#1 2008-12-19 21:23:59

kestrel
Species: F. sparverius
From: Moscow, Idaho
Registered: 2008-11-29
Posts: 167
Website

Encryption

Let's start a thread exploring encryption options in #!. I'm interested in /home and swap encryption. Having a "My Private Folder" would help but is a bit cumbersome. Having the ability to encrypt on install would be rad.



#2 2008-12-28 16:05:49

kestrel
Species: F. sparverius
From: Moscow, Idaho
Registered: 2008-11-29
Posts: 167
Website

Re: Encryption

I have not gotten too far on this project. I thought I'd update progress so far.

I have tried out Intrepid's "Encrypted Private Directory" and as expected it is a mixed blessing. On the plus side it is very easy to set up.

Install ecryptfs-utils

sudo apt-get install ecryptfs-utils

Setup your private directory

ecryptfs-setup-private

Enter your login password, and either choose a mount pass phrase or generate one
Record both pass phrases in a safe location!!!  They will be required if you ever have to recover your data manually.
Logout, and Log back in to establish the mount

On the minus side.
1. Requires a little hackery to protect things like browser cache and ssh keys.
2. Backups are unencrypted without more hackery.
3. Leaves tons of data unencrypted and it is hard to know just what could be compromised given my precious eee should fall into evil-doers' hands.

So for now I've set up ~/Private and

mv ~/.mozilla ~/Private 

and

ln -s ~/Private/.mozilla ~/.mozilla

to protect my browser cache which is currently my biggest worry.

I looked at how to encrypt the entire disk/filesystem and Ubuntu can do this on install but requires the "Alternate Install" CD which is not available yet in Cruncheee.

I have another method to try but it requires a reinstall back to bare metal and first I'd like more confidence in my backups. (Another story to be told someday.)


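An added example, not part of kestrel's post: the move-and-symlink step from post #2 written as a script that first confirms ~/Private is actually mounted as eCryptfs, since moving data into the unmounted directory would leave it on disk in the clear. The function names and the optional mounts-file argument (used for testing) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: relocate a dot-directory into an eCryptfs private directory
# and leave a symlink behind, but only if that directory is really mounted.

# is_ecryptfs_mount DIR [MOUNTS_FILE]
# True when DIR is listed as an ecryptfs mount point in the mounts table.
# Fields in /proc/mounts: device, mount point, filesystem type, options...
# (Paths containing spaces are escaped there as \040; not handled here.)
is_ecryptfs_mount() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 }
                   END { exit !found }' "${2:-/proc/mounts}"
}

# protect_dir SRC PRIVATE [MOUNTS_FILE]
# Return codes: 0 done (or already done), 1 SRC is not a real directory,
#               2 PRIVATE is not mounted, 3 target name already exists.
protect_dir() {
    src=${1%/}; priv=${2%/}; mounts=${3:-/proc/mounts}
    dest="$priv/$(basename "$src")"

    # When unmounted, PRIVATE is an ordinary directory on the plain disk:
    # anything moved there would be stored unencrypted.
    if ! is_ecryptfs_mount "$priv" "$mounts"; then
        echo "refusing: $priv is not a mounted ecryptfs directory" >&2
        return 2
    fi
    # Already relocated by an earlier run: nothing to do.
    if [ -L "$src" ] && [ "$(readlink "$src")" = "$dest" ]; then
        return 0
    fi
    if [ ! -d "$src" ] || [ -L "$src" ]; then
        echo "not a real directory: $src" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "already exists: $dest" >&2
        return 3
    fi
    mv "$src" "$dest" && ln -s "$dest" "$src"
}
```

Typical use after logging in: `protect_dir "$HOME/.mozilla" "$HOME/Private"`, with the browser closed.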

#3 2009-01-05 19:26:03

d0n0vAn
Member
From: Buffalo, New York
Registered: 2009-01-03
Posts: 21

Re: Encryption

I have downloaded Truecrypt and encrypted my thumbdrive (Ext3 with AES Whirlpool).

$ sudo apt-get install sun-java6-jre

$ sudo apt-get install python-pexpect

Download truecrypt-6.1a-ubuntu-x86.tar.gz
from http://www.truecrypt.org/downloads.php.  Unpack and execute the script.  The script installed the software flawlessly for me.

$ gksu truecrypt

I chose Ext3 because I write files larger than 4 GB (e.g. DVD .iso). If you do not, then FAT32 will make the drive Windows compatible without a driver or software.

Hope this helps.


#4 2009-01-05 22:51:31

rizzo
#! wanderer
From: ~/
Registered: 2008-11-25
Posts: 5,100

Re: Encryption

I've never used encryption but truecrypt looks interesting. There is a package in the repos called easycrypt that appears to use truecrypt.


#5 2009-01-12 15:30:42

DUDE
#! Member
From: Krypton?
Registered: 2008-12-16
Posts: 56

Re: Encryption

Quick question, do I have to format my drive to get Truecrypt working?
If so, shall I encrypt / or just the /home, what's the difference if I just encrypt /home...
Would the system slow down if I encrypt /?

Is it worth encrypting your line out on the web as well? I mean through a proxy.
Or is this just a step towards overkill?


Wrapped in just a blanket I was sent here from far far away to protect the people of this world! *NOT*

#6 2009-02-04 08:29:04

ZAP
#! Junkie
Registered: 2009-01-31
Posts: 313

Re: Encryption

I usually install Ubuntu with full disk encryption using the alternate CD, and it's always worked flawlessly. I haven't yet tried TrueCrypt, but that seems to be the best full disk encryption software available now. I'd like to try it on my #! netbook, but I'm wondering if anyone else has already done this and has experiences to share.

Barring that, a private folder with the .mozilla folder inside it seems like a reasonable alternative.


#7 2009-02-04 12:45:04

fhsm
#! Junkie
From: New Hampshire, USA
Registered: 2009-01-05
Posts: 443

Re: Encryption

SecurityNow covered this in some detail.

Notes: http://www.grc.com/sn/sn-133.txt
Audio: http://aolradio.podcast.aol.com/sn/SN-133.mp3


FHSM: avoid vowels and exotic consonants and you'll get your handle every time.  identi.ca


#8 2009-02-04 13:57:40

kestrel
Species: F. sparverius
From: Moscow, Idaho
Registered: 2008-11-29
Posts: 167
Website

Re: Encryption

I use truecrypt on my usb thumbdrive and it works great for that. It does not support system encryption in Linux. This can only be done in Windows. It would be cumbersome to use TrueCrypt for volume encryption as the volume would have to be hashed with your password and mounted from a command line at every boot. This would be separate from normal login processes.

The advantage of a private folder and the forthcoming "encrypted home directory" in jaunty is that they unencrypt and mount as part of the normal booting/login processes.

The best practice is to do full system encryption using the mini CD Ubuntu installer and crunchbang shell script described here. One tip is to consider your hash key carefully as you will have to present it at every boot.

I have this setup on my desktop and love it. I do not notice any degradation in speed or boot times. This desktop has a dual core AMD 3.2 GHz with fast SATA drives. A bit different from the eeepc1000.

I saw a review putting full disk encryption on a eeepc 901 machine and comparing it to a eeepc 901 without encryption. Then they performed a variety of speed tests and compared to non encrypted eeepc 901 the encrypted one was noticeably slower. http://www.phoronix.com/scan.php?page=a … disk&num=1 (Sorry about the visually coarse ads on this site. Page 5 has good info.)

I find the eeepc to be such a dog slow machine now, I'm afraid of what will happen if I use full system encryption. There are a few people over on eeeforums that confirm that this slows the eeepc even more than otherwise. I'm waiting for encrypted home directory to see how that performs.



#9 2009-03-19 11:24:02

Felix
New Member
Registered: 2009-03-16
Posts: 8

Re: Encryption

Another alternative is GNUPG. The open source PGP replacement, Seahorse is available in the package repos and there is an excellent little addon for firefox called FireGPG that allows you to encrypt stuff on the fly and there are also swathes of additional PGP plug-ins for things like EMACS etc.

You can also use MyPassWordSafe to keep a list of all your online passwords safe in a little encrypted password store but when it saves the *.dat from MyPassWordSafe it also creates a secondary backup *.dat that you might want to remove.

A cheap $3 USB memory stick to save the copies of your keys from your private and public Key-Ring along with a back-up of your MyPassWordSafe *.dat and you're all set. I advise that you hide the cheap USB somewhere and don't keep it laying around near your machine!

RSA and DSA algorithms are still all good, I have yet to meet an attacker that would want to waste their time with trying to brute force your PGP Key, they can sit there and try to break it till the cows come home, but to be honest I seriously don't think they would be bothered.

If it's the government that wants to see what's in your encryption folder, then you're duty bound by law to tell them all your passwords anyway, unless you want to be slapped with a charge for obstruction of justice.

Last edited by Felix (2009-03-19 12:02:13)


#10 2009-03-19 15:52:22

ZAP
#! Junkie
Registered: 2009-01-31
Posts: 313

Re: Encryption

I use KeePassX to encrypt passwords and other sensitive data, which is an excellent cross-platform program. I also use GnuPG+Seahorse for encrypting files and text to be sent to other GPG users and for some sensitive local files. And an encrypted home directory and encrypted off-site backups (I use Jungle Disk for this) would probably be enough for me.

And of course none of this is any good unless you use strong passwords and change them regularly (KeePassX can help you to do this without going mad, and you can use a unique mental algorithm to create them).

This is one of the best security reminders that I've come across: http://xkcd.com/538/


Copyright © 2012 CrunchBang Linux.