Both in Windows and in Linux, files are normally freely readable, which gives any "accidental passerby" (or a not so accidental one) access to all of your information. If you would like to keep something secret from strangers, this article is for you. It is especially relevant to notebook owners (everybody has heard of notebook thefts).
I have busied myself with the subject of encryption, looked at what people write, and found only a few sensible articles, and almost none for Linux, so I had to reinvent the wheel myself. Maybe it will be useful for somebody else too.
I did not encrypt all partitions, only the user data. That is just as secure as encrypting all partitions with all the packages and libraries!

So the user data consists of the following:
  • swap
  • /home - goes into a TrueCrypt (tc) container (either a file or a partition)
  • /tmp - these files are only needed for one session, so simply put it on tmpfs
  • /var/tmp - the same
  • /var/spool - holds the users' cron jobs and print jobs; better to put these into the container together with home
  • /var/mail - into the container
  • /var/lib/slocate - into the container
  • /var/log - into the container. Messages written during early boot, before the container is mounted, will not end up here, but those have nothing to do with the user's logs.
For Linux there are both built-in tools (dm-crypt, loop-aes, ...) and an external one, TrueCrypt, which works both in Windows Vista/XP/2000 and in Linux (though about 1.5 times slower). With source code, of course :-)

For encrypting swap you can rely on the Linux tools alone.
So, briefly but in detail:
sudo -i
apt-get install cryptsetup
echo aes      >> /etc/modules
echo dm_mod   >> /etc/modules
echo dm_crypt >> /etc/modules
[ restart computer ]
sudo -i
swapoff -a
# overwrite the old plaintext swap header first, so the raw partition can never again be swapped on unencrypted
# (doing this after mkswap would also destroy the fresh signature of the encrypted swap)
dd if=/dev/urandom of=/dev/sda2 count=100
cryptsetup -d /dev/urandom create cryptoswap /dev/sda2
mkswap /dev/mapper/cryptoswap -L accessisdenied -v1
echo 'cryptoswap /dev/sda2 /dev/urandom swap' >> /etc/crypttab
In /etc/fstab replace your swap entry with:
  /dev/mapper/cryptoswap none  swap  sw  0  0
swapon -a

Next, put /tmp on tmpfs:
mv /tmp /ttmp
mkdir /tmp
chmod 1777 /tmp
# 1777 keeps the sticky bit of the stock /tmp, so users cannot delete each other's files
Add to /etc/fstab:
echo 'tmpfs /tmp tmpfs rw,nosuid,nodev,mode=1777 0 0' >> /etc/fstab
mv /var/tmp /var/ttmp
ln -s /tmp /var/tmp
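The two steps above (encrypted swap via crypttab, /tmp on tmpfs) are easy to get subtly wrong, for example by leaving a plaintext swap line in fstab or a crypttab entry keyed from a file instead of /dev/urandom. The following audit script is an added example, not part of the article or of any project it mentions: it reads an fstab and a crypttab (both paths are parameters, so it can be run against copies) and reports any deviation from the layout described above. The sample files it stages in its demo are constructed here for illustration.

```shell
#!/bin/sh
# Added audit script, not part of the article: reads an fstab and a crypttab
# and verifies the layout set up above. Every swap entry must be a dm-crypt
# mapping whose crypttab line is keyed from /dev/urandom and carries the
# "swap" option, and /tmp must be tmpfs with nosuid, nodev and mode=1777.
# Exit status 0 means clean; each finding is printed as a FAIL line.

# has_opt OPTS NAME -> true when NAME is one of the comma-separated OPTS
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_swap_and_tmp FSTAB CRYPTTAB
check_swap_and_tmp() {
    fstab=$1 crypttab=$2 rc=0 saw_tmp=0
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac    # skip blank lines and comments
        if [ "$type" = swap ]; then
            case "$dev" in
            /dev/mapper/*)
                name=${dev#/dev/mapper/}
                # crypttab fields: <target> <source> <key> <options>
                entry=$(grep "^[[:space:]]*$name[[:space:]]" "$crypttab")
                if [ -z "$entry" ]; then
                    echo "FAIL: $dev has no crypttab entry"; rc=1
                else
                    set -- $entry
                    [ "$3" = /dev/urandom ] ||
                        { echo "FAIL: $1 is not keyed from /dev/urandom (key would survive reboot)"; rc=1; }
                    has_opt "$4" swap ||
                        { echo "FAIL: $1 lacks the swap option (no mkswap at boot)"; rc=1; }
                fi ;;
            *)
                echo "FAIL: plaintext swap on $dev"; rc=1 ;;
            esac
        elif [ "$mnt" = /tmp ]; then
            saw_tmp=1
            [ "$type" = tmpfs ] || { echo "FAIL: /tmp is $type, not tmpfs"; rc=1; }
            for o in nosuid nodev mode=1777; do
                has_opt "$opts" "$o" || { echo "FAIL: /tmp lacks $o"; rc=1; }
            done
        fi
    done < "$fstab"
    [ "$saw_tmp" = 1 ] || { echo "FAIL: no /tmp entry in $fstab"; rc=1; }
    return "$rc"
}

# demo: constructed sample files, one good fstab and one with the usual mistakes
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '/dev/sda1 / ext3 defaults 0 1' \
        '/dev/mapper/cryptoswap none swap sw 0 0' \
        'tmpfs /tmp tmpfs rw,nosuid,nodev,mode=1777 0 0' > "$dir/fstab.good"
    printf '%s\n' '/dev/sda2 none swap sw 0 0' \
        'tmpfs /tmp tmpfs rw,mode=0777 0 0' > "$dir/fstab.bad"
    printf '%s\n' 'cryptoswap /dev/sda2 /dev/urandom swap' > "$dir/crypttab"
    echo "== good fstab"; check_swap_and_tmp "$dir/fstab.good" "$dir/crypttab" && echo "clean"
    echo "== bad fstab";  check_swap_and_tmp "$dir/fstab.bad"  "$dir/crypttab" || echo "problems found"
    rm -r "$dir"
}

if [ "$#" -eq 2 ]; then
    check_swap_and_tmp "$1" "$2"
else
    demo
fi
```

Run it as `sh audit.sh /etc/fstab /etc/crypttab` after the reboot; with no arguments it runs the built-in demo. The crypttab lookup is deliberately strict about /dev/urandom: a fixed key file would make the contents of swap recoverable across reboots, which defeats the purpose of the whole exercise.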

Now we move the folders from /var onto the encrypted partition:
mkdir /home/.var
chmod 755 /home/.var
mv /var/spool /home/.var/spool
ln -s /home/.var/spool /var/spool
mv /var/mail /home/.var/mail
ln -s /home/.var/mail /var/mail
mkdir /home/.var/lib
chmod 755 /home/.var/lib
mv /var/lib/slocate /home/.var/lib/slocate
ln -s /home/.var/lib/slocate /var/lib/slocate
mv /var/log /home/.var/log
ln -s /home/.var/log /var/log
You must disable indexing of the encrypted partitions: in the file /etc/updatedb.conf add /home to PRUNEPATHS.
Then reboot and delete the folders /ttmp and /var/ttmp.
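A forgotten ln -s in the sequence above leaves that directory on the plaintext root, and a missing PRUNEPATHS entry lets updatedb walk the encrypted volume. The following check is an added example, not part of the article: it verifies that each relocated /var directory is a symlink pointing exactly at /home/.var/<name>, that the target exists, and that /home appears in PRUNEPATHS. The optional ROOT prefix lets it run against a staged tree; the tree its demo builds is constructed here for illustration.

```shell
#!/bin/sh
# Added check, not part of the article: confirms that the /var directories
# relocated above are symlinks into /home/.var (so nothing user-related is
# left on the plaintext root) and that updatedb.conf prunes /home. ROOT is a
# prefix for running the check against a staged tree; empty means the live
# system. Exit status 0 means clean; findings are printed as FAIL lines.

# check_var_relocation [ROOT] [UPDATEDB_CONF]
check_var_relocation() {
    root=${1:-}
    conf=${2:-$root/etc/updatedb.conf}
    rc=0
    for d in spool mail lib/slocate log; do
        link=$root/var/$d
        want=/home/.var/$d        # the absolute target the article's ln -s writes
        if [ ! -L "$link" ]; then
            echo "FAIL: $link is not a symlink, data is still on the plaintext root"
            rc=1; continue
        fi
        got=$(readlink "$link")
        [ "$got" = "$want" ] || { echo "FAIL: $link -> $got, expected $want"; rc=1; }
        [ -d "$root$want" ] || { echo "FAIL: target directory $root$want is missing"; rc=1; }
    done
    # the article requires /home in PRUNEPATHS so updatedb never indexes the
    # encrypted volume; accept the value with or without quotes
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"; rc=1
    else
        prune=$(sed -n 's/^PRUNEPATHS=//p' "$conf" | tr -d '"')
        case " $prune " in
        *" /home "*) ;;
        *) echo "FAIL: /home is not in PRUNEPATHS ($conf)"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# demo: stage a tree the way the commands above leave the system, then check it
demo() {
    r=$(mktemp -d)
    mkdir -p "$r/var/lib" "$r/etc"
    for d in spool mail lib/slocate log; do
        mkdir -p "$r/home/.var/$d"
        ln -s "/home/.var/$d" "$r/var/$d"
    done
    echo 'PRUNEPATHS="/tmp /usr/tmp /var/tmp /home"' > "$r/etc/updatedb.conf"
    echo "== staged tree"; check_var_relocation "$r" && echo "clean"
    rm "$r/var/log"; mkdir "$r/var/log"        # simulate a forgotten ln -s for /var/log
    echo "== with /var/log left on the root"; check_var_relocation "$r" || echo "problems found"
    rm -r "$r"
}

if [ "$#" -gt 0 ]; then
    check_var_relocation "$@"
else
    demo
fi
```

On the live system run it as root with `sh check_var.sh` after the reboot (arguments are only needed for a staged tree or a non-default updatedb.conf). The link target is compared as a string rather than resolved, so the check also works before the container is mounted, when the targets do not yet exist.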

Next comes the encryption of the /home partition itself. I used the instructions of MasterGnome, only corrected some trifles concerning installation and formatting.
For Ubuntu Feisty the installation is somewhat simpler:
Install the package Automatix2, if it is not there yet. Using Automatix, install TrueCrypt.
Test TC:
if truecrypt --test &> /dev/null; then echo "Ok"; else echo "Error"; fi
TrueCrypt can create crypto containers both in partitions and in files, which are then mounted like partitions. To use a file instead of the partition in the commands, it is enough to replace the partition name (e.g. /dev/sda3) with the file name (e.g. home.tc).

TrueCrypt encrypts with one of the algorithms AES, Twofish or Serpent.
All three are secure enough, and at the moment there is not even a theoretical possibility of breaking them, other than brute force.
AES - serves as a government standard in the USA
Twofish - is the fastest on the AMD64 processor (Linux kernel i386 2.6.20-16). It beats AES by about 20%
Serpent - is considerably slower than the two above.
I have noticed that Twofish is faster on AMD and AES on Intel, while on Intel mobile processors the two are about equally fast. You can select any algorithm, but I recommend checking the speed on your own computer first.

You must also select one of the following hash functions: RIPEMD-160, SHA-1 or Whirlpool.
SHA-1 - a theoretical attack exists, and although that primarily concerns letters and digital signatures, it is not recommended for use.
RIPEMD-160 - the default. There is still no theoretical attack on this algorithm, but its predecessor RIPEMD has already been broken.
Whirlpool - is slow; some sources even claim it is 2-3 times slower than the others. According to my tests, however, that is not the case in TrueCrypt: both in Linux and in Windows XP it is no more than about 5% behind the others. At the moment it is the most robust. And the youngest.
So use either Whirlpool or RIPEMD-160.

TC can also work with cascades of algorithms. AES-Twofish together with Whirlpool, plus a hidden container on top, is the combination for super secret files ;)

Before you continue, save /home somewhere. Then, if your home is on its own partition (e.g. sda3), it must be unmounted:
umount /home
For the /home folder we create an outer crypto container:
truecrypt --encryption AES --type normal -c /dev/sda3
Choose the file system as None, any hash algorithm, and enter the password twice. After that:
truecrypt /dev/sda3
Then format the container:
mkfs.ext2 -v /dev/mapper/truecrypt0
mount /dev/mapper/truecrypt0 /home
Copy the saved /home with all your files back in there. Do not forget .var from the saved /home, and afterwards delete all files from the saved copy.
umount /home
truecrypt -d
Instead of ext2 you can also use other file systems: ext3, ReiserFS.

TrueCrypt is also handy because you can hide yet another container inside the encrypted one. Although the documentation says the outer container must be formatted as FAT, it also works without problems with ext2. When you write past the boundary between the two containers while mounted with the -P option, the system says nothing (a warning is possible in Windows); the files are simply lost.
The journal of the file system automatically ends up inside the crypto container.

Now we install the script into the boot process (thanks to MasterGnome again), which asks for the password and mounts:
cd /usr
wget http://privat.heinzelzwerg.de/howtos/debian/truecrypt/tcbootscreen.tar.bz2
tar -xvjf tcbootscreen.tar.bz2
chown root:root /usr/tcbootscreen/*
chmod ugo+x /usr/tcbootscreen/*
chmod ugo-x /usr/tcbootscreen/tcscreen.tmp
chmod ugo-x /usr/tcbootscreen/main.log
and replace #! /bin/sh with #! /bin/bash everywhere in all the scripts, otherwise Ubuntu throws an error at declare (its /bin/sh is not bash).
Now move the init script into place:
mv /usr/tcbootscreen/tcbootscreen /etc/init.d/tcbootscreen
update-rc.d tcbootscreen defaults
In the file /usr/tcbootscreen/decrypt set your own values for device and mountpoint.
Only one problem remains: the password is shown as you type it, i.e. "stty -echo" does not work at boot... Perhaps somebody can help...
