encrypting the hard drive

SliTaz Forum » English Support » Live and installation

encrypting the hard drive

(16 posts) (4 voices)

Started 12 years ago by gap
Latest reply from gap
This topic is not a support question

Tags:

No tags yet.

12 Next »

gap

offline
Member

how do i encrypt my file system? is it encrypted in slitaz by default? thanks.

Posted 12 years ago #
christophe

offline
Member

I have not done it and someone asked question about that recently

Default is unencrypted.
See: http://doc.slitaz.org/en:guides:uncommoninst

Posted 12 years ago #
gap

offline
Member

Would I have to re-install the distro? Thank you

Posted 12 years ago #
christophe

offline
Member

if you want to install with a crypted root, then i believe yes.

There might be a way to create a crypted partition and then you would move the / there, but i do not know.

I have not tried anything crypted with latest slitaz so other might know better.

Posted 12 years ago #
gap

offline
Member

I don't know how much Linux I know to be able to try making an encrypted partition and moving the root to it, but I will read up on it. Thanks!

Most of my installs have been GUI based, but it's high time I learned CLI for that.

Posted 12 years ago #
domcox

offline
Administrator

See:

http://doc.slitaz.org/en:guides:uncommoninst#crypto-install

Posted 12 years ago #
gap

offline
Member

Is there a way to make this a default version of the distro? Would that be hard to do?

I enjoy security using my computers, and while I recognize I can do it with my own machine I believe security from outside threats to be of utmost importance; especially in a Linux machine. It is one of the reasons I enjoy Linux so much.

I realize I am not all Slitaz users, and not all may feel the same, and honestly do not know the difference pros/cons of encrypted vs. unencrypted when it comes down to it save for security (like filesystem, etc, which I know Slitaz has partial goals to be under) but it's just a thought.

I want to help make this distro the best it can be, for me this would go toward doing that. I'm really just trying to help. I've checked out the road map.

Posted 12 years ago #
Trixar_za

offline
Key Master

For a personal desktops? Not really needed and you will suffer performance hits at boot and shutdown because of the initial encryption and decryption at boot - i.e. It boots and shutdowns are slower than usual. It also makes recovery impossible if the drive fails and no LiveCD or external Linux could use the partition if it fails while encrypted. This also means very little if somebody is already logged in to your system - even by being physically at the system or using some remote login system like VNC or ssh. All in all, for Personal Desktops, it's all bad for little gain.

However, if this is used with businesses, where encrypting data is important to keep competitors from stealing data, it does become a viable solution.

Posted 12 years ago #
christophe

offline
Member

I studied that in the last company i worked for, 18months ago.
We reached that same conclusion.
For laptops, you want to use at least an i5 processor (they have embedded instructions to hw assist encryption/decryption and i thing the gain is about a factor 10, provided you use an encryption software which uses them (TrueCrypt does, from version 7 and above).
Additionnally it parallelised the operations, making de facto use of otherwise generally unused cores (I have not tested it).

And additionnally what kept us away from doing it was the complexity of handling backups and keys. Not a huge problem but too much burden on a small company while our primary problem was to get orders.

One day, though, AES chips will be in all drives which will handle their own security transparently....

Posted 12 years ago #

domcox

offline

Administrator

For a desktop I agree with both of you. Not for a laptop, a laptop is easily lost or stolen and may have sensitive information that could be used by a thief, I mean bank, e-mails, PayPal, eBay, iTunes, IM accounts, full name, personal address, date of birth, social security number, passwords, phone numbers, family information, credit card numbers, other credit information...

So it maybe interesting to think about encrypting (at least) the home directory.

I'd do it this way:

Launch the Mount Box:
# mountbox
and press the button labeled 'crypto', accept the missing packages installation. Stop here, don't click the create button.

Load the needed kernel modules:

# modprobe dm_crypt
# modprobe dm_mod
# modprobe aes_generic

Add these modules to LOAD_MODULES in /etc/rcS.conf, for an automatic load at next reboot:
LOAD_MODULES=".... dm_crypt dm_mod aes_generic"
Unmount /home:
# umount /home
Erase /home (be sure to have an effective backup):
```
# fdisk -l
   Device Boot      Start         End      Blocks   Id  System
/dev/hda1           19336       19457      979933+  83  Linux
```
Report the number of blocks, (979933 here) to the count option:
# dd if=/dev/zero of=/dev/hda1 count=979933

Encrypt /home:

# cryptsetup --verbose --verify-passphrase luksFormat /dev/hda1
WARNING!
========
This will overwrite data on /dev/hda1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: *PASS1*
Verify passphrase: *PASS1*
Command successful.

(Don't forget PASS1!)

Open the encrypted partition:

# cryptsetup luksOpen /dev/hda1 home
Enter LUKS passphrase: *PASS*
key slot 0 unlocked.
Command successful.

Verify mount point:

# ls -l /dev/mapper/
total 0
lrwxrwxrwx 1 root root     16 Mar  6  2009 control -> ../device-mapper
brw-r----- 1 root disk 254, 0 Mar  6 09:51 home

Format the encrypted partition:

# mkfs.ext3 /dev/mapper/home
mke2fs 1.40.8 (13-Mar-2008)
Warning: 256-byte inodes not usable on older systems
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
61312 inodes, 244854 blocks
12242 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=251658240
8 block groups
32768 blocks per group, 32768 fragments per group
7664 inodes per group
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 35 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Mount the encrypted filesystem as /home:
# mount /dev/mapper/home /home

Ask passphrase at boot time. Add this code to /etc/init.d/local.sh:

# ask passphrase
cryptsetup luksOpen /dev/hda1 home && mount /dev/mapper/home /home || echo "failed."

It should work, but please note that it is completely untested.

Posted 12 years ago #

gap

offline
Member

I'm running on very little sleep right now, but when I get my wits about me I will test this and let you know if it works. I fully agree about latop/desktop and the difference in security measures needed to take. I'm running off a laptop, and Slitaz is the fastest distro I have ever used (and I have used a lot), so I feel I can sacrifice a bit of boot time for peace of mind.

Posted 12 years ago #
Trixar_za

offline
Key Master

I'd still disagree about the laptops, especially if you have auto-login enabled. Kind of defeats the point.

Also sites that use banking details or credit cards are already encrypted and not cached by all browsers unless you purposefully configure it otherwise. Saving passwords or details on there sites are normally also disabled. In other words, you have to work really hard to do a stupid thing like saving your bank in an unencrypted form. If you have text files on your system with these details, no amount of encryption will protect them from your own clear stupidity.

This is pointless for any desktop systems. It slows stuff down, makes recovery impossible and won't protect the user from their own careless stupidity.

Posted 12 years ago #
gap

offline
Member

Well, I don't bank online. It's incredibly foolish to do so, I think, even with an encrypted hard drive. I don't actually have anything on here that's sensitive information I'm just a very private person. It's why I use linux on my home machines.

Also, you may be surprised what Criminal Justice majors can do with a disk and proper time with a hard drive as far as data recovery is concerned (even with encrypted drives).

Posted 12 years ago #
christophe

offline
Member

if you use encrypted drive understanding what you are doing (ie, how to manage them, eg with a long enough key, but read the documentation for a few hours if you haven't yet, and you will learn a lot about how to avoid crypting weaknesses..) then you are pretty much on the safe side.

Of course, it COULD be that the CIA or another service has done tremendous progresses, but then they are kept secret....

--------------------------------------------------------------------

FBI hackers fail to crack TrueCrypt - Techworld.com
news.techworld.com › News -

John E Dunn

De John E Dunn
30 Jun 2010 – The FBI has admitted defeat in attempts to break the open source encryption used to secure hard drives seized by Brazilian police during a 2008 investigation.

-------------------------------------------------------

Posted 12 years ago #
christophe

offline
Member

for an effortless solution you may want to consider an AES hw accelerated device

eg

http://www.hermitagesolutions.com/produits/istorage

Posted 12 years ago #

RSS feed for this topic

12 Next »

Reply »

You must log in to post.