how do i encrypt my file system? is it encrypted in slitaz by default? thanks.
encrypting the hard drive(16 posts) (4 voices)
Would I have to re-install the distro? Thank you
if you want to install with a crypted root, then i believe yes.
There might be a way to create a crypted partition and then you would move the / there, but i do not know.
I have not tried anything crypted with latest slitaz so other might know better.
I don't know how much Linux I know to be able to try making an encrypted partition and moving the root to it, but I will read up on it. Thanks!
Most of my installs have been GUI based, but it's high time I learned CLI for that.
Is there a way to make this a default version of the distro? Would that be hard to do?
I enjoy security using my computers, and while I recognize I can do it with my own machine I believe security from outside threats to be of utmost importance; especially in a Linux machine. It is one of the reasons I enjoy Linux so much.
I realize I am not all Slitaz users, and not all may feel the same, and honestly do not know the difference pros/cons of encrypted vs. unencrypted when it comes down to it save for security (like filesystem, etc, which I know Slitaz has partial goals to be under) but it's just a thought.
I want to help make this distro the best it can be, for me this would go toward doing that. I'm really just trying to help. I've checked out the road map.
For a personal desktops? Not really needed and you will suffer performance hits at boot and shutdown because of the initial encryption and decryption at boot - i.e. It boots and shutdowns are slower than usual. It also makes recovery impossible if the drive fails and no LiveCD or external Linux could use the partition if it fails while encrypted. This also means very little if somebody is already logged in to your system - even by being physically at the system or using some remote login system like VNC or ssh. All in all, for Personal Desktops, it's all bad for little gain.
However, if this is used with businesses, where encrypting data is important to keep competitors from stealing data, it does become a viable solution.
I studied that in the last company i worked for, 18months ago.
We reached that same conclusion.
For laptops, you want to use at least an i5 processor (they have embedded instructions to hw assist encryption/decryption and i thing the gain is about a factor 10, provided you use an encryption software which uses them (TrueCrypt does, from version 7 and above).
Additionnally it parallelised the operations, making de facto use of otherwise generally unused cores (I have not tested it).
And additionnally what kept us away from doing it was the complexity of handling backups and keys. Not a huge problem but too much burden on a small company while our primary problem was to get orders.
One day, though, AES chips will be in all drives which will handle their own security transparently....
For a desktop I agree with both of you. Not for a laptop, a laptop is easily lost or stolen and may have sensitive information that could be used by a thief, I mean bank, e-mails, PayPal, eBay, iTunes, IM accounts, full name, personal address, date of birth, social security number, passwords, phone numbers, family information, credit card numbers, other credit information...
So it maybe interesting to think about encrypting (at least) the home directory.
I'd do it this way:
- Launch the Mount Box:
and press the button labeled 'crypto', accept the missing packages installation. Stop here, don't click the create button.
- Load the needed kernel modules:
# modprobe dm_crypt # modprobe dm_mod # modprobe aes_generic
- Add these modules to LOAD_MODULES in /etc/rcS.conf, for an automatic load at next reboot:
LOAD_MODULES=".... dm_crypt dm_mod aes_generic"
- Unmount /home:
# umount /home
- Erase /home (be sure to have an effective backup):
# fdisk -l Device Boot Start End Blocks Id System /dev/hda1 19336 19457 979933+ 83 Linux
Report the number of blocks, (979933 here) to the count option:
# dd if=/dev/zero of=/dev/hda1 count=979933
- Encrypt /home:
# cryptsetup --verbose --verify-passphrase luksFormat /dev/hda1 WARNING! ======== This will overwrite data on /dev/hda1 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: *PASS1* Verify passphrase: *PASS1* Command successful.
(Don't forget PASS1!)
- Open the encrypted partition:
# cryptsetup luksOpen /dev/hda1 home Enter LUKS passphrase: *PASS* key slot 0 unlocked. Command successful.
Verify mount point:
# ls -l /dev/mapper/ total 0 lrwxrwxrwx 1 root root 16 Mar 6 2009 control -> ../device-mapper brw-r----- 1 root disk 254, 0 Mar 6 09:51 home
- Format the encrypted partition:
# mkfs.ext3 /dev/mapper/home mke2fs 1.40.8 (13-Mar-2008) Warning: 256-byte inodes not usable on older systems Filesystem label= OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) 61312 inodes, 244854 blocks 12242 blocks (5.00%) reserved for the super user First data block=0 Maximum filesystem blocks=251658240 8 block groups 32768 blocks per group, 32768 fragments per group 7664 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376 Writing inode tables: done Creating journal (4096 blocks): done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 35 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override.
- Mount the encrypted filesystem as /home:
# mount /dev/mapper/home /home
- Ask passphrase at boot time. Add this code to /etc/init.d/local.sh:
# ask passphrase cryptsetup luksOpen /dev/hda1 home && mount /dev/mapper/home /home || echo "failed."
It should work, but please note that it is completely untested.
- Launch the Mount Box:
I'm running on very little sleep right now, but when I get my wits about me I will test this and let you know if it works. I fully agree about latop/desktop and the difference in security measures needed to take. I'm running off a laptop, and Slitaz is the fastest distro I have ever used (and I have used a lot), so I feel I can sacrifice a bit of boot time for peace of mind.
I'd still disagree about the laptops, especially if you have auto-login enabled. Kind of defeats the point.
Also sites that use banking details or credit cards are already encrypted and not cached by all browsers unless you purposefully configure it otherwise. Saving passwords or details on there sites are normally also disabled. In other words, you have to work really hard to do a stupid thing like saving your bank in an unencrypted form. If you have text files on your system with these details, no amount of encryption will protect them from your own clear stupidity.
This is pointless for any desktop systems. It slows stuff down, makes recovery impossible and won't protect the user from their own careless stupidity.
Well, I don't bank online. It's incredibly foolish to do so, I think, even with an encrypted hard drive. I don't actually have anything on here that's sensitive information I'm just a very private person. It's why I use linux on my home machines.
Also, you may be surprised what Criminal Justice majors can do with a disk and proper time with a hard drive as far as data recovery is concerned (even with encrypted drives).
if you use encrypted drive understanding what you are doing (ie, how to manage them, eg with a long enough key, but read the documentation for a few hours if you haven't yet, and you will learn a lot about how to avoid crypting weaknesses..) then you are pretty much on the safe side.
Of course, it COULD be that the CIA or another service has done tremendous progresses, but then they are kept secret....
FBI hackers fail to crack TrueCrypt - Techworld.com
news.techworld.com › News -
John E Dunn
De John E Dunn
30 Jun 2010 – The FBI has admitted defeat in attempts to break the open source encryption used to secure hard drives seized by Brazilian police during a 2008 investigation.
for an effortless solution you may want to consider an AES hw accelerated device
You must log in to post.