public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Loop-AES versus DM-Crypt versus ???
@ 2008-06-23 10:26 Chris Walters
  2008-06-23 10:45 ` Rumen Yotov
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Chris Walters @ 2008-06-23 10:26 UTC
  To: gentoo-user

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Sorry if this subject has been hashed and rehashed again, but I was wondering
which Gentoo partition encryption scheme is considered the best, in terms of:

1. Security
2. Ease of setup and use
3. Number and type of ciphers available

This question is inspired by my current use of loop-AES on my home directories,
and my desire to encrypt my whole filesystem - except for a boot loader partition.

Regards,
Chris
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJIX3pcAAoJEIAhA8M9p9DAC6QQAJpZPiIgt6BgiB5iO+FTGYH9
jmK41+vSNKD7sVK9VLjMlzkXSCeu1gVqZ0ipntnegHLl3mnowqaaqtzSuscKUL7D
Z0yKXpf2ra/1EPay2TXelQd3barCSaccqf8AvL2EHfkqCMGIzH9gPusAZp8EW/ll
zkEOicOo4GILZgE1sFNfCy7pCBC0ccV3dNnD1lGJGtuYYZQFH10P2Jkb8/Uh7ycq
TSTqP0xtka3kcB6R2v8FPuwTUiuUu3toL7ZSlj5rlXp8Bb4w1j8GEIt/xcWhsqfk
hanSGJ+tn7lGdl/4ooJfY3rtbFHYJfDLyUHoYARVPtARINpF+pSxox/lgrXysg08
t0iVuTMgXPX9UQmK0Pk9BbYfHkF2RyqVNXYzdFSAOgevXXLikvuCm4eSu+bUnndO
SgUXyhNNGVEDqm7Vtgdv+xpKYEqfXgrHx4/iodMLCmsQZgwtB5xHGrjasvmQN6Ji
3QYzSAnsnuP60tnHkPSUqR0VIQUneMGsgEL5K/QfD1OZMTT2yOOR6JTU4t6biLei
+sCh81ELsQ/zS4B5esyPInIJobGhC/5H+RXUEnvvDcQtILQsaKqn8u9vdvyL6izj
bXLE3tz9ELq/M9zaHq/7xFsV32hBh8lFJoWDK1lvtKqJwRS+dLvTkP3OsNFkkltf
TGkGWqSqSf5u8/DeETbD
=Cc+m
-----END PGP SIGNATURE-----
-- 
gentoo-user@lists.gentoo.org mailing list


* Re: [gentoo-user] Loop-AES versus DM-Crypt versus ???
  2008-06-23 10:26 [gentoo-user] Loop-AES versus DM-Crypt versus ??? Chris Walters
@ 2008-06-23 10:45 ` Rumen Yotov
  2008-06-23 11:45 ` Dirk Heinrichs
  2008-06-27  3:41 ` [gentoo-user] " 7v5w7go9ub0o
  2 siblings, 0 replies; 10+ messages in thread
From: Rumen Yotov @ 2008-06-23 10:45 UTC
  To: gentoo-user

On (23/06/08 06:26) Chris Walters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Sorry if this subject has been hashed and rehashed again, but I was 
> wondering
> which Gentoo partition encryption scheme is considered the best, in terms 
> of:
>
> 1. Security
> 2. Ease of setup and use
> 3. Number and type of ciphers available
>
> This question is inspired by my current use of loop-AES on my home 
> directories,
> and my desire to encrypt my whole filesystem - except for a boot loader 
> partition.
>
> Regards,
> Chris
Hi,

I use loop-aes, read a discussion about it being more secure.
Not using any encrypted partitions but think both will give you the ability
to do this, just select which one to use.
Not much information but count it as a vote :-)
HTH. Rumen

* Re: [gentoo-user] Loop-AES versus DM-Crypt versus ???
  2008-06-23 10:26 [gentoo-user] Loop-AES versus DM-Crypt versus ??? Chris Walters
  2008-06-23 10:45 ` Rumen Yotov
@ 2008-06-23 11:45 ` Dirk Heinrichs
  2008-06-23 15:46   ` Chris Walters
  2008-06-27  3:41 ` [gentoo-user] " 7v5w7go9ub0o
  2 siblings, 1 reply; 10+ messages in thread
From: Dirk Heinrichs @ 2008-06-23 11:45 UTC
  To: gentoo-user

On Monday, 23 June 2008, ext Chris Walters wrote:
> Sorry if this subject has been hashed and rehashed again, but I was
> wondering which Gentoo partition encryption scheme is considered the
> best, in terms of:
>
> 1. Security

Don't know, I'm not a crypto expert.

> 2. Ease of setup and use

dm-crypt with LUKS is IMHO the easier one to setup.

> 3. Number and type of ciphers available

Maybe I'm wrong, but the name loop-aes tells this, right? With LUKS, one can 
use (nearly?) any cipher/hash supported by the kernel.

> This question is inspired by my current use of loop-AES on my home
> directories, and my desire to encrypt my whole filesystem - except for a
> boot loader partition.

Gentoo has support for both. Big plus of LUKS is the ability to assign more 
than one key (so my wife can boot the laptop with her own key).

HTH...

	Dirk
-- 
Dirk Heinrichs          | Tel:  +49 (0)162 234 3408
Configuration Manager   | Fax:  +49 (0)211 47068 111
Capgemini Deutschland   | Mail: dirk.heinrichs@capgemini.com
Wanheimerstraße 68      | Web:  http://www.capgemini.com
D-40468 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: wwwkeys.pgp.net

* Re: [gentoo-user] Loop-AES versus DM-Crypt versus ???
  2008-06-23 11:45 ` Dirk Heinrichs
@ 2008-06-23 15:46   ` Chris Walters
  2008-06-23 17:14     ` Dirk Heinrichs
  2008-06-23 18:21     ` Sebastian Wiesner
  0 siblings, 2 replies; 10+ messages in thread
From: Chris Walters @ 2008-06-23 15:46 UTC
  To: gentoo-user

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dirk Heinrichs wrote:
| On Monday, 23 June 2008, ext Chris Walters wrote:
[snip]
|> 3. Number and type of ciphers available
|
| Maybe I'm wrong, but the name loop-aes tells this, right? With LUKS, one can
| use (nearly?) any cipher/hash supported by the kernel.
[snip]
| Gentoo has support for both. Big plus of LUKS is the ability to assign more
| than one key (so my wife can boot the laptop with her own key).
|
| HTH...
|
| 	Dirk

Actually, there are extra ciphers available for use with loop-aes.  Just can't
figure out how to compile them with the loop-aes kernel patch, yet.

I might try LUKS.  Does it have support for multi-key encryption?  How about
random key encryption?

Regards,
Chris

* Re: [gentoo-user] Loop-AES versus DM-Crypt versus ???
  2008-06-23 15:46   ` Chris Walters
@ 2008-06-23 17:14     ` Dirk Heinrichs
  2008-06-23 18:21     ` Sebastian Wiesner
  1 sibling, 0 replies; 10+ messages in thread
From: Dirk Heinrichs @ 2008-06-23 17:14 UTC
  To: gentoo-user

On Monday, 23 June 2008, Chris Walters wrote:

> I might try LUKS.  Does it have support for multi-key encryption?  How
> about random key encryption?

Hmm, didn't I mention this? Yes to both. See also http://luks.endorphin.org.

Bye...

	Dirk

* Re: [gentoo-user] Loop-AES versus DM-Crypt versus ???
  2008-06-23 15:46   ` Chris Walters
  2008-06-23 17:14     ` Dirk Heinrichs
@ 2008-06-23 18:21     ` Sebastian Wiesner
  1 sibling, 0 replies; 10+ messages in thread
From: Sebastian Wiesner @ 2008-06-23 18:21 UTC
  To: gentoo-user

Chris Walters <cjw2004d@comcast.net> at Monday 23 June 2008, 17:46:23
> Dirk Heinrichs wrote:
> | On Monday, 23 June 2008, ext Chris Walters wrote:
>
> [snip]
>
> |> 3. Number and type of ciphers available
> |
> | Maybe I'm wrong, but the name loop-aes tells this, right? With LUKS,
> | one can use (nearly?) any cipher/hash supported by the kernel.
>
> [snip]
>
> | Gentoo has support for both. Big plus of LUKS is the ability to assign
> | more than one key (so my wife can boot the laptop with her own key).
> |
> | HTH...
> |
> | 	Dirk
>
> Actually, there are extra ciphers available for use with loop-aes. 

Does it matter?  AES is one of the best algorithms available, there is no 
reason to change to another.

> I might try LUKS.  Does it have support for multi-key encryption?

Yes, it has.

> How about random key encryption?

That's not a matter of the encryption software itself, random keys should be 
possible with any encryption thing out there.  

Actually, multi-key encryption somehow requires random keys.  In such a 
setup, there is a random master key, which itself is ciphered with the 
individual user keys.  When adding or removing user keys, the software 
stores an individually encrypted copy of the random master key (or removes 
it).

-- 
Freedom is always the freedom of dissenters.
                                      (Rosa Luxemburg)

* [gentoo-user] Re: Loop-AES versus DM-Crypt versus ???
  2008-06-23 10:26 [gentoo-user] Loop-AES versus DM-Crypt versus ??? Chris Walters
  2008-06-23 10:45 ` Rumen Yotov
  2008-06-23 11:45 ` Dirk Heinrichs
@ 2008-06-27  3:41 ` 7v5w7go9ub0o
  2008-06-27 13:08   ` Sebastian Wiesner
  2 siblings, 1 reply; 10+ messages in thread
From: 7v5w7go9ub0o @ 2008-06-27  3:41 UTC
  To: gentoo-user

Chris Walters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Sorry if this subject has been hashed and rehashed again, but I was 
> wondering
> which Gentoo partition encryption scheme is considered the best, in 
> terms of:
> 
> 1. Security

"....Another thing: If I remember correctly, LUKS keeps the actual key 
on the encrypted disk, itself encrypted with a passphrase. Naturally 
this means that an attacker only has to break the passphrase, which gets 
him the key"

FYI; I don't know if the above is correct.

http://blog.pioto.org/2008/05/encrypting-almost-your-entire.html

HTH

* Re: [gentoo-user] Re: Loop-AES versus DM-Crypt versus ???
  2008-06-27  3:41 ` [gentoo-user] " 7v5w7go9ub0o
@ 2008-06-27 13:08   ` Sebastian Wiesner
  2008-06-27 17:19     ` 7v5w7go9ub0o
  0 siblings, 1 reply; 10+ messages in thread
From: Sebastian Wiesner @ 2008-06-27 13:08 UTC
  To: gentoo-user

7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> at Friday 27 June 2008, 05:41:15
> Chris Walters wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > Sorry if this subject has been hashed and rehashed again, but I was
> > wondering
> > which Gentoo partition encryption scheme is considered the best, in
> > terms of:
> >
> > 1. Security
>
> "....Another thing: If I remember correctly, LUKS keeps the actual key
> on the encrypted disk, itself encrypted with a passphrase. Naturally
> this means that an attacker only has to break the passphrase, which gets
> him the key"

Naturally ... if the user wants to use passphrases, the key needs to be 
related to the passphrase somehow, whether by it being derived from the 
passphrase through hashing or it being encrypted with a second key, that is 
derived from the passphrase.

But a decent hard disk encryption system should be able to store the key 
file on a USB stick or on a smart card.  Besides increased security, 
because there is no weak passphrase, it provides increased comfort:  You don't 
have to enter a silly passphrase on every boot ;)

-- 
Freedom is always the freedom of dissenters.
                                      (Rosa Luxemburg)

* [gentoo-user] Re: Loop-AES versus DM-Crypt versus ???
  2008-06-27 13:08   ` Sebastian Wiesner
@ 2008-06-27 17:19     ` 7v5w7go9ub0o
  2008-06-27 20:46       ` Dirk Heinrichs
  0 siblings, 1 reply; 10+ messages in thread
From: 7v5w7go9ub0o @ 2008-06-27 17:19 UTC
  To: gentoo-user

Sebastian Wiesner wrote:
> 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> at Friday 27 June 2008, 05:41:15
>> Chris Walters wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> Sorry if this subject has been hashed and rehashed again, but I was
>>> wondering
>>> which Gentoo partition encryption scheme is considered the best, in
>>> terms of:
>>>
>>> 1. Security
>> "....Another thing: If I remember correctly, LUKS keeps the actual key
>> on the encrypted disk, itself encrypted with a passphrase. Naturally
>> this means that an attacker only has to break the passphrase, which gets
>> him the key"
> 
> Naturally ... if the user wants to use passphrases, the key needs to be 
> related to the passphrase somehow, whether by it being derived from the 
> passphrase through hashing or it being encrypted with a second key, that is 
> derived from the passphrase.
> 
> But a decent hard disk encryption system should be able to store the key 
> file on a USB stick or on a smart card.  Besides increased security, 
> because there is no weak passphrase, it provides increased comfort:  You don't 
> have to enter a silly passphrase on every boot ;)
> 

Yes.

But if I understand his comment, the LUKS standard requires a copy to be 
stored on the HD - even if using the more secure dongle - and keeping a 
passphrase-encrypted copy on the HD permanently renders the HD integrity 
compromised.

ISTM the better way to use a passphrase would be to passphrase-encrypt 
the encryption key and store it somewhere on a boot sector. On the boot 
sector - but not within the encrypted disk - as having it on the disk 
weakens the disk integrity. If you later acquire a USB, you simply 
transfer the whole encryption key to the USB and remove the passphrase 
obscuration programs from the boot sector.

So IIUC the question becomes, can one configure LUKS to NOT keep a copy 
of the passphrase-protected encryption key on the HD (or is keeping it 
there part of the LUKS "standard")?

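As an added example for this thread (it is not cryptsetup's code and does not reproduce the LUKS on-disk format), the Python below models the scheme Sebastian describes and the attack 7v5w7go9ub0o worries about: one random master key, a key slot per passphrase holding the master key wrapped under a PBKDF2-derived key, luksAddKey/luksKillSlot-style adding and removing of slots, and a dictionary attack that recovers the master key by guessing any one slot's passphrase. Assumptions: the wrapping is a PBKDF2-derived XOR mask plus an HMAC tag standing in for LUKS's AES-based wrapping with anti-forensic splitting, the iteration count is kept low so the demo runs quickly, and the passphrases and guess list are constructed for the demo.

```python
"""Toy model of LUKS-style key slots (example for this thread, not cryptsetup code)."""
import hashlib
import hmac
import os

MASTER_KEY_LEN = 32      # 256-bit master key that would encrypt the data
SLOT_COUNT = 8           # LUKS1 headers carry eight key slots
KDF_ITERATIONS = 50_000  # deliberately low for the demo; real LUKS benchmarks this far higher


def _kdf(secret: bytes, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS, length)


def _wrap(master_key: bytes, passphrase: str, salt: bytes) -> bytes:
    """Wrap the master key under a passphrase-derived key (XOR mask + HMAC tag).
    Stand-in for LUKS's cipher-based wrapping; the salt is unique per slot."""
    kek = _kdf(passphrase.encode(), salt, 2 * MASTER_KEY_LEN)
    mask, mac_key = kek[:MASTER_KEY_LEN], kek[MASTER_KEY_LEN:]
    wrapped = bytes(a ^ b for a, b in zip(master_key, mask))
    return wrapped + hmac.new(mac_key, wrapped, "sha256").digest()


def _unwrap(blob: bytes, passphrase: str, salt: bytes):
    """Return the master key if the passphrase fits this slot, else None."""
    kek = _kdf(passphrase.encode(), salt, 2 * MASTER_KEY_LEN)
    mask, mac_key = kek[:MASTER_KEY_LEN], kek[MASTER_KEY_LEN:]
    wrapped, tag = blob[:MASTER_KEY_LEN], blob[MASTER_KEY_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, wrapped, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, mask))


def _store_slot(header: dict, master_key: bytes, passphrase: str) -> int:
    for idx, slot in enumerate(header["slots"]):
        if slot is None:
            salt = os.urandom(16)
            header["slots"][idx] = {"salt": salt, "blob": _wrap(master_key, passphrase, salt)}
            return idx
    raise RuntimeError("all key slots in use")


def format_volume(passphrase: str) -> dict:
    """luksFormat-style: fresh random master key, a digest of it, slot 0 filled."""
    master_key = os.urandom(MASTER_KEY_LEN)
    digest_salt = os.urandom(16)
    header = {
        "mk_digest_salt": digest_salt,
        "mk_digest": _kdf(master_key, digest_salt, 20),  # lets a candidate key be verified, as LUKS1 does
        "slots": [None] * SLOT_COUNT,
    }
    _store_slot(header, master_key, passphrase)
    return header


def open_volume(header: dict, passphrase: str):
    """Try the passphrase against every occupied slot; return the master key or None."""
    for slot in header["slots"]:
        if slot is None:
            continue
        candidate = _unwrap(slot["blob"], passphrase, slot["salt"])
        if candidate is not None and hmac.compare_digest(
            _kdf(candidate, header["mk_digest_salt"], 20), header["mk_digest"]
        ):
            return candidate
    return None


def add_key(header: dict, existing_passphrase: str, new_passphrase: str) -> int:
    """luksAddKey-style: an existing passphrase must unlock the master key first."""
    master_key = open_volume(header, existing_passphrase)
    if master_key is None:
        raise PermissionError("existing passphrase does not open any slot")
    return _store_slot(header, master_key, new_passphrase)


def remove_key(header: dict, slot_index: int) -> None:
    """luksKillSlot-style: drop one wrapped copy; the master key itself is unchanged."""
    if sum(s is not None for s in header["slots"]) == 1:
        raise RuntimeError("refusing to remove the last slot: the data would be unrecoverable")
    header["slots"][slot_index] = None


def guess_passphrase(header: dict, dictionary):
    """What 'break the passphrase' means: any slot that opens yields the master key."""
    for guess in dictionary:
        if open_volume(header, guess) is not None:
            return guess
    return None


if __name__ == "__main__":
    hdr = format_volume("correct horse battery staple")       # constructed passphrase
    add_key(hdr, "correct horse battery staple", "secret")    # constructed weak second passphrase
    same = open_volume(hdr, "secret") == open_volume(hdr, "correct horse battery staple")
    print("both slots unwrap the same master key:", same)
    print("weak slot guessed as:", guess_passphrase(hdr, ["password", "123456", "secret"]))
```

The point for 7v5w7go9ub0o's question: the wrapped copies live in the header, so whoever holds the header can attack each slot at the cost of one KDF run per guess, and the weakest passphrase in any slot sets the bar. Later cryptsetup releases added a detached-header option (`--header`) that keeps this structure off the data disk; what it cannot change is that a passphrase slot is only as strong as the passphrase and the KDF cost.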

* Re: [gentoo-user] Re: Loop-AES versus DM-Crypt versus ???
  2008-06-27 17:19     ` 7v5w7go9ub0o
@ 2008-06-27 20:46       ` Dirk Heinrichs
  0 siblings, 0 replies; 10+ messages in thread
From: Dirk Heinrichs @ 2008-06-27 20:46 UTC
  To: gentoo-user

On Friday, 27 June 2008, 7v5w7go9ub0o wrote:

> So IIUC the question becomes, can one configure LUKS to NOT keep a copy
> of the passphrase-protected encryption key on the HD (or is keeping it
> there part of the LUKS "standard")?

Well, LUKS means "Linux Unified Key Setup", that's what LUKS is all about. But 
hey, maybe I didn't write it often enough: http://luks.endorphin.org should 
answer all your questions. Your question is already answered in the FAQ 
(via "Docs Wiki" tab).

HTH...

	Dirk