LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 10-27-2014, 07:43 AM   #1
rdx
Member
 
Registered: Apr 2007
Location: Dallas
Distribution: Slackware64 14.2
Posts: 283

Rep: Reputation: 25
to encrypt or not to encrypt a secondary disk


I am running Slackware64 14.1 and I have a secondary 500GB hard disk on my desktop system. I am considering options to add encryption, such as encrypt that whole disk or maybe instead put MariaDB files on that drive and storing sensitive data in the DB, encrypting just those entries. Does anyone have experience with encryption on Slackware? Can you give me some pros and cons of encrypting a drive versus maybe putting private data on a thumb drive or other options?
 
Old 10-27-2014, 11:15 AM   #2
BCarey
Senior Member
 
Registered: Oct 2005
Location: New Mexico
Distribution: Slackware
Posts: 1,639

Rep: Reputation: Disabled
The easiest thing is to encrypt the whole drive. I can't think of any disadvantage to encryption and it is so easy to set up. If you put your data on a thumb drive then encryption is more important.

Brian
 
1 members found this post helpful.
Old 10-27-2014, 11:52 AM   #3
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492Reputation: 492Reputation: 492Reputation: 492Reputation: 492
Full disk encryption is safer, that way there is no chance of unencrypted files hitting the disk.

There are disadvantages to encryption. You could lose the key. It is somewhat harder to recover data in case of failure. If you don't also apply some steganography it will also raise suspicion.

I cannot recommend using a USB stick as a sole backup method, they fail quickly and unexpectedly.
 
1 members found this post helpful.
Old 10-27-2014, 03:10 PM   #4
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Rep: Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225
And USB sticks can be hacked at the firmware level.
 
1 members found this post helpful.
Old 10-28-2014, 09:31 PM   #5
rdx
Member
 
Registered: Apr 2007
Location: Dallas
Distribution: Slackware64 14.2
Posts: 283

Original Poster
Rep: Reputation: 25
I sounds good but I have some questions. First, can you point me to docs that will explain how to set up the drive, please. And what is steganography? Who is going to be suspicious, unless there are where they don't belong anyway? Thanks.
 
Old 10-28-2014, 10:30 PM   #6
TracyTiger
Member
 
Registered: Apr 2011
Location: California, USA
Distribution: Slackware
Posts: 528

Rep: Reputation: 273Reputation: 273Reputation: 273
man cryptsetup

EDIT:

Use the LUKS extension.

You may also look at the README_CRYPT.TXT on the boot disk. Although it's about encrypting disks during installation, I believe it gives some examples of using the cryptsetup command that you may find helpful.

And of course check at docs.slackware.com. There is probably a tutorial there.

Last edited by TracyTiger; 10-28-2014 at 10:44 PM. Reason: Added more info
 
1 members found this post helpful.
Old 10-29-2014, 08:52 AM   #7
rdx
Member
 
Registered: Apr 2007
Location: Dallas
Distribution: Slackware64 14.2
Posts: 283

Original Poster
Rep: Reputation: 25
Okay, I have had a chance to scan the man entry. One thing that is not clear is what state should the disk be in? In other words, should I do a quick format on the disk? Currently there is stuff on the dev, it was the root disk when I was trying out 14.0 so it has all the stuff for a system but I replaced it with another device for 14.1. If I install the LUKS stuff, does it overwrite the drive automatically?

This issue seems complicated. That might just be because I am ignorant but I feel the need to learn more about it before I attempt it. I am particularly concerned about how the loss of the LUKS header can render all data lost.
 
Old 10-29-2014, 10:59 AM   #8
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492Reputation: 492Reputation: 492Reputation: 492Reputation: 492
See:
http://www.cyberciti.biz/hardware/ho...setup-command/

Data recovery of encrypted partitions is more difficult. LUKS does have a header and thus it is even more difficult.
http://blog.miketoscano.com/?tag=luks-recovery

If you want, you don't have to use LUKS, you can use cryptsetup to make an encrypted area on the disk without a header.
 
Old 10-29-2014, 11:58 AM   #9
mlslk31
Member
 
Registered: Mar 2013
Location: Florida, USA
Distribution: Slackware, FreeBSD
Posts: 210

Rep: Reputation: 76
Quote:
Originally Posted by rdx View Post
I sounds good but I have some questions. First, can you point me to docs that will explain how to set up the drive, please. And what is steganography? Who is going to be suspicious, unless there are where they don't belong anyway? Thanks.
`man cryptsetup`. Or at https://code.google.com/p/cryptsetup...AskedQuestions, checking around that cryptsetup site to see if there are any related docs that you like.

Steganography is hiding one message inside another message. For computers, it means doing things like having the main key write to one part of the crypt, but you have a different key to writes to a different part of the crypt. That way, parties can ask for your key, you hand over the primary, and they might not know that there is a hidden section in there. I don't think that vanilla cryptsetup deals with steganography. There are other tools to accomplish this (TrueCrypt? or its successor?). Google turns up proposals for steganography support for cryptsetup, but I haven't tried any of them.

As for the question of who is going to be suspicious, I try my best not to ask a crypto user for what purpose that the crypto is going to be used. It's bad form. If you're protecting sensitive documents, you might be better off to increase your network and physical security. When the crypt is open, it is just as available or unavailable to remote hackers as an unencrypted partition. If the data is so sensitive that you want a password to open each file one at a time, a weak-but-fast crypt combined with gpg is a nice solution. The crypt will obscure the file system layout and the data to some degree, and gpg will obscure the data really well.

But if you're asking newbie questions, you might get your newbie lessons in as well. All crypto takes extra care. At least I've lost one set of data while learning new crypto methods, whether it's zeroing out what I thought was junk partition but turned out to be the first MB of a crypt (data gone), or whether it's simply losing my only PGP key for a dataset. By the time you've learned your first bad lesson, you should have a decent feel for the cryptsetup man page. It's not the most accessible man page by any means.

As for formatting, it's up to you. I zero the partition(s) first, then make the crypt, then open the crypt, then zero the crypt. It leaves a nice trail of junk on the bare platters. You could also do the same thing but overwrite the file with /dev/urandom instead of /dev/zero. After all of this, I put a file system on the crypt and set up how I'm going to open the crypt and mount the filesystem.

Agreeing with the others here, stay away from the USB stick idea. If your LUKS header gets mangled, then your data is most likely lost. All it takes is a poor write in that header area. I've had that happen with FreeBSD geli on an old USB stick, and the conclusion was, "Oh well...good thing it was the backup of my backup and not the backup itself...because the data is gone!"
 
1 members found this post helpful.
Old 10-29-2014, 12:33 PM   #10
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492Reputation: 492Reputation: 492Reputation: 492Reputation: 492
Steganography requires some imagination on the part of the user Don't think too many people will tell you how they do it, because that would ruin it. However, if you put your mind to it you can come up with something good.
 
1 members found this post helpful.
Old 10-30-2014, 11:45 AM   #11
rdx
Member
 
Registered: Apr 2007
Location: Dallas
Distribution: Slackware64 14.2
Posts: 283

Original Poster
Rep: Reputation: 25
Quote:
Originally Posted by metaschima View Post
Steganography requires some imagination on the part of the user Don't think too many people will tell you how they do it, because that would ruin it. However, if you put your mind to it you can come up with something good.
Let's just suppose that I am interested in encryption for it's own sake, to know how to do it more than to actually do it. Besides, I can't think of any reason I should need to hide the fact that I am encrypting stuff. It is enough that I might have trade secrets or intellectual property to protect. Don't you agree?
 
Old 10-30-2014, 12:31 PM   #12
rdx
Member
 
Registered: Apr 2007
Location: Dallas
Distribution: Slackware64 14.2
Posts: 283

Original Poster
Rep: Reputation: 25
[QUOTE=mlslk31;5261435]`man cryptsetup`. Or at https://code.google.com/p/cryptsetup...AskedQuestions, checking around that cryptsetup site to see if there are any related docs that you like.

That site appears to be uber helpful. It will take me some time to digest it but I think it answers all my questions. Thanks very much.
 
Old 10-30-2014, 01:16 PM   #13
mlslk31
Member
 
Registered: Mar 2013
Location: Florida, USA
Distribution: Slackware, FreeBSD
Posts: 210

Rep: Reputation: 76
Quote:
Originally Posted by rdx View Post
Let's just suppose that I am interested in encryption for it's own sake, to know how to do it more than to actually do it. Besides, I can't think of any reason I should need to hide the fact that I am encrypting stuff. It is enough that I might have trade secrets or intellectual property to protect. Don't you agree?
That is fine. There is no bad use, really, and my primary use is to transport backups offsite. I don't want to have to worry about backup media being lost or stolen. But there are some folks out there who, if you ask them to justify their use of crypto, they'll simply not respond. So I tell you my story and hope you can adapt my viewpoint to your situation.

And yes, there is a little bit of tin foil hat to my approach. I used to play with crypto to see what it was like. Then after 9/11 and before the Patriot Act, plenty of news organizations were reporting the various proposals for the government to snoop on Americans while trying to get the terrorists. At that point, my thoughts were this: I am a law-abiding citizen; if you need information from me, get a formal warrant and present it to me, I will comply; but don't go snooping on my everyday activities without permission. As it turns out, the popular ideas were brought into the Patriot Act, and the unpopular ideas were farmed out to the NSA.

FWIW, I use very little crypto online, only for sensitive information. Instead, I write about the kind of things that I'm willing to talk about in a public place. It's way easier to deliver messages in person or by phone than it is to teach a second party how to use cryptography. This was especially true before this year, when a prevailing attitude was "if you're innocent then you have nothing to hide." This year may prove that you indeed have something to hide, that sensitive information can be used to help steal your identity, that if corporations don't take care of your credit card information, you'll be watching your credit reports and credit card bills for a long time to come.
 
Old 10-30-2014, 01:38 PM   #14
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492Reputation: 492Reputation: 492Reputation: 492Reputation: 492
@ mlslk31
That's also the reason why steganography is invaluable today. No court can force you to decrypt something that they don't know even exists and cannot prove that it exists.

Last edited by metaschima; 10-30-2014 at 01:39 PM.
 
Old 10-30-2014, 01:51 PM   #15
Soderlund
Member
 
Registered: Aug 2012
Posts: 185

Rep: Reputation: 81
I don't use full disk encryption because it's apparently very sensitive to corruption. Then again my main concern is keeping my data safe; the secondary concern for me is to encrypt it.

So I use EncFS to create an encrypted directory. You mount it and put files in it, and those files are automatically encrypted.

But as metaschima says, it is useless if those files are ever written to the disk. You can retrieve them with PhotoRec or extundelete. As you know files are not really deleted when you "rm" them -- the memory on the disk is just flagged as writable, so it may (or may not) be overwritten at some point in the future. "shred" can be used to delete files from the disk and overwrite the memory, but ideally the files should never be anywhere except in the encrypted directory.

Some programs helpfully leak data. For example, you may expect /encrypted/whatever.txt to only exist in your encrypted directory, but a text editor may put the buffer in /tmp.

When the computer runs out of RAM, it will also write things to your swap partition, so the swap must be encrypted as well.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Encrypt Early, Encrypt Often! LXer Syndicated Linux News 0 08-10-2011 02:30 AM
crypt() perl function to encrypt Password in shell scripts or How Encrypt passwords ? balakrishnay Linux - General 13 01-14-2010 09:35 AM
encrypt and decrypt using encrypt(char block[64], int edflag) rockwell_001 Linux - Security 3 08-30-2009 09:16 AM
How to Encrypt file tulsi Linux - Software 7 08-25-2009 06:25 PM
Encrypt vivekind Linux - General 1 01-16-2002 03:23 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 06:11 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration