Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Tools For Linux Disk Encryption and Integrity?

Posted by timothy on from the guaranteed-wrongness dept.

An anonymous reader writes "I have been using Gentoo Linux for a long time now and have always been satisfied with one of its many disk encryption tools: cryptsetup (dm-crypt and LUKS). However, I recently gave FreeBSD a try and, although I concluded BSD is not for me, I was amazed at geli(8), FreeBSD's disk encryption tool. It happens this tool also provides what it calls an 'authentication mode.' Besides encrypting the disk sector-by-sector, it also stores checksums (sha256 in my case) in it on every write. On reads, if the checksum mismatchs, it propagates the error up, resulting in, say, a read() error. Thus I do not have to trust my disk (except of course for the boot partition) any longer: any data inconsistency will be detected before the data is used. Having searched for a long time without answers, I want to ask: is there something similar to this in Linux? Note: Using Btrfs is a valid solution, but is far from stable (got a few oopses during my tests)."

7 of 123 comments (clear)

  1. Yep by Anonymous Coward · · Score: 5, Informative

    You can use IMA (2.6.30 and later) and EVM (2.6.38 and later). :)

  2. Re:TrueCrypt by munozdj · · Score: 3, Informative

    Yes, exactly. I've been using TrueCrypt for my important info (mostly pr0n), and have had no problems. It lets you choose between different encryption algorithms (blowfish, twofish, AES, and others I can't remember) and allows you to encrypt individual files, mount an encrypted virtual volume or encrypt your entire hard drive. And, as usual on /., its FOSS.

    --
    Democracy: Crowdsourcing a country near you
  3. Re:TrueCrypt by Jeremiah+Cornelius · · Score: 3, Informative

    Volume encryption?

    Why is it needed? Unless you have a requirement that dictates this, there are more ways for volume encryption to fail.

    I am surprised no one has mentioned encfs. You could run it in userspace over whatever precious checksumming system your heart desired.

    http://www.arg0.net/encfs

    Advantages of pass-thru system vs an encrypted block device

    • Size: an empty EncFS filesystem consists of a couple dozen bytes and can grow to any size without needing to be reformatted. With a loopback encrypted filesystem, you allocate a filesystem ahead of time with the size you want. Depending on the filesystem, there may be ways of resizing it later, but that requires user intervention.
    • Automated Backups: An EncFS filesystem can be backed-up on a file-by-file basis. A backup program can detect which files have changed, even though it wonâ(TM)t be able to decipher the files. This way backups can be made without needing to mount the encrypted filesystem.
    • Layering / Separation of Trust: EncFS can be layered on top of other filesystems in order to add encryption to unencrypted filesystems. This also allows you to store data on filesystems you trust for storage but not for security. For example, EncFS could be used on top of a CD, or a remote NFS filesystem, Samba share, or perhaps even GMail storage using GMailFS.

    Disadvantages

    • Meta-data: Meta-data remains visible to anyone with access to your encrypted files. This means that Encfs does not encrypt or otherwise hide the following information:
      • The number of files you have encrypted
      • The permissions on the files (readable, writable, executable)
      • The size of each file
      • The approximate size of each filename (to within 16 bytes using AES, or 8 bytes using Blowfish)
    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  4. Re:Just trolling by Verteiron · · Score: 5, Funny

    ... and I just finished compiling Firefox so I could submit this story to Slashdot!

    *crickets* .. gee, tough crowd.

    --
    End of lesson. You may press the button.
  5. Re:Just trolling by Wingman+5 · · Score: 5, Funny
    My personal favorite gentoo quote:

    <@insomni> it only takes three commands to install Gentoo
    <@insomnia> cfdisk /dev/hda && mkfs.xfs /dev/hda1 && mount /dev/hda1 /mnt/gentoo/ && chroot /mnt/gentoo/ && env-update && . /etc/profile && emerge sync && cd /usr/portage && scripts/bootsrap.sh && emerge system && emerge vim && vi /etc/fstab && emerge gentoo-dev-sources && cd /usr/src/linux && make menuconfig && make install modules_install && emerge gnome mozilla-firefox openoffice && emerge grub && cp /boot/grub/grub.conf.sample /boot/grub/grub.conf && vi /boot/grub/grub.conf && grub && init 6
    <@insomnia> that's the first one

  6. Re:Just trolling by greg1104 · · Score: 3, Insightful

    Gentoo recently postponed using GNOME3 because it seemed like a "work in progress". Meanwhile, Fedora has shipped it, Ubuntu is now on the even less mature Ubiquity, and CentOS can't even get a modern release shipped out the door at all. Gentoo is looking like a stable Linux aimed at old geezers nowadays.

  7. Re:TrueCrypt by johnslater · · Score: 5, Funny

    For pr0n you should definitely use blowfish, along with analfish