From: Michael
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Encrypting a hard drive's data. Best method.
Date: Sat, 06 Jun 2020 11:32:33 +0100
Message-ID: <3362513.R56niFO833@lenovo.localdomain>
References: <12F6F6AC-B646-4638-8349-BD5B9DB51B5E@antarean.org>

On Saturday, 6 June 2020 08:49:54 BST Dale wrote:
> J. Roeleveld wrote:
> > On 6 June 2020 06:37:23 CEST, Dale wrote:
> >> Howdy,
> >>
> >> I think I got an old 3TB hard drive to work. After dd'ing it, redoing partitions and such, it seems to be working. Right now, I'm copying a bunch of data to it to see how it holds up. Oh, it's a PMR drive too. lol Once I'm pretty sure it is alive and working well, I want to play with encryption. At some point, I plan to encrypt /home. I found a bit of info with startpage but some is dated. This is one link that seems to be from this year, at least updated this year.
> >>
> >> https://linoxide.com/linux-how-to/encrypt-linux-filesystem/
> >>
> >> It seems like a nice one since it has commands and what it should look like when it is performing the commands. I like knowing what I'm doing sort of matches what the howto shows. It also seems to use LVM which I will be using as well. I think I can follow that and get a working encrypted storage. Later, I can attempt this on /home without doing it blind. I also have the options in the kernel as well. I'll post them at the bottom. I enabled quite a lot a while back. ;-)
> >>
> >> Is this a secure method or is there a more secure way? Are there any known issues with using this? Anyone here use this method? Keep in mind, LVM. BTFRS, SP?, may come later.
> >>
> >> One other question, can one change the password every once in a while? Or once set, you're stuck with it from then on?
> >>
> >> If anyone has links to even better howtos, I'd love to check them out.
> >>
> >> Dale
> >>
> >> :-) :-)
> >>
> >> root@fireball / # zcat /proc/config.gz | grep crypt | grep =y
> >> CONFIG_ARCH_HAS_MEM_ENCRYPT=y
> >> CONFIG_DM_CRYPT=y
> >> CONFIG_CRYPTO=y
> >> CONFIG_CRYPTO_ALGAPI=y
> >> CONFIG_CRYPTO_ALGAPI2=y
> >> CONFIG_CRYPTO_AEAD=y
> >> CONFIG_CRYPTO_AEAD2=y
> >> CONFIG_CRYPTO_SKCIPHER=y
> >> CONFIG_CRYPTO_SKCIPHER2=y
> >> CONFIG_CRYPTO_HASH=y
> >> CONFIG_CRYPTO_HASH2=y
> >> CONFIG_CRYPTO_RNG=y
> >> CONFIG_CRYPTO_RNG2=y
> >> CONFIG_CRYPTO_RNG_DEFAULT=y
> >> CONFIG_CRYPTO_AKCIPHER2=y
> >> CONFIG_CRYPTO_AKCIPHER=y
> >> CONFIG_CRYPTO_KPP2=y
> >> CONFIG_CRYPTO_ACOMP2=y
> >> CONFIG_CRYPTO_MANAGER=y
> >> CONFIG_CRYPTO_MANAGER2=y
> >> CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
> >> CONFIG_CRYPTO_GF128MUL=y
> >> CONFIG_CRYPTO_NULL=y
> >> CONFIG_CRYPTO_NULL2=y
> >> CONFIG_CRYPTO_CRYPTD=y
> >> CONFIG_CRYPTO_AUTHENC=y
> >> CONFIG_CRYPTO_SIMD=y
> >> CONFIG_CRYPTO_GLUE_HELPER_X86=y
> >> CONFIG_CRYPTO_RSA=y
> >> CONFIG_CRYPTO_ECHAINIV=y
> >> CONFIG_CRYPTO_CBC=y
> >> CONFIG_CRYPTO_ECB=y
> >> CONFIG_CRYPTO_LRW=y
> >> CONFIG_CRYPTO_XTS=y
> >> CONFIG_CRYPTO_NHPOLY1305=y
> >> CONFIG_CRYPTO_NHPOLY1305_SSE2=y
> >> CONFIG_CRYPTO_NHPOLY1305_AVX2=y
> >> CONFIG_CRYPTO_ESSIV=y
> >> CONFIG_CRYPTO_HMAC=y
> >> CONFIG_CRYPTO_CRC32C=y
> >> CONFIG_CRYPTO_XXHASH=y
> >> CONFIG_CRYPTO_BLAKE2B=y
> >> CONFIG_CRYPTO_CRCT10DIF=y
> >> CONFIG_CRYPTO_MD5=y
> >> CONFIG_CRYPTO_RMD128=y
> >> CONFIG_CRYPTO_RMD160=y
> >> CONFIG_CRYPTO_RMD256=y
> >> CONFIG_CRYPTO_RMD320=y
> >> CONFIG_CRYPTO_SHA1=y
> >> CONFIG_CRYPTO_SHA1_SSSE3=y
> >> CONFIG_CRYPTO_SHA256_SSSE3=y
> >> CONFIG_CRYPTO_SHA512_SSSE3=y
> >> CONFIG_CRYPTO_SHA256=y
> >> CONFIG_CRYPTO_SHA512=y
> >> CONFIG_CRYPTO_WP512=y
> >> CONFIG_CRYPTO_AES=y
> >> CONFIG_CRYPTO_AES_TI=y
> >> CONFIG_CRYPTO_ARC4=y
> >> CONFIG_CRYPTO_BLOWFISH=y
> >> CONFIG_CRYPTO_BLOWFISH_COMMON=y
> >> CONFIG_CRYPTO_BLOWFISH_X86_64=y
> >> CONFIG_CRYPTO_CAMELLIA=y
> >> CONFIG_CRYPTO_CAMELLIA_X86_64=y
> >> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
> >> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
> >> CONFIG_CRYPTO_DES=y
> >> CONFIG_CRYPTO_SERPENT=y
> >> CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
> >> CONFIG_CRYPTO_TWOFISH=y
> >> CONFIG_CRYPTO_TWOFISH_COMMON=y
> >> CONFIG_CRYPTO_TWOFISH_X86_64=y
> >> CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
> >> CONFIG_CRYPTO_ANSI_CPRNG=y
> >> CONFIG_CRYPTO_DRBG_MENU=y
> >> CONFIG_CRYPTO_DRBG_HMAC=y
> >> CONFIG_CRYPTO_DRBG=y
> >> CONFIG_CRYPTO_JITTERENTROPY=y
> >> CONFIG_CRYPTO_USER_API=y
> >> CONFIG_CRYPTO_USER_API_HASH=y
> >> CONFIG_CRYPTO_USER_API_SKCIPHER=y
> >> CONFIG_CRYPTO_USER_API_RNG=y
> >> CONFIG_CRYPTO_LIB_AES=y
> >> CONFIG_CRYPTO_LIB_ARC4=y
> >> CONFIG_CRYPTO_LIB_DES=y
> >> CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y
> >> CONFIG_CRYPTO_LIB_SHA256=y
> >> CONFIG_CRYPTO_HW=y
> >> root@fireball / #
> >>
> >> Just wanted to have a few extras. ROFL
> >
> > Nowt wrong with that, as long as you remember MD5, SHA1 and some other offerings from your list above have been compromised and should not be used if strong encryption/integrity is required.
> >
> > A gentoo centric manual/howto:
> >
> > https://wiki.gentoo.org/wiki/Dm-crypt
>
> Thanks for both replies. I found one other Gentoo one but it was encrypting the whole thing, /boot and all, plus they used efi. I didn't find the one you linked to.
>
> First drive seems to have died. Got part way copying files and things got interesting. When checking smartctl, it even puked on my keyboard. Drive only had a few hundred hours on it so maybe the drive was iffy from the start or that enclosure did damage somehow. Either way, drive two being tested. Running smartctl test first and then restart from scratch and fill it up with files or something.
>
> Thanks much.
>
> Dale
>
> :-) :-)

There are also ecryptfs, kernel ext4 fs encryption and CryFS, if encrypting a directory/file may be desired rather than encrypting a whole block device. CryFS in particular supports cloud storage as a use case. I have not tried any of them and don't know how they compare.

I wanted to look into ext4 native kernel encryption, but the Gentoo wiki only describes a systemd-centric implementation. :-(

Of particular interest to me is recovery of encrypted files/partitions, using a different installation than the original. Having to keep a copy of the original installation kernel keys for ext4 with any data backups, and additionally remembering to refresh them every time a new kernel is installed, adds to the user-unfriendliness of an encryption method.

For block level encryption there's also veracrypt.

https://wiki.gentoo.org/wiki/User:Maffblaster/Drafts/eCryptfs
https://wiki.gentoo.org/wiki/Ext4_encryption
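The reply quoted above warns that MD5, SHA1 and other entries in the posted config are compromised. As an added example that is not code from the thread, the POSIX shell script below audits a kernel config dump of the kind Dale posted (`zcat /proc/config.gz`) against a watch-list of broken or legacy primitives; the sample config and the watch-list are my own constructed selection, not the thread's.

```shell
#!/bin/sh
# Added example, not from the thread: audit the crypto section of a kernel
# config for primitives that are broken or legacy.

# Constructed sample: a subset of the /proc/config.gz dump quoted in the thread.
SAMPLE_CONFIG='CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_SERPENT=y'

# Watch-list (my selection, not from the thread): option and reason.
WEAK_OPTIONS='CONFIG_CRYPTO_MD5 practical-collisions,unfit-for-integrity
CONFIG_CRYPTO_SHA1 practical-collisions,unfit-for-integrity
CONFIG_CRYPTO_DES 56-bit-key,brute-forceable
CONFIG_CRYPTO_ARC4 biased-keystream
CONFIG_CRYPTO_ECB identical-blocks-leak-patterns'

# weak_enabled: read a kernel config on stdin and print one "OPTION reason"
# line per watch-listed option that is built in (=y) or modular (=m).
weak_enabled() {
    enabled=$(grep -E '^CONFIG_CRYPTO_[A-Z0-9_]+=[ym]$' | cut -d= -f1)
    printf '%s\n' "$WEAK_OPTIONS" | while read -r opt reason; do
        for e in $enabled; do
            if [ "$e" = "$opt" ]; then
                printf '%s %s\n' "$opt" "$reason"
            fi
        done
    done
    return 0
}

# audit_config: human-readable report; returns 1 when anything is flagged so
# the function can gate a kernel build or deployment script.
audit_config() {
    flagged=$(weak_enabled)
    if [ -z "$flagged" ]; then
        echo "no watch-listed crypto options enabled"
        return 0
    fi
    echo "watch-listed crypto options enabled:"
    printf '%s\n' "$flagged" | sed 's/^/  /'
    return 1
}

# Live kernel: zcat /proc/config.gz | audit_config. Stand-alone run uses the sample.
printf '%s\n' "$SAMPLE_CONFIG" | audit_config || echo "(review the flagged options)"
```

Flagged options are not necessarily removable (other kernel code may select MD5 or SHA1); the report tells you which of them your disk-encryption setup must avoid choosing.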