* [gentoo-user] Using USB key as real $HOME and possible encryption?
From: Walter Dnes @ 2014-04-28 20:57 UTC
To: Gentoo Users List
I want to set up my notebook for use whilst travelling. I intend to
have an innocuous /home/waltdnes partition on the notebook, and have the
"real" $HOME (a copy of my desktop machine's $HOME) on a 128 gigabyte
USB key. When I want to access it, I'll mount the USB key over
/home/waltdnes. That protects against the notebook being lost/stolen.
The next question is how do I guard the data on the USB key. I'm
looking at using cryptsetup to encrypt the USB key. Some interesting
stuff on Google... http://sleepyhead.de/howto/?href=cryptpart shows how
to use cryptsetup with and without LUKS.
========================================================================
dm-crypt without LUKS
# cryptsetup -y create sdc1 /dev/sdc1 # or any other partition like /dev/loop0
# dmsetup ls # check it, will display: sdc1 (254, 0)
# mkfs.ext3 /dev/mapper/sdc1 # This is done only the first time!
# mount -t ext3 /dev/mapper/sdc1 /mnt
# umount /mnt/
# cryptsetup remove sdc1 # Detach the encrypted partition
Do exactly the same (without the mkfs part!) to re-attach the partition.
If the password is not correct, the mount command will fail. In this
case simply remove the map sdc1 (cryptsetup remove sdc1) and create it
again.
========================================================================
I did a --pretend emerge of cryptsetup, and I see that it pulls in
lvm2 as a dependency, presumably to enable the /dev/mapper/* entries.
Any comments on whether I'm better off with or without LUKS? I also
intend to use ext2, because I understand that a journalling fs is murder
on USB keys.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
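The same workflow done with LUKS instead of the plain `cryptsetup create` from the quoted howto, as an added example that is not from the thread or the linked page. It assumes a cryptsetup that has luksFormat, luksOpen/luksClose and luksHeaderBackup (all present in 1.x and 2.x); /dev/sdX1, the mapping name usbhome and the mount point are placeholders. The difference that matters for a travelling USB key: LUKS writes a header recording cipher, mode, hash and key size, so the key opens on any machine whose kernel has those algorithms without anyone remembering options; a wrong passphrase is rejected at luksOpen rather than producing a garbage device; and several passphrases can be enrolled in separate key slots. The header is also the one thing that, if damaged, makes the data unrecoverable, hence the backup step.

```sh
#!/bin/sh
# usbhome.sh: keep the real $HOME on a LUKS-encrypted USB key and mount it
# over the decoy home directory while travelling.
#   usbhome.sh format /dev/sdX1 usbhome                 # once; destroys the partition
#   usbhome.sh open   /dev/sdX1 usbhome /home/waltdnes
#   usbhome.sh close  usbhome /home/waltdnes
# Set USBHOME_DRY_RUN=1 to print the commands instead of running them.
set -eu

# Run a command, or print it when USBHOME_DRY_RUN=1.
run() {
  if [ "${USBHOME_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# luksFormat stores cipher, mode, hash and key size in the header, so
# luksOpen never has to be told them again.  Plain `cryptsetup create`
# has no header: a wrong passphrase or cipher simply yields garbage.
usbhome_format() {
  dev=$1; name=$2
  run cryptsetup luksFormat --verify-passphrase \
      --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 2000 "$dev"
  run cryptsetup luksOpen "$dev" "$name"
  # ext4 without a journal: no journal rewrites on the flash, but still
  # ext4's extents and large-file support (the ext2 alternative lacks both).
  run mkfs.ext4 -O ^has_journal -L "$name" "/dev/mapper/$name"
  run cryptsetup luksClose "$name"
  # Keep a copy of the header away from the key: a damaged header means
  # the master key, and with it every byte of data, is gone.
  run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$name-luks-header.img"
}

usbhome_open() {
  dev=$1; name=$2; mnt=$3
  run cryptsetup luksOpen "$dev" "$name"     # a wrong passphrase fails here, not at mount
  run mount -o noatime "/dev/mapper/$name" "$mnt"
}

usbhome_close() {
  name=$1; mnt=$2
  run umount "$mnt"
  run cryptsetup luksClose "$name"
}

case "${1:-}" in
  format) usbhome_format "$2" "$3" ;;
  open)   usbhome_open "$2" "$3" "$4" ;;
  close)  usbhome_close "$2" "$3" ;;
  "")     ;;   # no arguments: only define the functions (sourcing, tests)
  *)      echo "usage: $0 format|open|close ..." >&2; exit 2 ;;
esac
```

Run it as root, and with USBHOME_DRY_RUN=1 first to see exactly which commands it would execute against the device. The mount uses noatime so that reading files does not rewrite inodes on the flash.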
* Re: [gentoo-user] Using USB key as real $HOME and possible encryption?
From: Rick "Zero_Chaos" Farina @ 2014-04-29 1:51 UTC
To: gentoo-user
On 04/28/2014 04:57 PM, Walter Dnes wrote:
> I want to set up my notebook for use whilst travelling. I intend to
> have an innocuous /home/waltdnes partition on the notebook, and have the
> "real" $HOME (a copy of my desktop machine's $HOME) on a 128 gigabyte
> USB key. When I want to access it, I'll mount the USB key over
> /home/waltdnes. That protects against the notebook being lost/stolen.
> The next question is how do I guard the data on the USB key. I'm
> looking at using cryptsetup to encrypt the USB key. Some interesting
> stuff on Google... http://sleepyhead.de/howto/?href=cryptpart shows how
> to use cryptsetup with and without LUKS.
>
> ========================================================================
> dm-crypt without LUKS
>
> # cryptsetup -y create sdc1 /dev/sdc1 # or any other partition like /dev/loop0
> # dmsetup ls # check it, will display: sdc1 (254, 0)
> # mkfs.ext3 /dev/mapper/sdc1 # This is done only the first time!
> # mount -t ext3 /dev/mapper/sdc1 /mnt
> # umount /mnt/
> # cryptsetup remove sdc1 # Detach the encrypted partition
>
> Do exactly the same (without the mkfs part!) to re-attach the partition.
> If the password is not correct, the mount command will fail. In this
> case simply remove the map sdc1 (cryptsetup remove sdc1) and create it
> again.
> ========================================================================
>
> I did a --pretend emerge of cryptsetup, and I see that it pulls in
> lvm2 as a dependency, presumably to enable the /dev/mapper/* entries.
> Any comments on whether I'm better off with or without LUKS? I also
> intend to use ext2, because I understand that a journalling fs is murder
> on USB keys.
>
I suggest with LUKS. Also I suggest using ext4 and disabling the
journal (mkfs.ext4 -O ^has_journal). Gentoo has some pretty good init
scripts for dmcrypt that you can use to mount your usb key when ready,
check it out in /etc/conf.d/dmcrypt.
-Zero
* Re: [gentoo-user] Using USB key as real $HOME and possible encryption?
From: Walter Dnes @ 2014-04-29 16:27 UTC
To: gentoo-user
On Mon, Apr 28, 2014 at 09:51:18PM -0400, Rick "Zero_Chaos" Farina wrote
> I suggest with LUKS. Also I suggest using ext4 and disabling the
> journal (mkfs.ext4 -O ^has_journal).
I didn't know you could do that, but what's the point? I'm not trying
to be argumentative, but isn't ext4 without a journal a glorified ext2?
I believe that an ext2 driver can read ext4, if none of the fancy ext4
options have been invoked. And ext4 can read ext2.
Another couple of things I didn't realize. According to
https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for the
crypt target in the kernel. It also suggests
<*> SHA224 and SHA256 digest algorithm
Any comments on their strength? I'm not worried about the NSA or CSIS
as much as opportunistic criminals.
One other item in passing. The "make menuconfig" help text for
CONFIG_DM_CRYPT points to http://www.saout.de/misc/dm-crypt/ but that
site says, and I quote...
> Note: This page is horribly out of date.
> You can find the current pages for the dm-crypt project (the Linux
> kernel part) here: http://code.google.com/p/cryptsetup/wiki/DMCrypt
> and the project page for the command line tool cryptsetup (with Linux
> Unified Key Setup - LUKS) here: http://code.google.com/p/cryptsetup/.
Who should be notified about this? I don't think kernel help text
(except for Gentoo Sources patches) is handled by Gentoo developers.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] Using USB key as real $HOME and possible encryption?
From: Rick "Zero_Chaos" Farina @ 2014-04-29 17:32 UTC
To: gentoo-user
On 04/29/2014 12:27 PM, Walter Dnes wrote:
> On Mon, Apr 28, 2014 at 09:51:18PM -0400, Rick "Zero_Chaos" Farina wrote
>
>> I suggest with LUKS. Also I suggest using ext4 and disabling the
>> journal (mkfs.ext4 -O ^has_journal).
>
> I didn't know you could do that, but what's the point? I'm not trying
> to be argumentative, but isn't ext4 without a journal a glorified ext2?
> I believe that an ext2 driver can read ext4, if none of the fancy ext4
> options have been invoked. And ext4 can read ext2.
I'm not a filesystem expert but there are more differences between ext2
and ext4 than the journal... I think :-)
>
> Another couple of things I didn't realize. According to
> https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for the
> crypt target in the kernel. It also suggests
> <*> SHA224 and SHA256 digest algorithm
>
> Any comments on their strength? I'm not worried about the NSA or CSIS
> as much as opportunistic criminals.
I use whirlpool. Why you ask? It sounds cool! Also it supported 512bit
which seems nice.
>
> One other item in passing. The "make menuconfig" help text for
> CONFIG_DM_CRYPT points to http://www.saout.de/misc/dm-crypt/ but that
> site says, and I quote...
>
>> Note: This page is horribly out of date.
>> You can find the current pages for the dm-crypt project (the Linux
>> kernel part) here: http://code.google.com/p/cryptsetup/wiki/DMCrypt
>> and the project page for the command line tool cryptsetup (with Linux
>> Unified Key Setup - LUKS) here: http://code.google.com/p/cryptsetup/.
>
> Who should be notified about this? I don't think kernel help text
> (except for Gentoo Sources patches) is handled by Gentoo developers.
>
https://bugzilla.kernel.org/
Thanks,
Zero
* Re: [gentoo-user] Using USB key as real $HOME and possible encryption?
From: Walter Dnes @ 2014-04-29 19:58 UTC
To: gentoo-user
On Tue, Apr 29, 2014 at 01:32:46PM -0400, Rick "Zero_Chaos" Farina wrote
> On 04/29/2014 12:27 PM, Walter Dnes wrote:
> >
> > Another couple of things I didn't realize. According to
> > https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for the
> > crypt target in the kernel. It also suggests
> > <*> SHA224 and SHA256 digest algorithm
> >
> > Any comments on their strength? I'm not worried about the NSA or CSIS
> > as much as opportunistic criminals.
>
> I use whirlpool. Why you ask? It sounds cool! Also it supported 512bit
> which seems nice.
Sorry to pester you, but I'm beginning to realize just how much is
involved here that I'm a newbie at. Two more questions...
1) If multiple encryption algorithms are enabled in the kernel, how does
the system decide which one to use?
2) I assume that if I want to use the same encrypted USB key on 2 or
more machines, then the kernels of all the machines must be built with
the same encryption algorithms?
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] Using USB key as real $HOME and possible encryption?
From: Rick "Zero_Chaos" Farina @ 2014-04-30 2:50 UTC
To: gentoo-user
On 04/29/2014 03:58 PM, Walter Dnes wrote:
> On Tue, Apr 29, 2014 at 01:32:46PM -0400, Rick "Zero_Chaos" Farina wrote
>
>> On 04/29/2014 12:27 PM, Walter Dnes wrote:
>>>
>>> Another couple of things I didn't realize. According to
>>> https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for the
>>> crypt target in the kernel. It also suggests
>>> <*> SHA224 and SHA256 digest algorithm
>>>
>>> Any comments on their strength? I'm not worried about the NSA or CSIS
>>> as much as opportunistic criminals.
>>
>> I use whirlpool. Why you ask? It sounds cool! Also it supported 512bit
>> which seems nice.
>
> Sorry to pester you, but I'm beginning to realize just how much is
> involved here that I'm a newbie at. Two more questions...
>
> 1) If multiple encryption algorithms are enabled in the kernel, how does
> the system decide which one to use?
dmcrypt/luks stores the proper encryption algorithm, as long as the
correct one is supported you are all set.
>
> 2) I assume that if I want to use the same encrypted USB key on 2 or
> more machines, then the kernels of all the machines must be built with
> the same encryption algorithms?
>
No, but they do both need the encryption and hashing algorithm you are
using.
-Zero
* Re: [gentoo-user] Using USB key as real $HOME and possible encryption?
From: Mick @ 2014-04-30 5:25 UTC
To: gentoo-user
On Wednesday 30 Apr 2014 03:50:12 Rick "Zero_Chaos" Farina wrote:
> On 04/29/2014 03:58 PM, Walter Dnes wrote:
> > On Tue, Apr 29, 2014 at 01:32:46PM -0400, Rick "Zero_Chaos" Farina wrote
> >
> >> On 04/29/2014 12:27 PM, Walter Dnes wrote:
> >>> Another couple of things I didn't realize. According to
> >>>
> >>> https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for
> >>> the crypt target in the kernel. It also suggests
> >>> <*> SHA224 and SHA256 digest algorithm
> >>>
> >>> Any comments on their strength? I'm not worried about the NSA or
> >>> CSIS as much as opportunistic criminals.
If it's only opportunistic criminals you're worried about then SHA1 with its
160-bit string is ample and so is MD5 with its 128-bit. Both are considered
weak hashes these days and should be avoided for business-critical setups,
but they are soooooo widely used (esp. by internet browsers, VPN routers,
etc.) that it would be difficult to upgrade everything overnight to SHA2.
> >> I use whirlpool. Why you ask? It sounds cool! Also it supported 512bit
> >> which seems nice.
Whirlpool is of course better, because it has an even longer 521-bit string.
> > Sorry to pester you, but I'm beginning to realize just how much is
> > involved here that I'm a newbie at. Two more questions...
> >
> >
> > 1) If multiple encryption algorithms are enabled in the kernel, how does
> > the system decide which one to use?
>
> dmcrypt/luks stores the proper encryption algorithm, as long as the
> correct one is supported you are all set.
It will use the default. Run:
cryptsetup -h
to see the default that it was compiled with.
Or,
it will use the --hash and --cipher options that you specify when you run
cryptsetup. Have a look at the fine manual.
> > 2) I assume that if I want to use the same encrypted USB key on 2 or
> > more machines, then the kernels of all the machines must be built with
> > the same encryption algorithms?
>
> No, but they do both need the encryption and hashing algorithm you are
> using.
As I understand it (but I may be wrong, because I have not used LUKS) you need to
have the same ciphers and hashes on both machines. Thankfully, all PCs these
days have aes and sha1. :-)
--
Regards,
Mick
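The two questions above (how the system picks the algorithm when several are built in, and what a second machine needs) have one answer: luksOpen reads cipher, mode, hash and key size from the header on the key and asks the kernel for exactly those, so the kernel needs those algorithms and nothing else; cryptsetup's compiled-in defaults, the ones `cryptsetup --help` prints, only matter at luksFormat time. The script below, added here and not part of the thread, makes that visible. It reads the LUKS1 header fields with dd and od and checks a /proc/crypto listing for the cipher and hash it names. The offsets are those of the LUKS1 on-disk format; LUKS2 (the default in cryptsetup 2.1 and later unless --type luks1 is given) keeps the same information in a JSON area and is not parsed here. The header and the /proc/crypto excerpt are constructed inline, not produced by cryptsetup or a real kernel; a key formatted with whirlpool is shown failing the check on a kernel that only has sha256. Note that in LUKS1 the hash is the PBKDF2 PRF and the anti-forensic splitter digest, not what protects the data on disk; the cipher does that.

```sh
#!/bin/sh
# luks1-inspect.sh: show what a LUKS1 header will ask the kernel for, and
# whether a given /proc/crypto listing can supply it.
# LUKS1 on-disk layout (big-endian): magic "LUKS\xba\xbe" @0, version @6,
# cipher-name @8, cipher-mode @40, hash-spec @72, key-bytes @108, and
# eight 48-byte key slots from @208 whose first word is 0x00ac71f3 when
# the slot holds a passphrase and 0x0000dead when it does not.
set -u

# COUNT bytes at OFFSET of FILE, NUL padding stripped.
luks_str()   { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }
# Four bytes at OFFSET of FILE as lowercase hex, e.g. 00ac71f3.
luks_hex32() { od -An -tx1 -j "$2" -N 4 "$1" | tr -d ' \n'; }

luks_is_luks1()    { [ "$(luks_hex32 "$1" 0)" = 4c554b53 ] && [ "$(luks_hex32 "$1" 4)" = babe0001 ]; }
luks_cipher_name() { luks_str "$1" 8 32; }
luks_cipher_mode() { luks_str "$1" 40 32; }
luks_hash_spec()   { luks_str "$1" 72 32; }
luks_key_bits()    { echo $(( 0x$(luks_hex32 "$1" 108) * 8 )); }

# Space-separated numbers of the key slots holding a passphrase.
luks_active_slots() {
  i=0; out=""
  while [ "$i" -lt 8 ]; do
    [ "$(luks_hex32 "$1" $((208 + 48 * i)))" = 00ac71f3 ] && out="$out$i "
    i=$((i + 1))
  done
  printf '%s\n' "${out% }"
}

# Is algorithm NAME present in the /proc/crypto listing FILE?  Base ciphers
# and hashes are always listed; templates such as xts(aes) only appear once
# something has instantiated them, so the mode is deliberately not checked.
kernel_has_alg() { grep -q "^name *: $2\$" "$1"; }

# Print the algorithms from header HDR that PROCFILE lacks; status 0 if none.
luks_kernel_check() {
  hdr=$1; procfile=$2; missing=""
  for alg in "$(luks_cipher_name "$hdr")" "$(luks_hash_spec "$hdr")"; do
    kernel_has_alg "$procfile" "$alg" || missing="$missing$alg "
  done
  printf '%s\n' "${missing% }"
  [ -z "$missing" ]
}

# --- constructed samples (not produced by cryptsetup or a real kernel) ---

# Write a 592-byte LUKS1 header to FILE: aes/xts-plain64/HASH, 512-bit
# master key, slot 0 in use, slots 1-7 marked 0x0000dead.  Only the bytes
# the functions above read are filled in; salts, digests and UUID stay zero.
make_sample_header() {
  f=$1
  dd if=/dev/zero of="$f" bs=592 count=1 2>/dev/null
  put() { printf "$1" | dd of="$f" bs=1 seek="$2" conv=notrunc 2>/dev/null; }
  put 'LUKS\272\276' 0;  put '\001' 7             # magic, version 1
  put aes 8;  put xts-plain64 40;  put "$2" 72    # cipher, mode, hash
  put '\100' 111                                  # key-bytes = 0x40 = 64
  put '\254\161\363' 209                          # slot 0 flag 00ac71f3
  i=1
  while [ "$i" -lt 8 ]; do put '\336\255' $((208 + 48 * i + 2)); i=$((i + 1)); done
}

# A /proc/crypto excerpt in the kernel's own format: aes and sha256 only.
make_sample_proc_crypto() {
  cat > "$1" <<'EOF'
name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
type         : shash
digestsize   : 32

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
type         : cipher
blocksize    : 16
EOF
}

# Usage: sh luks1-inspect.sh HEADER_OR_DEVICE [PROC_CRYPTO]   (default /proc/crypto)
if [ "$#" -gt 0 ]; then
  luks_is_luks1 "$1" || { echo "$1: not a LUKS1 header" >&2; exit 1; }
  echo "cipher=$(luks_cipher_name "$1") mode=$(luks_cipher_mode "$1") hash=$(luks_hash_spec "$1") keybits=$(luks_key_bits "$1") slots=$(luks_active_slots "$1")"
  missing=$(luks_kernel_check "$1" "${2:-/proc/crypto}") && echo "kernel: ok" || echo "kernel lacks: $missing"
fi
```

Pointed at a real key (`sh luks1-inspect.sh /dev/sdc1`) it reports the same fields `cryptsetup luksDump` shows and whether the running kernel lists the cipher and hash; the mode template is requested by dm-crypt at open time and, on a kernel with CONFIG_DM_CRYPT, comes with the block cipher it wraps.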