Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've browsed the forum a bit but have yet to see a solution that can offer to linux, the level of security that i have on my windows laptop.
i use a product called drivecrypt (www/drivecrypt/com), and it offers me the benefits below.
if anyone can show me a linux solution that can beat or come close to the benefits below, i'd be grateful; as this is the only issue preventing me from switching.
i've seen some encryption support on linux, but nothing to this high level below.
1. data partition encrypted with 1344 bit triple blowfish. password entry after os booted up. cannot catch keystrokes with key logger.
2. os partition encrypted with 256 bit aea. password entry at mbr stage. screen message is of a disk error, so user will think that there is no os installed at all.
3. data input is via 4 line password + fingerprint scan + hardware key mixture possible.
4. plausable deniability is offered, as encrypted partitions can contain other hidden encrypted partitions, and impossible to prove the hidden parition exists. it just appears when correct password is entered.
5. if required, can place encrypted drive into a music file rather than partition, with stenography. Impossible to prove that file contains encrypted data.
i look forward to your response, and hope that you can tempt me, into the world of linux.
thanks.
lawmaker
ps. newbie question: just tell me which distro to use. mandrake/gentoo or something else?
The Linux Security folk have a How-To on Encryption that tells you how you can go about encrypting disks. There may be other options out there as well.
I have seen people use thumb scanners under linux, but I'm not sure where they got the drivers for them. I'm sure a google search could locate that. So long as you don't let anyone have root access you can avoid key loggers pretty well... unless you go and install one yourself. Administrators can do evil things... that is why I like being the admin
i'll do masses of reading if there isn't a simply answer like in windows.
but at the end of the day, is there a package/way to do all of the features i've outlined above.
i've read of linux solutions that can do a few of the features, but not with such high encryption 1344 bit triple blowfish, or 4 line entry, or password at mbr stage, ie. before os is even booted.
as drivecrypt doesn't have a standard header in the os or data partition, it's impossible to tell that any data exists there at all; so on boot it looks like a faulty disk.
Blowfish has been added to the mainline Linux kernel, starting with v2.5.47
so my guess is that if you are running linux 2.6 getting blowfish set-up should be a snap after reading a few howtos and stuff...
of course maybe you prefer a commercial solution that does most of the work for you in which case you might like something like BestCrypt... it does 448-bit blowfish (448 * 3 = 1344):
Quote:
BestCrypt creates and supports encrypted virtual volumes for Linux. BestCrypt volume is accessible as a regular filesystem on a correspondent mount point. The data stored on a BestCrypt volume are stored in the container file. A container is a regular file, so it is possible to backup, move or copy it to other disk (CD-ROM or network, for instance) and continue to access encrypted data using BestCrypt. BestCrypt supports the following encryption algorithms: GOST (256-bit key) in Cipher Feedback mode and RIJNDAEL (256-bit key), IDEA (128-bit key), Blowfish (256-bit key), Blowfish-448 (448-bit key), Blowfish (128-bit key) DES (56-bit key), Triple DES (168-bit key), CAST (128-bit key), TWOFISH (256-bit key) in Cipher Block Chaining mode.
i'm sure there several other commercial options also, i'd imagine some even way friendlier with GUIs and stuff... but i have no experience in this area so i can't really say... try googling for blowfish 448 and see what you find:
tell me how all this protect you against buffer overflows (IE), problems with ActiveX, viruses and worms?
FreeBSD has it for free (blowhish hdd protection, steganography and so on) for long time by the way (I don't have to pay for anything, and the rest of the security is way beyond you can do with windows for next several years).
So, I'd say you are not better protected than any other windows user who is on line. And you know what does it mean?
Since he seems to care about security, I assume he never goes online with this laptop, nor transfers any files between this laptop and other computers (except for plain text files, perhaps). Otherwise, all of that encryption is a pretty moot point.
the target of the security is against entry into the laptop, when it is stolen.
I work in the legal industry working in area's where some unscrupulous mib's would like the information present in my machine.
I've had a laptop taken by force by them before, under unscrupulous means, and the laptop was protected by drivecrypt. They were unable to enter the system and obtain what they wanted. don't ask me how i know this.
I'm not concerned about online hacking, trojans or the like as that issue is covered.
My total concern is about having maximum security if the laptop is stolen from me.
As I'm a newbie on linux, i would be scared of implementing a system that does anything less than encrypt the whole hard disk, as i could by accident leave loopholes for entry by somebody that knows linux better than i.
the fact that the intruder would be aware that the os is linux, is too much of a failure compared to what windows/drivecrypt offer already.
I don't understand why the linux system, which is touted for it's security doesn't have a whole system easy to use for a layman, that can compare with drivecrypt for windows.
On the issue of grub/lilo password at mbr, from what i gather it would only be a password stopping further execution of the program, rather than one to decrypt an encrypted drive.
from the replies here, it seems that the only complete commercial system present is the bestcrypt one which has a third of the strength of triple blowfish, and doesn't do whole drive, or multiple password lines/fingerprint entry.
Also, it seems that everybody is giving me rough guides, but hasn't actually done this whole disk encryption thing yet, or the answers would be less vague.
I hate to sound like the devils advocate here, but it's so sad, because i'm sure from what you are saying, that linux is more than capable of beating windows/drivecrypt, but it will take ages before i can find that out for sure.
I'm interested in the freebsd assertions, of how secure that is, and that it can compare with my current requirements. are there any links.
You are only talking about physical theft security by encrypting your data, but 99% of the time, data is stolen by hacking, which is a greater threat because a successful hack will use your built in encryption tools to to decrypt your data before stealing it, meaning a successful robbery. You need to secure your laptop from network access, especially WiFi & Bluetooth, moreso than physical theft, as I'd rather sit outside your office for an hour and hack your network, than mug you for your laptop because it's easier and more importantly, you're blissfully unaware your information has been compromised.
Unlike windows, where you have all singing, all dancing applications, Linux has many task oriented applications, which achieves 2 important security problems. 1) You install what you need and nothing more. 2) Because they only do what it says on the tin, you can be confident that installing it doesn't allow several other problems you weren't anticipating to suddenly undermine everything, like windows applications are a nightmare for. There should be no reason why a web browser visiting a web page can grant full access to your system, or receiving email without attempting to open anything can also do this, but it's the nature of a windows OS, that the integration of applications means that an application written to perform a specific task loads application data from unrelated applications, which can be vulnerable to attack, but the user or administrator is oblivious that a shared .dll being used by a media player has a vulnerability in it because it also used by IE and has specific routines that can be exploited by executing them from an activex control on a web page the media app is trying to load a bogus media driver from. It's crazy how vulnerable a windows desktop is.
Linux machines can have the security you want, but Linux is a more "taylor made" OS, where you install, configure and modify applications to suit your purpose, whereas windows is a "dump everything on" OS, to cater for mass market at the expense of performance, security and efficiency. This is why it is easier on windows. It is not more secure though. You can make Windows seem secure, but not completely. It is an illusion as the majority of the security issues are out of your hands unless you work at Microsoft. With Linux, control is in your hands, right down to editing the source code and recompiling it.
is there a commercial/freeware third party add on(s), that would compete with my current security.
encrypting /home wouldn't compare at all with the specs i gave at the beginning.
1. temporary files could be seen possibly.
2. settings could be seen elsewhere.
3. /home wouldn't be 1344 bit triple blowfish.
4. entry wouldn't be 4 lines + fingerprint
5. the os existence would be revealed
6. plausible deniability would not exist.
7. swap file/virtual memory would reveal masses of info.
so many failings of that way.
please please, there must be a linux solution to beat windows/drivecrypt on this issue of security.
"Please help me, I'm a paedophile that keeps all my kiddie porn encrypted in windows, how can I keep it on a Linux workstation so it can't be accessed if the police raid my house?"
p.s. "I'm a lawyer honest. I have data that I need to deny ever having, because lawyers do that sort of thing and agencies have taken various life threatening measures to get their hands on it!"
Originally posted by lawmaker I'm not concerned about online hacking, trojans or the like as that issue is covered.
My total concern is about having maximum security if the laptop is stolen from me.
If you already have a solution which works and which you are familiar with, why are you wondering about a solution which you are not familiar with? You can gain familiarity with Linux using a LiveCD like Mepis--you don't even have to install anything on the hard drive. You don't even need to have a hard drive at all!
After you're familiar with Linux, then you can think about using it for mission critical data. That's just common sense, even if you didn't have any security concerns at all!
Anyway, if I were in your situation, I'd probably use a liveCD distro straight off of the CD (like Mepis), and remove the hard drive from my laptop entirely. That way, there is no data whatsoever on the laptop for anyone to steal, and nowhere for anyone to secretly install spyware.
The data itself perhaps could be on a keyring thumbdrive, encrypted of course. There's no way to install spyware on that, because by default a thumbdrive partition would be mounted without any execute permissions.
Of course, the keyring could be stolen, but it's at least easier to keep on my person 24/7, and it's convenient for making backups.
Originally posted by antony.booth Plausible Deniability=illegal information.
Oh, I think everyone who has read these posts already assumes that he's doing something shady. Maybe he's a crook. Maybe he's a lawyer for crooks. Maybe he's a terrorist. Maybe he's just a paranoid nutcase. Maybe he's just a Wintroll trying to get kicks out of showing something which Linux can't do or whatever.
I don't care. Everyone has a right to privacy, and how to ensure privacy on a computer is a legitimate goal even if some/most people using the right abuse it for malicious purposes.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
