as well.
If you take the above technical precautions, it remains to manage any keyfiles or passwords/passphrases you create in a secure manner. If you do all the above, the remaining attack vector is cryptanalysis which, for the example algorithms above, is a major undertaking, and your data should remain safe.
Note in choosing a commercial hardware solution such as Ironkey or Stonewood, your options as to hash and encryption algorithm are more limited. For example both use AES-256 for their products.
(PS - Stonewood drives are now sold under the name Eclypte)
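
A check for the settings discussed in the post above (cipher mode, hash, key derivation), as an added example that is not part of the original thread: it audits the text printed by `cryptsetup luksDump` for a LUKS1 volume. The sample dump, the accepted-hash list and the iteration threshold are assumptions made for the example.

```python
import re

# Constructed sample of `cryptsetup luksDump` output for a LUKS1 volume
# (device name and all values are made up for this example).
SAMPLE_DUMP = """\
LUKS header information for /dev/sdX2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-plain
Hash spec:      sha1
MK bits:        256
MK iterations:  12500

Key Slot 0: ENABLED
    Iterations:             48000
Key Slot 1: ENABLED
    Iterations:             210000
Key Slot 2: DISABLED
"""

# Assumed policy for this example, not a cryptsetup default.
GOOD_HASHES = {"sha256", "sha512", "whirlpool"}
MIN_SLOT_ITERATIONS = 100_000


def audit_luks_dump(text):
    """Return a list of findings for one LUKS1 header dump."""
    fields = dict(re.findall(r"^([A-Za-z ]+):[ \t]+(\S+)[ \t]*$", text, re.M))
    findings = []

    # cbc-plain derives each sector IV from the sector number, so IVs are
    # predictable; that is the precondition for the watermarking attack.
    mode = fields.get("Cipher mode", "")
    if mode.startswith("cbc-plain"):
        findings.append(f"cipher mode {mode}: predictable IV (watermarking); "
                        "use xts-plain64 or cbc-essiv:sha256")

    hash_spec = fields.get("Hash spec", "").lower()
    if hash_spec not in GOOD_HASHES:
        findings.append(f"hash spec {hash_spec or '?'}: not in accepted list")

    # Each enabled key slot has its own salt and PBKDF2 iteration count;
    # a low count makes dictionary attacks on the passphrase cheaper.
    slots = re.findall(r"^Key Slot (\d+): ENABLED\n\s+Iterations:\s+(\d+)",
                       text, re.M)
    for slot, iters in slots:
        if int(iters) < MIN_SLOT_ITERATIONS:
            findings.append(f"key slot {slot}: only {iters} PBKDF2 iterations")
    return findings


if __name__ == "__main__":
    for finding in audit_luks_dump(SAMPLE_DUMP):
        print("FINDING:", finding)
```
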