Weekly Edition
Return to the Press pageSponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||
Protecting Files at Home Using Encrypted Containers (Linux Journal)
The Linux Journal has posted a tutorial on the use of dm_crypt to create encrypted filesystems within files. "I have read many articles on encrypting entire partitions and drives, but I chose to use containers instead. By using containers, I have the flexibility to move them around, back them up to CD or DVD and not mount them when I don't need them.
(Log in to post comments)
Protecting Files at Home Using Encrypted Containers (Linux Journal) Posted Oct 5, 2005 19:26 UTC (Wed) by eludias (subscriber, #4058) [Link] ...even more flexible is using encfs using Fuse. Dynamically sized. No reason to be root.
Protecting Files at Home Using Encrypted Containers (Linux Journal) Posted Oct 5, 2005 20:03 UTC (Wed) by job (subscriber, #670) [Link] One reason might be that dm_crypt is well tested and seems to have no obvious cryptographic defects.
Protecting Files at Home Using Encrypted Containers (Linux Journal) Posted Oct 5, 2005 21:38 UTC (Wed) by aagaande (guest, #32888) [Link] encfs uses openssl as a backend, which is far more tested than dm_crypt is ;)
Protecting Files at Home Using Encrypted Containers (Linux Journal) Posted Oct 6, 2005 14:34 UTC (Thu) by dougm (subscriber, #4615) [Link] It's still possible to use well-tested libraries in an insecure way. Not saying that FUSE does or doesn't, but your argument isn't convincing.
Common pitfalls to avoid Posted Oct 5, 2005 20:29 UTC (Wed) by Wummel (subscriber, #7591) [Link] A while ago I also wrote some scripts to mount encrypted loopback containers and burn them autmatically to DVD. There are some drawbacks though:
Protecting Files at Home Using Encrypted Containers (Linux Journal) Posted Oct 5, 2005 22:24 UTC (Wed) by Ross (subscriber, #4065) [Link] Three comments:
a) The script examples are really bad. Overuse of cat, using control-c where it is not needed, etc.
b) Key handling. This is important. They key needs to be both protected from disclosure to unauthorized parties and protected from loss. If you lose the key you lose the data. It shouldn't be stored in plaintext on the hard drive. That's equivalent to storing the original data there. An alternative which isn't really discussed is using passphrases to either a) generate the key or b) encrypt the key for storage. Using a USB memory stick also works as long as you physically protect it and don't leave it plugged in when the data isn't mounted.
c) Memory and swap. When you mount a filesystem portions are loaded into RAM and various portions are cached. Keep in mind that if you do not shutdown the system (and even then to some extent) the data is still present. Similarly userspace accesses to the mounted filesystem will result in portions being loaded into swappable RAM. It is likely that your swap-space will contain portions of the data. Try grepping for one of your passwords in your swap partion some day. Using crypto swap, not using swap at all, and erasing swap partions on shutdown are all ways to address this problem (the latter is the least effective... what if the plug is pulled?).
Protecting Files at Home Using Encrypted Containers (Linux Journal) Posted Oct 6, 2005 9:55 UTC (Thu) by lamikr (subscriber, #2289) [Link] I still fail to understand why dm_crypt would be better/safer method than cryptoloop for making crypted files that can be mounted.
So far I have only seen some emails from Fruhwirth Clemens and Jari Ruusu.
Could somebody explain this for me?
Mika
Protecting Files at Home Using Encrypted Containers (Linux Journal) Posted Oct 6, 2005 20:52 UTC (Thu) by job (subscriber, #670) [Link] I believe it was not the case that cryptoloop is crackable, just that dm_crypt has a more sound design. Did you read the always-so-good LWN writeup on the issue?
|
|||||||||||