Slashdot Mirror

← Back to Stories (view on slashdot.org)

Encrypted Volumes for Linux and Windows?

Posted by Cliff on from the privacy-in-dual-booting dept.

share_it asks: "On my Win PC I used a lot of encryption: I had encrypted small files for personal stuff, encrypted virtual disks for programs, music, video, etc. I used PGPdisk and mounted 3 big virtual disks (for a total of 170 gigs) on startup with just one single passphrase and those 'disks' were even quite fast. I have now switched to GNU-Linux for most of my interests, but sometimes I have to use Windows and I want my data to be encrypted and accessible from both OSes The only software that I found which can mount the same encrypted disk on both platforms is BestCript, but from Linux I can't store file with long names. Is there a better way to share encrypted data between when I dual-boot?"

15 of 59 comments (clear)

  1. NAH6's Secure-Notebook project covers this by schmaltz · · Score: 4, Informative

    Although Rop has moved on to other projects, Secure Notebook was a pretty good idea. The software may still be useful (documentation here, check the page for file signatures.)

    IIRC, this was a secure-ified Debian with encrypted swap, encrypted partitions, running VMWare which ran Win2K as a guest o/s. The idea was to run Windows while treating it as a small child that keeps burning itself on the stove. Everything was filtered thru the Linux host o/s, including network and hardware access.

    Also, I believe the encryption key was provided in two parts: a dongle containing part of the key, and then also a key requested of the user during boot.

    Worth a look.

    --
    Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma ... where's Siggy?
  2. tin foil by ralphus · · Score: 2, Interesting
    the poster seems to be going through the "i just discovered crypto" phase where everything should be encrypted. 170 gb of encrypted partitions for all his programs, music, video etc? EGADS!

    I have been around the crypto block a time or two and unless i completely missed it, I don't think there is a solution for what the poster is looking for other then bestcrypt.

    I was once where the poster is, encrypting all my partitions including swap with a USB token required for boot. it was a nice excercise in orwellian paranoia and i learned a lot, but it is completely impractical and a total pain in the ass.

    best of luck to the poster in his quest for ultimate, um, security.

    --
    Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
    1. Re:tin foil by kisielk · · Score: 2, Insightful

      Care to explain why encrypting your partitions with a USB token required was completely impractical and a pain in the ass? Specifically, what problems and inconveniences did you run in to with this setup? I'm just curious..

    2. Re:tin foil by ralphus · · Score: 2, Informative

      mainly because I always had to have the darn thing or I couldn't use the computer. Also because it slowed things down a bunch, made anything like accessing the drive from another OS an impossibility and generally did it's job. It was basically a trade off in usability/security that eventually rose past my patience for the useless personal email about inane things, porn and personal digital audio i was "protecting". Oh, i also spent a lot of time being paranoid about losing my USB token and therefore all my data because I just have that kind of worrysome personality.

      --
      Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
    3. Re:tin foil by Anonymous Coward · · Score: 2, Informative

      It is not paranoid to be concerned with security. As a person who has recieved a "visit" from federal agents, I know of what I speak.

      I view my machines as extensions of my mind. Whatever I have in my mind is private. No one's business except my own. I have nothing "illegal" on any of my machines, but I was once involved with what some people might deem "fringe" politics. The worst thing that could have happened was for someone to take information from me and use it against someone who shared my goals.

      For example, let us say that there was an unsolved crime that happed in a specific place at a specific time. In order to discredit someone, the authorities would only need to place them nearby at the time of the crime. An old lady gets mugged and the mugger takes $50 from her. You happen to be 5 miles away at the time and you spend $45 on some widget...Next thing you know "We can't prove he did it, but he was in the area at the time and spending the same amount of money that was missing. Do you want to believe his word or ours?"

      Don't ask why I'm anonymous.

  3. Safe deposit by metalhed77 · · Score: 2, Funny

    I would also be paranoid as hell about my usb token. You ever consider copying it and storing one in a safe deposit box?

    --
    Photos.
    1. Re:Safe deposit by harrkev · · Score: 3, Funny

      I assume that you got a small one that you could swallow. Chewing would be tough, though (and might break a tooth).

      I hope they used lead-free solder.

      --
      "-1 Troll" is the apparently the same as "-1 I disagree with you."
  4. Try a modified approach by tchuladdiass · · Score: 4, Interesting

    First, you don't need the OS encrypted. The most you'll need is /var, /tmp, /home and swap (and /data or wherever you put your bulk data files). So, that takes care of having to get the OS to boot off an encrypted volume.
    Now, to make things easy, you probably will only need to access /home and /data from windows. So, when you boot windows, fire up a virtual host program (either vmware, or a free alternative) to boot a linux kernel / mini distribution, which then mounts & exports /home and /data via samba, then use the virtual network connection to mount those volumes from windows.
    Of course, in windows, you never know where it may leave temp files laying around, so you might want to encrypt the entire win volume using a seperate utility.

    1. Re:Try a modified approach by Anonymous Coward · · Score: 2, Interesting

      First, you don't need the OS encrypted.

      If you're concerned about someone editing one of the binaries, then you want the OS to be encrypted.

    2. Re:Try a modified approach by Tux2000 · · Score: 2, Interesting

      First, you don't need the OS encrypted. The most you'll need is /var, /tmp, /home and swap (and /data or wherever you put your bulk data files).

      Right. Encrypting the OS is encrypting known data. <paranoia>This may lead to a key recovery by just comparing the encrypted OS and the unencrypted OS.</paranoia> Regarding encrypted swap: I think encrypting swap slows down too much. Just a dd if=/dev/random of=swappartition in the shutdown script should do the job as well. OK, if someone knocks you down, rips out the HDD of your PC before it has a chance to shut down properly, and runs strings swappartition | grep somepattern, he might find something useful. Decide yourself how important your data security is. You could also add some more RAM and do not use a swap partition at all.

      I think "Windows in VMware" is the way to do work with encrypted data with more than one OS. Always boot Linux, configure its firewall as paranoid as possible, and "wire" Windows in it's VMware box to the inside of the firewall. Mount your data directory via Samba in Windows. Encrypt and decrypt it in Linux. Make sure there is no way to connect to the VMware virtual LAN except inside your PC; this also means to set up firewall (iptables) rules to prohibit a connection to Samba from the real LAN or Wireless LAN.

      Tux2000

      --
      Denken hilft.
    3. Re:Try a modified approach by alien+at+large · · Score: 2, Informative
      So, when you boot windows, fire up a virtual host program (either vmware, or a free alternative) to boot a linux kernel / mini distribution
      Colinux may be another nice alternative for this scenario.
  5. Re:WTF IS THIS?!?! by Nermal6693 · · Score: 4, Funny

    Since we're already off topic...

    I'd honestly love to see ActiveX ads. Especially if they become more popular than Flash ads. Why? Because none of the browsers/OSes I use support ActiveX. Built-in ad blocking at its finest :)

  6. BestCrypt is great by davegaramond · · Score: 5, Informative

    I have been using BestCrypt for several years and it's great. Unfortunately it's the only solid product available on Linux and Windows that I know of.

    Why can't you store long filenames on Linux? BestCrypt just provides a block device on which you can use any filesystem. FAT32/VFAT is fine for Linux-Windows work. I've formatted a Bestcrypt volume with fat, vfat, iso9660, ext2, ext3, reiserfs, all without any problem.

    Another alternative is to use VMware and then use ext3 on Bestcrypt and serve Windows needs with Samba.

  7. Try the munitions site by Ragetech · · Score: 2, Informative

    Well, I'm not sure if this is a mirror or the primary, but anyway check this out: Munitions - cryptographic software for Linux.

    At home w/ SuSE I use cryptofs, but if you don't have SuSe here's something else that looks pretty good (And I think OpenBSD has this one too)-- CFS. I think there are actually a lot of options out there for you, just look around through Google.

  8. ok what do you need ? by johnjones · · Score: 2, Interesting

    what do you need ?

    how about a file e.g. tar/zip of all your files that is encrypted each time you login/logout ?
    use a standard AES/DES and secure deletion

    whats wrong with this ?

    slow
    unsecure if power fails

    but with everthing else you are at vendors mercy

    I would use PGP disk or a secure online file server...

    regards

    John Jones