Slashdot Mirror


NetBSD's Crypto-Graphic Disk

An anonymous reader writes "Security-minded laptop users live in fear of theft, not only of their computer but also of their precious secret data. NetBSD's CGD project is a cryptographic virtual disk that can protect sensitive data while acting like a normal filesystem. Recently its author, Roland Dowdeswell, was interviewed and provided a lot of details, and made a comparison with Linux's Loop-AES, FreeBSD's GBDE, OpenBSD's svnd. This is a must-read for any laptop owner (and paranoid androids)!"

9 of 219 comments

  1. Interesting but not exactly new news by Ffakr · · Score: 4, Informative

    This is interesting and all, but this isn't exactly a ground-breaking news item.
    PGP lets you do this on various platforms.
    As a matter of fact, this is how I manage personal info on my OS X Macintosh. I create a strong-encrypted virtual disk image with banking, internet login, software key, and (un)related information. When I need something I mount it and when I'm done I umount it and it's nice and safe (as long as I never tell Keychain to remember the password).
    You can do this on a vanilla OS X install with Disk Utility.

    ffakr

    --

    I'm not feeling witty so bite me

  2. Re:mutually exclusive? by pepdar · · Score: 4, Informative

    Mac OS X is a *nix OS.
    It also features an encrypted file system, FileVault.

  3. TrueCrypt for Windows and Linux. by Futurepower(R) · · Score: 5, Informative

    TrueCrypt is disk encryption software for Windows XP/2000/2003 and Linux. Version 4.1 was released last month. It seems to have been designed by people who are VERY serious about encryption. For example, TrueCrypt "provides two levels of plausible deniability".

    1. Re:TrueCrypt for Windows and Linux. by jbarr · · Score: 4, Informative

      I agree 100%. TrueCrypt lets you manage not only entire encrypted disks, but smaller, user-definable "container" volumes as well. These are all mounted as virtual drives, and are seamless to use. TrueCrypt works especially well with Thumb Drives.

      One thing I really like about TrueCrypt is that it just works. I have tried several commercial options and several that come with Thumb Drives, and they tend to be either too cutesy or kludgy to use. In almost all cases, they are cumbersome and just have an "unstable" feel about them. TrueCrypt is solid, quick, and also importantly, doesn't require any installation other than copying a couple files and launching the app. (It does come with an installer, but it isn't necessary.)

      Have a read of their FAQ and you will see that a LOT of thought and effort has gone into this application.

      --
      My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
    2. Re:TrueCrypt for Windows and Linux. by trifish · · Score: 5, Informative

      You forgot to write a very important thing:

      TrueCrypt is open source and free (as in freedom and beer).

  4. Filevault by Savage-Rabbit · · Score: 3, Informative

    So the CGD disk is an encrypted pseudo disk driver. It sits on top of another partition and acts as a new virtual disk to the rest of the operating system. But what of those of us that have to use Windows, or Mac OS X? This seems like it's only compatible with *nix OSes.

    OS.X ships with something called Filevault, accessible from 'System Preferences'. Filevault migrates your home directory onto an encrypted image using a 128-bit AES key which, AFAIK, is pretty secure, at least the NSA sponsored OS.X security guide I read recently recommended using it. This image gets mounted onto your Home directory when you log in and cannot be accessed unless you either know the login password or somehow manage to crack the encryption on the image file. This is useful for mobile professionals and the on the fly encryption works surprisingly well unless you are working with say, Photoshop files that weigh in in the hundreds of megabytes. For day to day stuff this works quite well. Just for example, I keep my iTunes collection on a filevault image and it does not seem to kill performance even with resource hogs like MS Word and Excel running.

    If you only want a small secure area rather than encrypting the entire Home directory like you do with Filevault you can also create stand alone *.dmg images with the 'Disk Utility'. These have the same 128-bit AES encryption as Filevault. Fire up /Applications/Utilities/Disk Utility.app, select File->New->Blank Disk Image... Once created this can be accessed by double clicking it and feeding it the password.

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  5. Re:mutually exclusive? by thebdj · · Score: 3, Informative

    Actually, BSD is a unix derivative just like Linux. Both have their separation from Unix and neither is Unix.

    In reality, it is probably still safe to call it a *nix, only the BSD zealots would like us to separate it into a "BSD", which is about as anal as separating the Linux distributions into different groups.

    BTW, your original post compared it to *nix operating systems and complained about OSX. The Article refers to this about NetBSD, therefore making your statements a bit mixed.

    The folks over at Wikipedia seem to agree with us on this one.

    --
    "Some days you just can't get rid of a bomb."
  6. dm-crypt? by Gadzinka · · Score: 4, Informative

    It's interesting to see xxxBSD user/developer comparing "just written" software for BSD with ancient versions of Linux counterparts and (surprisingly) finding xxxBSD version to be better. My point being: dm-crypt.


    If you are interested in Linux 2.6 encrypted partition, use dm-crypt together with cryptsetup tool. It's much safer than AES loop and:

    • it allows you to use encryption algorithms in CBC mode;
    • uses published Linux kernel crypto API, which means that you can use any cipher known by kernel;
    • because of the above, if kernel has hardware support for some crypto algo, dm-crypt uses it automagically: I have a very low power VIA Epia MicroITX board (soon to be replaced by even lower power Nano ITX board by Epia) serving as my home fileserver. The processor, VIA Nehemiah is disgustingly slow at its 800MHz, but it has VIA Padlock crypt engine doing AES in hardware -- access speed on encrypted AES256-CBC partition is indistinguishable from the speed on the same non-encrypted disk, and a lot higher than on my Pentium M 1.6GHz notebook with Blowfish (i.e. the fastest-yet-quite-safe) dm-crypt partition.
    • because it uses Crypto API, you can use any new safer or faster algo, whether it's done in software or hardware, as soon as there is crypto api driver for it (crypto using GPU anyone? ;)
    • with existing cryptsetup tool you can create encrypted swap partition with random key taken from /dev/random; and since some platforms (e.g. VIA Epia, but also chipsets from Intel, AMD and others) have true hardware random generators with Linux drivers, I wish a lot of luck to someone trying to recover passwords from my swap device ;)
    • while existing key generation method is not as kosher as described PKCS#5 PBKDF2 or multifactor solutions, cryptsetup is just a userspace tool controlling kernel space diskmapper virtual disk engine; you can write your own tool and initialize your dm-crypt partitions any way you want;

    OK, I'm tired, go read the links and you'll be much wiser and better informed than after reading TFA ;)

    Robert

    --
    Bastard Operator From 193.219.28.162
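
The last bullet of the comment above contrasts cryptsetup's key generation with PKCS#5 PBKDF2. As an added example (not part of the comment, and not code from cryptsetup or CGD), this Python code writes out PBKDF2-HMAC-SHA1 and shows what the salt and iteration count change compared with a single unsalted hash; `single_hash_key`, `new_volume_params` and the parameter layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def pbkdf2_sha1(passphrase: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PKCS#5 v2.0 PBKDF2 with HMAC-SHA1, written out to show the construction."""
    out = b""
    block = 1
    while len(out) < dklen:
        # U_1 = HMAC(P, salt || INT_32_BE(block)); U_i = HMAC(P, U_{i-1})
        u = hmac.new(passphrase, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(passphrase, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")  # T = U_1 xor U_2 xor ... xor U_c
        out += t.to_bytes(20, "big")
        block += 1
    return out[:dklen]

def single_hash_key(passphrase: bytes, dklen: int = 32) -> bytes:
    """Generic stand-in for a non-iterated, unsalted scheme: one hash of the passphrase."""
    return hashlib.sha256(passphrase).digest()[:dklen]

def new_volume_params(iterations: int = 100_000) -> dict:
    """Per-volume parameters kept in the clear beside the ciphertext (constructed layout)."""
    return {"salt": os.urandom(16), "iterations": iterations}

def volume_key(passphrase: bytes, params: dict, dklen: int = 32) -> bytes:
    # hashlib's native implementation computes the same function as pbkdf2_sha1 above.
    return hashlib.pbkdf2_hmac("sha1", passphrase, params["salt"],
                               params["iterations"], dklen)

if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample passphrase
    vol_a, vol_b = new_volume_params(), new_volume_params()
    # Without a salt, every volume using this passphrase gets the same key,
    # so one precomputed dictionary serves against all of them.
    print("single hash, A == B:", single_hash_key(pw) == single_hash_key(pw))
    # With a random per-volume salt the keys differ, and each guess costs
    # `iterations` HMAC evaluations per volume.
    print("PBKDF2,      A == B:", volume_key(pw, vol_a) == volume_key(pw, vol_b))
```

The salt and iteration count are not secret; they only need to be stored with the volume so the same key can be re-derived at mount time.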
  7. Re:of course it helps... by BobNET · · Score: 3, Informative

    I have no idea why these mechanisms are not enabled by default on these OSes (not even on OpenBSD!) as the overhead really isn't that noticeable...

    Swap is now encrypted by default in OpenBSD 3.8: http://marc.theaimsgroup.com/?l=openbsd-cvs&m=111185331505174&w=2