LKML: Andreas Hartmann: crypting filesystems

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>LKML: Andreas Hartmann: crypting filesystems</title><link href="/css/message.css" rel="stylesheet" type="text/css" /><link rel="alternate" type="application/rss+xml" title="lkml.org : last messages by Andreas Hartmann" href="/groupie.php?aid=2580" /></head><body itemscope="itemscope" itemtype="http://schema.org/BlogPosting">
<div class="threadlist">Messages in this thread</div><ul class="threadlist"><li class="root"><a href="/lkml/2005/4/4/80">First message in thread</a></li><li class="origin"><a href="/lkml/2005/4/4/216">Andreas Hartmann</a><ul><li><a href="/lkml/2005/4/4/216">Wiktor</a><ul><li><a href="/lkml/2005/4/5/150">Felipe Alfaro Solana</a></li></ul></li></ul></li></ul>
<table><tr><td class="lp">Date</td><td class="rp" itemprop="datePublished">Mon, 04 Apr 2005 12:45:57 +0200</td></tr><tr><td class="lp">From</td><td class="rp" itemprop="author">Andreas Hartmann &lt;&gt;</td></tr><tr><td class="lp">Subject</td><td class="rp" itemprop="name">crypting filesystems</td></tr></table>
<pre itemprop="articleBody">Hello,<br /><br />I want to encrypt some filesystems (/var, /home, /Data). I'm already running LVM 1<br />on all these partitions.<br /><br />I searched how to do this with Linux and found 3 ways to achieve what I<br />want to do.<br /><br />1. crypto-loop (with kernel 2.6)<br />2. loop-AES (with kernel 2.2.x, 2.4.x and 2.6.x)<br />3. dm-crypt (with kernel 2.6.x)<br /><br />Because I'm new to filesystem encryption, I searched for documentation on<br />all of these solutions and found that crypto-loop seems not to be<br />maintained any more. loop-AES and dm-crypt remained. dm-crypt uses the<br />device mapper concept, which I have known for a long time from LVM and which therefore<br />seems to be the most logical solution to me. There is no need to patch the<br />mount utility and integration is "out of the box".<br /><br />So I decided to use dm-crypt with 2.6.11.6. I built 3 partitions with<br />cryptsetup (LUKS) with ESSIV and 256-bit keys on top of LVM 1 and<br />reiserfs as filesystem. The swap partition is encrypted with a random key,<br />which is generated each time at boot.<br /><br />Still, some questions remain open concerning the security<br /> / stability of this solution.<br /><br />1. In order to enter the passphrase only once at boot, I put<br />the passphrase in a gpg-encrypted file (cipher AES256 and 256-bit key size),<br />which is decrypted at boot time to /tmp (-&gt; tmpfs) and immediately removed<br />with shred after activating the three partitions. Is it possible to see<br />the cleartext password after this action in tmpfs?<br /><br />2. Is it possible to obtain the passphrase from the active encrypted<br />partitions (because the passphrase is held somewhere in RAM)?<br /><br />3. I read at clemens.endorphin.org about 4 different cipher modes (CBC,<br />CMC, EME and LRW). Actually implemented in dm-crypt are the public-IV<br />on-disk format and ESSIV, both using CBC cipher mode. The other cipher<br />modes (CMC, EME, LRW) are not implemented yet, although they promise more<br />security.<br /><br />My question is:<br />Was anybody able to decrypt one of these two implemented public-IV on-disk<br />formats, or, to say it in other words: are the known problems mainly a<br />theoretical discussion until today?<br /><br />4. Do any master keys exist which could be used to open every<br />encrypted filesystem?<br /><br />5. I read about problems (corrupted filesystem) with reiserfs (I'm using V<br />3.6). Are they fixed in 2.6.11.6? Would it be better to use XFS?<br /><br /><br /><br />I would be very glad if somebody could give me some advice.<br /><br /><br />Kind regards,<br />Andreas Hartmann<br />-<br />To unsubscribe from this list: send the line "unsubscribe linux-kernel" in<br />the body of a message to majordomo&#64;vger.kernel.org<br />More majordomo info at <a href="http://vger.kernel.org/majordomo-info.html">http://vger.kernel.org/majordomo-info.html</a><br />Please read the FAQ at <a href="http://www.tux.org/lkml/">http://www.tux.org/lkml/</a><br /><br /></pre>
<div class="lm">Last update: 2005-04-06 13:31 &#160;&#160; [from the cache]<br />&#169;2003-2020 <a href="http://blog.jasper.es/"><span itemprop="editor">Jasper Spaans</span></a>|hosted at <a href="https://www.digitalocean.com/?refcode=9a8e99d24cf9">Digital Ocean</a> and my Meterkast|<a href="http://blog.jasper.es/categories.html#lkml-ref">Read the blog</a></div></body></html>
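Question 3 above asks whether the known problems with dm-crypt's public-IV on-disk format are only theoretical. The following Go program is an added illustration, not code from the message or from dm-crypt itself: it reproduces both IV derivations (dm-crypt's "plain" IV is the little-endian sector number; "essiv:sha256" encrypts the sector number under SHA-256 of the volume key) and shows the watermark effect that motivated ESSIV, where a writer who can predict the IVs can make two sectors share a first ciphertext block that is visible without the key. The 256-bit key and sector contents are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
)

// plainIV: dm-crypt "plain" IV, the 32-bit little-endian sector number zero
// padded. It is public and predictable for anyone who can see the disk.
func plainIV(sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint32(iv, uint32(sector))
	return iv
}

// essivIV: dm-crypt "essiv:sha256" IV, AES keyed with SHA-256(key) encrypting
// the 64-bit little-endian sector number, so the IV depends on the secret key.
func essivIV(key []byte, sector uint64) []byte {
	salt := sha256.Sum256(key)
	blk, _ := aes.NewCipher(salt[:])
	in := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(in, sector)
	iv := make([]byte, aes.BlockSize)
	blk.Encrypt(iv, in)
	return iv
}

// encryptSector CBC-encrypts one 512-byte sector under key with the given IV.
func encryptSector(key, iv, plain []byte) []byte {
	blk, _ := aes.NewCipher(key)
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, plain)
	return out
}

// watermarkCollides models the watermark problem of public IVs: whoever can
// write sectors a and b guesses their IVs with guessIV and sets b's first block
// to P_a XOR IV_a XOR IV_b, while the device encrypts with realIV. It reports
// whether the first ciphertext blocks match, a mark visible without the key.
func watermarkCollides(key []byte, guessIV, realIV func(uint64) []byte, a, b uint64) bool {
	pa, pb := bytes.Repeat([]byte{'A'}, 512), bytes.Repeat([]byte{'A'}, 512) // constructed sector contents
	ga, gb := guessIV(a), guessIV(b)
	for i := 0; i < aes.BlockSize; i++ {
		pb[i] = pa[i] ^ ga[i] ^ gb[i]
	}
	ca := encryptSector(key, realIV(a), pa)
	cb := encryptSector(key, realIV(b), pb)
	return bytes.Equal(ca[:aes.BlockSize], cb[:aes.BlockSize])
}
```

With the plain IV the guess equals the real IV and the collision always appears; with ESSIV the guess is wrong because the IV depends on the key, so the mark does not appear.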