public inbox for gentoo-user@lists.gentoo.org
From: Michael <confabulate@kintzios.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Encrypting a hard drive's data. Best method.
Date: Sat, 06 Jun 2020 11:32:33 +0100
Message-ID: <3362513.R56niFO833@lenovo.localdomain>
In-Reply-To: <adae07b0-fe10-1c9e-572e-f1c9a0a831aa@gmail.com>

On Saturday, 6 June 2020 08:49:54 BST Dale wrote:
> J. Roeleveld wrote:
> > On 6 June 2020 06:37:23 CEST, Dale <rdalek1967@gmail.com> wrote:
> >> Howdy,
> >> 
> >> I think I got an old 3TB hard drive to work.  After dd'ing it, redoing
> >> partitions and such, it seems to be working.  Right now, I'm copying a
> >> bunch of data to it to see how it holds up.  Oh, it's a PMR drive too. 
> >> lol  Once I'm pretty sure it is alive and working well, I want to play
> >> with encryption.  At some point, I plan to encrypt /home.  I found a bit
> >> of info with startpage but some is dated.  This is one link that seems
> >> to be from this year, at least updated this year. 
> >> 
> >> https://linoxide.com/linux-how-to/encrypt-linux-filesystem/
> >> 
> >> It seems like a nice one since it has commands and what it should look
> >> like when it is performing the commands.  I like knowing what I'm doing
> >> sort of matches what the howto shows.  It also seems to use LVM which I
> >> will be using as well.  I think I can follow that and get a working
> >> encrypted storage.  Later, I can attempt this on /home without doing it
> >> blind.  I also have the options in the kernel as well.  I'll post them
> >> at the bottom.  I enabled quite a lot a while back.  ;-) 
> >> 
> >> Is this a secure method or is there a more secure way?  Is there any
> >> known issues with using this?  Anyone here use this method?  Keep in
> >> mind, LVM.  BTFRS, SP?, may come later. 
> >> 
> >> One other question, can one change the password every once in a while? 
> >> Or once set, you stuck with it from then on? 
> >> 
> >> If anyone has links to even better howtos, I'd love to check them out. 
> >> 
> >> Dale
> >> 
> >> :-)  :-) 
> >> 
> >> root@fireball / # zcat /proc/config.gz | grep crypt | grep =y
> >> CONFIG_ARCH_HAS_MEM_ENCRYPT=y
> >> CONFIG_DM_CRYPT=y
> >> CONFIG_CRYPTO=y
> >> CONFIG_CRYPTO_ALGAPI=y
> >> CONFIG_CRYPTO_ALGAPI2=y
> >> CONFIG_CRYPTO_AEAD=y
> >> CONFIG_CRYPTO_AEAD2=y
> >> CONFIG_CRYPTO_SKCIPHER=y
> >> CONFIG_CRYPTO_SKCIPHER2=y
> >> CONFIG_CRYPTO_HASH=y
> >> CONFIG_CRYPTO_HASH2=y
> >> CONFIG_CRYPTO_RNG=y
> >> CONFIG_CRYPTO_RNG2=y
> >> CONFIG_CRYPTO_RNG_DEFAULT=y
> >> CONFIG_CRYPTO_AKCIPHER2=y
> >> CONFIG_CRYPTO_AKCIPHER=y
> >> CONFIG_CRYPTO_KPP2=y
> >> CONFIG_CRYPTO_ACOMP2=y
> >> CONFIG_CRYPTO_MANAGER=y
> >> CONFIG_CRYPTO_MANAGER2=y
> >> CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
> >> CONFIG_CRYPTO_GF128MUL=y
> >> CONFIG_CRYPTO_NULL=y
> >> CONFIG_CRYPTO_NULL2=y
> >> CONFIG_CRYPTO_CRYPTD=y
> >> CONFIG_CRYPTO_AUTHENC=y
> >> CONFIG_CRYPTO_SIMD=y
> >> CONFIG_CRYPTO_GLUE_HELPER_X86=y
> >> CONFIG_CRYPTO_RSA=y
> >> CONFIG_CRYPTO_ECHAINIV=y
> >> CONFIG_CRYPTO_CBC=y
> >> CONFIG_CRYPTO_ECB=y
> >> CONFIG_CRYPTO_LRW=y
> >> CONFIG_CRYPTO_XTS=y
> >> CONFIG_CRYPTO_NHPOLY1305=y
> >> CONFIG_CRYPTO_NHPOLY1305_SSE2=y
> >> CONFIG_CRYPTO_NHPOLY1305_AVX2=y
> >> CONFIG_CRYPTO_ESSIV=y
> >> CONFIG_CRYPTO_HMAC=y
> >> CONFIG_CRYPTO_CRC32C=y
> >> CONFIG_CRYPTO_XXHASH=y
> >> CONFIG_CRYPTO_BLAKE2B=y
> >> CONFIG_CRYPTO_CRCT10DIF=y
> >> CONFIG_CRYPTO_MD5=y
> >> CONFIG_CRYPTO_RMD128=y
> >> CONFIG_CRYPTO_RMD160=y
> >> CONFIG_CRYPTO_RMD256=y
> >> CONFIG_CRYPTO_RMD320=y
> >> CONFIG_CRYPTO_SHA1=y
> >> CONFIG_CRYPTO_SHA1_SSSE3=y
> >> CONFIG_CRYPTO_SHA256_SSSE3=y
> >> CONFIG_CRYPTO_SHA512_SSSE3=y
> >> CONFIG_CRYPTO_SHA256=y
> >> CONFIG_CRYPTO_SHA512=y
> >> CONFIG_CRYPTO_WP512=y
> >> CONFIG_CRYPTO_AES=y
> >> CONFIG_CRYPTO_AES_TI=y
> >> CONFIG_CRYPTO_ARC4=y
> >> CONFIG_CRYPTO_BLOWFISH=y
> >> CONFIG_CRYPTO_BLOWFISH_COMMON=y
> >> CONFIG_CRYPTO_BLOWFISH_X86_64=y
> >> CONFIG_CRYPTO_CAMELLIA=y
> >> CONFIG_CRYPTO_CAMELLIA_X86_64=y
> >> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
> >> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
> >> CONFIG_CRYPTO_DES=y
> >> CONFIG_CRYPTO_SERPENT=y
> >> CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
> >> CONFIG_CRYPTO_TWOFISH=y
> >> CONFIG_CRYPTO_TWOFISH_COMMON=y
> >> CONFIG_CRYPTO_TWOFISH_X86_64=y
> >> CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
> >> CONFIG_CRYPTO_ANSI_CPRNG=y
> >> CONFIG_CRYPTO_DRBG_MENU=y
> >> CONFIG_CRYPTO_DRBG_HMAC=y
> >> CONFIG_CRYPTO_DRBG=y
> >> CONFIG_CRYPTO_JITTERENTROPY=y
> >> CONFIG_CRYPTO_USER_API=y
> >> CONFIG_CRYPTO_USER_API_HASH=y
> >> CONFIG_CRYPTO_USER_API_SKCIPHER=y
> >> CONFIG_CRYPTO_USER_API_RNG=y
> >> CONFIG_CRYPTO_LIB_AES=y
> >> CONFIG_CRYPTO_LIB_ARC4=y
> >> CONFIG_CRYPTO_LIB_DES=y
> >> CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y
> >> CONFIG_CRYPTO_LIB_SHA256=y
> >> CONFIG_CRYPTO_HW=y
> >> root@fireball / #
> >> 
> >> Just wanted to have a few extras.  ROFL 

Nowt wrong with that, as long as you remember MD5, SHA1 and some other 
offerings from your list above have been compromised and should not be used if 
strong encryption/integrity is required.


> > A gentoo centric manual/howto:
> > 
> > https://wiki.gentoo.org/wiki/Dm-crypt
> 
> Thanks for both replies.  I found one other Gentoo one but it was
> encrypting the whole thing, /boot and all, plus they used efi.  I didn't
> find the one you linked to. 
> 
> First drive seems to have died.  Got part way copying files and things
> got interesting.  When checking smartctl, it even puked on my
> keyboard.  Drive only had a few hundred hours on it so maybe the drive
> was iffy from the start or that enclosure did damage somehow.  Either
> way, drive two being tested.  Running smartctl test first and then
> restart from scratch and fill it up with files or something. 
> 
> Thanks much.
> 
> Dale
> 
> :-)  :-) 

There is also ecryptfs, kernel ext4 fs encryption, CryFS, if encrypting a 
directory/file may be desired, rather than encrypting a whole block device.  
CryFS in particular supports cloud storage as a use case.

I have not tried any of them and don't know how they compare.  I wanted to 
look into ext4 native kernel encryption, but the Gentoo wiki only describes a 
systemd-centric implementation.  :-(

Of particular interest to me is recovery of encrypted files/partitions, using 
a different installation than the original.  Having to keep a copy of the 
original installation kernel keys for ext4 with any data backups and 
additionally remembering to refresh them every time a new kernel is installed, 
adds to the user-un-friendliness of an encryption method.

For block level encryption there's also veracrypt.

https://wiki.gentoo.org/wiki/User:Maffblaster/Drafts/eCryptfs
https://wiki.gentoo.org/wiki/Ext4_encryption
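
An added example, not part of the message above: a shell filter that reads a kernel config listing like the one quoted in the thread and reports enabled options for legacy algorithms. MD5 and SHA1 are named in the message; including ARC4 and DES in the table is this example's assumption, and the sample input is a few lines copied from the quoted listing. An option being enabled only means the kernel offers the algorithm, not that any encrypted volume uses it.

```shell
#!/bin/sh
# Added example: list enabled kernel crypto options for legacy algorithms.
# Real use, with the command shown in the thread:
#   zcat /proc/config.gz | flag_legacy_crypto
# The table of flagged names below is this example's assumption.

flag_legacy_crypto() {
    # Strip mail quoting ("> >> ") and trailing whitespace, then classify.
    sed -e 's/^[> ]*//' -e 's/[[:space:]]*$//' |
    while IFS= read -r line; do
        case $line in
            CONFIG_CRYPTO_*=[ym]) ;;      # built in (=y) or module (=m)
            *) continue ;;
        esac
        opt=${line%%=*}
        name=${opt#CONFIG_CRYPTO_}
        name=${name#LIB_}                 # library variants share the name
        case $name in
            MD5|MD5_*|SHA1|SHA1_*) reason="hash with practical collision attacks" ;;
            ARC4|ARC4_*)           reason="RC4 stream cipher, biased keystream" ;;
            DES|DES_*)             reason="single DES has a 56-bit key" ;;
            *) continue ;;
        esac
        printf '%s: %s\n' "$opt" "$reason"
    done
}

# Sample input: lines taken from the listing quoted in the thread,
# with the mail quoting prefix kept to show it is handled.
sample_config() {
    cat <<'EOF'
> >> CONFIG_DM_CRYPT=y
> >> CONFIG_CRYPTO_XTS=y
> >> CONFIG_CRYPTO_MD5=y
> >> CONFIG_CRYPTO_SHA1=y
> >> CONFIG_CRYPTO_SHA1_SSSE3=y
> >> CONFIG_CRYPTO_SHA256=y
> >> CONFIG_CRYPTO_AES=y
> >> CONFIG_CRYPTO_ARC4=y
> >> CONFIG_CRYPTO_DES=y
> >> CONFIG_CRYPTO_LIB_ARC4=y
EOF
}

sample_config | flag_legacy_crypto
```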
