Is a soft-encrypted USB w/ Linux/BSD possible to make ?
What security issues are addressed by using hardware encryption instead of just software-encrypting the USB?
This is a very extensive topic. Hardware encryption is supposed to provide some protection against "cold boot attacks" (use a search engine if needed). However, some software solutions reduce the impact of such attacks anyway...
I guess the most important advantage of Hardware encryption over software encryption is efficiency. As cryptography is done in the hardware's chipset, and not in the CPU, it does not waste your resources.
Security? I have seen some high-degree hardware encryption solutions bring dangerous encryption flaws which needed a full device replacement. With software encryption, if a flaw is discovered you can just upgrade the software. This does not mean hardware based cryptography is insecure, I only say it is not as convenient as it seems.
And it is too expensive. Most users are far better served by a low cost software based system. Unless you are a big company or something like that, dm-crypt, loop-aes or a replacement are more convenient.
Quote:
Is it even possible to boot from a software-encrypted USB?
If you keep a small partition in the clear as a boot platform, and encrypt the rest of the info in another partition, you can go that way. A cheap, fast and dirty option is to install a Knoppix CD onto your USB, boot it and let Knoppix automatically create an encrypted filesystem. The encrypted filesystem acts as a "container" which you can mount either from any Linux or by booting Knoppix from the USB.
It is getting to be a trivial matter to create any live USB. The same ways you secure a normal hard drive install are the tools that you use.
There are some elements to a mechanical or hardware type encryption that have some sales pitch.
In the real world only the most advanced computers could hack into 256-bit encryption. Some of the tools they use are not brute force but some educated guesses. This is where some features of hardware make it difficult to get those cheats.
Thanks so far everyone; BlackRider, jefro, NyteOwl !
BlackRider: How do you create a software-encrypted USB then? I've not done a live USB before. I would like to move OpenBSD to a USB system. Some installers can install directly to USB; others need a bit of tweaking (e.g. with fstab) and such.
I would like to do this the most secure way possible.
Quote:
How do you create a software-encrypted USB then? I've not done a live USB before. I would like to move OpenBSD to a USB system.
FOR BEGINNERS:
First: choose a Live distribution or operating system. I find Knoppix and Porteus to be good options.
Second: Read the distribution documentation. Each distribution has its own way of doing things. Install it to the USB by the methods the documentation provides; it is not that mysterious. If you are having trouble, you can order a Knoppix USB drive from a store.
Third: Set up the encrypted filesystem. Every distribution has its own way.
IN KNOPPIX, THE METHOD IS:
Get a Knoppix CD/DVD and boot it in a computer.
Plug in a USB device and search for the Live USB creator tool. Launch it as root and follow the instructions until the installation is over. It can take a lot of time, so don't despair.
Shut everything down. Boot the Live USB. It will ask you if you want to create a file for persistent data: say you do. Then it will ask you if you want to set up AES encryption. Say YES and you are done.
The encrypted filesystem will be loaded every time you boot the USB. You can access the encrypted data from outside also, as the encrypted filesystem is really an ext2 inside of a regular cryptoloop (in /KNOPPIX/knoppix-data.aes).
And you are done. More complex approaches (for better results) are possible, involving Knoppix remastering and such. Cryptoloop is not a perfect solution and it's not considered really great, because it can suffer filesystem errors or be attacked by watermarking. However, if you use a really good password, it should prevent your attackers from retrieving your data easily. I wouldn't bet on a short password in cryptoloop against a Cray supercomputer, keep that in mind.
Having a Live OpenBSD is just a matter of performing a regular install on a USB, just don't think their encryption schemes are mature. They work but are still a work in progress.
Last edited by BlackRider; 06-15-2012 at 08:27 AM.
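The watermarking weakness BlackRider mentions comes from cryptoloop's choice of IV (the bare sector number), and it is the reason dm-crypt, recommended earlier in the thread, offers ESSIV. The Go program below is an added illustration, not code from this thread, Knoppix or dm-crypt; the 16-byte volume key and the sector numbers are constructed values, and the IV layout follows the plain/ESSIV schemes only closely enough to show the difference.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
)

// Constructed 16-byte volume key, for the demonstration only.
var volumeKey = []byte("0123456789abcdef")
// plainIV mimics cryptoloop: the IV is the bare sector number, which anyone
// holding the raw device can compute without the key.
func plainIV(_ []byte, sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	return iv
}

// essivIV mimics dm-crypt's aes-cbc-essiv:sha256: the sector number is
// encrypted under a key derived from the volume key, so the IV is unpredictable.
func essivIV(key []byte, sector uint64) []byte {
	salt := sha256.Sum256(key)
	blk, _ := aes.NewCipher(salt[:])
	iv := make([]byte, aes.BlockSize)
	blk.Encrypt(iv, plainIV(key, sector))
	return iv
}

// firstCipherBlock CBC-encrypts pt as the first block of a sector under the
// IV scheme ivFn and returns the 16-byte ciphertext block.
func firstCipherBlock(key []byte, ivFn func([]byte, uint64) []byte, sector uint64, pt []byte) []byte {
	blk, _ := aes.NewCipher(key)
	out := make([]byte, aes.BlockSize)
	cipher.NewCBCEncrypter(blk, ivFn(key, sector)).CryptBlocks(out, pt)
	return out
}

// watermarkCollides builds the classic watermark: the block stored in sector s2
// is the block from s1 XORed with both plain IVs. Under a predictable IV the two
// sectors start with identical ciphertext, betraying the file; ESSIV does not.
func watermarkCollides(key []byte, ivFn func([]byte, uint64) []byte, s1, s2 uint64) bool {
	p1 := bytes.Repeat([]byte{0x41}, aes.BlockSize)
	p2, iv1, iv2 := make([]byte, aes.BlockSize), plainIV(key, s1), plainIV(key, s2)
	for i := range p2 {
		p2[i] = p1[i] ^ iv1[i] ^ iv2[i]
	}
	return bytes.Equal(firstCipherBlock(key, ivFn, s1, p1), firstCipherBlock(key, ivFn, s2, p2))
}
```

The same comparison shows why a LUKS/dm-crypt container with an ESSIV or XTS cipher spec, rather than a plain cryptoloop container, is the safer software choice when building the encrypted partition described above.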
You're welcome, though I've not helped much other than ask about the hole in the Ik mentioned above that to my knowledge doesn't exist.
I've not tried doing this with OpenBSD but it isn't hard to do with Linux. The above is a good place to get started.
There is a bootable equivalent of the Ironkey called the Ironclad made in partnership with Lockheed-Martin but sadly it's only available to corporate and government customers.
The biggest advantage to hardware encryption is speed and (depending on design) the security of the encryption keys. For most folks wanting to secure some personal info from non-pro or non-data thieves, a software solution is usually sufficient and more flexible, as well as less expensive.