Slashdot Mirror


Ask Slashdot: Tools For Linux Disk Encryption and Integrity?

An anonymous reader writes "I have been using Gentoo Linux for a long time now and have always been satisfied with one of its many disk encryption tools: cryptsetup (dm-crypt and LUKS). However, I recently gave FreeBSD a try and, although I concluded BSD is not for me, I was amazed at geli(8), FreeBSD's disk encryption tool. It happens this tool also provides what it calls an 'authentication mode.' Besides encrypting the disk sector-by-sector, it also stores checksums (sha256 in my case) in it on every write. On reads, if the checksum mismatches, it propagates the error up, resulting in, say, a read() error. Thus I do not have to trust my disk (except of course for the boot partition) any longer: any data inconsistency will be detected before the data is used. Having searched for a long time without answers, I want to ask: is there something similar to this in Linux? Note: Using Btrfs is a valid solution, but is far from stable (got a few oopses during my tests)."

16 of 123 comments

  1. Yep by Anonymous Coward · · Score: 5, Informative

    You can use IMA (2.6.30 and later) and EVM (2.6.38 and later). :)

  2. Re:TrueCrypt by munozdj · · Score: 3, Informative

    Yes, exactly. I've been using TrueCrypt for my important info (mostly pr0n), and have had no problems. It lets you choose between different encryption algorithms (blowfish, twofish, AES, and others I can't remember) and allows you to encrypt individual files, mount an encrypted virtual volume or encrypt your entire hard drive. And, as usual on /., it's FOSS.

    --
    Democracy: Crowdsourcing a country near you
  3. Re:TrueCrypt by EkriirkE · · Score: 2

    Nope, it offers full disk encryption, partition encryption, and file container, regardless of filesystem type within on Linux. My only problem with it on Linux is the partition labels do not propagate thru mounting (eg /media/truecrypt1 instead of /media/MyDiskLabel)

    --
    from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
  4. Re:TrueCrypt by Jeremiah+Cornelius · · Score: 3, Informative

    Volume encryption?

    Why is it needed? Unless you have a requirement that dictates this, there are more ways for volume encryption to fail.

    I am surprised no one has mentioned encfs. You could run it in userspace over whatever precious checksumming system your heart desired.

    http://www.arg0.net/encfs

    Advantages of pass-thru system vs an encrypted block device

    • Size: an empty EncFS filesystem consists of a couple dozen bytes and can grow to any size without needing to be reformatted. With a loopback encrypted filesystem, you allocate a filesystem ahead of time with the size you want. Depending on the filesystem, there may be ways of resizing it later, but that requires user intervention.
    • Automated Backups: An EncFS filesystem can be backed-up on a file-by-file basis. A backup program can detect which files have changed, even though it won't be able to decipher the files. This way backups can be made without needing to mount the encrypted filesystem.
    • Layering / Separation of Trust: EncFS can be layered on top of other filesystems in order to add encryption to unencrypted filesystems. This also allows you to store data on filesystems you trust for storage but not for security. For example, EncFS could be used on top of a CD, or a remote NFS filesystem, Samba share, or perhaps even GMail storage using GMailFS.

    Disadvantages

    • Meta-data: Meta-data remains visible to anyone with access to your encrypted files. This means that Encfs does not encrypt or otherwise hide the following information:
      • The number of files you have encrypted
      • The permissions on the files (readable, writable, executable)
      • The size of each file
      • The approximate size of each filename (to within 16 bytes using AES, or 8 bytes using Blowfish)
    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  5. Re:TrueCrypt by Chryana · · Score: 2

    As far as I am concerned, you already said too much. Your post does not even remotely address the question asked. Please read the summary next time. As for the original poster: sorry, I don't know any such tool for Linux. ZFS has already been mentioned. Maybe you could compile Geli on Linux?

  6. Re:TrueCrypt by koolfy · · Score: 2, Informative

    Not TrueCrypt.
    Nuff said.

    also : https://tails.boum.org/support/truecrypt/index.en.html
    I'll never say this enough : Don't trust Truecrypt when you have a shitload of similar/better tools that you can actually trust on linux.

    I mean just look at this

    --
    Segmentation Fault in "Life, Universe and Everything" at line 42. Don't Panic.
  7. Re:Just trolling by Verteiron · · Score: 5, Funny

    ... and I just finished compiling Firefox so I could submit this story to Slashdot!

    *crickets* .. gee, tough crowd.

    --
    End of lesson. You may press the button.
  8. Re:Just trolling by Wingman+5 · · Score: 5, Funny

    My personal favorite gentoo quote:

    <@insomni> it only takes three commands to install Gentoo
    <@insomnia> cfdisk /dev/hda && mkfs.xfs /dev/hda1 && mount /dev/hda1 /mnt/gentoo/ && chroot /mnt/gentoo/ && env-update && . /etc/profile && emerge sync && cd /usr/portage && scripts/bootsrap.sh && emerge system && emerge vim && vi /etc/fstab && emerge gentoo-dev-sources && cd /usr/src/linux && make menuconfig && make install modules_install && emerge gnome mozilla-firefox openoffice && emerge grub && cp /boot/grub/grub.conf.sample /boot/grub/grub.conf && vi /boot/grub/grub.conf && grub && init 6
    <@insomnia> that's the first one

  9. Re:Just trolling by greg1104 · · Score: 3, Insightful

    Gentoo recently postponed using GNOME3 because it seemed like a "work in progress". Meanwhile, Fedora has shipped it, Ubuntu is now on the even less mature Ubiquity, and CentOS can't even get a modern release shipped out the door at all. Gentoo is looking like a stable Linux aimed at old geezers nowadays.

  10. Re:TrueCrypt by johnslater · · Score: 5, Funny

    For pr0n you should definitely use blowfish, along with analfish

  11. Re:Without checksumming? by gweihir · · Score: 2

    You have no clue about block-oriented storage encryption, obviously. There is no space for checksums and the task is done on a lower layer (the disk) and can be done on filesystem layer. Doing it on block layer in addition to the encryption breaks block alignment.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. ZFS encryption by Cato · · Score: 2

    ZFS has very good per-block checksumming and many other features, and now has encryption support, which should be in OpenIndiana (the non-Oracle fork of OpenSolaris): http://milek.blogspot.com/2010/10/zfs-encryption.html. ZFS is a combination of volume manager (like LVM), software RAID and filesystem. Here's a useful HOWTO on setup: http://hardforum.com/showthread.php?t=1573272

    Unfortunately ZFS support in Linux is userland only due to licensing issues. It may not have encryption yet either - however you could run TrueCrypt on top of a ZFS volume (like an LVM logical volume), bypassing the ZFS filesystem part.

  13. Re:TPM, please? by Cato · · Score: 2

    You will probably get your wish, as there are people working on a secure boot using UEFI (modern replacement for BIOS) and the sort of cryptographic integrity validation you are talking about: https://lwn.net/Articles/447381/ (subscription required, but free from 23 Jun 2011)

    This can be used for good (if you own your own keys, you can compile and install your own kernel etc) or bad (if the hardware vendor or OS vendor owns the keys, you have no way to install anything else, i.e. you have a Tivoized system).

    Be careful what you wish for... There's a good chance that in a few years' time, new PCs that come with Windows will make it cryptographically impossible to install a new OS. Only if the UEFI allows you to disable this secure boot feature will you be able to do anything beyond Windows.

    Linux IMA (Integrity Measurement Architecture) is a separate project, in kernel 2.6.30+, that does similar things within Linux based on TPM: http://linux-ima.sourceforge.net/ - again, the ownership of the keys is critical.

  14. Re:Messes up alignment by dutchwhizzman · · Score: 2

    Not if you store the sum in another block. Look at how ZFS does it, very sweet because data stays data and the metadata contains the checksum. I could copy and paste the details here, but you could find those by yourself.

    You should never trust your disk. The amount of unrecognized single sector failures on modern disks is so big, that with a >90% probability, at any given moment, a stripe/raid with four 2TB disks will contain at least one of them. All professional grade storage systems have disc scrubbing and checksumming in place just because of this.

    The extremely large amounts of storage you are talking about were valid when disks were 4GB. Modern discs have the same error rate as then, per byte stored. All you do is have these 500 4GB discs consolidated on a single disk of 2TB. Same amount of sectors that can get broken, same actual amount of broken sectors.

    --
    I was promised a flying car. Where is my flying car?
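
The approach argued over in this thread (a per-sector check value written on every write, verified on every read, and kept in separate blocks so data sectors stay aligned) can be sketched as follows. This is an added example, not part of any comment and not geli's or ZFS's actual on-disk layout; the class name, sizes and key are constructed for the demo, a keyed HMAC-SHA256 is used rather than a plain hash, and the encryption layer is left out.

```python
import errno
import hashlib
import hmac

SECTOR = 512                      # data sector size (constructed for the demo)
TAG = 32                          # HMAC-SHA256 tag length in bytes
TAGS_PER_SECTOR = SECTOR // TAG   # 16 tags fit in one metadata sector


class AuthenticatedDisk:
    """Toy block device: data sectors stay aligned, tags live in separate sectors."""

    def __init__(self, n_sectors, key):
        self.key = key
        self.data = bytearray(n_sectors * SECTOR)
        n_meta = -(-n_sectors // TAGS_PER_SECTOR)      # ceiling division
        self.meta = bytearray(n_meta * SECTOR)
        for i in range(n_sectors):                     # tag the initial zeroed sectors
            self._store_tag(i, self._tag(i, bytes(SECTOR)))

    def _tag(self, index, payload):
        # Binding the sector number means a valid sector copied elsewhere fails.
        msg = index.to_bytes(8, "little") + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def _store_tag(self, index, tag):
        self.meta[index * TAG:(index + 1) * TAG] = tag

    def write(self, index, payload):
        if len(payload) != SECTOR:
            raise ValueError("payload must be exactly one sector")
        self.data[index * SECTOR:(index + 1) * SECTOR] = payload
        self._store_tag(index, self._tag(index, payload))

    def read(self, index):
        payload = bytes(self.data[index * SECTOR:(index + 1) * SECTOR])
        stored = bytes(self.meta[index * TAG:(index + 1) * TAG])
        if not hmac.compare_digest(stored, self._tag(index, payload)):
            # Propagate the mismatch upward as an I/O error instead of returning data.
            raise OSError(errno.EIO, f"integrity check failed on sector {index}")
        return payload


def demo():
    disk = AuthenticatedDisk(64, key=b"constructed demo key")
    disk.write(3, b"A" * SECTOR)
    ok = disk.read(3)
    disk.data[3 * SECTOR + 7] ^= 0x01   # simulate a silent single-bit error
    try:
        disk.read(3)
        detected = False
    except OSError:
        detected = True
    return ok, detected
```

The cost of the separate-block layout is visible in the sizes: 64 data sectors need 4 extra metadata sectors, and every write touches two locations.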
  15. Re:TrueCrypt by Ranguvar · · Score: 2

    The definition of open source is maintained here: http://www.opensource.org/osd.html
    It does not meet the requirements, therefore it is not technically open source.

  16. Re:TrueCrypt by koolfy · · Score: 2

    sorry the correct link was : http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

    I usually use LUKS with DM-Crypt, but there are other tools more user-friendly that come with gnome.
    Last day I discovered a gnome applet that manages crypted volumes written on the fly as you modify the mounted folder, that scale with the size of the content of the volume. (Dm-crypt has a defined volume size that you cannot outgrow, and the chiffered file used to mount the volume always has the maximum size it can reach --If I want a 15gB crypted volume, I get a 15gB file, no matter how empty the volume is.)

    I know avoiding TrueCrypt sounds like tinfoil hat paranoia, but if you need to encrypt your data in the first place, maybe this is healthy paranoia.

    --
    Segmentation Fault in "Life, Universe and Everything" at line 42. Don't Panic.