Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Seeking Current Info on Linux Encrypted FS?

Cliff posted more than 12 years ago | from the protecting-your-personal-data dept.

Linux 297

slick_rick asks: "I'm looking for info on encrypted file systems under Linux to help my employers company move away from Microsoft centric solutions. However the latest HOWTO is two years old, the latest kernel patch dates back to April (and 2.4.3) and even the Sourceforge project has nearly zero documentation and appears to be very dead. Are slashdotters using encrypted file systems? If so, what are your experiences?" We last talked about this topic, just over a year ago, in this article.

Sorry! There are no comments related to the filter you selected.

first post (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2630932)

first post

Re:first post (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2630983)

Why do mods waste the mod point modding down stuff like this to -1?

ACs post at ZERO ALREADY, folks! People who browse at the default (1) won't even see unmodded AC comments.

Save the points for the truly deserving trolls.

BTW, this parent *should* have been Score:-1 (Offtopic), NOT Score:-1 (Troll), if you're going to bother!

Re:first post (0)

Anonymous Coward | more than 12 years ago | (#2631055)

But, as it turns out it was a troll since we're all responding to it. Or maybe it was the original moderation of "Troll" that was the real troll?

Re:first post (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2631247)

What's a Trol?

Re:first post (-1)

Fecal Troll Matter (445929) | more than 12 years ago | (#2631285)

A girl making out with a rifle. [wickedpost.com]

win2k (1)

ImaLamer (260199) | more than 12 years ago | (#2630937)

I tried to use win2k's efs, and it ruined me.

Tell them that!

Re:win2k (2, Informative)

TheCabal (215908) | more than 12 years ago | (#2631147)

I tried to use win2k's efs, and it ruined me.

Tell them that!


Ever heard of a File Recovery Agent? There's one set up by default on every Win2k system. And it gets better... you can add more!

****ATTENTION SLASHBOT MODERATORS**** (-1)

Sunken Kursk (518450) | more than 12 years ago | (#2631186)

The above post contains information that portrays Windows 2000 in a positive light and is therefore a troll. Please moderate it as such.

Thank you.

Re:win2k (1)

Parsec (1702) | more than 12 years ago | (#2631206)

And it gets better... you can add more!

Add more what?

Re:win2k (1)

xanadu-xtroot.com (450073) | more than 12 years ago | (#2631236)

And it gets better... you can add more!

Add more what?


Errors, probably... :-)

Re:win2k (0)

Anonymous Coward | more than 12 years ago | (#2631279)

File Recovery Agents

Re:win2k (-1)

neal n bob (531011) | more than 12 years ago | (#2631223)

linux has always been encrusted by j0ncats

FreeBSD & NFS (5, Insightful)

stygian (222011) | more than 12 years ago | (#2630938)

It's been a long time since I set it up under FreeBSD...but, as I recall, it had a very easy-to-setup system for creating an encrypted filesystem. I just 'cattach' it when I boot the machine...and I'm the only user than can look at the contents. It's really quite nifty. And I've never been able to find a good Linux equivalent.

Re:FreeBSD & NFS (5, Informative)

stygian (222011) | more than 12 years ago | (#2630971)

csfd - that's what it was. The Cryptographic File System.... The readme for the FreeBSD port is:

This is CFS, Matt Blaze's Cryptographic File System. It provides transparent encryption and decryption of selected directory trees. It is implemented as a user-level NFS server and thus does not require any kernel modifications.

ftp://research.att.com/dist/mab/cfs.ps

Which is better for FreeBSD? CFS or Rubberhose? (1)

d_force (249909) | more than 12 years ago | (#2631253)

How does CFS compare to Rubberhose? I know the Rubberhose FreeBSD port is out of sync, but has CFS been updated.. or is that more outdated than the Rubberhose port?

- dforce

Re:Which is better for FreeBSD? CFS or Rubberhose? (2)

ftobin (48814) | more than 12 years ago | (#2631289)

but has CFS been updated

I don't see why this question is relevant. I have been using CFS for 3+ years on FreeBSD 2, 3, and 4, without a hitch. There does not seem to be a need for being 'updated'. It works very well.

Re:FreeBSD & NFS (3, Informative)

Marcus Brody (320463) | more than 12 years ago | (#2631356)

I've never been able to find a good Linux equivalent.

Try SuSE. Because they are a European distro (ie no problems with US export controls), and also aimed at secure/server market (unlike mandrake), they have Very Good built in security measures. It is really very trivial to set up a crypto file system. You really should give it a go. See this [suse.com] for some breif details.
Only problem is SuSE dont make iso's downloadable, so you might need to buy (gasp!) a copy. Money well worth spent though.

loop-AES (4, Informative)

Sami (83769) | more than 12 years ago | (#2630941)

Have you tried the loop-AES patch [sourceforge.net] ? It isn't exactly an encrypted FS, but you can create encrypted virtual drives with it.

Re:loop-AES (1)

Sami (83769) | more than 12 years ago | (#2631019)

Oh well, I cannot reach the site at the moment, but at least you can find an announcement for the latest release [lwn.net] from LWN.

W00t! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2630946)

tsop tsirf!

Re:W00t! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2630988)

NO! I got the first post!
bitch!

Stuck in Windows? Bestcrypt works okay... (4, Informative)

Bonker (243350) | more than 12 years ago | (#2630948)

It's a fairly decent encrypted filesystem implementation. I'm certain is has it downsides, but besides being non-free, I haven't found any others.

BC allows you to create encrypted volumes up to the max size of your harddrive, and encrypts anything therein with your choice of encryption schemas. It also comes with a 'Wipe' command that will allow you to delete a file or clean a drive with a 7-stage delete process.

Re:Stuck in Windows? Bestcrypt works okay... (1)

Ashran (107876) | more than 12 years ago | (#2631195)

he asking for a linux solution ..
For windows there is something coming along with PGP that allows you the creating of encrypted drives

Here is how to do it (0)

Anonymous Coward | more than 12 years ago | (#2630949)

Right click on the folder, click properties, click "Encrypt this folder." Any other way is a waste of time.

Re:Here is how to do it (4, Insightful)

EnderWiggnz (39214) | more than 12 years ago | (#2631211)

good thing that you have the ultra-secure, no government backdoors UBER-MS encryption there, right...

sigh...

"its encrypted because we say it is, and trust us on that"

Re:Here is how to do it (1)

LordBeaver (533586) | more than 12 years ago | (#2631274)

at least you dont need a phd in crytography to use it. lets face it if people want in - they'll get in no matter what os you are running

Re:Here is how to do it (2)

danheskett (178529) | more than 12 years ago | (#2631280)

good thing that you have the ultra-secure, no government backdoors UBER-MS encryption there, right...

sigh...



So break it, and be famous. Ohh, wait.. right.. that would require more than just lame spouting and playing to ignorant fears...

Microsoft's EFS does whats it meant to do. It gives employers the ability to have company data encrypted without being held hostage to employees/ex-employees later on down the line. A nice EFS setup will keep critical data encrypted seemelessly, allow employees to access it based on file access controls, AND prevent the data from being useful if the physical machine/device the data is on is stolen.

So, if you really think MS has all kinds of back-doors in it, why not actually go crack it? Go prove it, make a huge name for yourself, and expose MS.

Actually, how about you go and find ANY backdoor in ANY Microsoft product. You'd be a very famous person if you discovered an intentional verified widespread MS backdoor.

BestCrypt (0)

Anonymous Coward | more than 12 years ago | (#2630960)

Use BestCrypt from Jetico. It works on Windows OSes as well.

Re:BestCrypt (1)

NeoTron (6020) | more than 12 years ago | (#2631000)

Yes but Bestcrypt is not compiling against my 2.4.12+ kernels , and I wish they would sort that out :)

Re:BestCrypt (1)

mrplow (9351) | more than 12 years ago | (#2631210)

Bestcrypt 0.8-8 works for me since 2.4.12 (currently running 2.4.16-pre1 and no problems whatsoever).

Re:BestCrypt (1)

NeoTron (6020) | more than 12 years ago | (#2631242)

OMFG!!

Hmm I'm now downloading the latest clean source of kernel 2.4.16, and will try to recompile it - I was geting compilation errors - perhaps because I'm using Mandrake 8.1 kernel packages? They seem to include a lot of guff that's not in the Linus tree...

Thanks for telling me that :)

Reiser4 (5, Informative)

jeffphil (461483) | more than 12 years ago | (#2630963)

If you can wait until September 2002, ReiserFS v4 will have an encryption plugin builtin. [namesys.com]

so... (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2630969)

if linux doesn't have what you're looking for, and MS has a great solution, why bother?

Encryption is fine. Decryption doesn't work (3, Funny)

Karma 50 (538274) | more than 12 years ago | (#2630970)

ÖcéqêK8N& #9561;fö,á>c GîIk&#85 96;:á9fYé7$¼F~ ÿeCCLìM& #9616;ÿ4-
/ñlöúi;`&#957 1;r÷\^"Ç SHNHÄN$RiDeb"&# 9492;3@É-'&#983 5;úïfM¼fz&#978 8;
÷¥ä=jN¥ká&#9567 ;êå0#0_R'&#955 3;lf'\@& #9524;te1q :Æ¥ôä&# 9580;Eüb#
.¥c&#9688 ;Æ>ÿ"w&#9562 ;å+íÅ ï8XRO"# )Wÿ'fò^òY&#9571 ;Kñ2">[.0&#9 786;0Z
ÿ!(VIi±(Av#;d}x övëëúóî|KÖ9&# 9792;9Jq]@2Oü-ö @[WcáÅU3 j

Re:Encryption is fine. Decryption doesn't work (0, Redundant)

42forty-two42 (532340) | more than 12 years ago | (#2631005)

1;r÷\^"& #9658;Öcéq
.¥c&#9688 ; ;Æ>ÿ"w&#9562 ; ;å+íÅ ï8XR2OüáÅU 3 j -+íÅ ï

Re:Encryption is fine. Decryption doesn't work (3, Funny)

rjw57 (532004) | more than 12 years ago | (#2631259)

There is always someone who'll find a way to get Mr. Goatse past the moderators....

SuSE does this out of the box... (5, Informative)

pwagland (472537) | more than 12 years ago | (#2630972)

I am not sure about the other distributions, but as of SuSE 7.2, they do this out of the box. The support was improved in 7.3.

Note that this filesystem based encryption, not user based. I.e. you must enter a password to mount the filesystem, but after that it acts as a normal filesystem (but slower due to the aforementioned encryption).

The way that SuSE do it is to have an encrypted block device, so that you can throw anything you want on top of it. Typically this would be a filesytem ;-)

From the SuSE webpage:

* A highlight of SuSE Linux security technology: the so-called "crypto file system". Secret or sensitive data is encrypted on your own PC. This method is so safe that even if your notebook ist stolen, nobody, absolutely nobody (!) has even the slightest chance of decrypting your data. In addition, the crypto file system is so smart that the thief will not even notice that encrypted data exists.

Re:SuSE does this out of the box... (5, Informative)

MKalus (72765) | more than 12 years ago | (#2631017)

Actually I am using this activly on my Notebook and I haven't really seen any performance degredation (It's a PII 366). The nice thing about it is: It completly prevents you from booting the box at all so the security on the notebook is greatly enhanced:

- Login Bios Password (Yeah, no security there I know)
- crypto FS
- OS Security

Now the two weak links are the BIOS password as well as the OS Security (just boot from CDROM and on you go), but everything on the /data/ partition is encrypted and the parition is invisible if you boot from a boot disk.

Really neat.

Michael

Re:SuSE does this out of the box... (4, Insightful)

Drone-X (148724) | more than 12 years ago | (#2631158)

I take it that if you want to play really safe you'd have to encrypt your swap partition too, after all, any file you recently opened may get swapped to disk.

It would be convinient if you could have multiple entries in fstab share the same password, for now a little shell script will do (also because Aurora [dhs.org] doesn't support text input yet).

Re:SuSE does this out of the box... (1)

MKalus (72765) | more than 12 years ago | (#2631292)

I would say that's a yes, right now though it's only the data directory.....

Michael

Re:SuSE does this out of the box... (0)

Anonymous Coward | more than 12 years ago | (#2631257)

Depending on what you have encrypted the system could still boot up, example would be to just encrypt your /home and /var directorys.

Re:SuSE does this out of the box... (2)

grytpype (53367) | more than 12 years ago | (#2631044)

That's interesting... looking at that link, it appears that SuSE has a kernel module for doing Twofish encryption. I wonder if the source is available and can be ported to other distros...

Re:SuSE does this out of the box... (5, Interesting)

pwagland (472537) | more than 12 years ago | (#2631136)

Indeed the patch [sourceforge.net] is available.

Also, you can get all of the patches [ftp.gwdg.de] that SuSE use on their kernel, not only this one. Please note that this link is

  1. A mirror of the official SuSE site [suse.com] , and
  2. The SuSE development kernel. I.e. this kernel is not guaranteed for production use!
  3. The production kernel source is here [suse.com] .

SuSE got it since 7.2 (0)

Anonymous Coward | more than 12 years ago | (#2630980)

SuSE 7.2 and 7.3 has support for a twofish encrypted fs. You can even set it up in the graphical installer during installation. Works great!

XOR encryption is supported out of the box... (4, Informative)

grytpype (53367) | more than 12 years ago | (#2631003)

... take a look at "man losetup", which has a good example of setting up an XOR encrypted loopback filesystem. XOR is pretty crappy encryption however.

Re:XOR encryption is supported out of the box... (0)

Anonymous Coward | more than 12 years ago | (#2631087)

"Pretty crappy"? How about absolutely worthless. Dont do this, no security is better than the illusion of security.

Re:XOR encryption is supported out of the box... (1)

fdsa (78632) | more than 12 years ago | (#2631193)

Well, if your key is long enough...


However, remembering a 4GB key might be a little difficult, and not really that much easier than just remembering the data.

So is Rot 26 (0)

Anonymous Coward | more than 12 years ago | (#2631180)

Why use XOR when you can just use ROT26 =)

I used it on Suse (1)

kuiken (115647) | more than 12 years ago | (#2631008)

on SuSE crypto FS is an option during installation, so you might want to check this [sdb.suse.de] it is writen for suse but there is some usefull info in there for all distros.

Deniability (5, Informative)

Tet (2721) | more than 12 years ago | (#2631009)

Encrypted filesystems are useless without deniability. Rubberhose gives you that: http://www.rubberhose.org [rubberhose.org]

Re:Deniability (1)

andrew cooke (6522) | more than 12 years ago | (#2631067)

While rubberhose looks like an excellent piece of work, it's not true that encrypted file systems are useless without deniability. Encrypted file systems are often used commercially so that if the hardware is stolen commerical secrets are not made public. In such a situation it's unlikely that the user will be tortured to reveal the password.... (for example, I work at home, and all my source and email is on encrypted disks - my employers understand that I will give up the password at the slightest hint of danger, but still want encryption).

Maybe for you.... (5, Interesting)

coyote-san (38515) | more than 12 years ago | (#2631096)

Maybe you need deniability, but out here in the real world a lot of people should be using encrypted file systems just to ensure that sensitive or confidential information is not exposed to others if the disk is stolen, the cleaning people are bored, etc.

Personally, I don't want my doctor to have deniability about his records regarding me. Or my lawyer. Or my accountant. And most especially not my banker, financial adviser, etc.

In fact, for these people deniability makes a solution look much less attractive. People get *really* nervous when their accountant or lawyer has strong deniability about what the advice they gave you, about where your money went, etc.

50 ways to leave your lover (4, Informative)

mAsterdam (103457) | more than 12 years ago | (#2631012)

...and at least 10 ways to encrypt your data:
http://koeln.ccc.de/~drt/crypto/linux-disk.html
gives them.

loop-AES is the way to go (0)

Anonymous Coward | more than 12 years ago | (#2631020)

I have to second the suggestion of loop-AES [sourceforge.net] . It's really easy to install and use, and works great. I've got both encrypted FS and encrypted swap going using it.

cryptfs (4, Informative)

sdxxx (471771) | more than 12 years ago | (#2631023)

There is a cryptographic file system you can get for SFS [fs.net] . If you go to the download page [fs.net] , it's called cryptfs. Unfortunately, you have to install SFS first to compile cryptfs.

Cryptfs is fully functional, though it was indented mostly as a proof of concept. The point is that such file systems are not hard to build, should someone want to maintain one. Here's an undergraduate programming assignment [nyu.edu] in which the students build a fully-functional cryptographic file system as an NFS loopback server.

crypto filesystems "easy" (2)

coyote-san (38515) | more than 12 years ago | (#2631194)

It's easy to implement a crypto filesystem, but hard to do it *right*.

Some quick examples:

1) Is a standard cipher used? (easy, now that libraries are widely available)

2) Is a standard cipher used *correctly*? (e.g., no ECB mode!)

3) Does the same data in two blocks encrypt to the same ciphertext? If not, how are you randomizing them? What happens if you copy an encrypted FS from one media to another, e.g., via backups?

4) How do you detect an incorrect encryption key?

There's then the whole issue of key management, the truly hard part. How do you generate the key from the password? How do you support multiple users on the encrypted file system? (N.B., this is cryptospeek for "how do you prevent disgruntled employees from encrypting your data then walking away?" This usually means secondary and even tertiary keys automatically inserted by the system.) How do you handle system reboots?

Finally there's the mundane. Top of that list - how do you handle backups? Can you back up the encrypted data? Can you deny backups of the unencrypted data?

More recent CryptoAPI patches can be found at... (2, Informative)

NeoTron (6020) | more than 12 years ago | (#2631032)

ftp://ftp.kernel.org/pub/linux/kernel/people/hvr

Try that :)

ppdd (0)

Anonymous Coward | more than 12 years ago | (#2631046)

By far the best fs-encryption I've encountered for Linux so far is ppdd. You can encrypt everything. It's a kernel patch that uses the loopback devices.

http://linux01.gwdg.de/~alatham/ppdd.html [linux01.gwdg.de]

It's Really Pretty Trivial (5, Insightful)

Lethyos (408045) | more than 12 years ago | (#2631051)

The kernel patch you refer to is not outdated. There just is no reason to release new versions. Here's how you patch your kernel with the international patch.

One level up from your Linux source tree (typically /usr/src), do...

zcat ~/patch-int-2.4.3.1.gz | patch -p0 -E

You'll notice a chunk fails. The ONLY problem here is patching the root Makefile. Look at the file /usr/src/linux/Makefile.rej. It shows you what lines failed. You can easily fix this by adding (under the DRIVERS line)

CRYPTO = crypto/crypto.o

And changing the line

SUBDIRS = kernel drivers mm fs net ipc lib

to...

SUBDIRS = kernel drivers mm fs net ipc lib crypto

Now your kernel should be properly patched. Make it mrproper, then configure as needed. Add the proper cyphers (I'm sure you can figure this out). Typically, serpent and blowfish are the best choices. Also, build them as modules so you can harvest a little extra entropy. :) Also, make sure you build the loopback device as a module, and then add crypto support. I assume you know how to load modules

Now for the easy part. Once you have the kernel modules built and loaded, make sure you have the latest mount tools (including losetup). Pick the device file you want to use as an encrypted file system. For this example, I'm going to use hda3 with 256 bit serpent encryption for shits & giggles.

losetup --keybits 256 --encryption serpent /dev/loop0 /dev/hda3

It will prompt you for a pass phrase. Use a PHRASE and REMEMBER this. You cannot change the passphrase of an encrypted fs after you set it. Get it right. Next, format the device /dev/loop0 with your favorite file system (I prefer ReierFS because I've had trouble with ext2 fscking of encrypted file systems -- data loss most notably whenever I mistyped my passphrase). Do something like

mkreiserfs /dev/loop0

Now, destroy the loopback device...

losetup -d /dev/loop0

And add the following line to your /etc/fstab

/dev/hda3 /mountpoint reiserfs defaults,loop,auto,encryption=serpent 0 0

Now, every time you boot or mount that file system, it will ask you for the key length and the pass phrase. And there you go. Encrypted file system. Yea.

You can see how trivially easy that was and if you had put about half an hour's thought into it, you could have realized that the "outdated" howto hasn't been updated because the process is pretty much unchanged and you would not have wasted our time with yet another linux newbie Ask /. question. But that's just my opinion.

Re:It's Really Pretty Trivial (0, Offtopic)

grytpype (53367) | more than 12 years ago | (#2631094)

>You can see how trivially easy that was and if you had put about half an hour's thought into it, you could have realized that the "outdated" howto hasn't been updated because the process is pretty much unchanged and you would not have wasted our time with yet another linux newbie Ask /. question. But that's just my opinion.

Well, that's quite an attitude from someone with a /. ID in the low four-hundred-thousands.

Re:It's Really Pretty Trivial (0)

Anonymous Coward | more than 12 years ago | (#2631153)

Well, that's quite an attitude from someone with a /. ID in the low four-hundred-thousands.

Right. It's much cooler to have a lower user number and submit questions to Ask /. that are easily answerable if someone would just RTFM. Besides, I had a lower number, but I sold it at 50 karma points on eBay.

Re:It's Really Pretty Trivial (0, Offtopic)

Ewan (5533) | more than 12 years ago | (#2631188)

Errm,a low /. ID now equals some sort of coolness factor and allows you to be rude?

I must be way cool, maybe I should get a badge printed with my number on it? :)

Ewan

Re:It's Really Pretty Trivial (1)

Xenophon Fenderson, (1469) | more than 12 years ago | (#2631339)

Heh, if that's true, I must be even cooler than you! ;')

Oh yeah???? (0, Offtopic)

sterno (16320) | more than 12 years ago | (#2631215)

Well mine is bigger! Er, I mean smaller. Right. No, not that, I mean ... oh nevermind

Re:It's Really Pretty Trivial (2, Insightful)

jezzball (28743) | more than 12 years ago | (#2631264)

Sure, from someone with a 50k id...

Young'un :)

Maybe he just forgot his password on an encrypted file system that he couldn't mount?

Re:It's Really Pretty Trivial (1)

jnik (1733) | more than 12 years ago | (#2631288)

Sure, from someone with a 50k id...Young'un :)
*ahem*
Anyhow, even if the patch applies sorta cleanly, it always helps to look for the latest info. Also learning how to muck with failed patches isn't something that everyone knows. I'm certainly saving Lethyos' post for future reference.

Re:It's Really Pretty Trivial (1)

josecanuc (91) | more than 12 years ago | (#2631297)

I remember, back in the day...

When Slashdot was about equally science and Linux/computer stuff.

It's changed quite a bit, but I still enjoy reading.

--Joe

CFS works great (1)

zinc (81565) | more than 12 years ago | (#2631105)

You should really take a look at CFS. With a little patching it will compile under the various RH distros. Go here for patches: CFS patches [finerty.net]

Re:It's Really Pretty Trivial (2, Insightful)

Peter Dyck (201979) | more than 12 years ago | (#2631121)

You can see how trivially easy that was and if you had put about half an hour's thought into it

Right.

That kind of attitude will really encourage people in general to use Linux and encryption on a daily basis...

Re:It's Really Pretty Trivial (3, Interesting)

Anonymous Coward | more than 12 years ago | (#2631154)

You were doing a stellar job there until the uncalled for jabs at the end of that post. Maybe there are other slashdot readers out there that are interested in having an encrypted file system?

Maybe having an encrypted file system could be part of the install process for upcoming Linux distributions - an easy to use system for encryption in the partitioning stage of the install. Couple that with a runtime tool that can create encrypted partitions after the install, and you immediately have another big plus point over Windows, especially for people in government who have a habit of leaving laptops with top secret material on in taxi cabs.

In other news, the UK government is going to buy 500,000 copies of Windows XP. As a taxpayer, I disagree with this use of my tax money, and with the close relationship that the current government has with Microsoft. I feel that the best solution for the taxpayers is not being researched in the name of PR and photo opportunities for government ministers. And why does the government need to upgrade their computer system to Windows XP? What is wrong with 2000 - a proven OS now, not a just released one...

Re:It's Really Pretty Trivial (1)

Ewan (5533) | more than 12 years ago | (#2631200)

SuSE does this now, and at a presentation I saw on it recently by a SuSE guy he specifically mentioned it and demonstrated it.

I imagine the other distros won't be far behind.

Ewan

Re:It's Really Pretty Trivial (1)

hardburn (141468) | more than 12 years ago | (#2631310)

Maybe having an encrypted file system could be part of the install process for upcoming Linux distributions . . .

The problem is US export laws make it annoying to export strong encryption. With everyone screaming "Terrorism!" like they are right now, this doesn't look like it will be fixed any time soon. SuSe gets away with it because they're German.

Re:It's Really Pretty Trivial (3, Interesting)

dman123 (115218) | more than 12 years ago | (#2631182)

Although I will not be verifying your implementation, your post is well written and seems very informative. Why did you go and blow it at the end??

I constantly have to defend myself against being called part of a cult that is "drinking the Kool-Aid" and this type of attitude does not help. I am proud to be a geek/nerd, but the moment anyone thinks of me as arrogant or haughty, I feel bad.

Apologies (3, Insightful)

Lethyos (408045) | more than 12 years ago | (#2631239)

Sorry to everyone who was offended by my last comment in this post. I did in fact mean to help, but I just though that the original submitter of this Ask /. question could have done a little more work figuring this out. Hell, even I managed to get my file systems encrypted with that outdated HOWTO.

Nonetheless, I'm sorry for spoiling something informative with some elitist babble. It's just a knee-jerk reaction from time to time.

Re:Apologies (0)

Anonymous Coward | more than 12 years ago | (#2631354)

but just look at how much fun we've been having since you stirred the pot

Re:It's Really Pretty Trivial (2)

ishark (245915) | more than 12 years ago | (#2631254)

The kernel patch you refer to is not outdated. There just is no reason to release new versions. Here's how you patch your kernel with the international patch.

Actually, I remember reading (mailing list? cryptoapi doc? newsgroup?) that the patch-int should NOT be used, because the implementation of several cyphers (twofish comes to mind) is broken.

As I already wrote in another post, I didn't do extensive testing to compare patch-int and cryptoapi, but I *did* have lost data with patch-int: some files got garbled beyond repair (to quantify, I'd say less than 1% of them). I was using twofish.

Now I'm using cryptoapi, and I didn't have any trouble (at least not yet).

Another point: you may have troubles with losetup/mount, depending on the distribution you use. In that case, download util-linux from the kernel site, apply the patches and recompile. I keep two separate copies (called losetup-crypto and (u)mount-crypto) of the utilities.

I don't think I agree with the the suggestion about reiserfs. ReiserFS has no trouble with fsck simply because it doesn't do fsck... I'd suggest use whatever you want but disable auto-checking or, even better, modify the startup scripts to make sure that the passphrase is good (just try to mount the fs) before attempting a fsck.

Re:It's Really Pretty Trivial (3, Informative)

Lethyos (408045) | more than 12 years ago | (#2631308)

As I already wrote in another post, I didn't do extensive testing to compare patch-int and cryptoapi, but I *did* have lost data with patch-int: some files got garbled beyond repair (to quantify, I'd say less than 1% of them). I was using twofish.

I had this problem once or twice, but using either serpent or blowfish. It happened after typing a bad passphrase... and e2fsck kicked in and complained about fs errors. Of course, I've gone a little crazy with my set up. I have two hard disks, each encrypted with a different algorithm, that are then interleaved using RAID0. I love it. :) But it's trouble prone.

Now I'm using cryptoapi, and I didn't have any trouble (at least not yet).

Got any links or should I just look in standard locations? (Kernel archives, freshmeat?)

Another point: you may have troubles with losetup/mount, depending on the distribution you use. In that case, download util-linux from the kernel site, apply the patches and recompile. I keep two separate copies (called losetup-crypto and (u)mount-crypto) of the utilities.

That's one reason I mentioned having the latest utilities. Older versions don't support crypto stuff (obviously). But there's really nothing wrong with making hte latest util-linux package your primary. Why do you keep separate binaries?

I don't think I agree with the the suggestion about reiserfs. ReiserFS has no trouble with fsck simply because it doesn't do fsck... I'd suggest use whatever you want but disable auto-checking or, even better, modify the startup scripts to make sure that the passphrase is good (just try to mount the fs) before attempting a fsck.

Well, I suggested Reiser because in light of things not being set up properly, I think it's a little more careful before it goes and tries to replay a journal on a corrupted fs. That may actually be a positive fault here, as giving up early protects your data. In general though, I prefer a journaled fs so I'm boasting some advocacy here. :)

Re:It's Really Pretty Trivial (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2631284)

"you would not have wasted our time with yet another linux newbie Ask /. question. But that's just my opinion."

Heres another opinion, your a jackass.

Re:It's Really Pretty Trivial (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2631327)

Heres another opinion, your a jackass.

What about my jackass? I don't even own a donkey! Did you perhaps mean "you're" as in contracted "you are"? You did, didn't you? Oh my! I'm so hurt and offended by your opinion! You really meant to say something hurtful towards me! I'm going to go commit suicide RIGHT NOW to make penance.

Try BestCrypt (4, Informative)

Wee (17189) | more than 12 years ago | (#2631054)

I know it's not really an encrypted filesystem, per se, but BestCrypt [jetico.com] might be enough for you. It's a bit like NAI's PGPDisk. Essentially, you mount an encrypted file and then access it like any other disk (it has a mount point, etc). The nice part (for me) is that they have a Win32 version as well, so using BestCrypt and Samba means that I can have my wife's securely store her Quicken stuff on my fileserver (which is the only machine that gets a backup). The only "bad" thing about BestCrypt is installation. You have to make real sure your kernel sources are in good shape. I had a few issues installing it because I had a few different kernel sources laying around (not good, I know, I know...). Anyway, it's not that hard to install, but not a userland type thing either.

Like I said, it's not a filesystem, but it might get you by. I personally don't care if /etc is encrypted or not. But I might care if /home was encrypted. It's easy enough to mount a BestCrypt container file at /home, so that might be enough.

-B

I'm using the "old" sourceforge thing.... (2)

ishark (245915) | more than 12 years ago | (#2631059)

...and is seems to work ok. There's a problem with the compilation, you need to add -DEXPORT_SYMBOLS in the api/ subdir makefile for it to compile correctly.


Apart from that I never had any problem with it, but I admit that I never did much testing.

Okay, I Give Up! (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2631060)

What is Linux? Why is it important? Does it connect via serial port?

Re:Okay, I Give Up! (-1)

Sunken Kursk (518450) | more than 12 years ago | (#2631217)

It's a new medication for the treatment of open sores. Check at your local Wound Healing Clinic [boone.org] to learn more about it.

PGP DISK (-1, Redundant)

Anonymous Coward | more than 12 years ago | (#2631061)

PGP DISK

CFS (2, Interesting)

Anonymous Coward | more than 12 years ago | (#2631079)

I use CFS, which is a daemon the uses NFS to encrypt file and filenames. The files are stored encrypted on an ordinary filesystem.


It works well. I'm no security expert buy I can see a couple of problems with it. Firstly it uses triple-DES. Probably secure enough, but not so fast. There are certainly more suitable ciphers out there.


The key comes from a pass phrase. cfs forces you to have a pass-phrase with at least enough bits to fill the DES keys, but obviously unless you like memorizing long strings of random charcters there will be far less entropy than required in the key.


Secondly meta-data is not encrypted. So, although Eve can't tell what is in a particular file, she can see the directory structure (but not filenames) and when a file was created/modified/accesses.


Apart from these criticisms it seems quite good. Users can create/attach/detach encrypted filesystems without special priveledges. You can specify a timeout on a file store so it is dettached after a certain period.

Question to Cliff: Why does this help? (1)

mAsterdam (103457) | more than 12 years ago | (#2631097)

Ehrmm.. Cliff, why do you think this specific feature might help moving people away from MS-centric thinking? I'ld say most people who know about cryptography know about non-MS systems, the others might not be terribly interested. Please explain.

Re:Question to Cliff: Why does this help? (1)

CTho9305 (264265) | more than 12 years ago | (#2631164)

People might use encrypted NTFS for additional data security - if they can't encrypt a filesystem in Linux, they might not feel secure.

SUSE has it (2, Redundant)

HighTeckRedNeck (538597) | more than 12 years ago | (#2631101)

The install for SUSE version 7.2 professional had it built into the install. Select expert partitioning and it was a check box selection in the mount-point, file system type dialog box. You could edit the boot sequence to remove the prompt to mount the file system and then mount it only when you wanted it mounted. Once mounted it was visible in unencrypted form but you could un-mount anytime. Reading and writing is done via a loop back that decrypts /encrypts during read/write. It is visible as a standard file system once mounted to all programs by all users. SUSE 7.3 has this to say http://www.suse.com/us/products/suse_linux/i386/se curity.html Watch the space in security, comment dialog box is too small to fit url without it injecting a space.

Another Ask Google^WSlashdot: (-1)

Anonymous Coward | more than 12 years ago | (#2631140)

the answer can be found here [google.com] .

Project (0)

Anonymous Coward | more than 12 years ago | (#2631143)

www.gnupg.org

RubberHose (2, Redundant)

Acy James Stapp (1005) | more than 12 years ago | (#2631152)

The Rubberhose encrypted filesystem might be more suitable for individuals.

Read about it at www.rubberhose.org [rubberhose.org] . It's primary feature is deniability, (from their web page)

Rubberhose is a computer program which both transparently encrypts data on a storage device, such as a hard drive, and allows you to hide that encrypted data. Unlike conventional disk encryption systems, Rubberhose is the first successful, freely available, practical program of deniable cryptography in the world. It was released in an earlier form in 1997, but has undergone significant changes since that time. The design goal has been to make Rubberhose the most efficient conventional disk encryption system, while also offering the new feature of information hiding.

Rubberhose is a type of deniable cryptography package. Deniable cryptography gives a person not wanting to disclose the plaintext data corresponding to their encrypted material the ability to show that there is more than one interpretation of the encrypted data. What deniable crypto means in the Rubberhose context is this: if someone grabs your Rubberhose-encrypted hard drive, he or she will know there is encrypted material on it, but not how much -- thus allowing you to hide the existence of some of your data.

CryptoAPI (5, Informative)

Agent_Leprechaun (452587) | more than 12 years ago | (#2631163)

Do a search on google for CryptoAPI. That's the new encrypted filesystem interface for linux. The pathes for 2.4.3 are old. I have an encrypted file system working with 2.4.16 patched with GRSecurity. You no longer need to patch the kernel with CryptoAPI, it just creates kernel modules that you install. It's pretty easy to do.

BestCrypt (-1, Offtopic)

ehackathorn (168173) | more than 12 years ago | (#2631187)

It may not be exactly what you are looking for, but BestCrypt [jetico.com] has always worked for me.


Eric

I've used it the last 2 years (5, Insightful)

lessthan0 (176618) | more than 12 years ago | (#2631199)

For the past two years, I've been using it in several distributions, manually applying the kernel patches and compiling the necessary programs (utils). But with SuSE (>7.2), kernel encryption is built in which has saved me a load of time compiling it into the kernel.

SuSE uses twofish as the encryption algorithm which is good enough for me. I would prefer to use serpent, but not enough to recompile everything. Both twofish and serpent were finalists in the U.S. Federal AES competition, both losing to rijndeal. Of course, W2K/XP use weak 56-bit DES in their EFS and have administrator back doors, so it barely qualifies as encryption.

If you want fast, reliable, and easy to use enrypted file systems, choose SuSE!

encrypted root + warning about crypto in linux 2.4 (5, Insightful)

patbernier (9544) | more than 12 years ago | (#2631228)

For the truly paranoid, or as used to be my case, for laptops that travel a lot and hence are very prone to theft, the cool thing to do is to encrypt your (almost) entire disk, with your root filesystem on an encrypted loopback device, and no swap at all (because swap can't efficiently be encrypted, and RAM is so cheap anyway nowadays). Of course you still need to keep a small unencrypted boot partition to host your kernel, and an initrd image. The initial ramdisk must have a script that will setup the loop device -- prompting you for your passphrase -- before proceeding with system boot.

For additional protection, you might be tempted to keep this boot partition on a business-card size CD-R, thus making sure that nobody can insert code to steal your passphrase, but if they have access to your system for long enough, they could install a hardware keylogger and you're screwed anyway ^_^... Still, might be worth it to put some tamper detection right after the root fs is mounted (i.e. an md5sum check of your entire boot partition)

In any case, I've used such a laptop on a day-to-day basis for over a year and it worked great -- but do expect a huge performance loss on disk access.

On a related note, there is a warning on http://www.kernel.org/pub/linux/kernel/crypto/v2.4 /README.WARNING to the effect that encryption might be a bit broken in 2.4 kernels. I guess you better stick with 2.2 for now if you really need loopback crypto filesystems...

SuSE Linux comes with an encrypted filesystem (2, Informative)

nakana82 (539946) | more than 12 years ago | (#2631293)

When you are at the partitioning stage there is a box you can check that allows encrypted filesystems.

Your employer? (0, Offtopic)

0tim0 (181143) | more than 12 years ago | (#2631296)

Yeah, right, you just want to hide your pr0n from your wife!

--tim

Re:Your employer? (-1)

Fecal Troll Matter (445929) | more than 12 years ago | (#2631316)

I'd rather hide my rifle [wickedpost.com] from my wife, we wouldn't want any accidents...

centric? lame (0)

Anonymous Coward | more than 12 years ago | (#2631321)

Move away from Microsoft centric software, and move to Linux centric software? GAY

Why not just use OpenBSD, which has filesystem encryption by default.

I can't understand why people want to use Linux for everything.

Use OpenBSD or Solaris.

The International Kernel Patch (2, Interesting)

Goodbyte (539941) | more than 12 years ago | (#2631366)

I'm running a mix between the international kernel patch www.kernel.org/pub/linux/kernel/crypto [kernel.org] , (accually http://www.kerneli.org [kerneli.org] but it hasn't been alive for some time now) and crypto api [sourceforge.net] (which is a branch from kerneli.)
Something needs to be done about the block size problem - the solution from cryptoapi doesn't seem "the right way" ;-)

The best things about kerneli are the possibility to choose between different encryption algorithms and that it's not filesystem dependent. Though I miss the oppertunity to use the encryption algorithms in userspace programs. (Same thing about the digest algorithms, do thay have any function except for enlarging the kernel size?)

I'm currently testing a pam module that mounts kerneli encrypted home directories, release scheduled a few weeks into the future.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?