[tux99]

I have written a mini how-to about disk encryption, it's not meant to be in-depth or comprehensive but rather short and to the point, to allow anyone with a minimum of Linux devices knowledge to create encrypted memory sticks, USB disks, or partitions in minutes.

http://www.linuxtech.net/tips+tricks/linu...ini_how-to.html

I have tested the procedure on Mandriva 2008.1 but it should work on most recent Linux distros.

It would be great if Mandriva could integrate this into the 'MCC/Local disks/Manage disk partitions' tool, but until then, the CLI is the only way to do this that I'm aware of.

Any comments are welcome!

This post has been edited by tux99: 31 March 2009 - 01:06 AM

[neddie]

Nice description! :thumbs:/> neat and to-the-point!
Maybe it would benefit from a mention of the package name on Mandriva for the cryptsetup tool - granted it's pretty obvious and also called "cryptsetup" but it may not be installed on all machines?
Also s/exsisting/existing/ :)/>

[ianw1974]

I use cryptsetup and have my whole hard disk encrypted. About a month or two ago, I then encrypted my USB sticks too and it's really nice because when you plug them in, the system then asks you for the password to gain access. Of course, if you're in X and udev is working, etc. If you're in a console then you'll have to do it manually.

From what I remember, the default encryption is AES so I know when I did it, I didn't specify any additional parameters like the howto, and the end result was the same - same encryption level as this howto.

One other thing, you can add multiple passwords to the USB stick, so that other users can use them if you share them at work - and they can even be used in Windows if you have the relevant app to use it. Another good idea about the password thing is that you can leave an admin password, so that if someone left your company, you'd still have access to the data on the stick/machine if they didn't give you their password.

[tux99]

neddie, on Mar 9 2009, 08:22 AM, said:

Maybe it would benefit from a mention of the package name on Mandriva for the cryptsetup tool - granted it's pretty obvious and also called "cryptsetup" but it may not be installed on all machines?

I thought about that, but I intentionally wrote it generic for any Linux distro, not specific for Mandriva, that's why I didn't include any reference to packages.
Also as it requires some knowledge of Linux /dev/sdX (or /dev/hdX) device naming, (it assumes the reader is able to figure out what device name is assigned to the device to be encrypted), I assumed that anyone being able to do that, would also know how to install the "cryptsetup" command on their distro of choice, if necessary.

neddie, on Mar 9 2009, 08:22 AM, said:

Also s/exsisting/existing/ :)/>

Fixed, cheers!

[tux99]

ianw1974, on Mar 9 2009, 08:25 AM, said:

I then encrypted my USB sticks too and it's really nice because when you plug them in, the system then asks you for the password to gain access. Of course, if you're in X and udev is working, etc. If you're in a console then you'll have to do it manually.

From what I remember, the default encryption is AES so I know when I did it, I didn't specify any additional parameters like the howto, and the end result was the same - same encryption level as this howto.

Interesting, I assume that's on your Ubuntu install? Can you maybe figure out what packages are involved in the prompting of the password under X, as I wonder if that is maybe available in Mandriva too by installing the right packages.

I decided for Twofish instead of AES because Twofish is slightly faster according to all benchmarks I found (and it's a completely free algorithm, unencumbered by patents, while still being at least as good as AES).
BTW, better make sure that your GUI tool uses 'essiv' by default, as without ESSIV your system will be vulnerable to very serious watermark and known plaintext attacks according to: http://www.shimari.c...-crypt-on-raid/ (it's mentioned on other sites, too).
That's actually one reason why I prefer CLI tools for encryption, GUI tools add another layer of abstraction that might introduce unwanted weaknesses.

ianw1974, on Mar 9 2009, 08:25 AM, said:

One other thing, you can add multiple passwords to the USB stick, so that other users can use them if you share them at work - and they can even be used in Windows if you have the relevant app to use it. Another good idea about the password thing is that you can leave an admin password, so that if someone left your company, you'd still have access to the data on the stick/machine if they didn't give you their password.

Yeah, I know the multiple passwords is a feature of LUKS/dm-crypt, for which "cryptsetup" can act as a front-end.
I assume you refer to this, when you say it can be used in Windws, too:

http://www.freeotfe.org/

This post has been edited by tux99: 12 March 2009 - 01:40 AM

[tux99]

tux99, on Mar 8 2009, 05:31 PM, said:

It would be great if Mandriva could integrate this into the 'MCC/Local disks/Manage disk partitions' tool, but until then, the CLI is the only way to do this that I'm aware of.

Actually I found that the 'MCC/Local disks/Manage disk partitions' tool does have an encryption option if you enable the "Toggle expert mode", but at least on my 2008.1 install it uses the older depreciated losetup/cryptoloop method, not the dm-crypt method as described in my how-to.

Also I found out in the meantime that there are really two methods of doing encryption with dm-crypt.

The one I described in my mini how-to which allows only one key, but uses the key directly to encrypt the partition and the LUKS method which creates a header at the beginning of the partition to be encrypted with the key and the encrytion method info in there.

The LUKS method allows multiple keys and easier usage as you don't have to remember the encryption method used (as all that info is stored in the header), the big drawback of the LUKS method is that if the header of the encrypted parttion gets corrupted for some reason you loose the whole content of the encrypted partition while with the plain cryptsetup method described in my mini how-to you only loose the bits of data that got corrupted or damaged.

I might still also write another how-to for the LUKS/dm-crypt method as it has it's uses too.

This post has been edited by tux99: 12 March 2009 - 01:56 AM