Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Is there a standard algorithm for encryption? I am thinking more in terms of data storage rather than data transmission, although I'm not sure this distinction is important. Is it better to encrypt entire folders rather than individual files?
standard
Quote:
Originally Posted by halfpower
Is there a standard algorithm for encryption? I am thinking more in terms of data storage rather than data transmission, although I'm not sure this distinction is important. Is it better to encrypt entire folders rather than individual files?
Yes, crypto-luks with 256 bit AES encryption is used by Fedora. The best way to store data is on an entire encrypted partition or physical drive, not by file or folder. You can also use GPG to encrypt an individual item if additional protection is needed.
Other distros can also use encryption, not just Fedora.
There are several options for "at-rest" encryption.
If you want to encrypt individual files, GnuPG (an implementation of the OpenPGP Standard) is a good option. If you want to encrypt an entire filesystem (even the root filesystem, provided you have a /boot and an initramfs/initrd), then LUKS-DMCrypt is the gold standard on Linux. Finally, if you want to encrypt whole directories (such as a user home directory), then eCryptFS is a good choice.
All of these tools offer you a choice of algorithms and key lengths for your encryption needs. AES is the "standard" from the US NIST, but Blowfish/Twofish is another good choice. Anything over 128 bits of key length would offer you "strong" encryption. (Where "strong" is defined as resistant to brute force attack.)
Consider this: the German Enigma cipher algorithm was, for its day, essentially impregnable; yet the Poles cracked it using pencil-and-paper by exploiting weaknesses of the German keying system. The choice of algorithm matters relatively little, esp. for civilian-grade crypto. How the algorithm is applied, though, matters much.
Use an existing crypto system of known provenance, and learn how to use it correctly and strongly. Good examples include:
GnuPG / PGP
VPN
SSL
SSH
The OpenSSL crypto library
These technologies are used all over the world. They are well-understood, professionally designed, and well maintained. They are also shared by people with whom you will wish to communicate, most of whom you may never have met and will never meet.
There are well-understood best practices, and these are the most vital aspect of ensuring that your information is secure, trustworthy, and intact.
Last edited by sundialsvcs; 11-19-2012 at 06:50 AM.
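As an added illustration of two points made above (that a key length over 128 bits resists brute force, and that how a cipher is keyed matters more than which cipher it is), here is a stdlib-only Python sketch of a LUKS-style passphrase key slot. It is not code from this thread or from cryptsetup: the salt, iteration counts, PIN and the six-word comparison are constructed, the slot layout is simplified, and only the key-derivation step (PBKDF2-HMAC-SHA256) matches what LUKS1 actually does. It shows that a 256-bit AES key unlocked by a four-digit PIN yields about 13 bits of effective strength, and that a slow KDF adds only log2(iterations) bits on top.

```python
import hashlib
import hmac
import math
import os

KEY_LEN = 32              # a 256-bit key, as for the AES-256 setups discussed above
SLOW_ITERATIONS = 20000   # constructed work factor; LUKS benchmarks its own count per header


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase into a 256-bit key with PBKDF2-HMAC-SHA256 (the KDF LUKS1 uses)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, KEY_LEN)


def make_keyslot(passphrase: str, iterations: int, salt: bytes = None) -> dict:
    """Keep what a LUKS-style key slot keeps: salt, iteration count and a digest of the key.
    The key itself is not stored; the digest only lets a candidate passphrase be checked.
    (Simplified illustration, not LUKS's real header layout.)"""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(passphrase, salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": hashlib.sha256(key).digest()}


def unlock(slot: dict, passphrase: str):
    """Return the 256-bit key if the passphrase opens the slot, else None."""
    key = derive_key(passphrase, slot["salt"], slot["iterations"])
    if hmac.compare_digest(hashlib.sha256(key).digest(), slot["digest"]):
        return key
    return None


def guesses_to_unlock(slot: dict, candidates) -> int:
    """How many KDF evaluations an exhaustive search over `candidates` needs before the
    slot opens (0 if no candidate opens it). This measures the slot, not the cipher."""
    for n, candidate in enumerate(candidates, start=1):
        if unlock(slot, candidate) is not None:
            return n
    return 0


def effective_bits(search_space: int, iterations: int) -> float:
    """Cost of exhausting the passphrase space, in bits, counted in single PBKDF2 rounds:
    log2(space) comes from the passphrase, log2(iterations) from the KDF work factor."""
    return math.log2(search_space) + math.log2(iterations)


def demo() -> dict:
    """Constructed case: a 4-digit PIN protecting a 256-bit key is only as strong as the PIN."""
    pins = [f"{i:04d}" for i in range(10_000)]          # the whole 4-digit PIN space
    fast_slot = make_keyslot("4821", 1, salt=b"constructed-salt")
    return {
        "key_bits": KEY_LEN * 8,
        "guesses_fast": guesses_to_unlock(fast_slot, pins),   # 4822: PIN space, not 2**256
        "bits_fast": effective_bits(len(pins), 1),
        "bits_slow": effective_bits(len(pins), SLOW_ITERATIONS),
        # six words drawn from a 7776-word list, for comparison (constructed figure)
        "bits_six_words": effective_bits(7776 ** 6, SLOW_ITERATIONS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.1f}" if isinstance(value, float) else f"{name}: {value}")
```

The cipher's 256 bits never enter the arithmetic: an attacker who can test passphrases against the slot pays log2(passphrase space) plus log2(iterations), which is why cryptsetup spends its iteration budget on a slow KDF and why the passphrase, not the algorithm choice, decides the real strength of an encrypted volume.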
Is there a standard algorithm for encryption? I am thinking more in terms of data storage rather than data transmission, although I'm not sure this distinction is important. Is it better to encrypt entire folders rather than individual files?
That actually depends on context. The Rijndael cipher became the AES (Advanced Encryption Standard) of the US NIST, as in a standard for US government use. Other governments have their own standards. Businesses set standards for internal use, etc. In the general populace, or even in most businesses, there is no standard, though most follow along and use AES, as they probably used DES before it.
While choosing an appropriate algorithm is important, key management and good practices (as mentioned by sundialsvcs) are even more important. Also consider whether you are trying to protect data in use or data at rest.
If you need some files visible to only some users and not others then you encrypt on file level. If all files in a directory can be viewed by a user then you can encrypt at the directory level, likewise for an entire partition or drive.
Choice of algorithm will depend on needs, risk assessment and available tools.
The type of data is also a factor. Some compression works much better on some data while other works better on some other data.
There are also on-the-fly software and hardware solutions.
It just depends on what you want to secure: file by file, folder by folder, or even full-disk encryption.
I don't usually encrypt more than home on most systems.
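To make the granularity point above concrete (file level when different users may see different files, directory or volume level when one user may see everything), here is an added Python example that is not code from this thread or from eCryptfs, LUKS or GnuPG. It keeps one data key per file and hands each user those keys wrapped under the user's own key; granting every key at once is the directory/volume case, where one shared key opens everything. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used here only because Python's standard library has no AES; the users, keys and file contents are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. A stand-in for AES-CTR, used only because
    the standard library has no AES; the tools in this thread use AES for this step."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one 256-bit key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class EncryptedStore:
    """Per-file data keys, each handed to a user wrapped under that user's own key."""

    def __init__(self):
        self.files = {}      # name -> encrypted contents
        self.data_keys = {}  # name -> data key (held by whoever administers the store)
        self.grants = {}     # (user, name) -> data key wrapped under the user's key

    def add_file(self, name: str, data: bytes) -> None:
        data_key = os.urandom(32)
        self.data_keys[name] = data_key
        self.files[name] = encrypt(data_key, data)

    def grant_file(self, user: str, user_key: bytes, name: str) -> None:
        """File level: this user can open this one file and nothing else."""
        self.grants[(user, name)] = encrypt(user_key, self.data_keys[name])

    def grant_all(self, user: str, user_key: bytes) -> None:
        """Directory/volume level: the user gets every file, as one shared key would give."""
        for name in self.files:
            self.grant_file(user, user_key, name)

    def read(self, user: str, user_key: bytes, name: str) -> bytes:
        wrapped = self.grants.get((user, name))
        if wrapped is None:
            raise PermissionError(f"{user} holds no key for {name}")
        return decrypt(decrypt(user_key, wrapped), self.files[name])


def demo() -> dict:
    """Constructed scenario: alice may read both files, bob only the notes."""
    alice_key, bob_key = os.urandom(32), os.urandom(32)
    store = EncryptedStore()
    store.add_file("payroll.txt", b"constructed salary data")
    store.add_file("notes.txt", b"constructed team notes")
    store.grant_all("alice", alice_key)
    store.grant_file("bob", bob_key, "notes.txt")
    try:
        store.read("bob", bob_key, "payroll.txt")
        bob_blocked = False
    except PermissionError:
        bob_blocked = True
    # A flipped ciphertext byte must be detected, not silently decrypted to garbage.
    tampered = bytearray(store.files["notes.txt"])
    tampered[NONCE_LEN] ^= 0x01
    try:
        decrypt(store.data_keys["notes.txt"], bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "alice_payroll": store.read("alice", alice_key, "payroll.txt"),
        "bob_notes": store.read("bob", bob_key, "notes.txt"),
        "bob_blocked": bob_blocked,
        "tamper_detected": tamper_detected,
    }
```

Run `demo()` to see the two cases side by side: bob's key unwraps only the note file's data key, while alice's grant_all mirrors a LUKS volume or an eCryptfs home, where a single unlocked key exposes every file beneath it. The tag check in decrypt is the part a home-grown scheme most often omits and the reason the thread's advice to use GnuPG or LUKS rather than rolling your own still stands.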