Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi I'm opening this thread as I found out that kerneli.org and other sites with strong encryption were all misteriously closed.... So I'd like everyone to contribute to this thread and finally I'll set up a complete guide on encryption (there's not many on the internet and some dated 2000 kernel 2.0-2.2 !!!)
So here are the questions...
How to setup up 2.6 kernel for encryption?? how with 2.4 kernel?? what's more to do (ie patch losetup etc. etc)
It is no particular secret. The Linux kernel contains a number of modules which implement algorithms such as DES, Blowfish, Rijndael and so-on. These modules are used, for example, in implementing VPN (Virtual Private Networking), aka ipSec. These kernel modules are used to encrypt and decrypt network traffic, and they are also available for uses by things like encrypted filesystems.
User-mode modules exist to do the same thing (see: man crypto, the so-called OpenSSL library). Full source-code is available for all of these.
Various governments around the world continue to treat cryptography more-or-less as they always do, in somewhat of a love/hate relationship. They routinely impose various import/export restrictions, although for what purpose or hope of success I really do not know. But at least there is now no question that civilian uses of cryptography are as "legitimate" as military ones, although the civilian requirements are obviously less stringent and high explosives are usually not raining down by the ton in the immediate vicinity of civilian users...
Anyhow: Linux supports cryptography and does it quite well. You can avail yourself of pretty much any civilian algorithm you name (and some military ones, if you have the right clearance), without writing anything. And what may be even more important is that you have access to a complete and well thought-out infrastructure that considers all of the aspects of practical cryptography: key management, authentication, data integrity, and so-on. All in open source.
Last edited by sundialsvcs; 07-25-2005 at 04:48 PM.
if i recall correctly there were a couple good guides included in /usr/doc/HOW-To's or somewhere around there. I remember reading two different ones on encrypting a hard disk, and at least a couple on encrypting various parts of your networking. otherwise, google linux encryption and you'll get tons of info.
what algorithms exist that only military agencies would have access to? As I understand, using something like rsa or 256bit-aes are secure enough and take millions of years or something to break using supercomputers. Why would there be a need for people to come up with their own if even only the two I just mentioned are secure enough.
Obviously, the existence as well as the details of military-only crypto systems are a military secret. If you don't have the appropriate clearances, you won't hear about (and if you do, you can't divulge) even their names.
Algorithms like RSA and DES are very extensively studied, both by civilian and by military cryptanalysts (yes, they do aid the civilian sector... your tax dollars at work, this time beneficially). Their characteristics are very well-known. And pretty much all of them, properly applied, are more-than-adequate for civilian purposes... and for quite a few military purposes, too. (Not all "military" data requires extreme-security, and an important security principle is that the level of protection afforded to data should not exceed that data's value. Many Enigma messages were cracked during WW2 because the same messages were sent in the much-less-secure Dockyard cipher. Those breaks would not have occurred had the U-boats also had Dockyard, and those messages had been sent only in the weaker system.)
"The trick," of course, is ... properly applied. Ciphers are not broken by brute-forcing their keys, simply because that's not going to be "the weakest link." They are penetrated mostly through human factors, or by exploiting weaknesses in key-management and/or the handling of enciphered (and un-enciphered) data. Many breaks occur through operator or employee carelessness. (For instance, many banks are eating crow because they shipped un-enciphered backup tapes via FedEx.) The whole issue of security-management is also heavily covered by the web-sites of OpenSSL, Counterpane, and others.
As you can read in great length at sites by security experts, such as http://www.counterpane.com, "writing your own algorithm" is frankly a foolish thing to do although many people do it. Your home-grown act of cleverness is very unlikely to be better than the public ones, and even if your algorithm happens to be strong there are very likely to be glaring weaknesses elsewhere. The protections afforded by a comprehensive suite, like OpenSSL, that is subjected to rigorous peer-review every single day, are hard to beat.
The second-most reviled words in security circles, behind "snake oil," are "security through obscurity." There is none. All of the algorithms, and all of their particulars and cryptanalyses, are public knowledge. The opponent is presumed to know all of the details of the program that was used to encrypt the data; to have thousands of megabytes of enciphered data to analyze; to have a good idea of what those messages contain. Many "breaks" that are discussed in literature are theoretical, not practical. Any of these algorithms, properlyapplied, will most certainly achieve their intended purpose: to protect your data from reasonably forseeable threats. And a public library like OpenSSL is your very best bet for doing so.
Last edited by sundialsvcs; 07-25-2005 at 07:38 PM.
Thank you all for the interest but I wanted to hear something more practical, for instance
The kernel 2.4 already has the encryption modules installed and a recent distro like slack 10.1 has by default util-linux-2.12p-i486 installed.. is any patch to the kernel needed? and a new util-linux installation?
If the kernel has a need to do encryption, i.e. for ipSec (VPN) connectivity, then and only then will a kernel-module be used. (AFAIK. Anyone correct me on this?) Otherwise, again afaik, you will be using a user-mode encryption library such as OpenSSL to do your encryption. It will implement the same algorithm, e.g. DES, but a separate piece of code will be doing it.
Crypto import/export restrictions may apply to you, whereever you happen to be on this planet, but also bear in mind that not every crypto module that is available to you might currently be installed on your computer.
As far as I can see, the util-linux package has nothing at all to do with encryption.
Try the openssl command and see if it is recognized. If so, enter the version command (within that subsystem) to see what ciphers are installed.
wait up.. I'm talking about system based DISK encryption for now not user space programs.... util-linux HAS to do with the mounting / unmounting of encrypted partitions... However I read that loopback cryptography is nomore used... should try instead dm-crypt... can help please?
Last edited by rino.caldelli; 07-26-2005 at 05:08 PM.
I do not suppose what so ever to know any great deal about the subject, but if I'm correct in thinking, your looking for an encryption program to encrypt your entire HDD.
If this is so, then people here need to start thinking about an independant program, which would be located in the first sector on the HD.
Upon power up, the program is loaded into active memory, to then get the program to unencrypt your HDD you enter a password, and then the kernel will load up. I just happened to have recently had an interesting "chat" with a maths professor on this very subject of security.
It was once I had been informed that Linux is not as secure as previously believed (and of course subsiquently shown this fact) that we started discussing ways of protecting a system. Firstly came up Don't use ROOT for normal login which of course most of us know well. But shortly after some other ideas, this maths professor started to talk about encrypting your entire HDD. Which is where I have started my search.
One thing, Rinonapo and all and this is a Very Important Lesson:
"At the end of the day, if someone gets infront of your box there is nothing that will stop them from getting into your system"
Hard truth there, but thats why big corporations lock their servers in bullet-proof-6-inch-steel rooms, because if someone can sit infront of it they can get into it.
This truth, by the way, which I learnt the How-To-Do, there is one thing that you all can do to keep all your systems a little safer is to go into BIOS and switch on the BIOS password. This will prevent people less responsible than I am, from coming infront of your box and simply loading Knoppix and then changing your passwords and therefore getting free access!
Now if you encrypted your HDD, then the Knoppix user would see nonsense, however he could still copy your HDD and crack it eventually. BIOS password must be used in conjunction with your encryption.
I'm sorry I haven't got any practicle advice here Rinonapo, but I hope this helps you and others understand what they are trying to do I will keep my eyes and ears open for any information that will help, as ever keep hot on the Googling. You might find this helpful: http://www.tech-faq.com/disk-encrypt.shtml
Originally posted by Stimz This truth, by the way, which I learnt the How-To-Do, there is one thing that you all can do to keep all your systems a little safer is to go into BIOS and switch on the BIOS password. This will prevent people less responsible than I am, from coming infront of your box and simply loading Knoppix and then changing your passwords and therefore getting free access!
If I'm in front of your box, I can disable the BIOS password in a minute or 2... However, it keeps honest people out, and would help more if the box itself was locked in a closet with a remote console though.
It was once I had been informed that Linux is not as secure as previously believed
Windows, Mac OS and any other OS you care to name is just as affected by this. Its not a security issue with the OS but a simple fact of physical reality - if someone can get physical access to the inside of your computer there's nothing to stop them removing your hard drive and reading it in their computer or resetting your BIOS password and booting the computer with a LiveCD like knoppix. This is why you need to encrypt your hard drive or at least the most important data on it.
Quote:
Now if you encrypted your HDD, then the Knoppix user would see nonsense, however he could still copy your HDD and crack it eventually. BIOS password must be used in conjunction with your encryption.
The BIOS password can be 'cracked' in about 30 seconds by levering out the battery with a screwdriver. Anyway BIOS passwords will not stop them removing your HDD and plugging it into their own computer. Assuming you've used a modern, strong encryption algorithm it would take many billions of years for someone to crack your encryption, even if they had all the computers in the world at their disposal.
bios password is the first thing I enable and one of the most banal ways of protecting a computer after that of swithing off the screen when leaving the computer...
thinking that bios password is not secure is a well reasoned thought
The fact that every encrypted disk can be cracked one day is true but not a reasonable fact for not using encryption (sounds more like paranoia).
So a way for encrypting the whole disk before boot of the kernel would be a giant leap forwad on security. Windows which is considered so unsafe (and it is) however has many commercial softwares which do that and longhorn (if t will ver come out) will have on-boot encryption.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.