Slashdot Mirror

← Back to Stories (view on slashdot.org)

Seeking Current Info on Linux Encrypted FS?

Posted by Cliff on from the protecting-your-personal-data dept.

slick_rick asks: "I'm looking for info on encrypted file systems under Linux to help my employers company move away from Microsoft centric solutions. However the latest HOWTO is two years old, the latest kernel patch dates back to April (and 2.4.3) and even the Sourceforge project has nearly zero documentation and appears to be very dead. Are slashdotters using encrypted file systems? If so, what are your experiences?" We last talked about this topic, just over a year ago, in this article.

15 of 297 comments (clear)

  1. loop-AES by Sami · · Score: 4, Informative

    Have you tried the loop-AES patch? It isn't exactly an encrypted FS, but you can create encrypted virtual drives with it.

  2. Stuck in Windows? Bestcrypt works okay... by Bonker · · Score: 4, Informative

    It's a fairly decent encrypted filesystem implementation. I'm certain is has it downsides, but besides being non-free, I haven't found any others.

    BC allows you to create encrypted volumes up to the max size of your harddrive, and encrypts anything therein with your choice of encryption schemas. It also comes with a 'Wipe' command that will allow you to delete a file or clean a drive with a 7-stage delete process.

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  3. Reiser4 by jeffphil · · Score: 5, Informative

    If you can wait until September 2002, ReiserFS v4 will have an encryption plugin builtin.

  4. Re:FreeBSD & NFS by stygian · · Score: 5, Informative

    csfd - that's what it was. The Cryptographic File System.... The readme for the FreeBSD port is:

    This is CFS, Matt Blaze's Cryptographic File System. It provides transparent encryption and decryption of selected directory trees. It is implemented as a user-level NFS server and thus does not require any kernel modifications.

    ftp://research.att.com/dist/mab/cfs.ps

  5. SuSE does this out of the box... by pwagland · · Score: 5, Informative
    I am not sure about the other distributions, but as of SuSE 7.2, they do this out of the box. The support was improved in 7.3.

    Note that this filesystem based encryption, not user based. I.e. you must enter a password to mount the filesystem, but after that it acts as a normal filesystem (but slower due to the aforementioned encryption).

    The way that SuSE do it is to have an encrypted block device, so that you can throw anything you want on top of it. Typically this would be a filesytem ;-)

    From the SuSE webpage:

    * A highlight of SuSE Linux security technology: the so-called "crypto file system". Secret or sensitive data is encrypted on your own PC. This method is so safe that even if your notebook ist stolen, nobody, absolutely nobody (!) has even the slightest chance of decrypting your data. In addition, the crypto file system is so smart that the thief will not even notice that encrypted data exists.
    1. Re:SuSE does this out of the box... by MKalus · · Score: 5, Informative

      Actually I am using this activly on my Notebook and I haven't really seen any performance degredation (It's a PII 366). The nice thing about it is: It completly prevents you from booting the box at all so the security on the notebook is greatly enhanced:

      - Login Bios Password (Yeah, no security there I know)
      - crypto FS
      - OS Security

      Now the two weak links are the BIOS password as well as the OS Security (just boot from CDROM and on you go), but everything on the /data/ partition is encrypted and the parition is invisible if you boot from a boot disk.

      Really neat.

      Michael

      --
      If you want to e-mail me, use my PGP Key.
  6. XOR encryption is supported out of the box... by grytpype · · Score: 4, Informative

    ... take a look at "man losetup", which has a good example of setting up an XOR encrypted loopback filesystem. XOR is pretty crappy encryption however.

    --

    - Have a picture

  7. Deniability by Tet · · Score: 5, Informative

    Encrypted filesystems are useless without deniability. Rubberhose gives you that: http://www.rubberhose.org

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
  8. 50 ways to leave your lover by mAsterdam · · Score: 4, Informative

    ...and at least 10 ways to encrypt your data:
    http://koeln.ccc.de/~drt/crypto/linux-disk.html
    gives them.

  9. cryptfs by sdxxx · · Score: 4, Informative
    There is a cryptographic file system you can get for SFS. If you go to the download page, it's called cryptfs. Unfortunately, you have to install SFS first to compile cryptfs.

    Cryptfs is fully functional, though it was indented mostly as a proof of concept. The point is that such file systems are not hard to build, should someone want to maintain one. Here's an undergraduate programming assignment in which the students build a fully-functional cryptographic file system as an NFS loopback server.

  10. Try BestCrypt by Wee · · Score: 4, Informative
    I know it's not really an encrypted filesystem, per se, but BestCrypt might be enough for you. It's a bit like NAI's PGPDisk. Essentially, you mount an encrypted file and then access it like any other disk (it has a mount point, etc). The nice part (for me) is that they have a Win32 version as well, so using BestCrypt and Samba means that I can have my wife's securely store her Quicken stuff on my fileserver (which is the only machine that gets a backup). The only "bad" thing about BestCrypt is installation. You have to make real sure your kernel sources are in good shape. I had a few issues installing it because I had a few different kernel sources laying around (not good, I know, I know...). Anyway, it's not that hard to install, but not a userland type thing either.

    Like I said, it's not a filesystem, but it might get you by. I personally don't care if /etc is encrypted or not. But I might care if /home was encrypted. It's easy enough to mount a BestCrypt container file at /home, so that might be enough.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

  11. CryptoAPI by Agent_Leprechaun · · Score: 5, Informative

    Do a search on google for CryptoAPI. That's the new encrypted filesystem interface for linux. The pathes for 2.4.3 are old. I have an encrypted file system working with 2.4.16 patched with GRSecurity. You no longer need to patch the kernel with CryptoAPI, it just creates kernel modules that you install. It's pretty easy to do.

  12. swap encryption ? use OpenBSD by ^BR · · Score: 4, Informative

    By setting just one sysctl (vm.swapencrypt.enable=1)OpenBSD encrypt its swap using AES.

    You just have to uncomment one line in /etc/sysctl.conf to activate it permanently.

  13. OpenBSD filesystem encryption by friscolr · · Score: 4, Informative
    Why not just use OpenBSD, which has filesystem encryption by default

    It has the code for it, but it isn't enabled by default.

    Enabling swap encryption is easiest, you just modify you /etc/sysctl.conf (it's labelled well in that file) and/or use the sysctl command.
    i use swap encryption on my 1.2 athlon, but not on my 486's running openbsd.

    Enabling filesystem encryption requires a kernel build (you need to add "option TCFS" to your config) and some commands to be compiled and run. i found this article to be helpful.
    i just did this to see what it'd be like. the documentation is rather minimal but it is workable. You have the option of using 3DES, RC5 and Blowfish. Check out that link for more info.

    --

    -f
    www.blackant.net

  14. Re:win2k by TheCabal · · Score: 4, Informative

    Can anyone fill us in on this windows folder/file encryption? How does it work? What does it use as a key, and how is that key accessed?
    I read it uses AES

    I would assume a key/certificate/whatever is stored in the user account profile....

    But what prevents Administrator from changing your password, and signing into your account to read your files? I suppose this leaves a trail... but still.

    The certificate is stored on the user's workstation. If they use multiple workstations, the user must carry their certificate with them. EFS works using 128-bit DESX. A symmetrical recovery key is generated and is encrypted using the Recovery Agent(s) public key, so that those people designated as people who can decrypt other's files can do so.

    For those who still can't understand this, and think that a cracked account/BO Trojan and other absurd conditions are going to make a difference, the answer is Very Little. An agent still needs the certificate installed on the workstation that he/she is going to be recovering files from. Microsoft even recommends that a certificate be generated, the public key added as a recovery agent, and the certificate kept on removable media and stored securely until it is needed. They also recommend storing the certificate as a PKCS#12 cert since you can lock the private key with a password.

    An Admin can't just change your password and sign in as you, unless he can do it at your workstation or wherever you have your certificate installed. He may be a designated Recovery Agent, though in which he can look at your files anyway. But this has always been the case on windows network, but even on Unix/Linux nobody can stop root from reading a file, right?