Jump to content

How secure are files if my computer gets stolen?


coffeendonut
 Share

Recommended Posts

I did hear about an encryption method called chaos encryption. You would have to write a script but basically the key is completely random. The "chaos" part is that when it comes to the algorithm, you just mash at the keyboard randomly, and it somehow....works :unsure:

 

Ill google around for a link now and edit it into this post if i find it

Link to comment
Share on other sites

  • Replies 40
  • Created
  • Last Reply

Top Posters In This Topic

hope everyone's aware that all the person would have to do is yank the hard drive, put it in another system running almost any *nix varient and they'd have access to the whole thing.

 

 

bottom line: if your computer gets stolen, your pretty well screwed.

Unless its encrypted.

 

The problem is to BOOT from an encrypted device.

Using an encrypted fs isnt that hard but booting from it is a bit harder.

Thus the USB key idea.

 

Then the stronger the encyption the more hassle each time.

 

One way is a seperate partition and make an encrpted fs on it. Mount it explicitly

If you wanna encrypt your home then you need to do quite a bit to let you log on whereas if you make a seperate explicitly mounted and encrypted partition its easier.

 

Also think what you encrypt.... etc.

Encrypting EVERYTHING is probably overkill.

Link to comment
Share on other sites

Like said. People can just rip out your harddrive and connect it to another computer and read your drive. This can only be prevented using encryption.

 

I've setted up an encrypted partition using mandrake partitioner during install (I suppose this is also available in the control center using the partitioner). I don't know if it can be done when teh partition has already been used.

 

Anyway. I've investigated this also a bit. Although I am not sure, I can give you some hints.

 

*For mail,file, ..encryption there are front-ends for kde and gnome and maybe also others. This is for the file-by-file, ... encryption. You have these front-ends (kgpg, seahorse, ...), but there is also cryptonit. Don't ask me what it doesn precisely, but it seems it can do more than just file-per-file stuff ..this is for kde it seems.

Dor gpg-fornt-ends you can have a look here maybe:

http://www.gnupg.org/(en)/related_software.../frontends.html

 

*You don't have to use encryption on a whole partition, you can also specify it per-folder/file(automatically) using tcfs. I DIDN4T USE THIS MYSELF. IT JUST SEEMS INTERESTING. Their FAQ: It also seems that it isn't maintained anymore, but not sure. http://www.tcfs.it/docs/tcfslinux-faq.3.html#Q3.9

 

 

some info on it:

To make TCFS usable by end-users, we provide a standard key management system called BKSM. The BKSM does not need the user to remember any password other than her login password.

BKSM stores the TCFS encryption key in a key database encrypted using the login password of the user.

Utility tcfsadduser creates an empty entry in the key database for the user while tcfsgenkey generates an encryption key, encrypts it using the login password of the user as a key, and adds it to the key database.

Utility tcfsputkey asks for the user's login password, retrieves the user encryption key from the key database, decrypts it and passes it to the TCFS client by performing the ad-hoc ioctl on the mount points of all the mounted TCFS filesystems.

Similarly, tcfsrmkey performs a remove ioctl on the mount points of all the mounted TCFS filesystems.

 

*this one seems to be up-date: http://loop-aes.sourceforge.net/

 

*You can HIDE content in images, but here in music if you want. It seems to work well, but I know that people are searching for methids to find this hidden content. Don't know if they succeeded yet. http://stego-lame.sourceforge.net/.

 

*syou maybe know this tuff, but store your personal key on a removable media liek an usb-stick or floppy or whatever you have, so you can set it to read-only physically (hardware).

 

*This is a good howto (think it wasn't mlentionned yet):

 

http://www.linuxsecurity.com/docs/HOWTO/En...on-HOWTO-4.html

*this seems nice too. Really from the bottom up it seems:

http://www.sdc.org/~leila/usb-dongle/README

 

 

Hopes this helps some.

Link to comment
Share on other sites

Holy smokes,

 

How do I access the encrypted file systems in the control center partitions utilty?! I read in http://www.mandrakelinux.com/en/10.0/features/#10 about encrypted file systems but I can't seem to find it when I use the utility. When I access format, I only get ext2, ext3, resier, etc. as is typcial but I find nothing to do with encryption?

 

I guess encrypting everything makes sense but I would be happy with just encrypting a volume for my documents, if that is an easier thing.

 

Thank you kindly,

Ben

Link to comment
Share on other sites

YOu shouldnt really worry all too much.

 

Who would want to steal your computer for your data??

 

And if the common theif stole it -- i doubt highly that they would know how to use linux or even the linux 1 boot.

 

So areyou being targeted because you have precious critical data that someone would like to steal?

i would think that sort of data shouldnt be kept on a home PC. Better on a USB FLash drive or a SD card both of which are very easy to hide, especially the SD, which is the size of a postage stamp.

 

Besides if you were in that sort of situation, with data someone would steal intentionally, its the sorta thing where you would expect the person to be wealthy or the business providing some money for some 'security'

 

And if you have money, it wouldnt be hard to organise for a NFS server to be setup offsite, which would be mounted as a normal partition however requiring a password to mount.

Even then, its not hard for a password to be brute forced.

 

So in simpe terms, unless you pay a secuity detatchment to guard the computer around the clock. You cant keep the data 100% safe.

 

If i were you, i would take ramfree's second option. Get a comfy pillow to sleep at night

 

Or demand money from your employer/ underground gang leader/ drug lord/ hitman :P for a server

Link to comment
Share on other sites

hope everyone's aware that all the person would have to do is yank the hard drive, put it in another system running almost any *nix varient and they'd have access to the whole thing.

 

 

bottom line: if your computer gets stolen, your pretty well screwed.

Unless its encrypted.

now now, we should know better than to trust encryption

 

:jester:

Link to comment
Share on other sites

iphitus.

Not quite.

I have lots of confidential trade secret data (professionally) . In fact hundreds of terrabytes of it.

 

On the other hand personally I havent so much.

My most precious is on a USB key ... (64MB)

The rest I guess an encrypted filesystem would be a good idea.

 

However its a hassle and if you make it automatic your defeating the purpose.

 

Even servers are not safe without military grade security.

Someone enterprising with knowledge could walk into where I work and extract a disk .... bear in mind where I work is secured. You cant enter the building without ID and an employee with ID. Even then I cant get onto my floor without a special badge etc.

But knowing what I know i could work out a plan to steal this data becuase no security is perfect. I might have to kill a couple of people and ive never tested if retinal scans work on dead people ... but it COULD be done. Even if it involves a brigade of mercs and resorting to C4 to get into the server rooms.

 

The information is potentially worth billions and potentialy some people would kill for it. Hence we take it seriously. However i could save myself a whole load of trouble by paying a contracter to give me a backup tape etc.

 

Hence the security is only as good as the weakest link. In our case I know several and all of these are easier than having to mount a military style operation. Hence secured access etc. ARE important commerically

 

I think the best thing is to decide what is possible/available and how much data you might/b] have that is SO sensitive.

Link to comment
Share on other sites

  • 2 weeks later...

Greetings all from a Linux newbie (but otherwise veteran geek).

 

I'll be looking into this kind of question myself, and when I searched on "linux" from the PGP corporate site they appear to be hiring to expand their offerings to this OS. Good.

 

Having been a Mac user for over a decade I encrypt all the important stuff with PGPdisk on OS 9.2.2. If there's a more secure consumer-available method of [virtual] disk encryption I haven't found it. I'm impressed by MDK 10.0, (and hoping a PPC version will arrive soon) but I'll be hard-pressed to give up something that is so stable and reliable (assuming of course that there are no keystroke loggers or spyware on my machine and Big Brother has no interest in my boring files, because I assume they can probably crack anything PGP puts out whether they admit it or not -- and I don't use virtual memory).

 

As for trusting OS X with such a task, well, I don't trust it yet, even if there is an OS X version of PGP's latest. Especially not after this week's advisories (sheesh!). :oops:

 

Cheers,

 

S.

Link to comment
Share on other sites

Hello everyone,

 

Just wanted to let everyone know my 'conclusion'.

 

It turns out MDK 10 does come w/ an encrypted file system out of the box, but only available if you use the expert mode in the diskdrake tool, then options. I made a partition for /home encrypted, and set up with /etc/modprobe.preload to load up cryptoloop, so during boot up it prompts me for the pass phrase.

 

I'm quite pleased with this solution, but a word of warning, setting up an encrypted file system has a huge performance hit, it's very obvious and slows all disk i/o down. This may not be acceptable if you really need maximum performance. The obvious solution to this would be to have a very fast system but I don't have the $$$ for that right now, but at least I can sleep well at night.

 

Thank you kindly,

Ben

Link to comment
Share on other sites

  • 2 weeks later...
Hi guys,

 

Holy smokes that is scary about root!! But I see how it is convenient as well. Thanks for replying, I am grateful we are part of such an active community.

 

Regarding mounting a secure volume on a USB key or what have you (I don't see why it would not equally apply to USB2 drives), can I do such a thing w/o figuring out BestCrypt/Loop/etc.?

 

I heard of this myth about mountloop but unlike everything mandrake it seems it's ill documented, no man page and the command line help is so brief:

 

usage: mountloop <enc> <file> <dir> [<fs type>]

 

Does anyone know the secrets to using mountloop? Could it possibly be useful in my scenario or perhaps just useful if I had something loop already in place?

 

Thank you kindly,

Ben

IIRC, mountloop is broken on fresh 9.2 and 10.0 Mandrake installs "out of the box". I know that at least on 10.0 there is a patch available via MandrakeUpdate to fix mountloop. Once you have that then setting up encrypted sections of disk is really easy:

 

# drakloop ; this will bring up the Mandrake encrypted disk GUI

 

at this point give it the name of a *new* directory (don't use a previous existing one as I don't know what will happen, if anything, to your files!) (e.g., /home/joe/mysecrets

 

Give it the filesize (in MB). I like to use 95MB in order to store contents on Zip disk, or ~600MB to burn to CD.

 

Choose your key. It *must* be minimum of 20 characters.

 

Choose the encryption key size (i.e., AES128, AES192, AES256).

 

If you have the correct (patched version) of mountloop on your machine, this will create a loopback directory that you named earlier (e.g., /home/joe/mysecrets). Anything you move into that directory (size fitting) will be encrypted when the filesystem is unmounted. Until it's unmounted everything looks like a 'normal' file. When you unmount it (via umountloop) it will appear as 1 large file named 'encfile'.. DO NOT DELETE THIS FILE UNLESS YOU INTEND TO DELETE ALL YOUR ENCRYPTED STUFFF!

 

To re-mount it, use the mountloop command.

 

Note that the filesystem is *NOT* dismounted when you log out; only when the machine is rebooted. REMEMBER TO 'UMOUNTLOOP' TO CLOSE THE FILES WHEN YOU'RE THROUGH WITH THEM!!!

 

Hope this helps!

 

Wren

wrenhunt[at]mindspring.com

Link to comment
Share on other sites

  • 2 months later...
Guest kingbyu

For some people in some situations, gnupg may be useful to protect files from being read. The following will work if you use kde.

 

Install kgpg (it should be in a package of its own from the same repository where kde stuff is found). When you first start kgpg, it will help you create your private key. It will also ask you if you want to put the "shredder" on your desktop. Go ahead and do this. In theory, you should be set up to encrypt, decrypt, and really delete files.

 

To encrypt a file, right click on it, and under actions, select encrypt. It will give you a list of keys, and you should select your private key to encrypt the file. It will create a file ending in .asc in the same directory. This is your encrypted file. However, you will notice that your old unencrypted file is still hanging around. You should then move it into the shredder for it to be really deleted (don't put it in the trash). Now when you go to use the file, you can right click on it, and select to open it with kgpg. You will then be prompted for the password associated with the private key that you used to encrypt it. After typing the password in, you will find the unencrypted file in the same directory.

 

I understand that this is kind of a more complicated process. But it may be the easiest thing to set up if you are only using a few "secret" files here and there. If you are constantly opening and closing many secret files, and want them to always be encrypted upon closing, then this is probably a little too long of a process to always be doing.

Link to comment
Share on other sites

  • 4 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share


×
×
  • Create New...