* [gentoo-user] Guidance on encrypting my /home
From: John J. Foster @ 2006-08-13 0:22 UTC
To: Gentoo User

Hi,

I've been playing with encrypting my home directory using cfs and following the instructions at

http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_CFS

I guess it mostly works, although I've had cfsd die randomly a few times in a couple days. It sorta bothers me that app-crypt/cfs is almost 2 years old and is still testing (~x86). This is one of those apps I'd prefer stable.

So, before I get too settled on using this, a few questions.

Do you encrypt your home directory?
What apps and/or combination of apps do you use, and why?
Which ciphers do you prefer? Why?
Is it well supported?
What apps and/or files don't play well with encryption?

I'm sure I'll have more questions after I've read some more.

Thanks,
festus

-- 
In all the millions of years dinosaurs roamed this planet, did any of them feel the need to invent, say, nuclear weapons?
Mickeyz
* Re: [gentoo-user] Guidance on encrypting my /home
From: Ryan Tandy @ 2006-08-13 0:36 UTC
To: gentoo-user

John J. Foster wrote:
> Do you encrypt your home directory?

Not on my desktop. On my laptop, however, everything except /boot is encrypted (/, /home, swap).

> What apps and/or combination of apps do you use, and why?

sys-apps/util-linux with USE=crypt, and app-crypt/loop-aes.

> Which ciphers do you prefer? Why?

AES256, because that's what the HOWTO used. :P

> Is it well supported?

It has a README... :P Actually, I've never had a problem with it. :) It's ~arch only, though, and it's been that way for as long as I've used it.

> What apps and/or files don't play well with encryption?

None that I've found.

-- 
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Guidance on encrypting my /home
From: Jerry McBride @ 2006-08-13 1:10 UTC
To: Gentoo User

On Saturday 12 August 2006 20:22, John J. Foster wrote:
> Hi,
>
> I've been playing with encrypting my home directory using cfs and
> following the instructions at
>
> http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_CFS
>
> I guess it mostly works, although I've had cfsd die randomly a few
> times in a couple days. It sorta bothers me that app-crypt/cfs is
> almost 2 years old and is still testing (~x86). This is one of those
> apps I'd prefer stable.
>
> So, before I get too settled on using this, a few questions.
>
> Do you encrypt your home directory?

Yes, and others as well.

> What apps and/or combination of apps do you use, and why?

We use dmcrypt, which is used to encrypt loop devices as well as complete partitions.

> Which ciphers do you prefer? Why?

aes-i586 keeps prying eyes out of sensitive data.

> Is it well supported?

Most of it is in the kernel... so it's pretty well supported "right out of the box"...

> What apps and/or files don't play well with encryption?

None that we run.

> I'm sure I'll have more questions after I've read some more.

Feel free to post here or email me directly.

Cheers,
Jerry.

P.S. Is your name foster or festus?
* Re: [gentoo-user] Guidance on encrypting my /home
From: Richard Fish @ 2006-08-13 1:32 UTC
To: gentoo-user

On 8/12/06, John J. Foster <Gentoo-User@festus.150ml.com> wrote:
> Do you encrypt your home directory?

I encrypt everything except /boot.

> What apps and/or combination of apps do you use, and why?

dm-crypt with cryptsetup using the LUKS format.

> Which ciphers do you prefer? Why?

aes-cbc-essiv:sha256, 128bit, because it is fast.

> Is it well supported?

In the kernel, about as well supported as you can get.

> What apps and/or files don't play well with encryption?

The only real impact this has is that backups use a lot more CPU time, since I have to decrypt the data from one drive, compress it, and then re-encrypt it to write to another drive. Then again, multi-core processors are cheap!

-Richard
* Re: [gentoo-user] Guidance on encrypting my /home
From: Neil Bothwick @ 2006-08-13 9:37 UTC
To: gentoo-user

On Sat, 12 Aug 2006 18:32:49 -0700, Richard Fish wrote:

> > Do you encrypt your home directory?
>
> I encrypt everything except /boot.

Is there any benefit in encrypting the likes of /usr and /opt? Unless you don't want anyone to know which software you have installed :)

> > What apps and/or combination of apps do you use, and why?
>
> dm-crypt with cryptsetup using the LUKS format.

Same here, but only for /home and my backup directory. I really should encrypt swap too.

> > Which ciphers do you prefer? Why?
>
> aes-cbc-essiv:sha256, 128bit, because it is fast.

Ditto.

-- 
Neil Bothwick

Top Oxymorons Number 10: Computer security
* Re: [gentoo-user] Guidance on encrypting my /home
From: Ryan Sims @ 2006-08-13 17:42 UTC
To: gentoo-user

On 8/13/06, Neil Bothwick <neil@digimed.co.uk> wrote:
> On Sat, 12 Aug 2006 18:32:49 -0700, Richard Fish wrote:
[snip]
> > > What apps and/or combination of apps do you use, and why?
> >
> > dm-crypt with cryptsetup using the LUKS format.
>
> Same here, but only for /home and my backup directory. I really should
> encrypt swap too.

This thread piqued my interest; I found this:
http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS/loopback_devices

Is that how you do your home dir? Where do you put the open/close commands? Is fstab smart enough to do this natively?

-- 
Ryan W Sims
()  ascii ribbon campaign - against html mail
/\                        - against proprietary attachments
* Re: [gentoo-user] Guidance on encrypting my /home
From: Neil Bothwick @ 2006-08-13 18:12 UTC
To: gentoo-user

On Sun, 13 Aug 2006 13:42:50 -0400, Ryan Sims wrote:

> This thread piqued my interest; I found this:
> http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS/loopback_devices
>
> Is that how you do your home dir?

No, I use a full partition, not a loop device.

> Where do you put the open/close
> commands? Is fstab smart enough to do this natively?

baselayout handles this, just edit /etc/conf.d/cryptfs.

-- 
Neil Bothwick

To whom the gods destroy, they first teach Windows...
* Re: [gentoo-user] Guidance on encrypting my /home
From: Richard Fish @ 2006-08-13 18:39 UTC
To: gentoo-user

On 8/13/06, Neil Bothwick <neil@digimed.co.uk> wrote:
> On Sat, 12 Aug 2006 18:32:49 -0700, Richard Fish wrote:
> Is there any benefit in encrypting the likes of /usr and /opt? Unless you
> don't want anyone to know which software you have installed :)

Not really :-P

It was just easy to do since I use LVM and just encrypt the partition that all the LVM volumes live on. The hard part was that I needed a custom-built initramfs to prompt me for the decryption password at boot.

-Richard
* Re: [gentoo-user] Guidance on encrypting my /home
From: John J. Foster @ 2006-08-13 22:09 UTC
To: gentoo-user

On Sat, Aug 12, 2006 at 06:32:49PM -0700, Richard Fish wrote:
> On 8/12/06, John J. Foster <Gentoo-User@festus.150ml.com> wrote:
> >Do you encrypt your home directory?
>
> I encrypt everything except /boot.
>
> >What apps and/or combination of apps do you use, and why?
>
> dm-crypt with cryptsetup using the LUKS format.
>
> >Which ciphers do you prefer? Why?
>
> aes-cbc-essiv:sha256, 128bit, because it is fast.
>
> >Is it well supported?
>
> In the kernel, about as well supported as you can get.
>

Ok, this looks like a setup I'd be pleased with. Right now I have

/
/boot
swap

How much of a pain will it be to implement now? Or will I be better off waiting about 6 months till I get a laptop, and then following the guide at

http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS

and in the meantime continue using cfs? Is that guide pretty accurate?

Thanks,
festus

-- 
In all the millions of years dinosaurs roamed this planet, did any of them feel the need to invent, say, nuclear weapons?
Mickeyz
* Re: [gentoo-user] Guidance on encrypting my /home
From: Richard Fish @ 2006-08-14 6:59 UTC
To: gentoo-user

On 8/13/06, John J. Foster <Gentoo-User@festus.150ml.com> wrote:
> Ok, this looks like a setup I'd be pleased with. Right now I have
>
> /
> /boot
> swap
>
> How much of a pain will it be to implement now? Or will I be better off
> waiting about 6 months till I get a laptop, and then following the guide
> at
>
> http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS

This guide seems reasonable. I think the current live CD includes the version of cryptsetup that understands LUKS though, so it shouldn't be necessary to download that. And I prefer to randomize the disk by encrypting with a random password before I set up the actual mapping.

If you want to get started on this before your new laptop arrives, I suggest starting with the initramfs and encrypting swap only. You should be able to create an initramfs that will set up the mapping and do the swapon before your root filesystem mounts. Once you have that working, and are comfortable with how the initramfs works, you can move on to your root filesystem.

Cheers,

-Richard
* Re: [gentoo-user] Guidance on encrypting my /home
From: Dirk Heinrichs @ 2006-08-14 7:17 UTC
To: gentoo-user

On Monday, 14 August 2006 08:59, ext Richard Fish wrote:

> If you want to get started on this before your new laptop arrives, I
> suggest starting with the initramfs and encrypting swap only. You
> should be able to create an initramfs that will setup the mapping and
> do the swapon before your root filesystem mounts. Once you have that
> working, and are comfortable with how the initramfs works, you can
> move on to your root filesystem.

I can offer a script to create an initramfs for an "all on LUKS-encrypted EVMS-managed logical volumes" machine (all but /boot, of course).

Bye...

Dirk

-- 
Dirk Heinrichs          | Tel:  +49 (0)162 234 3408
Configuration Manager   | Fax:  +49 (0)211 47068 111
Capgemini Deutschland   | Mail: dirk.heinrichs@capgemini.com
Hambornerstraße 55      | Web:  http://www.capgemini.com
D-40472 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: www.keyserver.net
* Re: [gentoo-user] Guidance on encrypting my /home
From: John J. Foster @ 2006-08-15 0:03 UTC
To: gentoo-user

On Sun, Aug 13, 2006 at 11:59:48PM -0700, Richard Fish wrote:
>
> If you want to get started on this before your new laptop arrives, I
> suggest starting with the initramfs and encrypting swap only. You
> should be able to create an initramfs that will setup the mapping and
> do the swapon before your root filesystem mounts. Once you have that
> working, and are comfortable with how the initramfs works, you can
> move on to your root filesystem.
>

Thanks Richard, that sounds like sound advice. Creating the initramfs at first glance seems difficult. But after a little more reading, maybe not too bad. By working with only swap to begin with, I _should_ be limited to minimal damage.

festus

-- 
In all the millions of years dinosaurs roamed this planet, did any of them feel the need to invent, say, nuclear weapons?
Mickeyz
* Re: [gentoo-user] Guidance on encrypting my /home
From: Stefan G. Weichinger @ 2006-08-19 18:06 UTC
To: gentoo-user

Richard Fish wrote:

>> http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS
>
> This guide seems reasonable. I think the current live CD includes the
> version of cryptsetup that understands LUKS though, so it shouldn't be
> necessary to download that. And I prefer to randomize the disk by
> encrypting with a random password before I setup the actual mapping.
>
> If you want to get started on this before your new laptop arrives, I
> suggest starting with the initramfs and encrypting swap only. You
> should be able to create an initramfs that will setup the mapping and
> do the swapon before your root filesystem mounts. Once you have that
> working, and are comfortable with how the initramfs works, you can
> move on to your root filesystem.

I followed that guide and have now managed to boot from my encrypted root-fs, using the current genkernel, which provides LUKS-support via --luks. Doing it this way I skipped the init-script on that page completely.

But this only works for /root, not for swap.

As my goal is to encrypt root and swap *and* use suspend2, I had to go slightly different paths than the mentioned howto says. There are various HOWTOs out there, but no one that exactly meets my requirements.

(For example I also tried genkernel-luks 3.1.0, but AFAI can see, this is already merged into the current genkernel 3.4.0)

Would you recommend using the initramfs from the HOWTO, or might there be another way of doing it, staying closer to the genkernel-way of doing it?

- I also didn't fully understand that note about having two swap-partitions, one for swap and one for suspend: Wouldn't the suspended image be unencrypted?

- Are there any comparisons between the speed of using
  aes-cbc-essiv:sha256, 128bit and
  aes-cbc-essiv:sha256, 256bit ?

I write this on my P4-M 1.8GHz, using this root-partition:

    /dev/mapper/root is active:
      cipher:  serpent-cbc-essiv:sha256
      keysize: 256 bits
      device:  /dev/hda6
      offset:  2056 sectors
      size:    20111261 sectors
      mode:    read/write

and the performance seems OK to me. But it could always be better ;)

I will have a look through the docs to see the security-implications of using "only" 128bit.

Greetings, Stefan.
* Re: [gentoo-user] Guidance on encrypting my /home
From: Stefan G. Weichinger @ 2006-08-19 20:29 UTC
To: gentoo-user

Stefan G. Weichinger wrote:

> As my goal is to encrypt root and swap *and* use suspend2, I had to
> go slightly different paths than the mentioned howto says.

---

> Would you recommend to use the initramfs from the HOWTO, or might
> there be another way of doing it, staying closer at the genkernel-way
> of doing it?
>
> -

Update on this: curiosity pushed me further, now I implemented that init-script as provided and write this mail from a freshly resumed suspend2-session, running fully on luks-encrypted /root and swap.

:-) nice ....

It wasn't *that* hard to do, now I am gonna testdrive this setup for some days/hours, then I plan to remove the original unencrypted partitions and move the encrypted partitions into their place, thereby getting more space for /root etc.

Thanks for the HOWTO, I'd like to discuss things a bit further nonetheless ...

Greetings, Stefan.
* Re: [gentoo-user] Guidance on encrypting my /home
From: Richard Fish @ 2006-08-19 20:54 UTC
To: gentoo-user

On 8/19/06, Stefan G. Weichinger <lists@xunil.at> wrote:
> Would you recommend to use the initramfs from the HOWTO, or might there
> be another way of doing it, staying closer at the genkernel-way of doing it?

Well genkernel also allows you to specify a custom linuxrc (--linuxrc=). This is probably the route I would take with genkernel. The default is in /usr/share/genkernel/generic/linuxrc, which you can use for inspiration. Generally that script does everything that you will want to do, just not in the order you want to do it in.

You have a few options for this setup. If you don't mind typing your password twice, you can just use cryptsetup twice in your linuxrc to decrypt swap and root. Actually, with suspend2 usage, you would probably have something like:

    # open the encrypted swap first, so a suspend2 image on it can be found
    cryptsetup ... crypt_swap
    if test -f /proc/suspend2/resume2; then
        # suspend2 wants the swap device as a hex major/minor number
        devnum=`busybox stat -c "0x%.2t%.2T" /dev/mapper/crypt_swap`
        echo $devnum >/proc/suspend2/resume2
    fi
    if test -f /proc/suspend2/do_resume; then
        # if an image is present this never returns
        echo > /proc/suspend2/do_resume
    fi
    # didn't resume, so continue booting
    cryptsetup ... crypt_root
    ...

An option to allow typing your password once during bootup is to suspend to a file on the root filesystem, and encrypt your swap partition randomly. I've never tried this, but I expect the resume part would be something like:

    # root has to be open and mounted before the image file is reachable
    cryptsetup ... crypt_root
    mount -o ro /dev/mapper/crypt_root /mnt/newroot
    if test -f /proc/suspend2/resume2; then
        echo "/mnt/newroot/.suspend.img" >/proc/suspend2/resume2
    fi
    if test -f /proc/suspend2/do_resume; then
        echo > /proc/suspend2/do_resume
    fi

Another option if you want to keep a single combined swap/suspend2 'partition' is to use LVM. In this case, you would combine your swap and root partitions, and set up a dm-crypt mapping. On the encrypted volume, you make an LVM physical volume, create a volume group on the pv, and then create logical volumes within the volume group. It sounds complex, but it really isn't too hard. The bootup sequence there looks like:

    # one passphrase opens the physical volume; LVM then exposes swap and root
    cryptsetup ... crypt_pv
    vgchange -a y
    if test -f /proc/suspend2/resume2; then
        devnum=`busybox stat -c "0x%.2t%.2T" /dev/mapper/vg0-swap`
        echo $devnum >/proc/suspend2/resume2
    fi
    # trigger the resume from the swap LV, as in the sequences above
    if test -f /proc/suspend2/do_resume; then
        echo > /proc/suspend2/do_resume
    fi
    # didn't resume, so continue booting
    mount -o ro /dev/mapper/vg0-root /mnt/newroot
    ...

You do have to remember to update your lvm configuration to scan encrypted device-mapper volumes:

    filter = [ "a|/dev/mapper/crypt_*|", "r|/dev/mapper/*|" ]

> Are there any comparisons between the speed of using
> aes-cbc-essiv:sha256, 128bit and
> aes-cbc-essiv:sha256, 256bit ?

I don't have any comparisons, but it should be easy enough for you to create. Just set up a bare (not luks) mapping and do:

    dd if=/dev/mapper/crypt_foo of=/dev/null bs=64k count=49152

This will read 3G of 'encrypted' data from the drive. You can do this without affecting any data on the disk, as long as you do *not* luksFormat it. Remember to keep an eye on the CPU usage of this with vmstat or top as well.

> /dev/mapper/root is active:
>   cipher: serpent-cbc-essiv:sha256

Generally I've found AES to be slightly faster...

> and the performance seems OK to me. But it could always be better ;)
> I will have a look through the docs to see the security-implications of
> using "only" 128bit.

Just be sure to keep in mind the type of data you have and who you are trying to defend against. Researching encryption on the net is a quick way to get irrationally paranoid. The bottom line is that everything can be broken given enough time and money.

So if you work for the CIA and keep the secret identities of all spies and informants on your laptop, well, then dm-crypt is not sufficient to begin with. If you work for my investment brokerage and have all your customers' financial records on your disk, I want you to use 256-bit encryption. If it is just your bank records and personal emails, use whatever you want.

-Richard
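An added example, not code from the thread or from cryptsetup/dm-crypt, written in Go with only the standard library: what the cipher spec aes-cbc-essiv:sha256 that Stefan and Richard compare at 128 and 256 bits actually does per sector. It shows how ESSIV turns a sector number into an unpredictable IV by keying AES with SHA-256 of the data key (so the IV cipher is AES-256 whichever data-key size is chosen), encrypts and decrypts one 512-byte sector, and includes the older "plain" IV only for contrast; the key and plaintext are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sectorSize: dm-crypt encrypts each 512-byte sector as its own CBC chain,
// so every sector needs its own IV. In "aes-cbc-essiv:sha256" the fields are
// cipher (aes), mode (cbc), IV generator (essiv) and the generator's hash (sha256).
const sectorSize = 512

// ESSIV derives per-sector IVs as dm-crypt does: salt = SHA-256(data key),
// IV(n) = AES_salt(LE64(n) || zeros). The 32-byte salt makes the IV cipher
// AES-256 even when the data key itself is only 128 bits.
type ESSIV struct{ ivCipher cipher.Block }

// NewESSIV hashes the data key into the salt and keys the IV cipher with it.
func NewESSIV(key []byte) (*ESSIV, error) {
	salt := sha256.Sum256(key)
	blk, err := aes.NewCipher(salt[:])
	if err != nil {
		return nil, err
	}
	return &ESSIV{ivCipher: blk}, nil
}

// IV returns the 16-byte IV for sector n. n counts from the start of the
// mapped device (cryptsetup's iv_offset, 0 for LUKS), not from the payload
// "offset" that "cryptsetup status" prints.
func (e *ESSIV) IV(n uint64) []byte {
	var in, iv [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(in[:8], n)
	e.ivCipher.Encrypt(iv[:], in[:])
	return iv[:]
}

// PlainIV is the older "plain" generator for comparison: the bare 32-bit
// sector number, which anyone can predict; ESSIV exists to replace it.
func PlainIV(n uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint32(iv, uint32(n))
	return iv
}

// cryptSector runs one sector through AES-CBC under its ESSIV IV; the key is
// 16 or 32 bytes, the "128bit" versus "256bit" choice discussed in the thread.
func cryptSector(key []byte, e *ESSIV, n uint64, in []byte, enc bool) ([]byte, error) {
	if len(in) != sectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(in))
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, sectorSize)
	if enc {
		cipher.NewCBCEncrypter(blk, e.IV(n)).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, e.IV(n)).CryptBlocks(out, in)
	}
	return out, nil
}

// EncryptSector and DecryptSector are the two directions dm-crypt runs per I/O.
func EncryptSector(key []byte, e *ESSIV, n uint64, p []byte) ([]byte, error) { return cryptSector(key, e, n, p, true) }
func DecryptSector(key []byte, e *ESSIV, n uint64, c []byte) ([]byte, error) { return cryptSector(key, e, n, c, false) }

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed 128-bit data key
	e, _ := NewESSIV(key)
	zero := make([]byte, sectorSize) // two identical all-zero sectors
	c0, _ := EncryptSector(key, e, 0, zero)
	c1, _ := EncryptSector(key, e, 1, zero)
	fmt.Println("sector 0 and 1 ciphertexts differ:", !bytes.Equal(c0, c1))
}
```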
* Re: [gentoo-user] Guidance on encrypting my /home
From: Stefan G. Weichinger @ 2006-08-19 21:17 UTC
To: gentoo-user

Richard Fish wrote:
> On 8/19/06, Stefan G. Weichinger <lists@xunil.at> wrote:
>> Would you recommend to use the initramfs from the HOWTO, or might there
>> be another way of doing it, staying closer at the genkernel-way of
>> doing it?
>
> Well genkernel also allows you to specify a custom linuxrc
> (--linuxrc=). This is probably the route I would take with genkernel.
> The default is in /usr/share/genkernel/generic/linuxrc, which you can
> use for inspiration. Generally that script does everything that you
> will want to do, just not in the order you want to do it in.
>
> You have a few options for this setup. If you don't mind typing your

[...]

Great infos, thank you. I will look through them in more detail as soon as I have recovered from getting my current setup done.

My main concern in this context is the question: How to maintain the encrypted partitions over time? What do I have to do/remind when I want to use a newer kernel?

The maintenance-steps should be clear, as I for sure don't want to go through all of this every time a new kernel is released. Or even worse, lose data ... (backups are done regularly, *yes*)

So this was the/one reason to ask for the genkernel-way.

>> Are there any comparisons between the speed of using
>> aes-cbc-essiv:sha256, 128bit and
>> aes-cbc-essiv:sha256, 256bit ?
>
> I don't have any comparisons, but it should be easy enough for you to
> create. Just setup a bare (not luks) mapping and do:
>
> dd if=/dev/mapper/crypt_foo of=/dev/null bs=64k count=49152
>
> This will read 3G of 'encrypted' data from the drive. You can do this
> without affecting any data on the disk, as long as you do *not*
> luksFormat it. Remember to keep an eye on the CPU usage of this with
> vmstat or top as well.

Maybe I give this a try after writing this ...

>> /dev/mapper/root is active:
>> cipher: serpent-cbc-essiv:sha256
>
> Generally I've found AES to be slightly faster...

I found this link at the end of the used HOWTO:

http://www.saout.de/tikiwiki/tiki-index.php?page=UserPageChonhulio

It also shows that AES is faster than Serpent, and additionally that, contrary to the Serpent-Algo, AES with 128 bits is faster than AES with a 256bit key.

I will think about this a bit more before I move my data into place.

>> and the performance seems OK to me. But it could always be better ;)
>> I will have a look through the docs to see the security-implications of
>> using "only" 128bit.
>
> Just be sure to keep in mind the type of data you have and who you are
> trying to defend against. Researching encryption on the net is a
> quick way to get irrationally paranoid. The bottom line is that
> everything can be broken given enough time and money.
>
> So if you work for the CIA and keep the secret identities of all spies
> and informants on your laptop, well, then dm-crypt is not sufficient
> to begin with. If you work for my investment brokerage and have all
> your customers' financial records on your disk, I want you to use
> 256-bit encryption. If it is just your bank records and personal
> emails, use whatever you want.

No CIA, no. IT-consultant, trying to keep customer-related data protected. As well as my own business-related data.

Sounds like AES-256 then.

Thanks a lot for your infos, greets, Stefan
* Re: [gentoo-user] Guidance on encrypting my /home
From: Eray Aslan @ 2006-08-14 6:18 UTC
To: gentoo-user

On Sun, August 13, 2006 3:22 am, John J. Foster wrote:
[snip]
> So, before I get too settled on using this, a few questions.
>
> Do you encrypt your home directory?

/home and swap

> What apps and/or combination of apps do you use, and why?

cryptsetup LUKS

> Which ciphers do you prefer? Why?

AES and Serpent are popular choices AFAIK.

> Is it well supported?
>
> What apps and/or files don't play well with encryption?

DRBD. But then again it might work. I did not spend too much time trying to make them play nice together.

-- 
Eray