Tue 29 May 2007
Both on Windows and on Linux, files are normally freely readable, which gives any "accidental passer-by" (or a not so accidental one) access to all of your information.
If you want to keep something secret from strangers, this article is for you. It is especially relevant to notebook owners (everybody has heard of notebook thefts).
I took up the encryption question, looked at what people write, and found only a few sensible articles, almost none of them for Linux, so I had to reinvent the wheel myself. Maybe it will be useful to somebody.
I did not encrypt all partitions, only the user data. As far as the confidentiality of that data goes, this is just as secure as encrypting every partition together with all the packages and libraries would be; the one thing an unencrypted system partition does not protect against is somebody with the disk in hand modifying the system itself.

So the user data consists of the following:
- swap
- /home - goes into a TrueCrypt container (either a file or a partition)
- /tmp - these files are only needed for one session, so simply put it on tmpfs
- /var/tmp - the same
- /var/spool - holds the user's cron jobs and print jobs; better to put these in the container together with the home directory
- /var/mail - in the container
- /var/lib/slocate - in the container (the locate database lists the names of all your files)
- /var/log - in the container. Whatever is logged early in the boot, before the container is mounted, will not land here, but that has nothing to do with the user's logs.
For encrypting swap you can rely on the standard Linux tools (dm-crypt with a random key that is thrown away at shutdown).
So, briefly and in detail:
    sudo -i
    apt-get install cryptsetup
    echo aes >> /etc/modules
    echo dm_mod >> /etc/modules
    echo dm_crypt >> /etc/modules
    [ restart computer ]
    sudo -i
    swapoff -a
    # wipe the plaintext swap signature so nothing will ever mount the raw partition as swap again
    dd if=/dev/urandom of=/dev/sda2 count=100
    cryptsetup -d /dev/urandom create cryptoswap /dev/sda2
    mkswap /dev/mapper/cryptoswap -L accessisdenied -v1
    echo 'cryptoswap /dev/sda2 /dev/urandom swap' >> /etc/crypttab
    # in /etc/fstab replace your swap line with:
    #     /dev/mapper/cryptoswap none swap sw 0 0
    swapon -a
Two notes on this. The dd wipe must come before mkswap: plain dm-crypt has no header, so the first sectors of /dev/sda2 are the encrypted swap signature itself, and overwriting them afterwards leaves the new swap unusable until the next boot recreates it from crypttab. And count=100 only destroys the old signature; whatever was paged out to the plaintext swap earlier is still on the rest of the partition, so if that matters to you, overwrite the whole partition (dd if=/dev/urandom of=/dev/sda2 bs=1M, which takes a while). Because the key is random on every boot, suspend-to-disk into this swap cannot be resumed.
Next, put /tmp on tmpfs:
    mv /tmp /ttmp
    mkdir /tmp
    chmod 1777 /tmp
    # add to /etc/fstab:
    echo 'tmpfs /tmp tmpfs rw,nosuid,nodev,mode=1777' >> /etc/fstab
    mv /var/tmp /var/ttmp
    ln -s /tmp /var/tmp
Use mode 1777, not 0777: the sticky bit is what stops one user from deleting or renaming another user's files in the shared /tmp. Pointing /var/tmp at /tmp means it no longer survives a reboot, which is fine for a single-user notebook but is not what programs that park files there between reboots expect.
Now we move the directories from /var onto the encrypted partition:
    mkdir /home/.var
    chmod 755 /home/.var
    mv /var/spool /home/.var/spool
    ln -s /home/.var/spool /var/spool
    mv /var/mail /home/.var/mail
    ln -s /home/.var/mail /var/mail
    mkdir /home/.var/lib
    chmod 755 /home/.var/lib
    mv /var/lib/slocate /home/.var/lib/slocate
    ln -s /home/.var/lib/slocate /var/lib/slocate
    mv /var/log /home/.var/log
    ln -s /home/.var/log /var/log
You must also disable indexing of the encrypted partitions: in /etc/updatedb.conf add /home to PRUNEPATHS.
Then reboot and delete the /ttmp and /var/ttmp directories.
Next comes the encryption of the /home partition itself. I used MasterGnome's instructions, correcting only a few details concerning installation and formatting.
On Ubuntu Feisty the installation is somewhat simpler:
install the Automatix2 package if it is not there yet, and install TrueCrypt through Automatix.
Test TC:
    if truecrypt --test &> /dev/null; then echo "Ok"; else echo "Error"; fi
TrueCrypt can create crypto containers either in partitions or in files, which are then mounted like partitions. To use a file instead of a partition in the commands below, simply replace the partition name (e.g. /dev/sda3) with the file name (e.g. home.tc).
TrueCrypt encrypts with one of the algorithms AES, Twofish or Serpent.
All three are considered secure enough; at present no attack better than brute force is known against any of them.
AES - the US government standard.
Twofish - the fastest on an AMD64 processor (Linux kernel i386 2.6.20-16). It beats AES by about 20%.
Serpent - considerably slower than the two above.
I have noticed that Twofish is faster on AMD and AES on Intel, while on Intel mobile the two are roughly equally fast. You can pick any algorithm, but I recommend checking the speed on your own computer first.
You must also pick one of the hash functions RIPEMD-160, SHA-1 or Whirlpool. TrueCrypt uses it inside the key derivation (PBKDF2 with HMAC) to turn your password into the header key, where the published collision attacks on SHA-1 do not directly apply, so the choice is mostly about how much margin you want.
SHA-1 - a theoretical attack exists, and although it primarily concerns documents and digital signatures, using it is not recommended.
RIPEMD-160 - the default. No attack against it is known so far, although its predecessor RIPEMD has already been broken.
Whirlpool - considered slow; some sources even claim it is 2-3 times slower than the others. According to my tests, however, that is not so in TrueCrypt: both on Linux and on Windows XP it is no more than about 5% behind the others. At present it is the most robust, and the youngest.
So use either Whirlpool or RIPEMD-160.
TC can also cascade algorithms. AES-Twofish together with Whirlpool, plus a hidden container, is the composition for super-secret files ;)
Before you continue, save /home somewhere. Then, if your home is on its own partition (e.g. sda3), it must be unmounted:
    umount /home
For the /home directory we create the outer crypto container:
    truecrypt --encryption AES --type normal -c /dev/sda3
choose None as the file system, any hash algorithm, and enter the password twice. After that, map the container:
    truecrypt /dev/sda3
Then format it:
    mkfs.ext2 -v /dev/mapper/truecrypt0
    mount /dev/mapper/truecrypt0 /home
Copy the saved /home with all your files back into it. Do not forget .var from the saved /home, and afterwards delete all the files from the backup copy.
    umount /home
    truecrypt -d
Instead of ext2 you can also use other file systems: ext3, ReiserFS.
TrueCrypt is also practical because you can hide yet another container inside the encrypted one. Although the documentation says the outer container must be formatted as FAT, it also works without problems with ext2. Be warned, though: when writes to the outer container cross into the space of the hidden one, even with the -P (protect hidden volume) switch the system says nothing (unlike on Windows, where it can warn you); the hidden files are simply lost. Keep a backup of the hidden volume before filling the outer one.
The file system journal is automatically located inside the crypto container.
Now we install a script into the boot process (thanks to MasterGnome again) that asks for the password and mounts the container:
    cd /usr
    wget http://privat.heinzelzwerg.de/howtos/debian/truecrypt/tcbootscreen.tar.bz2
    tar -xvjf tcbootscreen.tar.bz2
    chown root:root /usr/tcbootscreen/*
    chmod ugo+x /usr/tcbootscreen/*
    chmod ugo-x /usr/tcbootscreen/tcscreen.tmp
    chmod ugo-x /usr/tcbootscreen/main.log
and change #!/bin/sh to #!/bin/bash in all the scripts, otherwise on Ubuntu an error with declare arises (Ubuntu's /bin/sh is dash, which does not know declare).
Now install it as an init script:
    mv /usr/tcbootscreen/tcbootscreen /etc/init.d/tcbootscreen
    update-rc.d tcbootscreen defaults
In the file /usr/tcbootscreen/decrypt set your own values for the device and the mount point.
Only one problem remains: the password is displayed as it is typed, i.e. "stty -echo" does not work during startup... Perhaps somebody can help...
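As an added example (not from the original article and not part of MasterGnome's scripts), the following POSIX shell script audits a machine against everything set up above: swap only through a dm-crypt mapping keyed from /dev/urandom, /tmp on tmpfs with nosuid, nodev and the sticky bit, the /var directories symlinked into /home/.var, /home excluded from updatedb, and /home mounted from a TrueCrypt mapping. The ROOT prefix, the mapping names cryptoswap and truecrypt0, and the file locations are taken from the commands above; the "before" and "after" sample trees are constructed test data, not output from a real system.

```shell
#!/bin/sh
# Added example (not from the original article): audits a system against the
# steps above. ROOT is a prefix ("" on the live machine) so the same checks run
# on a constructed tree. Assumed files: ROOT/etc/fstab, ROOT/etc/crypttab,
# ROOT/etc/updatedb.conf, ROOT/proc/mounts and the /var symlinks under ROOT.
# Every swap line in fstab must be a dm-crypt mapping; at least one must exist.
check_swap_fstab() {   # $1 = fstab
    local dev mp fs opts rest found=0
    while read -r dev mp fs opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$fs" = swap ] || continue
        case "$dev" in /dev/mapper/*) found=1 ;; *) return 1 ;; esac
    done < "$1"
    [ "$found" = 1 ]
}
# crypttab must key that mapping from /dev/urandom with the swap option:
# a throwaway key and a fresh swap signature at every boot.
check_swap_crypttab() {   # $1 = crypttab, $2 = mapping name
    local name dev key opts
    while read -r name dev key opts; do
        [ "$name" = "$2" ] || continue
        [ "$key" = /dev/urandom ] || return 1
        case ",$opts," in *,swap,*) return 0 ;; *) return 1 ;; esac
    done < "$1"
    return 1
}
# /tmp must be tmpfs with nosuid, nodev and the sticky bit (mode=1777).
check_tmp_fstab() {   # $1 = fstab
    local dev mp fs opts rest o
    while read -r dev mp fs opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        [ "$mp" = /tmp ] || continue
        [ "$fs" = tmpfs ] || return 1
        for o in nosuid nodev mode=1777; do
            case ",$opts," in *",$o,"*) ;; *) return 1 ;; esac
        done
        return 0
    done < "$1"
    return 1
}
# updatedb must not index the encrypted /home (PRUNEPATHS is whitespace-separated).
check_prunepaths() {   # $1 = updatedb.conf
    local paths
    paths=$(sed -n 's/^PRUNEPATHS=//p' "$1" | tr -d '"' | tail -n 1)
    case " $paths " in *' /home '*) return 0 ;; *) return 1 ;; esac
}
# The relocated /var directories must be symlinks into /home/.var.
check_var_links() {   # $1 = root prefix
    local d
    for d in /var/spool /var/mail /var/lib/slocate /var/log; do
        [ -L "$1$d" ] || return 1
        [ "$(readlink "$1$d")" = "/home/.var${d#/var}" ] || return 1
    done
}
# /home must be mounted from a TrueCrypt mapping, not from a raw partition.
check_home_mount() {   # $1 = /proc/mounts-style file
    local dev mp rest
    while read -r dev mp rest; do
        [ "$mp" = /home ] || continue
        case "$dev" in /dev/mapper/truecrypt*) return 0 ;; *) return 1 ;; esac
    done < "$1"
    return 1
}
# Runs every check, one line of output each; returns 0 only if all pass.
audit() {   # $1 = root prefix
    local r=$1 rc=0
    check_swap_fstab "$r/etc/fstab" && echo "OK   swap is a dm-crypt mapping" || { echo "FAIL plaintext swap in fstab"; rc=1; }
    check_swap_crypttab "$r/etc/crypttab" cryptoswap && echo "OK   swap key is random per boot" || { echo "FAIL cryptoswap not in crypttab"; rc=1; }
    check_tmp_fstab "$r/etc/fstab" && echo "OK   /tmp is tmpfs nosuid,nodev,mode=1777" || { echo "FAIL /tmp not tmpfs or lacks sticky bit"; rc=1; }
    check_prunepaths "$r/etc/updatedb.conf" && echo "OK   updatedb skips /home" || { echo "FAIL updatedb indexes /home"; rc=1; }
    check_var_links "$r" && echo "OK   /var dirs live in /home/.var" || { echo "FAIL /var dirs still on plaintext partition"; rc=1; }
    check_home_mount "$r/proc/mounts" && echo "OK   /home is on /dev/mapper/truecrypt*" || { echo "FAIL /home not on a TrueCrypt mapping"; rc=1; }
    return $rc
}
# Constructed sample trees (not real systems) so the script runs offline.
make_sample_tree() {   # $1 = directory, $2 = after | before (the procedure)
    mkdir -p "$1/etc" "$1/proc" "$1/var/lib"
    if [ "$2" = after ]; then
        printf '%s\n' '/dev/sda1 / ext3 defaults 0 1' '#/dev/sda2 none swap sw 0 0' \
            '/dev/mapper/cryptoswap none swap sw 0 0' 'tmpfs /tmp tmpfs rw,nosuid,nodev,mode=1777 0 0' > "$1/etc/fstab"
        echo 'cryptoswap /dev/sda2 /dev/urandom swap' > "$1/etc/crypttab"
        echo 'PRUNEPATHS="/tmp /usr/tmp /var/tmp /home"' > "$1/etc/updatedb.conf"
        echo '/dev/mapper/truecrypt0 /home ext2 rw 0 0' > "$1/proc/mounts"
        for d in spool mail lib/slocate log; do ln -s "/home/.var/$d" "$1/var/$d"; done
    else
        printf '%s\n' '/dev/sda2 none swap sw 0 0' 'tmpfs /tmp tmpfs rw,nosuid,nodev,mode=0777 0 0' > "$1/etc/fstab"
        : > "$1/etc/crypttab"
        echo 'PRUNEPATHS="/tmp /usr/tmp /var/tmp"' > "$1/etc/updatedb.conf"
        echo '/dev/sda3 /home ext3 rw 0 0' > "$1/proc/mounts"
        mkdir -p "$1/var/spool" "$1/var/mail" "$1/var/lib/slocate" "$1/var/log"
    fi
}
demo() {   # audits the two constructed trees; on the live machine run:  audit ""
    local t; t=$(mktemp -d); make_sample_tree "$t/after" after; make_sample_tree "$t/before" before
    echo "-- after --"; audit "$t/after" || true; echo "-- before --"; audit "$t/before" || true
    rm -rf "$t"
}
demo
```

Run it as root with `audit ""` after the reboot; a FAIL on the swap or /home line means some of your data is still being written to the plaintext partition, which is exactly the situation the whole procedure is meant to end.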

June 2nd, 2007 at 7:56 a.m.
And how do you make encrypted swap work with suspend-to-disk?
June 2nd, 2007 at 1:55 p.m.
That is the main problem with any encryption. If you do not encrypt swap, all the data is written to disk in the clear; if you do encrypt it, you cannot resume from hibernation.
I do not know a solution to this problem. Here everyone chooses for themselves: security, or the ability to hibernate.
June 2nd, 2007 at 2:16 p.m.
It would also be worth writing about where and how the keys can be stored.
June 2nd, 2007 at 2:17 p.m.
There is a script there that runs at Ubuntu startup, and it can auto-mount a USB flash drive and, after the key and password have been checked, auto-unmount it.
June 2nd, 2007 at 2:18 p.m.
In your case, rather than multiplying containers, it would have been simpler to encrypt the root partition as a whole. On a notebook it is better to use loop-aes for that, since it supports soft suspend. I would also add a key on a USB flash keyring.
If you play around a little with the encryption and hashing algorithms, you can increase the speed of swap/tmp. There is no sense in protecting temporary data with a strong, slow algorithm.
The only plus of using truecrypt on linux is being able to use the crypto container from windows. The usefulness of plausible deniability when encrypting whole file systems is doubtful.
On a desktop, /var/log can usually be put on tmpfs as well.
June 2nd, 2007 at 2:19 p.m.
I get by with a single container holding only /home; naturally, you should not place the whole disk in both the outer and the hidden container at once, but for the home directory I think it is just right. The alibi data and my own data, all in one place.
At first I did that with /var/log too, but then I found that CUPS, for example, complains. Although that is not fundamental, it can be tweaked a little ;)
June 2nd, 2007 at 2:21 p.m.
I have been using TrueCrypt for half a year now and am completely satisfied: free, cross-platform. It has a wonderful "Traveller Disk Setup" function that creates its own autorun on a flash drive; convenient: plug in the flash drive, enter the password, and your secret disk is right there.
June 15th, 2007 at 10:57 a.m.
Why TrueCrypt, when there are the standard cryptsetup, dm-crypt and LUKS? And _most_ distributions ship not only support for them but also tools for working with encrypted disks in KDE, Gnome, etc.? And, characteristically, it is compatible with Windows (using FreeOTFE). Including portable.
So the example is a poor one...
June 16th, 2007 at 1:16 p.m.
2ABATAPA:
It is all very simple... but do all these tools implement a hidden container inside an encrypted one?
April 3rd, 2008 at 11:32 a.m.
on debian I use cryptsetup (it is more or less the standard in 2.6)
at http://linuxgazette.mirrors.org.ua/14... you can read what is what
April 3rd, 2008 at 6:04 p.m.
2slav0nic:
as far as I know, it does not support hidden volumes