LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Closed Thread
 
LinkBack Search this Thread
Old 01-11-2009, 09:29 AM   #1
<Ol>Origy
Member
 
Registered: Aug 2003
Location: Slovenia
Distribution: Arch, Debian, Embedded
Posts: 136

Rep: Reputation: 15
Linux disk encryption


Hello!

I am looking for a way to setup a laptop with a single linux OS installed that uses disk encryption to protect the data on the HDD. This is the first time I'm working on a project like this and I'd like to ask for some guidelines. I'm not sure to what degree a disk can be encrypted in linux, but I am talking about at least encrypted root partition and encrypted swap, both with pre-boot authentication (meaning you need the correct password to decrypt them at boot).

What are the possibilities and suggestions?
Regards, Ol

Last edited by <Ol>Origy; 01-11-2009 at 10:11 AM.
 
Old 01-11-2009, 10:53 AM   #2
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
Many main-stream distros support whole disk encryption out of the box - though you should realise that, unlike other OSs, linux does not write sensitive or user information to any old place on the drive. So it is very common to leave a separate boot (and other) partitions unencrypted.

Ubuntu, in particular, supports double encryption - you can install to an encrypted HDD, putting the keys on a removable drive, and also have an encrypted directory off your home directory (called ~/Private) for stuff so sensitive, you don't want people getting to it when you leave your laptop for a bit.

You can also create plausible deniability by dual booting so the unencrypted (dummy) linux boots when a key drive is not plugged in.

There are many articles online on this subject too.
 
Old 01-11-2009, 12:44 PM   #3
<Ol>Origy
Member
 
Registered: Aug 2003
Location: Slovenia
Distribution: Arch, Debian, Embedded
Posts: 136

Original Poster
Rep: Reputation: 15
I see that you offer many good ideas.

Basically, I am looking for something to encrypt the contents of the operating system (root partition) and the swap. The user has to provide the correct password before the OS partition can be decrypted and the system boots normally (pre-boot authentication).

I am not as paranoid to put the boot files onto a removable media. I'm fine with the idea that the files remain on the hard disk (likely the /boot partition, which will probably have to remain unencrypted) as long as a passphrase is needed at boot-time to decrypt and boot the OS.

The linux image I'm working with doesn't offer any encryption at installation and I'm talking about having to set up the encryption manually. This is where I require some advice as I am not sure what solution to use.

I was thinking about using dm-crypt/cryptsetup/LUKS.

Last edited by <Ol>Origy; 01-11-2009 at 12:47 PM.
 
Old 01-12-2009, 08:33 AM   #4
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
Quote:
I was thinking about using dm-crypt/cryptsetup/LUKS.
That's the standard setup for most linuxes. There are plenty of howtos.

Ubuntu uses LVM to help.

Bear in mind that there is no such thing as "true" whole disk encryption - something has to be available to run the bootstrap, get the keys, decrypt the boot partition ... etc.

Why do you want to encrypt /boot?

Encrypting the entire drive is needed in Windows because temporary files can be written anywhere. But linux does not write to /boot.
 
Old 01-12-2009, 10:31 AM   #5
<Ol>Origy
Member
 
Registered: Aug 2003
Location: Slovenia
Distribution: Arch, Debian, Embedded
Posts: 136

Original Poster
Rep: Reputation: 15
Ah, thank you. This last post of yours has a good amount of answers.

Quote:
Originally Posted by Simon Bridge View Post
That's the standard setup for most linuxes. There are plenty of howtos.
Excellent. I assume this is also the proper way of doing it on linux.

Quote:
Originally Posted by Simon Bridge View Post
Ubuntu uses LVM to help.
I'm not quite sure what LVM is, but I'll do some googling and reading.

Quote:
Originally Posted by Simon Bridge View Post
Bear in mind that there is no such thing as "true" whole disk encryption - something has to be available to run the bootstrap, get the keys, decrypt the boot partition ... etc.
That is correct. Most users would suggest putting the needed boot files onto some removable media, but for my setup, I would much rather have all neccessary files on the HDD itself. I am aware this approach may require some unencrypted space.

Quote:
Originally Posted by Simon Bridge View Post
Why do you want to encrypt /boot?

Encrypting the entire drive is needed in Windows because temporary files can be written anywhere. But linux does not write to /boot.
I'm not sure if it's even possible to have an encrypted /boot partition and have the system boot without relying on any external files located on some removable media. Perhaps there is a linux boot loader that can decrypt the /boot partition and boot the system normally. I wonder if grub2 supports this feature, I really don't know. In windows I know that TrueCrypt has a boot loader of its own that decrypts the rest of the file system. Anyway, I was thinking about setting up a system that does have an unencrypted boot partition, but if there is a way to encrypt that as well (no external dependencies) then so much the better.

Why encrypt the boot partition, you ask? Ask yourself how secure really the other approach is. An adversary could easily access the /boot partition and replace or modify some files to insert a malicious keylogger that in terms logs down the pass phrase upon entering it and hides it somewhere within the unencrypted space without my knowledge. All that is left to do is to read it while I'm not paying attention.
 
Old 01-12-2009, 08:14 PM   #6
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
Extra Info:

_
 
1 members found this post helpful.
Old 01-24-2009, 04:18 AM   #7
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Fedora 10 allows you to check a box ("Encrypt Drive") during drive configuration that will create a single encrypted partition that holds / and swap inside it. /boot is left unencrypted, but should never contain any sensitive data from a general user.
 
Old 01-25-2009, 01:25 PM   #8
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
as internetsurfer has posted a link to. True crypt is a great way to go. It encrypts the entire drive and installs a pre-boot auth into the MBR.

its supports aes, blowfish, twofish, etc.

You can also mix encryption so that you would have a blowfish encryption inside an aes encryption if your really paranoid
 
1 members found this post helpful.
Old 12-15-2011, 03:33 AM   #9
tkibugu
LQ Newbie
 
Registered: Dec 2011
Posts: 3

Rep: Reputation: Disabled
Re: Linux disk encryption

In debian lenny with encrypted root and swap partitions, when booting, one is asked for root and swap passphrases. To avoid the swap passphrase, a working setup is found here: [LINK REMOVED BY MODERATOR]

Last edited by win32sux; 12-16-2011 at 08:16 PM.
 
Old 12-16-2011, 08:15 PM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
tkibugu, please stop using LQ posts to promote your site. If you continue this sort of behavior, there will be consequences which may include your temporary or even permanent loss of LQ privileges. TIA.
 
  


Closed Thread

Tags
authentication, drive, encryption, hard, linux, password


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
dd and disk encryption Feeg Linux - Security 6 12-13-2008 05:55 PM
Disk encryption software TheStupid Linux - Software 13 10-07-2007 10:43 PM
Linux password encryption and data encryption Tux-Slack Programming 4 06-20-2007 06:46 AM
disk encryption ankscorek Linux - Security 5 05-03-2006 12:59 PM
Disk encryption solution for both Windows and Linux ddaas Linux - Security 4 03-15-2006 06:53 AM


All times are GMT -5. The time now is 08:39 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration