Slashdot Mirror


Ask Slashdot: Tools For Linux Disk Encryption and Integrity?

An anonymous reader writes "I have been using Gentoo Linux for a long time now and have always been satisfied with one of its many disk encryption tools: cryptsetup (dm-crypt and LUKS). However, I recently gave FreeBSD a try and, although I concluded BSD is not for me, I was amazed at geli(8), FreeBSD's disk encryption tool. It happens this tool also provides what it calls an 'authentication mode.' Besides encrypting the disk sector-by-sector, it also stores checksums (sha256 in my case) in it on every write. On reads, if the checksum mismatches, it propagates the error up, resulting in, say, a read() error. Thus I do not have to trust my disk (except of course for the boot partition) any longer: any data inconsistency will be detected before the data is used. Having searched for a long time without answers, I want to ask: is there something similar to this in Linux? Note: Using Btrfs is a valid solution, but is far from stable (got a few oopses during my tests)."
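
The per-sector check described in the question, modeled as an added example (not part of the original post, and not geli's code or on-disk format). Assumptions: a keyed HMAC-SHA256 tag stands in for the checksum, the sector number is bound into the tag, encryption is left out, and every name and value is hypothetical. It also shows what such a tag cannot catch on its own: a sector rolled back to an older, validly tagged version.

```python
import hashlib
import hmac

SECTOR = 512  # data bytes per sector (constructed value)

class IntegrityError(OSError):
    """Raised on read when a sector's stored tag does not match its data."""

class AuthenticatedDisk:
    def __init__(self, key: bytes, sectors: int):
        self.key = key
        self.raw = [b""] * sectors  # the untrusted media: data || tag per sector
        for n in range(sectors):
            self.write(n, bytes(SECTOR))

    def _tag(self, n: int, data: bytes) -> bytes:
        # Binding the sector number means a valid sector cannot be moved elsewhere.
        msg = n.to_bytes(8, "little") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, n: int, data: bytes) -> None:
        if len(data) != SECTOR:
            raise ValueError("sector writes must be exactly SECTOR bytes")
        self.raw[n] = data + self._tag(n, data)

    def read(self, n: int) -> bytes:
        data, tag = self.raw[n][:SECTOR], self.raw[n][SECTOR:]
        if not hmac.compare_digest(tag, self._tag(n, data)):
            raise IntegrityError(f"sector {n}: integrity check failed")
        return data

def detects(disk: AuthenticatedDisk, n: int) -> bool:
    """True if reading sector n is refused by the integrity check."""
    try:
        disk.read(n)
    except IntegrityError:
        return True
    return False

def demo() -> dict:
    disk = AuthenticatedDisk(b"k" * 32, sectors=4)  # constructed key
    disk.write(1, b"A" * SECTOR)
    stale = disk.raw[1]                   # old data + old (still valid) tag
    disk.write(1, b"B" * SECTOR)
    disk.raw[2] = bytes([disk.raw[2][0] ^ 1]) + disk.raw[2][1:]  # media bit flip
    disk.raw[3] = disk.raw[1]             # valid sector copied to another slot
    disk.raw[1] = stale                   # sector rolled back to earlier state
    return {"bit_flip": detects(disk, 2), "relocation": detects(disk, 3),
            "rollback": detects(disk, 1)}
```
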


  1. Yep by Anonymous Coward · · Score: 5, Informative

    You can use IMA (2.6.30 and later) and EVM (2.6.38 and later). :)

  2. Re:TrueCrypt by munozdj · · Score: 3, Informative

    Yes, exactly. I've been using TrueCrypt for my important info (mostly pr0n), and have had no problems. It lets you choose between different encryption algorithms (blowfish, twofish, AES, and others I can't remember) and allows you to encrypt individual files, mount an encrypted virtual volume or encrypt your entire hard drive. And, as usual on /., it's FOSS.

    --
    Democracy: Crowdsourcing a country near you
  3. Re:TrueCrypt by Jeremiah Cornelius · · Score: 3, Informative

    Volume encryption?

    Why is it needed? Unless you have a requirement that dictates this, there are more ways for volume encryption to fail.

    I am surprised no one has mentioned encfs. You could run it in userspace over whatever precious checksumming system your heart desired.

    http://www.arg0.net/encfs

    Advantages of pass-thru system vs an encrypted block device

    • Size: an empty EncFS filesystem consists of a couple dozen bytes and can grow to any size without needing to be reformatted. With a loopback encrypted filesystem, you allocate a filesystem ahead of time with the size you want. Depending on the filesystem, there may be ways of resizing it later, but that requires user intervention.
    • Automated Backups: An EncFS filesystem can be backed-up on a file-by-file basis. A backup program can detect which files have changed, even though it won't be able to decipher the files. This way backups can be made without needing to mount the encrypted filesystem.
    • Layering / Separation of Trust: EncFS can be layered on top of other filesystems in order to add encryption to unencrypted filesystems. This also allows you to store data on filesystems you trust for storage but not for security. For example, EncFS could be used on top of a CD, or a remote NFS filesystem, Samba share, or perhaps even GMail storage using GMailFS.

    Disadvantages

    • Meta-data: Meta-data remains visible to anyone with access to your encrypted files. This means that Encfs does not encrypt or otherwise hide the following information:
      • The number of files you have encrypted
      • The permissions on the files (readable, writable, executable)
      • The size of each file
      • The approximate size of each filename (to within 16 bytes using AES, or 8 bytes using Blowfish)
    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  4. Re:TrueCrypt by koolfy · · Score: 2, Informative

    Not TrueCrypt.
    Nuff said.

    Also: https://tails.boum.org/support/truecrypt/index.en.html
    I'll never say this enough: Don't trust Truecrypt when you have a shitload of similar/better tools that you can actually trust on Linux.

    I mean just look at this

    --
    Segmentation Fault in "Life, Universe and Everything" at line 42. Don't Panic.