Slashdot Mirror


Five of the Best Free Linux Disk Encryption Tools

An anonymous reader writes "Disk encryption uses software to encrypt the entire hard disk. The onus is therefore not on the user to determine what data should be encrypted, or to remember to manually encrypt files. By encrypting the entire disk, temporary files, which may reveal important confidential data, are also protected. Security is enhanced further when disk encryption is combined with filesystem-level encryption. To provide an insight into the open source software that is available, we have compiled a list of five notable disk encryption tools. Hopefully, there will be something of interest here for anyone who wants easy-to-use data encryption and security."

135 comments

  1. Link? List? by Goose+In+Orbit · · Score: 3, Informative

    Or a linked list even?

    1. Re:Link? List? by blacktulip · · Score: 5, Funny

      They encrypted themselves so you can not see them.

    2. Re:Link? List? by ColdWetDog · · Score: 4, Informative

      Here. Not so hard, but bog - can't the submitter figure that out? Slow down, guys, nobody is gonna scoop you on this stuff.

      --
      Faster! Faster! Faster would be better!
    3. Re:Link? List? by Anonymous Coward · · Score: 1

      Can't the editor, "Roblimo," proofread the submission? Isn't that practically their entire function?

    4. Re:Link? List? by Anonymous Coward · · Score: 0

      Here. Not so hard, but bog - can't the submitter figure that out? Slow down, guys, nobody is gonna scoop you on this stuff.

      "The bwshare module will refuse your requests for the next 1139999994000000000 seconds.
      You have made too many requests per second. "
      I like how clicking the link gave me that. Isn't that like... a few million years or more?

    5. Re:Link? List? by CyberK · · Score: 5, Insightful

      The submitter had the link (check Firehose), but it seems that the editors deemed the submission to be too long and chopped it off. After all, this is Slashdot and nobody RTFAs anyway.

    6. Re:Link? List? by Anonymous Coward · · Score: 0

      #include <stddef.h> // for NULL

      #define LOOPAES 1 // Encrypt disk partitions, removable media, swap space and other devices
      #define DMCRYPT 2 // Transparent disk encryption subsystem
      #define CRYPTSETUP 3 // Configures encrypted block devices
      #define SD4L 4 // Hides complete file systems within encrypted regular files
      #define TRUECRYPT 5 // Used for on-the-fly encryption

      typedef struct gooseOrbit
      {
                  int data;
                  struct gooseOrbit *next; // self-referential member needs the struct tag
      } gooseOrbit;

      int main() {

      gooseOrbit type1;
      gooseOrbit type2;
      gooseOrbit type3;
      gooseOrbit type4;
      gooseOrbit type5;

      type1.data = LOOPAES;
      type2.data = DMCRYPT;
      type3.data = CRYPTSETUP;
      type4.data = SD4L;
      type5.data = TRUECRYPT;

      // chain the five nodes into a singly linked list, NULL-terminated
      type1.next = &type2;
      type2.next = &type3;
      type3.next = &type4;
      type4.next = &type5;
      type5.next = NULL; // lol.

      return 0;
      } // Forgive me if I'm wrong, haven't written c/c++ for like 5 years.

    7. Re:Link? List? by houstonbofh · · Score: 1

      Do I mod this funny, insightful, informative, or flamebate? Tough call...

    8. Re:Link? List? by ColdWetDog · · Score: 1

      Yes.

      --
      Faster! Faster! Faster would be better!
    9. Re:Link? List? by causality · · Score: 5, Interesting

      Can't the editor, "Roblimo," proofread the submission? Isn't that practically their entire function?

      Can they? Yes. Do they? No. They don't even run basic spell-checkers as evidenced by multiple finalized submissions. I'd personally be ashamed to put my name to much of the work they produce. If they worked in the other 99.99999% of job positions bearing the title "editor" they would be fired due to poor job performance. In this shitty job market I imagine there are many thousands of people who would be happy to do better.

      I don't get to slack like that in my job. If the "editors" here started acting like they were semi-worthy of the title I would seriously consider a paid subscription. Note, I don't expect perfection or anything like that. I just want them to at least try.

      They should stop calling themselves "editors". Another title like perhaps "reposters" would be more appropriate and would remove the expectation that they act like, well, editors.

      I notice that any post pointing out that the ad-laden blog they chose to link in the summary is one of the worst and least-direct (second-hand or third-hand) sources available for the story, or pointing out that (particularly for book reviews) the story itself is likely a Slashvertisement, well those get very quickly modded to oblivion. And I do mean *quickly*. I wouldn't notice most of them at all except that I browse at -1.

      While I cannot prove that it's solely the editors doing that, it is known that editors have infinite modpoints. So I consider it quite plausible, especially considering that I can't be the only user who considers it useful information when someone points out what may be an undisclosed marketing motive. I tend to mod those "Informative" myself so long as they are thoughtful and can back up what they say. I have seen more unlikely things happen, I admit, but I have a hard time imagining that the majority of moderators find such information so objectionable.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    10. Re:Link? List? by Roblimo · · Score: 1

      The link works for me in both Chrome and Firefox. I don't have Explorer handy, so I can't test it with that browser.

        I'm sorry you're having problems, but I don't see anything wrong.

      And yes, I proofread everything and check all links.

    11. Re:Link? List? by countertrolling · · Score: 1

      The 'submitter' has been updated to reduce the chances of a reoccurrence, though it still might happen.

      --
      For justice, we must go to Don Corleone
    12. Re:Link? List? by Fwipp · · Score: 1

      You must have fixed it, because when it first went up there was no link.

    13. Re:Link? List? by c6gunner · · Score: 0

      They should stop calling themselves "editors". Another title like perhaps "reposters" would be more appropriate and would remove the expectation that they act like, well, editors.

      Even "reporters" gives them too much credit. I think "copy-and-pasters" would be much more accurate.

    14. Re:Link? List? by Anonymous Coward · · Score: 0

      Um, that's probably why they said "Reposters" and not "Reporters". Slow down a little when you read, you'll get more out of it that way.

    15. Re:Link? List? by Roblimo · · Score: 1

      Nope. Didn't touch a thing. But there's no point in arguing. The backend was doing some strange things earlier, but not *that* strange. Another mystery of the Internet.

    16. Re:Link? List? by Anonymous Coward · · Score: 0

      Yes, a little more than a few million years. (Approximately 3.6 x 10^10 years.)

    17. Re:Link? List? by A+nonymous+Coward · · Score: 1

      He said "reposters", not "reporters". You are as bad at reading as they are.

    18. Re:Link? List? by c6gunner · · Score: 1, Funny

      You start paying me to comment, I can guarantee a massive improvement.

    19. Re:Link? List? by MoeDumb · · Score: 1

      First you show improvement, then we pay you.

      --
      Mod Me Up. You'll make a grown man cry.
    20. Re:Link? List? by MoeDumb · · Score: 2

      flamebate: to flame oneself until burnout is achieved.

      --
      Mod Me Up. You'll make a grown man cry.
    21. Re:Link? List? by Anonymous Coward · · Score: 0

      If I pay you, would you stop commenting? That would be a huge improvement.

    22. Re:Link? List? by Thing+1 · · Score: 1

      The reality is that controversy sells ad impressions.

      --
      I feel fantastic, and I'm still alive.
  2. Best of slashdot editing! by Anonymous Coward · · Score: 4, Insightful

    Today we bring you the best of slashdot editing. We cut out all the hard parts for you, like links, and real information.

    FYI: http://www.linuxlinks.com/article/2011040308270275/DiskEncryption.html

  3. FAIL - LINK by Anonymous Coward · · Score: 0

    The link is http://www.linuxlinks.com/article/2011040308270275/DiskEncryption.html

    The /. mod's are taking the day off - tl;dr i guess?

    1. Re:FAIL - LINK by houstonbofh · · Score: 1

      Day?

  4. XKCD by Anonymous Coward · · Score: 5, Funny

    http://xkcd.com/538/

    1. Re:XKCD by waveclaw · · Score: 2

      That xkcd always amused me.

      The only way to really delete something is to encrypt it. Then forget the key.

      Going to burn through a few wrenches before you find that out. Too bad most people only have two knees.

      Relevant to the topic? I have about a dozen CDs of 'encrypted' Linux files that can no longer be opened. Apparently the old cryptoloop encryption implementation on my particular distro was somewhat buggy. The encrypted file system that was contained in those files could only be opened on the original PC. Which promptly died. (Thank you Murphy.)

      Fortunately things like luks + cryptsetup made that specific cryptodisk implementation obsolete.

      --
      "You cannot have a General Will unless you have shared experiences. You cannot be fair to people you don't know."
    2. Re:XKCD by Anonymous Coward · · Score: 1

      Sure that is funny, but that comic isn't as true as you think. The only people who will beat you until you give up the key are those that a) can get away with it, b) know that you have what they want. Criminals who steal hard drives, etc. aren't going to go breaking legs for the encryption keys because they don't know what's on the disk and would likely go to jail for it. Even government agents would have to know that you have what they're looking for, and in the US they aren't likely to be torturing you unless you're actually important. They might put you in jail however.

    3. Re:XKCD by Anonymous Coward · · Score: 1

      Yes, but no. The US 9th Circuit recently affirmed that the government has the right to seize and search, without a warrant, any laptop entering the US. For activists who travel, this is a big deal. Will Yemeni security beat you with a wrench? Yes. Will the US? Not in a US airport. The assumption used to be that the US also wouldn't make copies of your data for offsite inspection just for the hell of it, but they are, some 5000 times in the last five years.

    4. Re:XKCD by Anonymous Coward · · Score: 0

      If your encryption software allows for a salt file (like for example, OpenBSD's vnconfig) then you end up with two secret items: something you have (the salt file) and something you know (the passphrase). It's a lot more secure than using just one of those things. And if you should happen to wipe the salt file from your disk on purpose (which would take only a couple seconds), then no amount of drugs or wrench-bashing is going to help any attackers. You could also carry the salt file on a separate USB key and "lose" it if the shit hits the fan (by lose it, I mean throw it in a sewer drain, or something).

    5. Re:XKCD by Anonymous Coward · · Score: 0

      Relevant to this topic:
      http://iq.org/~proff/marutukku.org/current/src/doc/sergienko.html

    6. Re:XKCD by 1s44c · · Score: 1

      Sure that is funny, but that comic isn't as true as you think. The only people who will beat you until you give up the key are those that a) can get away with it, b) know that you have what they want. Criminals who steal hard drives, etc. aren't going to go breaking legs for the encryption keys because they don't know what's on the disk and would likely go to jail for it. Even government agents would have to know that you have what they're looking for, and in the US they aren't likely to be torturing you unless you're actually important. They might put you in jail however.

      Government agents won't torture you themselves, they will convict you for obstructing their investigation and lock you up for many years with a bunch of violent people. This applies to anyone who doesn't willingly hand over their encryption keys. Most likely it also applies to people who really have forgotten or lost their encryption keys.

      Encryption is only protection from unskilled thieves, and agencies who don't want you to know they are watching.

    7. Re:XKCD by tqk · · Score: 1

      ... and in the US they aren't likely to be torturing you unless you're actually important.

      So, I guess you've not heard about all the FAIL that the US gov't bought itself by waterboarding prisoners? Evidence obtained illegally is inadmissible (in theory).

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    8. Re:XKCD by bingoUV · · Score: 1

      Hey, it used to be $1 wrench in this comic. Inflation finally getting to XKCD?

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
  5. loopback-AES changed recently? by Anonymous Coward · · Score: 2, Interesting

    I've had some loopback containers using AES-256 for years and years. Recently after upgrading to Ubuntu 11.04, the same containers no longer will mount, yet I can create brand new ones which work fine. It seems that the old ones are not forward compatible.

    Has anyone else noticed this, and if so, what can be done about it? It's really kind of annoying to have to install a whole VM of an older OS just to access my old loopback container files!

    1. Re:loopback-AES changed recently? by St.Creed · · Score: 1

      It's open source. You can write your own code to solve it :)

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    2. Re:loopback-AES changed recently? by Anonymous Coward · · Score: 3, Informative

      The default cipher and flags changed, be sure to find out what they used to be.

      I had this problem too, and by setting explicit options I got it working.

    3. Re:loopback-AES changed recently? by gorilla_au · · Score: 1

      Warning: Link in the post above is NSFW!

    4. Re:loopback-AES changed recently? by Anonymous Coward · · Score: 0

      Try using the command line switch below:
      cryptsetup --cipher aes-plain

  6. I like not having links in the article by Anonymous Coward · · Score: 0

    It's not like anybody actually views the article before spouting off their ill-informed opinion about it.

  7. Slashdot by Anonymous Coward · · Score: 0

    Where links are now dying so hard that they are being wiped from the timelines.

  8. encfs? by Anonymous Coward · · Score: 2, Informative

    Really, no encfs? Used it for years -- works great, never had any hiccups with it.

    1. Re:encfs? by Nerdfest · · Score: 1

      It works really well in conjunction with DropBox or other cloud data services as well.

  9. There can be only one by RenHoek · · Score: 4, Informative

    http://www.truecrypt.org/

    There we go. I don't understand why this is still a question.

    1. Re:There can be only one by Anonymous Coward · · Score: 1

      Everyone using Truecrypt would be as bad as everyone using Internet Explorer was. Monocultures are foolish, period. The more targets there are for adversaries to attack, the less likely it is that any of them will be breached.

    2. Re:There can be only one by Anonymous Coward · · Score: 1, Insightful

      Because of these reasons:

      http://www.privacylover.com/encryption/analysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/

      Don't misunderstand me, I like Truecrypt. But security must also involve trust, and, to date, there is no total transparency about Truecrypt's developers.

    3. Re:There can be only one by Anrego · · Score: 5, Interesting

      dmcrypt for me!

      But yeah, truecrypt and dmcrypt are all people really need to know about. They both do mostly the same thing with slight variation; which one people choose is down to preference.

      LoopAES is outdated, cryptsetup is a userspace tool linked to dm-crypt, and the other is specialized.

      Pretty lame article.

    4. Re:There can be only one by westyvw · · Score: 4, Informative

      I used to set up encryption using fuse and encfs. That worked well enough for me. The problem I have with Truecrypt is that I have to define a file size beforehand. Is there a function for Truecrypt to use cowfs or auto resizing files?

    5. Re:There can be only one by knifeyspooney · · Score: 1

      You can't encrypt the Linux root filesystem with TrueCrypt. That's where the other tools come in.

    6. Re:There can be only one by asnelt · · Score: 1

      The problem is that TrueCrypt is not free software. It is open source but you don't have the freedom to distribute your own modified version. Therefore, there cannot be any community-driven development of TrueCrypt and - unless you can fix things that you don't like yourself - you are subject to the whim of the original developers of TrueCrypt.

    7. Re:There can be only one by TangoMargarine · · Score: 1

      Is there a function for Truecrypt to use cowfs or auto resizing files?

      Yes. I thought "dynamically expanding file" was the default during volume creation?

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    8. Re:There can be only one by asnelt · · Score: 3, Informative

      Sorry, I just noticed that you can now distribute modified versions of TrueCrypt. They must have changed the license.

    9. Re:There can be only one by Anonymous Coward · · Score: 0

      This.

    10. Re:There can be only one by metrometro · · Score: 1

      > But security must also involve trust, and, to date, there is no total transparency about Truecrypt's developers.

      Wow, the developers who created regime-threatening encryption software registered their domain at a fake address. The makers of a powerful privacy tool seem to like privacy? Scandal!

      Code review or STFU. I don't see what else could matter than what's in the source.

    11. Re:There can be only one by DiSKiLLeR · · Score: 1

      Regarding TrueCrypt, some of the stuff is simple enough. Encrypted filesystem inside a file, or encrypted partition. Okay. I've done enough under linux with mounting filesystems within files and other stuff to understand how that works very easily.

      But then... what boggles my mind, is, how do some of the features of full disk encryption even work?

      What performs the decryption while the operating system (whether it be windows or whatever) loads?

      And how can your system disk be in a half encrypted half not state and still WORK?

      Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions). Likewise, a TrueCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.

      There's some technical details on their site, but nothing that explains how that stuff works in particular.

      --
      You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
    12. Re:There can be only one by knifeyspooney · · Score: 2

      For whole disk encryption, TrueCrypt installs a driver between Windows and BIOS that provides transparent crypto service to Windows. And it's only for Windows. For Linux whole disk encryption, something like LUKS is needed.

    13. Re:There can be only one by Anonymous Coward · · Score: 0

      You can encrypt the entire volume with TrueCrypt, isn't that good enough?

    14. Re:There can be only one by Anonymous Coward · · Score: 0

      I used to be a very big believer in truecrypt. But I'm having a major bug using truecrypt under Ubuntu right now. It's impossible to close an open truecrypt volume properly. I'm not the only one suffering (http://forums.truecrypt.org/viewtopic.php?t=22692). I can certainly understand there being bugs, it just annoys me that we can't seem to get anyone official to acknowledge this problem.

    15. Re:There can be only one by MikeBabcock · · Score: 1

      I've never understood using truecrypt when you can just use the built-in LUKS feature set.

      --
      - Michael T. Babcock (Yes, I blog)
    16. Re:There can be only one by knifeyspooney · · Score: 2

      If that volume contains the root filesystem, then you won't be able to boot.

    17. Re:There can be only one by sauge · · Score: 4, Interesting

      Cross operating system compatibility. I can put something (like my tax info) on a true crypt disk on my Mac, and then email it to my mom (an accountant) who can open it on her windows PC.

      Which leads to another benefit, my mom is no system administrator, but she can open a file, enter a password, and double click the file within.

      Furthermore, if I want to deal with it - I can put it on my Linux machines.

      Finally, if a technician needs to fiddle with the system, I can unmount the drives and let them in with (less) worry about what they may find. (Tend to deal with health care information.) In other words, I can compartmentalize who can see what.

    18. Re:There can be only one by gust5av · · Score: 1

      Check this out:

      http://sourceforge.net/projects/stlth/

      It's like Truecrypt but based on dm-crypt, GPL and supports unlimited numbers of hidden volumes.
      That's real plausible deniability, unlike Truecrypt.

    19. Re:There can be only one by Anonymous Coward · · Score: 0

      Given such has been built into FreeBSD for years, I was under the impression the same situation existed for GNU/Linux

    20. Re:There can be only one by npsimons · · Score: 1

      http://www.truecrypt.org/

      There we go. I don't understand why this is still a question.

      This is why. Also, dm-crypt/luks is included with Linux by default and Debian makes it dead simple to setup whole disk encryption on a fresh install; I believe that truecrypt won't work for whole disk encryption for Linux.

      All due respect to the truecrypt guys and their work (cross-platform encrypted images are awesome), but the only reason Windows and OSX need truecrypt is because they don't have something like Linux's dm-crypt. Truecrypt really isn't necessary for Linux, unless you have to share encrypted images with other OSes, and you could also do that with GNUPG.

    21. Re:There can be only one by Anonymous Coward · · Score: 0

      Call me when it does full-disk-encryption for !windows...

    22. Re:There can be only one by gozar · · Score: 1

      All due respect to the truecrypt guys and their work (cross-platform encrypted images are awesome), but the only reason Windows and OSX need truecrypt is because they don't have something like Linux's dm-crypt.

      With OS X you can use Disk Utility to create encrypted sparse images, which are nicer than Truecrypt volumes for some things. Especially since sparse disk images only take up as much space as what is stored on them. Not cross platform though. :-(

      --
      What, me worry?
    23. Re:There can be only one by Fnord666 · · Score: 1

      I can put something (like my tax info) on a true crypt disk on my Mac, and then email it to my mom (an accountant) who can open it on her windows PC.

      You really don't have to go to the extreme of mailing your Mac. Just have her use logmein for instance.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    24. Re:There can be only one by Anonymous Coward · · Score: 0

      LUKS can be used on Linux, as well as Windows (freeotfe.org). Not sure about Mac, but likely there too.

    25. Re:There can be only one by tqk · · Score: 1

      This.

      WTF did you bother to post that?!? Do you seriously believe that adds anything to the discussion, any discussion? Are we voting on an optimum solution? Then yours will be attributed "hearsay from AC", and so won't count.

      FFS, do better!

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  10. Here is the link from the submission by Meshach · · Score: 1, Informative

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley

    1. Re:Here is the link from the submission by etymxris · · Score: 1

  11. Where's eCryptfs? by Anonymous Coward · · Score: 2, Insightful

    eCryptfs is the default disk encryption technology shipping in Ubuntu. You can turn it on from the installer. How does that not make the list? I've never even heard of SD4L.

    1. Re:Where's eCryptfs? by Anrego · · Score: 1

      Possibly because it's a file system level encryption tool vice a full disk encryption tool. Then again, they included cryptsetup which is just a userspace utility for dm-crypt, so I'd chalk this up to just being a lame article!

  12. Hardware encryption? by sunderland56 · · Score: 1

    Isn't everyone concerned about security already using hardware encryption - which is higher performance, and built in to almost every hard drive?

    https://secure.wikimedia.org/wikipedia/en/wiki/Hardware-based_full_disk_encryption

    1. Re:Hardware encryption? by Anonymous Coward · · Score: 0

      I need to use my 4 5GHz cores for something - might as well be for disk decryption.

    2. Re:Hardware encryption? by Anonymous Coward · · Score: 1

      You'd have to trust Seagate, Maxtor, Hitachi & co. to not do something idiotic, such as storing the keys on-disk and NOT sealed to a TPM or somesuch (which they used to do with the ATA security features, and you can get any disk unlocked for a few $$).

      And you'd also have to trust them not to have been co-opted by a state government.

      I.e., you have to be a dumbass to trust hardware security.

    3. Re:Hardware encryption? by etymxris · · Score: 2

    4. Re:Hardware encryption? by Anonymous Coward · · Score: 0

      Sadly, TCG OPAL doesn't really cover or mandate a few important things if you're going for a serious encryption solution:

      • The implementation of the encryption itself. AES-128 or AES-256 are not uncommon - but which mode exactly and how? XTS or XEX would be the optimal choices. LRW has a serious flaw, and CBC is not acceptable unless the IV is formed from an encrypted salted sector ID using a secure cryptographic hash - what Linux dm-crypt calls (for example) aes-cbc-essiv:sha256.

        Meanwhile I've caught "real" encryption solutions using the horrifyingly insecure ECB mode - because hey, they still get to put "AES" on the box.

      • The precise nature of key management. Authentication? Well, none. The key can be held in a TPM, and the best you'll get from it will be that it's sealed in the TPM by a secure passphrase (10-word Diceware or 22 random characters would be enough, and nothing less). Most implementations will simply seal it with the preboot authentication seed on the TPM (can't even hash the bootloader in the chain because duh, the bootloader's inside the encryption). Sadly, since this is more or less a SHA-1 hash of the BIOS with a starting seed on the TPM, this is machine-constant - and measurable. (Plus SHA-1 has had for some time a birthday collision technique available, which doesn't in this specific scenario completely smash it like a second preimage as far as I can tell - but I may be underestimating the vulnerability - but definitely significantly raises the feasibility of subtle back doors, not to mention that you could read it and insert a backdoor to return the old hash.)
      • In this instance, the key will also be held on the hard drive, and can usually be read from it after reboot, if you can boot into another medium (USB stick?). You can even reset the BIOS on some implementations and still get the key from the hard disk. Fail.

        And the key is usually held in the cache RAM on the hard disk. This is exposed to easy freeze-and-breeze effect - you can even unsolder it and tap it conveniently; a hardware-based cold boot attack is a cinch. I was doing those back in the 80s when RAM was slower, but a bit of freezer spray still does the trick for long enough. Even if a few bits rot, you still have a starting place for your search which is only a few bits of Hamming distance away from the key. Piece of cake for a graphics card cluster.

        And again, I've caught "real" encryption solutions using static keys, which is the kind of thing that gets you put in Schneier's "doghouse".

      • ELINT. The data in cleartext is being transmitted over the SATA cable, that's one obvious starting point. Also, what are the hard drive's power, RF and sound emissions like? Can you get it all back? Maybe not. Can you identify pad-filled blocks and thus work out how much of the drive is used? Yes. And how much of the drive is used can be very useful metadata to an attacker: maybe it's all the attacker even needs, rather than the content.

      Sorry, but in the absence of specific data to the contrary on a given system setup after a full security audit on the complete integrated system and the cryptosystem surrounding it, TrueCrypt and dm-crypt cipher=aes-xts-plain,size=256 (which is aes-xts-128) are more secure than any hardware-based implementation I've encountered, if certain countermeasures against cold-boot attacks are taken.

      And, naturally, the obvious points regarding the "lead pipe to the knees attack". The best cryptosystems out there can actually guarantee you deniability and even feasible data confidentiality in the event of capture - but from the point of view of the captured, that may be an undesirable outcome (although possibly less undesirable than if confidentiality were breached - this of course depends on the specific circumstances of deployment and attacker).

      Of course, if Stonewood Electronics would like me to undertake a full third-party audit of the Flagstone and Eclypt series, I'd find that entertaining. I would not guarantee them a pass, however, given the above points.
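      A defender's check for the two leaks this comment names (repeated ciphertext blocks from ECB or a static key, and pad-filled unused space that gives away how much of the drive is in use), as an added example that is not from the thread or from any tool mentioned in it. The ECB and sector-tweaked helpers are constructed stand-ins that model only whether the output depends on block position, and the disk image is constructed too; on a real volume you would feed the audit functions a raw read of the device.

```python
"""Audit a disk image for structure leakage that a correctly used sector
encryption mode (XTS or CBC-ESSIV over a random-filled device) must not show.
The "encryption" helpers below are constructed stand-ins that reproduce only
the property under test, not real ciphers."""
import hashlib
import math
import os
from collections import Counter, defaultdict

AES_BLOCK = 16   # AES block size in bytes
SECTOR = 512     # classic disk sector size


def repeated_blocks(image: bytes, block: int = AES_BLOCK) -> dict:
    """Map each aligned block value that occurs more than once to its offsets.
    Under ECB (or a static key) identical plaintext blocks give identical
    ciphertext blocks, so zero-filled free space shows up here."""
    seen = defaultdict(list)
    for off in range(0, len(image) - len(image) % block, block):
        seen[image[off:off + block]].append(off)
    return {blk: offs for blk, offs in seen.items() if len(offs) > 1}


def duplicate_ratio(image: bytes, block: int = AES_BLOCK) -> float:
    """Fraction of aligned blocks that share their value with another block."""
    total = len(image) // block
    if total == 0:
        return 0.0
    dup = sum(len(offs) for offs in repeated_blocks(image, block).values())
    return dup / total


def sector_entropy(sector: bytes) -> float:
    """Shannon entropy in bits per byte: uniformly random 512-byte sectors
    score about 7.6, zero-filled or text-filled sectors far less."""
    n = len(sector)
    return -sum(c / n * math.log2(c / n) for c in Counter(sector).values())


def low_entropy_sectors(image: bytes, threshold: float = 6.0) -> list:
    """Indices of sectors that look like padding or plaintext rather than
    ciphertext: exactly the usage metadata the comment above warns about."""
    return [i for i in range(len(image) // SECTOR)
            if sector_entropy(image[i * SECTOR:(i + 1) * SECTOR]) < threshold]


def audit(image: bytes) -> dict:
    """Summary a reviewer can compare across candidate volumes."""
    return {
        "duplicate_block_ratio": round(duplicate_ratio(image), 4),
        "distinct_repeated_blocks": len(repeated_blocks(image)),
        "low_entropy_sectors": len(low_entropy_sectors(image)),
    }


def build_plaintext_image(total_sectors: int = 64, used_sectors: int = 8) -> bytes:
    """Constructed filesystem-like image: a few sectors of repetitive file
    content, the remaining sectors zero-filled (never written)."""
    image = bytearray()
    for i in range(used_sectors):
        record = b"record %02d: encryption audit sample\n" % i
        image += (record * (SECTOR // len(record) + 1))[:SECTOR]
    image += bytes(SECTOR * (total_sectors - used_sectors))
    return bytes(image)


def _keyed_block(key: bytes, data: bytes) -> bytes:
    """Keyed blake2b truncated to one block: a constructed stand-in for a
    block-cipher call (same key and input always give the same output)."""
    return hashlib.blake2b(data, key=key, digest_size=AES_BLOCK).digest()


def simulated_ecb(image: bytes, key: bytes) -> bytes:
    """ECB property only: each output block depends on its content alone."""
    return b"".join(_keyed_block(key, image[off:off + AES_BLOCK])
                    for off in range(0, len(image), AES_BLOCK))


def simulated_sector_tweaked(image: bytes, key: bytes) -> bytes:
    """XTS/ESSIV property only: the output also depends on the block's
    position, so equal plaintext blocks at different offsets differ."""
    return b"".join(_keyed_block(key, off.to_bytes(8, "little") + image[off:off + AES_BLOCK])
                    for off in range(0, len(image), AES_BLOCK))


if __name__ == "__main__":
    key = os.urandom(32)  # constructed throwaway key
    plain = build_plaintext_image()
    for name, img in (("plaintext", plain),
                      ("ecb-like", simulated_ecb(plain, key)),
                      ("sector-tweaked", simulated_sector_tweaked(plain, key))):
        print(f"{name:15s} {audit(img)}")
```

      A correctly used XTS or CBC-ESSIV volume on a random-filled device should score near zero on both counts; a nonzero duplicate ratio on the ciphertext is the cheapest sign that a product's "AES" is ECB or a static key.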

  13. Goatse by houstonbofh · · Score: 1

    Really? Are you not tired of this yet?

    1. Re:Goatse by browntulip · · Score: 1

      Why should I?

      "Ugh. Goatse. You asshole."
      "I hope you die in a fire before you are old enough to contaminate the gene pool."
      "Ugh. Goatse. NSFW. Asshole (poster and picture, both)."
      "Why the sudden coordinated campaign for Goatse? Is someone making money off this?"
      "I did not even bother to look, but this same idiot has been doing this for weeks now. Fuck off asshole."
      "Thanks, I'm reading slashdot in class like a good student and just got tubgirl'd."
      "you are one dedicated troll."
      "Parent should be modded down. Link is NSFW and mentally scarring."
      "mod to -1, please. this guy is an 'asshole'.... (yes, you guessed it)"
      "Seriously ... new account to post that ... what a douche!"
      "Argh. Goatse alert..."
      "Oh dear god my eyes. Haven't seen THAT awful image in a while."
      "Grow up"
      just post the damn url, i'm not going to click on a tinyurl link and get goatse'd or something..
      Don't click the link! Goatse wannabe.
      Well played, sir. Well played.
      Goatse URL - Haven't seen that guy in a while
      Doh! One has to also recognize data urls. *sigh*
      Someone please mod this guy down... Don't click his link.
      nice goatse. i like...
      i WAS eating lunch you ass!
      Asshole... Ginormous asshole, in fact.
      Urgh...dammit, am I the only one thinking the goatse trolls are getting worse lately than they have been in the past five years? Are they gaming the mod system or something?
      Really? Are you not tired of this yet?
      Another quote in my troll food list.

  14. 5, really? by Anonymous Coward · · Score: 0

    Cryptsetup is a user-space configuration tool for dm-crypt ... not exactly my definition of "Linux Disk Encryption Tool"

  15. Honest question about encryption by chucklebutte · · Score: 1

    Yes, it's wonderful, but what if a user stores his /home on the same partition as the OS install (bad, I know, but it happens) and uses encryption? If the OS crashes, how can the user's data be recovered? Is there a way to recover encrypted data on a drive? Or is it a double-edged sword kind of thing?

    1. Re:Honest question about encryption by Anonymous Coward · · Score: 0

      If you're smart and used cryptsetup+dm_crypt (in their default modes, even), any proper live-cd can be used to access your data. And damage won't spread from one sector to the next, so as far as recovery goes, you're exactly as bad as if it was not encrypted in the first place.

      If you've used something else, I wouldn't know. TrueCrypt really is a good choice only if you have to do Windows, otherwise, you are much better off using cryptsetup+dm_crypt, which are MUCH more difficult to trojan.

    2. Re:Honest question about encryption by TangoMargarine · · Score: 1

      TrueCrypt doesn't do folders. It makes encrypted volumes that can either be a file, or a partition.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    3. Re:Honest question about encryption by LilWolf · · Score: 1

      As long as you know the pass phrase used for the encryption you can stick a LiveCD in and mount the encrypted partitions. The way it's done depends on what was used for the encryption. Google is your friend for finding a relevant HOWTO ;)

  16. I recommend encrypting disks by Black+Parrot · · Score: 0

    For most of you this will be obvious, but -

    If someone steals you computer (home or laptop) your password is useless to protect it; all they have to do is put your drive in their system and presto, they have access to everything on your disk(s).

    And you might be surprised at how many logins are saved on your disk (web pages, mail servers, etc.), and how many are unencrypted or only very weakly encrypted. (For that matter, they can just run the same application using your configuration files, and never have to bother with decrypting anything.)

    You should encrypt the disks on every computer. Your boss should require it for computers used for work, and the law should require it for computers that are used by public employees, or even for private-sector companies if they contain personal information about their clients.

    How many times have we heard of confidential information on a lost, stolen, or recycled laptop?

    And if you're paranoid (you should be), use an open-source encryption tool, to reduce the risk of a back door.

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:I recommend encrypting disks by MacTO · · Score: 1

      I usually recommend the opposite. There are cases where encryption is necessary because confidential data is being handled. The flip side is that full disk encryption makes it difficult, if not impossible, to recover data from corrupt file systems or failing hard drives.

    2. Re:I recommend encrypting disks by Black+Parrot · · Score: 1

      I usually recommend the opposite. There are cases where encryption is necessary because confidential data is being handled. The flip side is that full disk encryption makes it difficult, if not impossible, to recover data from corrupt file systems or failing hard drives.

      I recommend instead making regular backups to a separate disk, also encrypted.

      --
      Sheesh, evil *and* a jerk. -- Jade
    3. Re:I recommend encrypting disks by MikeBabcock · · Score: 1

      Backups are a better solution than disk recovery.

      I don't recover disks anymore, we just reformat and reinstall for everything these days. I can reinstall a Linux box in under an hour and a Windows machine in a bit more. Restoring from backups is simple enough after that.

      I don't want data on the drives to be recoverable, because it may not be me doing the recovering.

      --
      - Michael T. Babcock (Yes, I blog)
    4. Re:I recommend encrypting disks by Gordonjcp · · Score: 1

      You should encrypt the disks on every computer.

      What, even when it's massively inappropriate to do so? I can't think of any circumstances under which I'd ever use even FS encryption, never mind full-disk encryption. Disks are slow enough as it is.

  17. Submission untouched by human hands by countertrolling · · Score: 4, Informative

    It's an ad link site.. Turn off your cookies on these guys..

    Information that is provided to advertisers consists of aggregate statistics that we collate. This includes geographical and psychographic* information.

    When links are submitted to our site, we request that the sender provides us with their real name and email address.

    You know the routine..

    *Huh??

    --
    For justice, we must go to Don Corleone
  18. left out the obvious choice by jlmsprings · · Score: 2

    Doesn't matter if the link is in the post or not. The article left out luks

    1. Re:left out the obvious choice by 93+Escort+Wagon · · Score: 2

      Doesn't matter if the link is in the post or not. The article left out luks

      No, it didn't.

      --
      #DeleteChrome
  19. Never Fear! by GoatseWarning! · · Score: 0, Troll

    GoatseWarning! is here.

    Parent's link is goatse or goatse-esque

    --
    GoatseWarning! Protecting you from the assholes on the internet!
  20. Trying it now by ALeader71 · · Score: 1

    I bought a cheapie netbook. I'm trying this out now with Ubuntu Alternate. Should be interesting on the Atom based piggie.

    --
    Only the dead have seen the end of War. - Plato
    1. Re:Trying it now by peawormsworth · · Score: 1

      I bought a cheapie netbook. I'm trying this out now with Ubuntu Alternate. Should be interesting on the Atom based piggie.

      I've done what you describe and would like to share my experience. I've been running ubuntu with a luks encrypted root drive on an atom netbook for over a year on several systems. I've installed luks on internal HD's, external HD's, SD cards and USB sticks. Also I did experiment with further encryption of home directories using ecryptfs.

      Using luks does slow your computer and each additional level of encryption adds to this delay. I have no real measurements but I could "feel" the lag and estimate it to be 10%. Running ecryptfs on top of luks appeared to cause "brown outs" or times when the netbooks would not respond for about 10-30 seconds. My suggestion is to only use ecryptfs for user home directory encryption if you plan to share this netbook with other users (multiple login accounts)... or you wish to provide a guest account.

      But luks is reliable for me so far. I have never run into a situation where luks failed and the drive was unusable. I however, made mistakes like overwriting the keys and such and if that happens to you.. just format the drive, because all is gone. Consider this a lesson and backup your luks keys onto USB and throw into your bank deposit box. luks has never let me down... even during improper shutdown and filesystem corruption, ubuntu is able to check/repair the drive and still access the drive just as you would see on a non-luks encrypted drive. I have also used luks disk encryption at work and never lost any data or was unable to access my drive. At this point I trust a luks partition as much as any other non encrypted partition type.

      Funny story: I once showed a bunch of managers how easily I could access their own hard drive data simply by booting from my own Ubuntu USB stick on a computer which was protected by a user password that I didn't know. I expressed how full disk encryption would solve the gaping hole in protecting our business data/resources. They were impressed, but came up with their own solution... they removed the ability to boot from USB in the BIOS settings of all work PCs. At first that sounds ideal, except it does nothing to prevent the HD from being moved into another PC and allowing full access to data once again. It made me think these managers were more disturbed by the demonstration and wished to prevent me from showing how weak our current security policy was than actually fixing the issue properly. Lesson: don't be silly like these managers. Install full disk encryption (luks) and you can be sure your data is safe if/when you lose your netbook.
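
The two pieces of advice above, the AC's "any proper live CD can be used to access your data" in the "Honest question about encryption" thread and peawormsworth's "backup your luks keys onto USB", as one added shell example that is neither poster's code nor part of cryptsetup itself. It backs up the LUKS header (that is where the key slots live, and losing it is the "all is gone" case described above), then opens and mounts the volume read-only from a live CD so a damaged filesystem is copied out untouched. It assumes cryptsetup, util-linux and coreutils on the live image; /dev/sda3, the mapping name `recover`, /mnt/recover and the USB path in the session comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: pull data off a cryptsetup/dm-crypt
# (LUKS) volume from a live CD, and back up the LUKS header first.
# Assumes cryptsetup, util-linux and coreutils on the live image. Device,
# mapping name, mount point and backup path are placeholders chosen by the caller.
set -eu

# Every LUKS header (v1 and v2) starts with the 6 bytes "LUKS\xba\xbe",
# followed at offset 6 by a big-endian 16-bit format version (1 or 2).
LUKS_MAGIC=4c554b53babe

# True when $1 (a block device or an image file) starts with the LUKS magic.
is_luks() {
    [ "$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "$LUKS_MAGIC" ]
}

# Prints the LUKS format version stored at offset 6 of $1.
luks_version() {
    v=$(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    echo $(( 0x$v ))
}

# Step 1: copy the header (it holds the encrypted master key and every key
# slot) to removable media BEFORE any repair. A header overwritten by a
# mistake or a failing sector means the whole volume is gone, so this file is
# the real "backup of your LUKS keys": it unlocks the data, keep it offline.
backup_header() {   # device, backup file
    umask 077
    cryptsetup luksHeaderBackup "$1" --header-backup-file "$2"
    is_luks "$2" || { echo "$2: backup does not look like a LUKS header" >&2; return 1; }
    sha256sum "$2"  # record the digest alongside the offline copy
}

# Step 2: open the container and mount the filesystem read-only, so a damaged
# filesystem is copied out as-is instead of being modified further.
open_readonly() {   # device, mapping name, mount point
    is_luks "$1" || { echo "$1: no LUKS header found" >&2; return 1; }
    echo "LUKS$(luks_version "$1") container on $1"
    cryptsetup open --readonly "$1" "$2"   # prompts for the passphrase
    mkdir -p "$3"
    mount -o ro "/dev/mapper/$2" "$3"
}

# Step 3, only if the mount fails: check the DECRYPTED mapping, never the raw
# partition. -n reports without writing; to actually repair, close, reopen
# without --readonly, and run fsck again without -n.
check_mapping() {   # mapping name
    fsck -n "/dev/mapper/$1"
}

# Typical session as root on a live CD (sda3 being the encrypted root/home):
#   backup_header /dev/sda3 /media/usb/sda3-luks-header.img
#   open_readonly /dev/sda3 recover /mnt/recover
#   rsync -a /mnt/recover/home/ /media/usb/home-copy/
#   umount /mnt/recover && cryptsetup close recover
```

The header detection is deliberately done on raw bytes rather than by trusting a partition type: a LUKS container on a USB stick or SD card, or a container image in a file, is found the same way. Note that `umask 077` in backup_header changes the umask of the whole script, which is what you want while handling a file that unlocks the volume.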

  21. Temporary files in memory, not encrypted by loufoque · · Score: 1

    see subject.

    1. Re:Temporary files in memory, not encrypted by TangoMargarine · · Score: 1

      I think if you that sentence a verb, it might make a bit more sense.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    2. Re:Temporary files in memory, not encrypted by loufoque · · Score: 1

      it's not unusual for headlines to be verbless.

    3. Re:Temporary files in memory, not encrypted by TangoMargarine · · Score: 1

      But replies to them usually need one in order to be cogent.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    4. Re:Temporary files in memory, not encrypted by loufoque · · Score: 2

      The subject of a message counts as a headline to me.

    5. Re:Temporary files in memory, not encrypted by TangoMargarine · · Score: 1

      Seriously, what the heck were you trying to say? "Since temporary Windows files exist unencrypted in memory, encrypting your data doesn't help much"? You can encrypt your entire system drive with TrueCrypt, though I don't know if that would have any effect on said temp files.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  22. Re:Security? by dgatwood · · Score: 1

    Anyone who keeps any of the following on his/her laptop:

    • Government secrets
    • Corporate secrets
    • Any documents with a social security number or other information that could be used for identity theft (e.g. tax documents)
    • Bank account numbers or passwords
    • Credit card numbers or account passwords
    • Other account passwords that could be used to impersonate you (and implicate you)

    Remember: identity theft is an equal opportunity crime. Identity thieves don't care if you are rich, poor, man, woman, famous, or obscure.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  23. OS X Corollary? by Dingo.Neal · · Score: 1

    Anyone care to suggest their top five for OS X? Slap me if that's already covered in another post. - DX

    1. Re:OS X Corollary? by Anonymous Coward · · Score: 0

      TrueCrypt... That's all

    2. Re:OS X Corollary? by Anonymous Coward · · Score: 0

      If you want full disk encryption, you're going to have to pay for it. PGP Corp's seems pretty good.

    3. Re:OS X Corollary? by ogl_codemonkey · · Score: 1

      System Preferences -> Security -> FileVault

      Turn it on.

    4. Re:OS X Corollary? by Voline · · Score: 2

      If you're worried that a proprietary framework might be compromised by the Government threatening/bribing Apple into implementing a back door ...

      "We can make that FCC investigation into the back-dating of executive stock options go away, Mr Jobs. If you'll cooperate with the government ..."

      ... or you just want a solution that works better with Time Machine than FileVault does, here is a How-To on getting EncFS full-disk encryption working on Mac OS X.

      Nota bene: I have not tried this yet myself.

    5. Re:OS X Corollary? by GCsoftware · · Score: 1

      Erm, even the author of that states that these issues are now fixed with Snow Leopard and recommends against using EncFS on OS X.

      Also, you can't use EncFS on your whole home dir as it doesn't support some extended attributes that OS X relies on.

    6. Re:OS X Corollary? by Cybersonic · · Score: 1

      I agree that you might need to look at a proprietary solution for OSX.

      PGP (now owned by Symantec) and Guardian Edge (also owned by Symantec) would work.

      Pointsec (now owned by Check Point) also supports OSX.

      --
      Cybie! aka Ralph Bonnell
  24. TrueCrypt Disk Encryption under Linux? by Anonymous Coward · · Score: 0

    My understanding (from the TrueCrypt site) was that TC can only encrypt the entire disk (OS and all) for Windows machines. Is this not true?

  25. Re:Security? by Baseclass · · Score: 2

    You're missing the point. Whether or not my data is worth compromising (which I wholeheartedly believe it is) is irrelevant. Setting aside the fact that I may have cached passwords and financial information stored on my hard drive, the Fourth Amendment is meant to guard against unreasonable searches and seizures. Since the US government has chosen to ignore the Constitution, I believe that a "better safe than sorry" approach is quite prudent, to say the least. You might want to check if you're currently located in a Constitution Free Zone as well.

    --
    ^^vv<><>BA
  27. incomplete list - bitvisor not mentioned by OrangeTide · · Score: 1

    BitVisor is open sourced (BSD licensed). It can provide both disk encryption and transparent VPN/IPsec support to multiple OSes (Win, Linux, ...)

    It's a little annoying when people try to make definitive lists, but don't include rather popular options on their list. Do list makers not have Google?

    --
    “Common sense is not so common.” — Voltaire
    1. Re:incomplete list - bitvisor not mentioned by Anonymous Coward · · Score: 0

      I'm sure the authors are terribly sorry for ignoring some obscure Japanese tool nobody ever heard of.

      "BitVisor® is a tiny hypervisor (Virtual Machine Monitor) for enhancing the security of desktop computers."

      No shit. I'm sure a complete hypervisor (WTF?) existing since 2009 (last modified Christmas 2010) and trying to reinvent not just disk encryption but at the same time VPN (WTF^2?) is keeping my data secure and dandy. Thanks but no thanks. I wouldn't touch that thing with a ten-foot pole.

    2. Re:incomplete list - bitvisor not mentioned by OrangeTide · · Score: 1

      Your loss then. It is open source and very well written. It has been mentioned in numerous places before, including on Slashdot. It's often used as a testing ground for security experiments along with Xen. Probably because the code for BitVisor is simpler and easier to hack.

      --
      “Common sense is not so common.” — Voltaire
  28. For those who are venerating TrueCrypt: Not Safe by garompeta · · Score: 1

    Whole disk encryption has a side-channel cracking, which is very trivial.
    http://en.wikipedia.org/wiki/Cold_boot_attack
    http://it.tmcnet.com/news/2010/03/30/4700389.htm
    ANY WHOLE HARD DRIVE ENCRYPTION IS PRONE TO A SIDE-CHANNEL ATTACK.

  29. Always links by moyang · · Score: 1

    just some links with ads

  30. Re:Security? by 1s44c · · Score: 1

    From who? And for what? Why would anyone think their data is so important that anyone else would want it and that it needs encrypting?

    I think my bank account numbers and banking passwords should be kept secret.

    I also have a duty to protect any passwords or authentication keys I was trusted with to other people's systems. In fact that one is a condition of employment.

  31. Matt Blaze's CFS does too by Anonymous Coward · · Score: 0

    It actually NFS-mounts an encrypted directory via loopback. It's been around for a while :)

    http://www.freshports.org/security/cfs/

    I haven't been using it for a while, but there has been a linux port too.

  32. dm-crypt performance by Anonymous Coward · · Score: 0

    dm-crypt has a strange performance issue. Neither the CPU (Core i5) nor the hard disk is maxed out, but I just get 30 MB/s of read/write speed. There is a bug for it somewhere (Ubuntu probably), but I can't find it. To paraphrase, it's an issue about how the scheduling works between different kernel-space tasks. It would make sense for a review to address this important problem.

    Phoronix has a review that shows there is not much difference for CPU-intensive tasks at http://www.phoronix.com/scan.php?page=article&item=ubuntu_hdd_encrypt&num=3 .

  33. Re:For those who are venerating TrueCrypt: Not Saf by Anonymous Coward · · Score: 0

    Whole disk encryption has a side-channel cracking, which is very trivial.

    http://en.wikipedia.org/wiki/Cold_boot_attack

    http://it.tmcnet.com/news/2010/03/30/4700389.htm

    ANY WHOLE HARD DRIVE ENCRYPTION IS PRONE TO A SIDE-CHANNEL ATTACK.

    A cold boot attack can be prevented quite simply by 1) setting a BIOS password, and 2) disabling all boot devices but the encrypted hard drive. I believe some BIOSes also zero out all memory on boot.

    There is another attack where the attacker physically cools down the RAM while the computer is still running, then takes out the RAM and puts it in another computer. http://www.zdnet.com/blog/security/cryogenically-frozen-ram-bypasses-all-disk-encryption-methods/900 . This is not really preventable.

  34. Re:For those who are venerating TrueCrypt: Not Saf by rainsford · · Score: 1

    Those attacks also work just as well on ANY encryption product, it is not a weakness specific to Truecrypt or any other whole disk encryption program. Being able to read RAM through firewire or read old values after the computer is turned off and back on is a fundamental weakness of modern computer systems that encryption software can't really solve.

  35. Similar or better tools are available built-in for by Anonymous Coward · · Score: 0

    BSD Users

  36. Re:For those who are venerating TrueCrypt: Not Saf by garompeta · · Score: 1

    Precisely the reason I put the emphasis on ANY.
    But the Passware forensic tool is focused on TrueCrypt and BitLocker whole disk encryption... and it is so trivial that even a trained monkey could do it (a.k.a. IT guy)

  37. Tool no good for corporate use - Personal use only by collinl · · Score: 1

    These tools are fine for personal use - but not easily adapted to corporate use e.g. PCI DSS. Mandatory requirements for PCI DSS include key management under dual control and split knowledge.
    As such, commercial tools still rule in the storage encryption space.
    And I'm no programmer, so I can't resolve these shortcomings.
    lyalc
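
An added example, not collinl's code and not a feature of cryptsetup itself: one way to get the two properties the post names, split knowledge and dual control, on top of a stock LUKS volume. The volume key is XOR-split into two shares held by two custodians; a single share is a uniformly random string that says nothing about the key, and only both together rebuild the key file that `cryptsetup open --key-file` consumes. /dev/sdX, the /dev/shm tmpfs used for the short-lived rebuilt key file, and the share variable names are assumptions; this is a plain two-party XOR split, not Shamir sharing, and it covers only the two requirements quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: split knowledge and dual control for a
# cryptsetup volume, built around stock cryptsetup with a split key file.
# The volume key K is never held whole: custodian A keeps a random share R,
# custodian B keeps K XOR R. Either share alone reveals nothing about K; both
# custodians must be present to rebuild it for `cryptsetup open`.
# /dev/shm (a tmpfs) is assumed for the short-lived reconstructed key file.
set -eu

# XOR two equal-length hex strings byte by byte; prints the hex result.
xor_hex() {
    a=$1; b=$2; out=""
    [ ${#a} -eq ${#b} ] && [ $(( ${#a} % 2 )) -eq 0 ] || { echo "xor_hex: bad input" >&2; return 1; }
    while [ -n "$a" ]; do
        ab=${a%"${a#??}"}; bb=${b%"${b#??}"}        # leading byte of each string
        out="$out$(printf '%02x' $(( 0x$ab ^ 0x$bb )))"
        a=${a#??}; b=${b#??}
    done
    printf '%s' "$out"
}

# Split a hex key into two shares; prints "share_a share_b".
split_key() {
    key=$1
    share_a=$(od -An -tx1 -N $(( ${#key} / 2 )) /dev/urandom | tr -d ' \n')
    share_b=$(xor_hex "$key" "$share_a")
    printf '%s %s\n' "$share_a" "$share_b"
}

# Rebuild the key from the two shares (order does not matter).
join_key() {
    xor_hex "$1" "$2"
}

# Turn a hex string into raw bytes on stdout (what cryptsetup --key-file reads).
hex_to_bin() {
    h=$1
    while [ -n "$h" ]; do
        hb=${h%"${h#??}"}
        printf "\\$(printf '%03o' $(( 0x$hb )))"
        h=${h#??}
    done
}

# Enrollment, run once with both custodians present (as root; /dev/sdX assumed):
#   umask 077
#   key=$(od -An -tx1 -N 64 /dev/urandom | tr -d ' \n')
#   set -- $(split_key "$key")          # hand $1 to custodian A, $2 to custodian B
#   hex_to_bin "$key" > /dev/shm/vk && cryptsetup luksAddKey /dev/sdX /dev/shm/vk
#   shred -u /dev/shm/vk; unset key
#
# Unlock, with each custodian supplying only their own share:
#   hex_to_bin "$(join_key "$share_a" "$share_b")" > /dev/shm/vk
#   cryptsetup open --key-file /dev/shm/vk /dev/sdX data && shred -u /dev/shm/vk
```

Two points worth keeping in mind when using this: adding two separate passphrases to two LUKS key slots is not split knowledge, because either custodian can then open the volume alone; and the rebuilt key file must only ever touch memory-backed storage and be shredded immediately, otherwise the split is undone by whatever is left on disk.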

  38. You ARE important by samjam · · Score: 1

    You are important - once you've been tortured - then your freedom and even your life are very embarrassing.

    It only takes one idiot with an itchy torture finger and then they can never afford to let you go.

  41. Interesting technological support by born2befrag · · Score: 1

    We all know that from a technological point of view we should be satisfied. But don't you think we should spend some time "spreading the word" and teaching people that encryption should be considered a concept in our lives? Until we get people to understand how important encryption is, all those tools out there will just waste space on hard drives. I think the culture of encrypting documents and communication in general is missing. Until we have that culture, all the technology that already solves the problem is useless... or better... unused.