-   Linux - Security (
-   -   Please help choose the best encryption method (

Akonbobot 02-05-2007 05:15 AM

Please help choose the best encryption method
I'm looking for the best partition/directory encryption.
I've researched...

-Loop AES
-DM Crypt

It seems the 'most' important features are:
1. check function return values
2. checksum feature
3. salt (series of random bits)

All the above 'do not' do this, except possibly Truecrypt.

My objective is to encrypt with the most integrity to the data, more
than likely it will be an external hard drive.

Can someone please advise?

Thank you

stress_junkie 02-05-2007 08:15 AM

I will vote for True Crypt. I've been using it for several months. I've gotten all of my encrypted partitions and files migrated to True Crypt. I had previously been using crypto-loop with twofish encryption.

The reasons that I changed to True Crypt include the following:

It is multiplatform. It will run on Linux and Windows. You can encrypt a disk partition or a file on one platform and use it on the other platform.

It does not depend on a particular distribution of Linux. I found that using crypto-loop on Linux with twofish encryption made it difficult to try new distributions. Many Linux distributions do not support twofish encryption under crypto-loop.

It has all of the latest encryption algorithms and hashes. You can combine encryption algorithms to encrypt a given object (partition or file).

True Crypt is easy to use. It has a simple command line interface in Linux. It has a GUI interface in Windows. I like the command line interface. It is about the same level of difficulty as crypto-loop as far as entering commands to complete a given task.

True Crypt uses the Linux device mapper rather than the loop interface.

True Crypt compiles and installs easily. So far I have installed it on two very different Linux distributions (SuSE and PCLinuxOS). I have not had any problems installing it or making it work.

It is possible to put the True Crypt binary on a portable data device like a USB thumbdrive and then use that portable device on a Linux or Windows machine that does not have True Crypt installed. I have not done this yet but I plan to try it.

True Crypt has made data encryption portable for me. I was tied to OpenSuSE when I used crypto-loop with twofish encryption. Now I can use an encrypted object on any Linux distribution or Windows.

True Crypt does not put any encryption headers in its objects. That means that there is no data in the encrypted object to help hackers to determine how the object was encrypted. In other words, there is no data in the encrypted object to say that it is encrypted, or that it is encrypted using True Crypt, or that a particular encryption algorithm was used to encrypt the object.

You can see a listing of what actual objects are mapped to what True Crypt virtual devices by using the -l parameter to the truecrypt binary.

truecrypt -l
That's handy when you are mounting and unmounting encrypted objects.

True Crypt is an excellent product. And, of course, it's free.

The only downside that I had with True Crypt was the instructions for Linux. The True Crypt man page has a lot of examples so I finally figured out how to do what I needed to do. For example, when you want to encrypt an object your best course of action is to just invoke the True Crypt binary with the -c parameter. It will ask you for all of the information that it requires to find and encrypt the data object. Also, if you want to encrypt a file such as a mountable container file you do NOT create the file first using dd or whatever. True Crypt will create the file. Lastly, when it asks you what file system to use it only offers the choices of FAT or none. I always choose none. After the object is created I map it to a True Crypt virtual device in /dev/mapper, then I use mkfs to create the file system type of my choice.

Example to encrypt any object.

truecrypt -c
After the truecrypt binary starts it will ask you for any information that you did not supply on the command line.

Example to map an existing True Crypt object at /dev/hda4 to a True Crypt virtual device named /dev/mapper/truecrypt4.

truecrypt -N 4 /dev/hda4
You can then either mount the device /dev/mapper/truecrypt4 or you can create a new file system on it by using mkfs.

mount /dev/mapper/truecrypt4 /mnt/hda4

mkfs -t ext3 /dev/mapper/truecrypt4
I recommend NOT using the other forms of the truecrypt command to perform these particular tasks which are shown in the True Crypt man pages. I had some trouble with some of them. For example I recommend NOT mapping an encrypted device and adding the mount point in one line. Do it in two commands; map the device, then mount it. I recommend NOT adding all of the parameters to the line when you are creating a new True Crypt device. Just use the "truecrypt -c" form that I showed above and answer the questions as they are presented.

Akonbobot 02-07-2007 06:26 AM

Truecrypt sounds good.

Regarding Truecrypt:

1. Is it true that only ext2 (non journaled) can 'completely'
offer secure unused space overwritting via dd ? Does truecrpt
impose limitations for secure data erasures?

2. Are there any issues when you wish to rebuild a new kernel?

Thank you.

stress_junkie 02-07-2007 10:50 AM


Originally Posted by Akonbobot
1. Is it true that only ext2 (non journaled) can 'completely'
offer secure unused space overwritting via dd ? Does truecrpt
impose limitations for secure data erasures?

1a) No
1b) No

1a) If you use a container file on an unencrypted device then writes to the journal file are unencrypted.

If the journal file is on an encrypted device, such as the same device, then writes to the journal file will be encrypted. Here are some guidelines.

Encrypt entire disk partitions.
Put encrypted container files on encrypted partitions.
Ensure that file system journal files reside on encrypted disk partitions or inside encrypted container files which reside on encrypted disk partitions.

That should prevent data from an encrypted device from being written in unencrypted form to a journal file in Linux.

These precautions may not work for NTFS when you are running Windows!!! I don't know how NTFS journalizes it's writes to nonroot disk partitions. You may want to use the FAT32 file system for encrypted partitions on Windows.

1b) You can use dd or shred on any True Crypt mapped device, just as you would do with any raw disk partition. For example, if you have already performed "truecrypt -c" on a partition, then mapped it to /dev/mapper/truecrypt0, you could use dd to fill the mapped True Crypt device with random data before you create a file system in that mapped device, as follows:

dd if=/dev/urandom of=/dev/mapper/truecrypt0 <whatever>
You would then have to use mkfs to create a file system.

mkfs -t ext3 /dev/mapper/truecrypt0
So you can fill up a mapped True Crypt device with random data before you create a file system or to destroy data that is already stored in that device. You can also use the shred utility on a True Crypt mapped device or on files in the True Crypt mounted device.

Of course you can just use dd to write to the physical disk partition, such as /dev/hda3, but then you would have to run "truecrypt -c" on /dev/hda3 to use True Crypt on that partition.

There are issues using a Flash memory device with more than one partition. If your Flash memory device has only one partition there are no problems. If your Flash memory device has more than one partition then those devices that try to equalize the writes to the device over all of the Flash memory could cause the partition edge to physically shift, leaving unencrypted data exposed. The obvious answer is to use one partition on Flash memory devices, and that partition must cover all of the available data storage on the Flash memory device.


Originally Posted by Akonbobot
2. Are there any issues when you wish to rebuild a new kernel?

You need to have the Linux device mapper enabled. True Crypt requires version 2.6.5 or higher of the Linux kernel. AFAIK that is all that is required. True Crypt has its own encryption code. The rest is just normal device and file system stuff from the kernel.

There is a note on the True Crypt web page under system requirements stating that the current version of True Crypt (v4.2a) must not be used on Microsoft Vista. There will soon be a version of True Crypt that will work on Vista.

Akonbobot 02-13-2007 02:21 AM

Thank you, your comments are very helpful.

By the way... are SSH encrypted filesystems (sshfs) very different than truecrypt ?


michux 05-07-2007 02:18 PM

The alternative to truecrypt is DM_Crypt with cryptsetup. Here is how to configure it easily (all done automatically afterwards, even no additional passwords needed, integrated with PAM):

Of course TryeCrypt is a viable solution when you need to share your disk with Windows.

All times are GMT -5. The time now is 07:54 AM.