LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 07-14-2015, 12:05 PM   #1
Ulysses_
Non-system partition encryption versus container-file encryption of equal size


What are some advantages and disadvantages of encrypting a NON-system partition, compared to using a container file that almost fills the partition?

Is the file better protected against disk sectors going bad and therefore easily beats partition encryption?
 
Old 07-14-2015, 03:44 PM   #2
/dev/random
There is no advantage; it's just a different way to do it. If your drive has a bad sector and fails to remap that sector, it doesn't matter whether the encryption is container-based or not.

You can't prevent data loss by switching the method of encryption when the files you wish to keep safe are on that same hardware that is failing.
 
Old 07-14-2015, 04:07 PM   #3
Ulysses_
Does the encryption software increase the amount of data lost when a single sector goes bad compared to non-encrypted storage?
 
Old 07-15-2015, 06:51 PM   #4
Amarildo
Either option is bad. People will get around that encryption depending on the IMPORTANCE of those files. Your system has a swap file/partition, has a tmp folder/partition, and thus you can find unencrypted parts of the files you open, in those places. Sometimes you can even find the whole content of the file. So for a better overall encryption FDE is recommended (full disk encryption).

If you're trying to have a little more privacy against regular crackers, go with the encrypted file container. You'll have the ability to increase its size, delete it, and whatnot.

Quote:
Originally Posted by Ulysses_
Does the encryption software increase the amount of data lost when a single sector goes bad compared to non-encrypted storage?
If we're talking about just a sector, then probably not. But if the encryption HEADER gets damaged, then you'll lose everything that header points to.
 
Old 07-16-2015, 05:27 AM   #5
padeen
And just to mention that you can backup that header so all is not lost, provided the restore is successful. I store mine on an emergency USB stick along with my other latest backup.
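The header backup padeen describes, as an added shell example that is not from the thread: it writes a LUKS header copy named after the volume's UUID, verifies cryptsetup can parse the copy, and records its checksum. It assumes cryptsetup is installed, the script runs as root, and the device and backup directory are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the thread): back up a LUKS header and sanity-check the copy.
# Assumes cryptsetup is installed and root privileges; device and directory are placeholders.
set -eu

# Build the backup file name from the volume's LUKS UUID so copies stay unambiguous.
backup_name() {
    # $1 = LUKS UUID, $2 = directory on the emergency USB stick
    printf '%s/luks-header-%s.img' "$2" "$1"
}

backup_header() {
    dev=$1
    dir=$2
    uuid=$(cryptsetup luksUUID "$dev")
    out=$(backup_name "$uuid" "$dir")
    # The copy contains every key slot, so it is as sensitive as the passphrases:
    # create it readable by root only.
    umask 077
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out"
    # A backup cryptsetup cannot parse is worthless; check it before relying on it.
    cryptsetup luksDump "$out" >/dev/null
    sha256sum "$out" > "$out.sha256"
    echo "$out"
}

# Restore later with: cryptsetup luksHeaderRestore DEVICE --header-backup-file FILE
# Note: a backup keeps the key slots as they were. After you change or remove a
# passphrase, redo the backup and destroy the old copy, or the old passphrase still
# unlocks the volume through the stale header.
#
# Usage (placeholders): backup_header /dev/sdX2 /media/usb
```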
 
Old 07-16-2015, 07:19 AM   #6
Ulysses_
Quote:
Your system has a swap file/partition, has a tmp folder/partition, and thus you can find unencrypted parts of the files you open, in those places.
Is it enough to encrypt the swap partition and put the tmp folder in an encrypted partition?

 
Old 07-16-2015, 05:28 PM   #7
Amarildo
Quote:
Originally Posted by Ulysses_
Is it enough to encrypt the swap partition and put the tmp folder in an encrypted partition?
That is overkill.

The easiest way to set up an encrypted system with Full-Disk-Encryption is by using Ubuntu. You'll create what is called an encrypted LVM, or "Live Volume Management". In there, you can create as many partitions as you wish, all of them encrypted, including /, /home, /swap, /tmp.. the only partition that can't be encrypted is /boot.

The best part is that you only type ONE passphrase.
 
Old 07-16-2015, 05:32 PM   #8
Ulysses_
I know FDE is simpler, but my question here really is: "do unencrypted parts of the files you open appear in places other than the swap space and the tmp folder?"

 
Old 07-16-2015, 05:37 PM   #9
Amarildo
Quote:
Originally Posted by Ulysses_
I know FDE is simpler, but my question here really is: "do unencrypted parts of the files you open appear in places other than the swap space and the tmp folder?"
That is hard to tell. There is /var, /usr, /usr/local, /swap, /tmp, and a bunch more places where important files can be found. That's why it's overkill to encrypt one by one.
 
Old 07-17-2015, 08:49 AM   #10
rknichols
Quote:
Originally Posted by Amarildo
The best part is that you only type ONE passphrase
Even if there are separately encrypted partitions, you should only have to enter the passphrase once. The bootstrap code is smart enough to try to unlock other containers with the passphrase(s) you've already entered.
 
Old 07-17-2015, 09:20 AM   #11
Amarildo
Quote:
Originally Posted by rknichols
Even if there are separately encrypted partitions, you should only have to enter the passphrase once. The bootstrap code is smart enough to try to unlock other containers with the passphrase(s) you've already entered.
Not that I'm aware of. I used to encrypt my drive without LVM and I had to type the passphrase for each encrypted partition. This happened on Debian, Ubuntu, Arch, Mint, and openSUSE (the distros I tested).
 
Old 07-17-2015, 11:20 AM   #12
rknichols
Quote:
Originally Posted by Amarildo
Not that I'm aware of. I used to encrypt my drive without LVM and I had to type the passphrase for each encrypted partition. This happaned on Debian, Ubuntu, Arch, Mint, and openSUSE (the distros I tested).
OK. Maybe that's unique to the Red Hat family. I wasn't aware of that.
 
Old 07-17-2015, 06:30 PM   #13
Archy1
You could encrypt swap with a random key, and then not have to worry about the swap password. This can even be done post-installation without much hassle.

Quote:
Originally Posted by rknichols
Even if there are separately encrypted partitions, you should only have to enter the passphrase once. The bootstrap code is smart enough to try to unlock other containers with the passphrase(s) you've already entered.
I wonder how Redhat does that. On a Debian VM of mine, I have it set so that I enter the password for the "/" partition and the "/home" partition is automatically unlocked by a root-owned keyfile located within the "/" partition with 0400 permissions. Sounds dangerous but if an attacker becomes root they can also read the key from RAM. Still, encrypted LVM is the way to go.
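The two setups Archy1 describes (random-key swap, and /home unlocked by a root-owned 0400 keyfile on the already-unlocked root filesystem) expressed as /etc/crypttab entries, plus a permission check on the keyfile. This is an added example, not Archy1's configuration; the device paths, mapper names and /root/home.key are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): crypttab entries for random-key swap and a
# keyfile-unlocked /home, plus a check that the keyfile is root-only.
# Device paths, mapper names and the keyfile path are placeholders.
set -eu

# swap: a fresh key is read from /dev/urandom at every boot, so there is no passphrase
# and nothing survives power-off. Caveats: suspend-to-disk cannot resume from such a
# swap, and the device path must be stable (/dev/disk/by-id or by-partuuid), because
# whatever sits at that path is overwritten at boot.
swap_entry() {
    printf 'cryptswap %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1"
}

# /home: a LUKS volume unlocked with a keyfile stored on the already-unlocked root
# filesystem, so the user types one passphrase (for /) and /home follows.
home_entry() {
    printf 'crypthome %s %s luks\n' "$1" "$2"
}

# The keyfile is equivalent to a passphrase: it must be mode 0400 and owned by root.
keyfile_mode_ok() {
    [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "400" ]   # GNU stat
}
keyfile_owner_ok() {
    [ "$(stat -c '%u' "$1")" = "0" ]
}

# Print the entries for review before appending them to /etc/crypttab; the matching
# fstab lines then reference /dev/mapper/cryptswap and /dev/mapper/crypthome.
show_crypttab() {
    swap_entry "$1"
    home_entry "$2" "$3"
}
# Usage (placeholders):
# show_crypttab /dev/disk/by-id/DISK-part2 /dev/disk/by-id/DISK-part3 /root/home.key
```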
 
Old 07-17-2015, 07:38 PM   #14
rknichols
Quote:
Originally Posted by Archy1
I wonder how Redhat does that.
I'd have to dig deeply into the initramfs to find out. There's actually a rather annoying aspect to the implementation. If you are using the "rhgb" graphical boot, it doesn't tell you which container it's currently trying to unlock. You just get a blank entry field with a padlock icon. If you do happen to need different passphrases to unlock everything, you will of course get a second prompt, but with no way of knowing whether it's for another container or because you mistyped the first passphrase.

If you forego the grace and beauty of a graphical boot, the text boot prompts do identify what container the passphrase prompt is for.
 
  

