* [gentoo-security] Encrypting a user home folder on a laptop
@ 2008-02-15 23:09 Randy Barlow
2008-02-16 9:04 ` Florian Philipp
` (3 more replies)
0 siblings, 4 replies; 18+ messages in thread
From: Randy Barlow @ 2008-02-15 23:09 UTC (permalink / raw
To: gentoo-security
I am probably being paranoid, but I'd like to encrypt my /home/username
folder on my laptop. I tried EncFS using [1], but KDE didn't seem to
work under that setup because of the restriction that the filesystem
doesn't support hardlinks. So now I am playing around with [2]. The
only problem I have here is that it seems like I have to know in advance
what size I want to use for my home folder (I am using a file as a
loopback device rather than a partition, mostly because I already have a
system up and don't want to mess with resizing partitions). Is there
any way to resize the loopback device on the fly, or do you just have to
create a new one and copy the files into it every time you need to resize?
Another question I have: I am pretty new to ciphers. One thing I have
learned is that the avalanche effect is desirable, meaning that one bit
flipped in the plaintext should cause about half of the ciphertext bits
to flip. Does the dm-crypt setup have much correlation between
encryption blocks to where this avalanche effect would change the whole
file, or just a few encryption blocks? To illustrate, I'm looking to
encrypt probably something like 40 GB of data. If I change 1 bit
somewhere in my plaintext, how many bytes of that 40 GB of total data on
my loopback device should I expect that bit flip to have an effect on?
Thanks for any enlightenment you can offer!
[1] http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_EncFS
[2] http://gentoo-wiki.com/SECURITY_dmcrypt
--
Randy Barlow
http://electronsweatshop.com
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
@ 2008-02-15 23:45 bmicek
2008-02-16 0:08 ` Randy Barlow
0 siblings, 1 reply; 18+ messages in thread
From: bmicek @ 2008-02-15 23:45 UTC (permalink / raw
To: gentoo-security
[-- Attachment #1: Type: text/html, Size: 3505 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-15 23:45 bmicek
@ 2008-02-16 0:08 ` Randy Barlow
2008-02-16 0:15 ` William Kenworthy
` (2 more replies)
0 siblings, 3 replies; 18+ messages in thread
From: Randy Barlow @ 2008-02-16 0:08 UTC (permalink / raw
To: gentoo-security
bmicek@speakeasy.net wrote:
> I spent time about a year ago looking into good encryption. At that
> time, cryptsetup was the best bet. Its really easy to use. With
> cryptsetup, your best off encrypting an entire filesystem/partition so
> there are no restrictions regarding size.
>
> As far as ciphers, there are three popular ones that are 256 bits in the
> Linux kernel. You'll have to pick the one(s) you like best. Generally,
> everyone agrees Serpent is the strongest, followed by AES then followed
> by TwoFish. From my tests, performance of the algorithms is in reverse
> order (meaning TwoFish is the fastest). Linux is a bit behind last I
> checked regarding encription modes of operation and seems to only offer
> ECB or CBC. CBC is Chain Block Cipher and is based on an IV which is
> like an index into your media. The IV is used to encript a block of
> data so a previous identical block wont be identically encrypted. As
> far as your question regarding one-bit changes, a one bit change will
> have the effect you mentioned but only for one encrypted block.
>
> I'd recommend reading up on the ciphers to see what you like. There has
> been some talk about TwoFish being broken however I find it hard to
> believe. There has been a lot of talk about TrueCrypt on Linux. From
> what I can tell, it seems a bit more advanced and supports different
> (more modern?) modes of encryption.
Thanks for the reply Brian! In a course I am taking this semester, we
have learned the nitty gritty of AES, and I think I am pretty happy with
that one given a long enough key (256 is way plenty!) I have been
playing around with the creation of the file for the loopback block
device for dm-crypt, and I have learned some surprising things about
filesystems. Can anybody explain the following to me?
If I create a file like this:
dd if=/dev/zero bs=1000000000 of=/path/to/crytped/file
it makes a file that takes up 1 GB of hard drive space. It takes a
while to write to disk, and you will notice that the file is 1 GB with
ls -l and you will also notice a change in the space for the partition
using df.
If I create a file like this:
dd bs=1 seek=1GB if=/dev/null of=/path/to/crypted/file
it makes a file that reports itself to be 1 GB long by ls -l, but
doesn't seem to write 1 GB to the disk. Also, df doesn't report 1 GB
less than before you run the command.
What's happening here? I had assumed before I did this that the output
of ls -l is the actual number of bits consumed by a file, but that
doesn't seem to be the case anymore.
I created a file using the second command, and now as I copy files into
it I can see the disk space going down bit by bit. This is really what
I wanted in the first place, but I am just confused as to what is really
going on. Could anybody explain, please?
--
Randy Barlow
http://electronsweatshop.com
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-16 0:08 ` Randy Barlow
@ 2008-02-16 0:15 ` William Kenworthy
2008-02-16 3:06 ` Samuel Halicke
2008-02-16 7:47 ` Christian Spoo
2 siblings, 0 replies; 18+ messages in thread
From: William Kenworthy @ 2008-02-16 0:15 UTC (permalink / raw
To: gentoo-security
http://en.wikipedia.org/wiki/Sparse_file
On Fri, 2008-02-15 at 19:08 -0500, Randy Barlow wrote:
> bmicek@speakeasy.net wrote:
> > I spent time about a year ago looking into good encryption. At that
> >...
....
> it makes a file that reports itself to be 1 GB long by ls -l, but
> doesn't seem to write 1 GB to the disk. Also, df doesn't report 1 GB
> less than before you run the command.
>
> What's happening here? I had assumed before I did this that the output
> of ls -l is the actual number of bits consumed by a file, but that
> doesn't seem to be the case anymore.
>
> I created a file using the second command, and now as I copy files into
> it I can see the disk space going down bit by bit. This is really what
> I wanted in the first place, but I am just confused as to what is really
> going on. Could anybody explain, please?
>
> --
> Randy Barlow
> http://electronsweatshop.com
--
William Kenworthy <billk@iinet.net.au>
Home in Perth!
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-16 0:08 ` Randy Barlow
2008-02-16 0:15 ` William Kenworthy
@ 2008-02-16 3:06 ` Samuel Halicke
2008-02-16 7:47 ` Christian Spoo
2 siblings, 0 replies; 18+ messages in thread
From: Samuel Halicke @ 2008-02-16 3:06 UTC (permalink / raw
To: gentoo-security
Read Introduction To Algorithms and get the MIT open courseware for
the book from their site or iTunes Univ.
At least you get a start that way
Sam
On Feb 15, 2008, at 6:08 PM, Randy Barlow wrote:
> bmicek@speakeasy.net wrote:
>> I spent time about a year ago looking into good encryption. At that
>> time, cryptsetup was the best bet. Its really easy to use. With
>> cryptsetup, your best off encrypting an entire filesystem/partition
>> so
>> there are no restrictions regarding size.
>>
>> As far as ciphers, there are three popular ones that are 256 bits
>> in the
>> Linux kernel. You'll have to pick the one(s) you like best.
>> Generally,
>> everyone agrees Serpent is the strongest, followed by AES then
>> followed
>> by TwoFish. From my tests, performance of the algorithms is in
>> reverse
>> order (meaning TwoFish is the fastest). Linux is a bit behind last I
>> checked regarding encription modes of operation and seems to only
>> offer
>> ECB or CBC. CBC is Chain Block Cipher and is based on an IV which is
>> like an index into your media. The IV is used to encript a block of
>> data so a previous identical block wont be identically encrypted. As
>> far as your question regarding one-bit changes, a one bit change will
>> have the effect you mentioned but only for one encrypted block.
>>
>> I'd recommend reading up on the ciphers to see what you like.
>> There has
>> been some talk about TwoFish being broken however I find it hard to
>> believe. There has been a lot of talk about TrueCrypt on Linux.
>> From
>> what I can tell, it seems a bit more advanced and supports different
>> (more modern?) modes of encryption.
>
> Thanks for the reply Brian! In a course I am taking this semester, we
> have learned the nitty gritty of AES, and I think I am pretty happy
> with
> that one given a long enough key (256 is way plenty!) I have been
> playing around with the creation of the file for the loopback block
> device for dm-crypt, and I have learned some surprising things about
> filesystems. Can anybody explain the following to me?
>
> If I create a file like this:
>
> dd if=/dev/zero bs=1000000000 of=/path/to/crytped/file
>
> it makes a file that takes up 1 GB of hard drive space. It takes a
> while to write to disk, and you will notice that the file is 1 GB with
> ls -l and you will also notice a change in the space for the partition
> using df.
>
> If I create a file like this:
>
> dd bs=1 seek=1GB if=/dev/null of=/path/to/crypted/file
>
> it makes a file that reports itself to be 1 GB long by ls -l, but
> doesn't seem to write 1 GB to the disk. Also, df doesn't report 1 GB
> less than before you run the command.
>
> What's happening here? I had assumed before I did this that the
> output
> of ls -l is the actual number of bits consumed by a file, but that
> doesn't seem to be the case anymore.
>
> I created a file using the second command, and now as I copy files
> into
> it I can see the disk space going down bit by bit. This is really
> what
> I wanted in the first place, but I am just confused as to what is
> really
> going on. Could anybody explain, please?
>
> --
> Randy Barlow
> http://electronsweatshop.com
> --
> gentoo-security@lists.gentoo.org mailing list
>
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
@ 2008-02-16 6:46 bmicek
0 siblings, 0 replies; 18+ messages in thread
From: bmicek @ 2008-02-16 6:46 UTC (permalink / raw
To: gentoo-security
[-- Attachment #1: Type: text/html, Size: 5558 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-16 0:08 ` Randy Barlow
2008-02-16 0:15 ` William Kenworthy
2008-02-16 3:06 ` Samuel Halicke
@ 2008-02-16 7:47 ` Christian Spoo
2 siblings, 0 replies; 18+ messages in thread
From: Christian Spoo @ 2008-02-16 7:47 UTC (permalink / raw
To: gentoo-security
[-- Attachment #1.1: Type: text/plain, Size: 4431 bytes --]
Hi,
if you use dd like this:
dd if=/dev/null bs=1 seek=1GB of=/whatever
you're creating a so-called sparse file. Because of the seek-
parameter, the kernel knows that the file actually doesn't contain any
information between the first byte and the byte after the first GB in
the file. In this case the kernel doesn't allocate the whole space for
the file on your filesystem. But if you tell dd to explicitly write
zeroes into the file the kernel must allocate all the space for the
zeroes because it can't know that the zeroes are only placeholders.
For speed reasons it's thus far better to create loopback images from /
dev/null than /dev/zero.
You will notice that the amount of used disk space will increase each
time when you fill a byte in your sparse file. The kernel tries to
optimize the sparse blocks so that the actual space consumption of the
file is minimized. Note, that the same sparse file consumes different
amounts of disk space when stored on different file system. Reiser3 is
IMHO not best for storing such files. Ext3 and Reiser4 do better (the
usually need less that 50 KB for storing such a file assuming it's
really empty, Reiser3 could eat several MBytes because its algorithms
for handling sparse files are not that good).
Regards,
Christian Spoo
Am 16.02.2008 um 01:08 schrieb Randy Barlow:
> bmicek@speakeasy.net wrote:
>> I spent time about a year ago looking into good encryption. At that
>> time, cryptsetup was the best bet. Its really easy to use. With
>> cryptsetup, your best off encrypting an entire filesystem/partition
>> so
>> there are no restrictions regarding size.
>>
>> As far as ciphers, there are three popular ones that are 256 bits
>> in the
>> Linux kernel. You'll have to pick the one(s) you like best.
>> Generally,
>> everyone agrees Serpent is the strongest, followed by AES then
>> followed
>> by TwoFish. From my tests, performance of the algorithms is in
>> reverse
>> order (meaning TwoFish is the fastest). Linux is a bit behind last I
>> checked regarding encription modes of operation and seems to only
>> offer
>> ECB or CBC. CBC is Chain Block Cipher and is based on an IV which is
>> like an index into your media. The IV is used to encript a block of
>> data so a previous identical block wont be identically encrypted. As
>> far as your question regarding one-bit changes, a one bit change will
>> have the effect you mentioned but only for one encrypted block.
>>
>> I'd recommend reading up on the ciphers to see what you like.
>> There has
>> been some talk about TwoFish being broken however I find it hard to
>> believe. There has been a lot of talk about TrueCrypt on Linux.
>> From
>> what I can tell, it seems a bit more advanced and supports different
>> (more modern?) modes of encryption.
>
> Thanks for the reply Brian! In a course I am taking this semester, we
> have learned the nitty gritty of AES, and I think I am pretty happy
> with
> that one given a long enough key (256 is way plenty!) I have been
> playing around with the creation of the file for the loopback block
> device for dm-crypt, and I have learned some surprising things about
> filesystems. Can anybody explain the following to me?
>
> If I create a file like this:
>
> dd if=/dev/zero bs=1000000000 of=/path/to/crytped/file
>
> it makes a file that takes up 1 GB of hard drive space. It takes a
> while to write to disk, and you will notice that the file is 1 GB with
> ls -l and you will also notice a change in the space for the partition
> using df.
>
> If I create a file like this:
>
> dd bs=1 seek=1GB if=/dev/null of=/path/to/crypted/file
>
> it makes a file that reports itself to be 1 GB long by ls -l, but
> doesn't seem to write 1 GB to the disk. Also, df doesn't report 1 GB
> less than before you run the command.
>
> What's happening here? I had assumed before I did this that the
> output
> of ls -l is the actual number of bits consumed by a file, but that
> doesn't seem to be the case anymore.
>
> I created a file using the second command, and now as I copy files
> into
> it I can see the disk space going down bit by bit. This is really
> what
> I wanted in the first place, but I am just confused as to what is
> really
> going on. Could anybody explain, please?
>
> --
> Randy Barlow
> http://electronsweatshop.com
> --
> gentoo-security@lists.gentoo.org mailing list
>
[-- Attachment #1.2: Type: text/html, Size: 6134 bytes --]
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 194 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-15 23:09 Randy Barlow
@ 2008-02-16 9:04 ` Florian Philipp
2008-02-16 20:34 ` Naga Toro
2008-02-16 21:12 ` Mansour Moufid
2008-02-16 12:14 ` Sune Kloppenborg Jeppesen
` (2 subsequent siblings)
3 siblings, 2 replies; 18+ messages in thread
From: Florian Philipp @ 2008-02-16 9:04 UTC (permalink / raw
To: gentoo-security
[-- Attachment #1: Type: text/plain, Size: 2524 bytes --]
On Fri, 2008-02-15 at 18:09 -0500, Randy Barlow wrote:
> I am probably being paranoid, but I'd like to encrypt my /home/username
> folder on my laptop. I tried EncFS using [1], but KDE didn't seem to
> work under that setup because of the restriction that the filesystem
> doesn't support hardlinks. So now I am playing around with [2]. The
> only problem I have here is that it seems like I have to know in advance
> what size I want to use for my home folder (I am using a file as a
> loopback device rather than a partition, mostly because I already have a
> system up and don't want to mess with resizing partitions). Is there
> any way to resize the loopback device on the fly, or do you just have to
> create a new one and copy the files into it every time you need to resize?
>
> Another question I have: I am pretty new to ciphers. One thing I have
> learned is that the avalanche effect is desirable, meaning that one bit
> flipped in the plaintext should cause about half of the ciphertext bits
> to flip. Does the dm-crypt setup have much correlation between
> encryption blocks to where this avalanche effect would change the whole
> file, or just a few encryption blocks? To illustrate, I'm looking to
> encrypt probably something like 40 GB of data. If I change 1 bit
> somewhere in my plaintext, how many bytes of that 40 GB of total data on
> my loopback device should I expect that bit flip to have an effect on?
>
> Thanks for any enlightenment you can offer!
>
> [1] http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_EncFS
> [2] http://gentoo-wiki.com/SECURITY_dmcrypt
>
1. dmcrypt allows online resizing. If it's a loopback device, just
expand it with dmcrypt, then the FS on top of it. If it's a partition/
logical volume, you have to expand this at first.
2. With good ciphers, for example aes-lrw-benbi:sha256 (keysize 384)
dmcrypt should be fine. But you have to understand that it's encrypted
block by block. If you change one bit, only the block it's within is
changed. dmcrypt doesn't know about files and filesystems, it just knows
blocks. However, this doesn't mean that two blocks identical in
plaintext look exactly the same when encrypted. The encryption changes
after every block.
By the way, I use pam_mount and cryptsetup-luks to mount my encrypted
home-partition with my login password on the fly. If you want a short
howto and my configuration, just ask, I can answer again in 10 hours
(Sat Feb 16 19:00:00 UTC).
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-15 23:09 Randy Barlow
2008-02-16 9:04 ` Florian Philipp
@ 2008-02-16 12:14 ` Sune Kloppenborg Jeppesen
2008-02-16 22:27 ` Wojciech Ziniewicz
2008-02-17 10:53 ` Florian Sowade
3 siblings, 0 replies; 18+ messages in thread
From: Sune Kloppenborg Jeppesen @ 2008-02-16 12:14 UTC (permalink / raw
To: gentoo-security
On Saturday 16 February 2008, Randy Barlow wrote:
> I am probably being paranoid, but I'd like to encrypt my /home/username
> folder on my laptop. I tried EncFS using [1], but KDE didn't seem to
> work under that setup because of the restriction that the filesystem
> doesn't support hardlinks. So now I am playing around with [2]. The
> only problem I have here is that it seems like I have to know in advance
> what size I want to use for my home folder (I am using a file as a
> loopback device rather than a partition, mostly because I already have a
> system up and don't want to mess with resizing partitions). Is there
> any way to resize the loopback device on the fly, or do you just have to
> create a new one and copy the files into it every time you need to resize?
I have some old notes lying around about this.
If you're working without partitions and using ext something like the
following should work. Note it is not on the fly, but OTOH you don't have to
start from scratch either.
Unmount loopback device.
Enlarge protected_file
dd if=/dev/urandom bs=1024k count=10 >> protected_file
Setup loopdevice
losetup /dev/loop6 protected_file
Setup the crypto device
cryptsetup -y create testcrypt /dev/loop6
Now enlarge the filesystem
fsck.ext2 -f /dev/mapper/testcrypt
Though you should test it before running it on your home dir (and report back
here)!
HTH.
--
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-16 9:04 ` Florian Philipp
@ 2008-02-16 20:34 ` Naga Toro
2008-02-16 22:09 ` Florian Philipp
2008-02-16 21:12 ` Mansour Moufid
1 sibling, 1 reply; 18+ messages in thread
From: Naga Toro @ 2008-02-16 20:34 UTC (permalink / raw
To: gentoo-security
On Saturday 16 February 2008 10.04.30 Florian Philipp wrote:
[...]
> By the way, I use pam_mount and cryptsetup-luks to mount my encrypted
> home-partition with my login password on the fly. If you want a short
> howto and my configuration, just ask, I can answer again in 10 hours
> (Sat Feb 16 19:00:00 UTC).
Please do, atleast I'm curious.
/BR
Naga
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-16 9:04 ` Florian Philipp
2008-02-16 20:34 ` Naga Toro
@ 2008-02-16 21:12 ` Mansour Moufid
1 sibling, 0 replies; 18+ messages in thread
From: Mansour Moufid @ 2008-02-16 21:12 UTC (permalink / raw
To: gentoo-security
Hello everyone,
I've been using dm-crypt with twofish-lrw-benbi:ripemd160 for (swap
and /tmp) because, if I understand correctly, Twofish is more
optimized in the Linux kernel than AES (and therefore faster). I've
been thinking of using AES on /home.
One thing I don't understand is the term "benbi". Does this have
something to do with IV generation?
One last thing. I've heard that LRW will be replaced with XTS. [1]
IIRC correctly, the XTS cipher mode isn't in the Linux kernel yet?
Also, from what I've read, the problems with LRW boil down to a
"traitor tracing" problem, that repeated physical access to a drive is
needed, and even then one could theoretically only confirm the
presence of a known plaintext. Am I getting this right?
[1] http://en.wikipedia.org/wiki/IEEE_P1619#LRW_issue
Sincerely,
Mansour Moufid
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-16 20:34 ` Naga Toro
@ 2008-02-16 22:09 ` Florian Philipp
2008-02-17 19:30 ` Naga Toro
0 siblings, 1 reply; 18+ messages in thread
From: Florian Philipp @ 2008-02-16 22:09 UTC (permalink / raw
To: gentoo-security
[-- Attachment #1.1: Type: text/plain, Size: 2489 bytes --]
On Sat, 2008-02-16 at 21:34 +0100, Naga Toro wrote:
> On Saturday 16 February 2008 10.04.30 Florian Philipp wrote:
> [...]
> > By the way, I use pam_mount and cryptsetup-luks to mount my encrypted
> > home-partition with my login password on the fly. If you want a short
> > howto and my configuration, just ask, I can answer again in 10 hours
> > (Sat Feb 16 19:00:00 UTC).
>
> Please do, atleast I'm curious.
>
> /BR
> Naga
Okay,
I think I can skip the creation of a cryptsetup-luks partition (or
whatever). It should be clear that you need to use your login password.
The next step would be to emerge pam_mount.
Then edit /etc/security/pam_mount.conf.xml
The relevant part to add is:
<volume
user="dsl"
fstype="crypt"
path="/dev/vg/home_dsl"
mountpoint="/home/dsl"
options="async,noatime,exec"
/>
<volume
user="dsl"
fstype="reiserfs"
path="/dev/mapper/_dev_mapper_vg-home_dsl"
mountpoint="/home/dsl"
options="defaults,async,noatime,exec"
/>
above </pam_mount>
As you can see, "dsl" is my user name and /dev/vg/home_dsl my encrypted
home volume. In case I've missed something in this file, I've attached
it gzip-compressed.
Then you need to edit /etc/pam.d/system-auth:
#%PAM-1.0
auth required pam_env.so
auth optional pam_mount.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so use_first_pass
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2
ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_mount.so
(or something similar)
I think the relevant parts are "use_first_pass" and "pam_mount" in
"auth" and "session".
I don't say that my setup is perfect. It was a huge trial and error
phase to get it working.
Of course, you need to use pam for it to work but that's the default
setting on Gentoo. Please check your USE-flags for pam and your
sshd_config for usage of pam.
If it doesn't work, try it without XDM/KDM/GDM (I use XDM but all should
work). pam should write some debug information. Then search /dev/mapper
for something that looks like your home-partition's mapping.
[-- Attachment #1.2: pam_mount.conf.xml.gz --]
[-- Type: application/x-gzip, Size: 5105 bytes --]
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-15 23:09 Randy Barlow
2008-02-16 9:04 ` Florian Philipp
2008-02-16 12:14 ` Sune Kloppenborg Jeppesen
@ 2008-02-16 22:27 ` Wojciech Ziniewicz
2008-02-17 8:05 ` Randy Barlow
2008-02-17 10:53 ` Florian Sowade
3 siblings, 1 reply; 18+ messages in thread
From: Wojciech Ziniewicz @ 2008-02-16 22:27 UTC (permalink / raw
To: gentoo-security
2008/2/16, Randy Barlow <randy@electronsweatshop.com>:
> Thanks for any enlightenment you can offer!
>
> [1] http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_EncFS
> [2] http://gentoo-wiki.com/SECURITY_dmcrypt
>
Just being curious - what prevents You from using encrypted LVM
parition for home ?
--
Wojciech Ziniewicz
Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;fl
ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
ct;umount;makeclean; zip;split;done;exit:xargs!!;)}
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-16 22:27 ` Wojciech Ziniewicz
@ 2008-02-17 8:05 ` Randy Barlow
0 siblings, 0 replies; 18+ messages in thread
From: Randy Barlow @ 2008-02-17 8:05 UTC (permalink / raw
To: gentoo-security
Wojciech Ziniewicz wrote:
> 2008/2/16, Randy Barlow <randy@electronsweatshop.com>:
>
>> Thanks for any enlightenment you can offer!
>>
>> [1] http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_EncFS
>> [2] http://gentoo-wiki.com/SECURITY_dmcrypt
>>
>
> Just being curious - what prevents You from using encrypted LVM
> parition for home ?
Nothing prevents me per se - this is just an existing system that I'd
rather not repartition if I can get away with it. Right now /home is
part of / so I'm trying to avoid changing that. So far it seems like I
might need to change it anyway though...
--
Randy Barlow
http://electronsweatshop.com
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-15 23:09 Randy Barlow
` (2 preceding siblings ...)
2008-02-16 22:27 ` Wojciech Ziniewicz
@ 2008-02-17 10:53 ` Florian Sowade
2008-02-17 11:25 ` Florian Philipp
3 siblings, 1 reply; 18+ messages in thread
From: Florian Sowade @ 2008-02-17 10:53 UTC (permalink / raw
To: gentoo-security
Randy Barlow wrote:
> I am probably being paranoid, but I'd like to encrypt my /home/username
> folder on my laptop.
just another point: you should think about encrypting at least /tmp and swap
too, because temporary data will be stored there and if your home dir is
encrypted but those two are not one could simply read your data from there.
Have a look at this forum thread for the setup. because it uses random keys
you don't have to enter a passphrase at bootup:
http://forums.gentoo.org/viewtopic-t-298001-highlight-encrypt+ramdisk.html
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-17 10:53 ` Florian Sowade
@ 2008-02-17 11:25 ` Florian Philipp
0 siblings, 0 replies; 18+ messages in thread
From: Florian Philipp @ 2008-02-17 11:25 UTC (permalink / raw
To: gentoo-security
[-- Attachment #1: Type: text/plain, Size: 1081 bytes --]
On Sun, 2008-02-17 at 11:53 +0100, Florian Sowade wrote:
> Randy Barlow wrote:
> > I am probably being paranoid, but I'd like to encrypt my /home/username
> > folder on my laptop.
>
> just another point: you should think about encrypting at least /tmp and swap
> too, because temporary data will be stored there and if your home dir is
> encrypted but those two are not one could simply read your data from there.
> Have a look at this forum thread for the setup. because it uses random keys
> you don't have to enter a passphrase at bootup:
> http://forums.gentoo.org/viewtopic-t-298001-highlight-encrypt+ramdisk.html
It's even worse when you hibernate because your whole RAM-content
(including disk caches from your encrypted home-partition) is written to
disk and encryption is not so easy because you have to ask for the
pass-phrase on resuming in early userspace. Look here for how to solve
it:
http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS
I fear I'll have to spend my Easter holidays converting my system with
that guide.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-16 22:09 ` Florian Philipp
@ 2008-02-17 19:30 ` Naga Toro
2008-02-18 14:44 ` Luiz Otavio Duarte
0 siblings, 1 reply; 18+ messages in thread
From: Naga Toro @ 2008-02-17 19:30 UTC (permalink / raw
To: gentoo-security
On Saturday 16 February 2008 23.09.05 Florian Philipp wrote:
> On Sat, 2008-02-16 at 21:34 +0100, Naga Toro wrote:
> > Please do, atleast I'm curious.
> Okay,
[...]
Thanks!
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-security] Encrypting a user home folder on a laptop
2008-02-17 19:30 ` Naga Toro
@ 2008-02-18 14:44 ` Luiz Otavio Duarte
0 siblings, 0 replies; 18+ messages in thread
From: Luiz Otavio Duarte @ 2008-02-18 14:44 UTC (permalink / raw
To: gentoo-security
Hi
Here, I'm using loop-AES to crypt all my filesystem. It's really
great and fast. (Actually I run some VMs in my machine...)
Some links:
http://www-curri.u-strasbg.fr/documentation/calcul/doc/ProPack/3SP1/docs/HOWTO/html/Encrypted-Root-Filesystem-HOWTO.html
Basically, you just need a partition or a file that you map using
loopsetup and then mount. ( But you need the kernel support and a new
Util-linux distribution. Nothing hard for a gentoo user)
[]'s
--
##
#Luiz Otavio Duarte
##
--
gentoo-security@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2008-02-18 14:45 UTC | newest]
Thread overview: 18+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-02-16 6:46 [gentoo-security] Encrypting a user home folder on a laptop bmicek
-- strict thread matches above, loose matches on Subject: below --
2008-02-15 23:45 bmicek
2008-02-16 0:08 ` Randy Barlow
2008-02-16 0:15 ` William Kenworthy
2008-02-16 3:06 ` Samuel Halicke
2008-02-16 7:47 ` Christian Spoo
2008-02-15 23:09 Randy Barlow
2008-02-16 9:04 ` Florian Philipp
2008-02-16 20:34 ` Naga Toro
2008-02-16 22:09 ` Florian Philipp
2008-02-17 19:30 ` Naga Toro
2008-02-18 14:44 ` Luiz Otavio Duarte
2008-02-16 21:12 ` Mansour Moufid
2008-02-16 12:14 ` Sune Kloppenborg Jeppesen
2008-02-16 22:27 ` Wojciech Ziniewicz
2008-02-17 8:05 ` Randy Barlow
2008-02-17 10:53 ` Florian Sowade
2008-02-17 11:25 ` Florian Philipp
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox