Security Basics mailing list archives
Re: full-disk-encryption for linux ?
From: Tim Watson <tw () dmu ac uk>
Date: Tue, 14 Nov 2006 22:41:05 +0000
Linux Unified Key Setup (LUKS) would seem to be what you need: http://luks.endorphin.org/

From the website:
-----------
LUKS is the upcoming standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provide secure management of multiple user passwords. In contrast to existing solution, LUKS stores all setup necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly.
While LUKS is a standard on-disk format, there is also a reference implementation. LUKS for dm-crypt is implemented in an enhanced version of cryptsetup.
------------
'man cryptsetup' on your system will tell you if you have the enhanced version of cryptsetup. The website above gives simple instructions on use and a paper on the specification. You can use it on a partition, or on a container file as follows:
-------------
How to create and use an encrypted container (tested on Fedora Core 6):
# do these once to create the container (must be larger than 1MB)
dd if=/dev/zero of=/path/to/container-file count=20000 # 10MB file
shred -n1 /path/to/container-file # randomise to hide space used
# using dd if=/dev/random ... instead of shred is extremely slow
# as it blocks after it has sucked out all your entropy. Remove
# the -n1 option to make shred overwrite 25 times for greater security
# do these each time you want to access the container
losetup -f # gets name of next free loop device (assume loop0)
losetup /dev/loop0 /path/to/container-file
# do this once to luks format the container
cryptsetup luksFormat /dev/loop0 # prompts for a passphrase
# do these each time you want to access the container
cryptsetup luksOpen /dev/loop0 container-dev # asks for passphrase
ls -l /dev/mapper/container-dev # check it opened OK
# do this once to create the filesystem in the container
mkfs.ext3 /dev/mapper/container-dev
# do this once to create the mountpoint
mkdir /another/path/to/container-dir
# do this each time you want to access the container
mount /dev/mapper/container-dev /another/path/to/container-dir
# ... access the container ...
# do these each time you have finished with the container
umount /another/path/to/container-dir
cryptsetup luksClose container-dev
losetup -d /dev/loop0
-----------------
All the best,
Tim.
Saqib Ali wrote:
Mr. Bakshi,

Try Compusec or Pointsec. They both support Pointsec. Or even better Seagate's FDE.2 drives that encrypt everything at the hardware level: http://www.seagate.com/docs/pdf/marketing/po_momentus_5400_fde_bb.pdf

saqib

On 11/9/06, J.Bakshi <bakshi12 () gmail com> wrote:

Hi,

I am looking for a full-disk-encryption S/W for my Linux based laptop.
1] It should be fast
2] It should use AES (256 bit preferred)
Could any one suggest such best tool for Linux ?
thanks.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
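Added example (not part of the original message, and not code from the LUKS project): the quoted website text says LUKS keeps all setup information and the slots for multiple passphrases in the partition header, and this sketch reads those plaintext fields from the first 592 bytes of a container. The field layout and slot constants follow the LUKS1 on-disk format; the function names and the sample header are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
# LUKS1 phdr: magic, version, cipher name, cipher mode, hash spec,
# payload offset, key bytes, mk digest, digest salt, digest iterations, uuid
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# one key slot: state, PBKDF2 iterations, salt, key material offset, stripes
SLOT = struct.Struct(">II32sII")
NUM_SLOTS = 8

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")  # NUL-padded field

def parse_luks1_header(blob):
    """Return the plaintext setup fields of a LUKS1 header as a dict."""
    need = PHDR.size + NUM_SLOTS * SLOT.size   # 208 + 8 * 48 = 592 bytes
    if len(blob) < need:
        raise ValueError("too short for a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_offset,
     key_bytes, _digest, _salt, _iters, uuid) = PHDR.unpack_from(blob, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic: not a LUKS container")
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    active = []
    for i in range(NUM_SLOTS):
        state = SLOT.unpack_from(blob, PHDR.size + i * SLOT.size)[0]
        if state == SLOT_ENABLED:
            active.append(i)
        elif state != SLOT_DISABLED:
            raise ValueError("key slot %d has a corrupt state field" % i)
    return {"cipher": _text(cipher), "mode": _text(mode),
            "hash": _text(hash_spec), "key_bits": key_bytes * 8,
            "payload_offset_sectors": payload_offset,
            "uuid": _text(uuid), "active_slots": active}

def sample_header():
    """Constructed sample: AES-256 header with key slots 0 and 2 in use."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                    2056, 32, bytes(20), bytes(32), 10,
                    b"00000000-0000-0000-0000-000000000000")
    for i in range(NUM_SLOTS):
        state = SLOT_ENABLED if i in (0, 2) else SLOT_DISABLED
        hdr += SLOT.pack(state, 1000, bytes(32), 8 + i * 256, 4000)
    return hdr

if __name__ == "__main__":
    print(parse_luks1_header(sample_header()))
```

On a real container, pass the first 592 bytes of the container file to `parse_luks1_header`; the list of active slots shows how many passphrases can currently unlock it.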
